Eventlog

Creating an EventLog entry in C#

using System;
using System.Diagnostics;

namespace ConsoleTest
{
    class Program
    {
        static void Main(string[] args)
        {
            string source    = "My Application Name";
            string log       = "Application";
            string eventText = "Sample Event";

            // Registering a source writes under HKLM\SYSTEM\CurrentControlSet\Services\EventLog
            // and requires administrative rights (SourceExists also throws a SecurityException for
            // non-admins because it has to read the Security log's registry key). Create the source
            // at install time rather than on every run; a freshly created source may not be
            // usable immediately.
            if (!EventLog.SourceExists(source))
            {
                EventLog.CreateEventSource(source, log);
            }

            EventLog.WriteEntry(source, eventText, EventLogEntryType.Information);
        }
    }
}

EventComb Commandline

Load a Saved Search

To load a search that you previously saved use:

/load:<previously saved search>

NOTE: if /load is specified no other parameters are parsed, except for /start.

DCs

To add all DCs in your domain to the list of servers to search use:

/dc

To add DCs from another domain use:

/dc:<domain name>

Example: /dc:redmond

Servers (from file)

To add servers from a text file use:

/file:<path to file>

Example: /file:"C:\program files\reskit\server.txt"

Servers (from command line)

To add a server from the command line use:

/s:<server name>

Events

To specify events to search for use:

/evt:"string of events"

Example: /evt:"644 528 639"

Event Types

To specify the types of events to collect use:

/et:weisafasu

OR

/et:all

The different types are:

  • w - Warning
  • e - Error
  • i - Informational
  • sa - Success Audit
  • fa - Failure Audit
  • su - Success

Use /et:all to search for all types.

Event Logs

To specify the event log types use:

/log:sysappsecdsfrsdns

OR

/log:all

The log types are:

  • sys = System
  • app = Application
  • sec = Security
  • ds = Directory Services
  • frs = FRS
  • dns = DNS

Output Directory

To specify the output directory use:

/outdir:"path to where output files should be written"

Example: /outdir:"c:\program files\reskit\"

NOTE: Do not specify a filename. The path should include the trailing '\'.

Threads

To specify the number of threads use:

/t:<number>

NOTE: The default is 25.

Event Source

To specify the Event Source use:

/source:"Source of event message"

Example: /source:netlogon

NOTE: When using the GUI the list of sources is pulled from the registry. When populated from the command line there is no validation checking. You could choose a source and a log/event combination that is not possible.

Event Text

To specify the text that needs to be in the event use:

/text:"text to match"

NOTE: Only use quotes for CMD.EXE's argument parsing. Do not include quotes, or logical expressions (AND, NOT, OR) in your search criteria, unless you are actually searching for that phrase. The search is case insensitive.

Date Range

To specify the date range use:

/after: to set the starting point for events

/before: to set the ending point for events.

NOTE: Both parameters take a date in the form of MMDDYYYYHHMMSS, or Month, Day, Year, Hour, Minute, Second. The time/date format needs to be exactly 14 characters. It cannot be a year before 1980 or after 2035. Both parameters must be used together.

Example: /after:05012002123000 /before:05052002123000

This resolves to:

Find Events After: Wed May 01 12:30:00 2002

Find Events Before: Sun May 05 12:30:00 2002
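As an added example (not part of the original page and not EventComb's own code), a small Python helper that decodes the concatenated /et and /log code strings described above and validates /after and /before values against the stated constraints (exactly 14 digits, MMDDYYYYHHMMSS, year 1980 to 2035, both given together); the function names are assumptions of this example.

```python
from datetime import datetime

# Type codes accepted by /et (from the reference above); note the two-letter codes.
EVENT_TYPES = {"w": "Warning", "e": "Error", "i": "Informational",
               "sa": "Success Audit", "fa": "Failure Audit", "su": "Success"}
# Log codes accepted by /log.
LOG_TYPES = {"sys": "System", "app": "Application", "sec": "Security",
             "ds": "Directory Services", "frs": "FRS", "dns": "DNS"}


def decode_codes(value, table):
    """Split a concatenated code string such as 'weisafasu' or 'sysappsecdsfrsdns'
    into its known codes, trying the longest code first at each position so that
    'sa' is not mistaken for an (invalid) bare 's'."""
    if value.lower() == "all":
        return list(table)
    codes, pos, s = [], 0, value.lower()
    lengths = sorted({len(k) for k in table}, reverse=True)
    while pos < len(s):
        for n in lengths:
            if s[pos:pos + n] in table:
                codes.append(s[pos:pos + n])
                pos += n
                break
        else:
            raise ValueError(f"unknown code at position {pos} in {value!r}")
    return codes


def parse_stamp(stamp):
    """Parse an /after or /before value (MMDDYYYYHHMMSS) and enforce the documented
    constraints: exactly 14 digits and a year between 1980 and 2035."""
    if len(stamp) != 14 or not stamp.isdigit():
        raise ValueError("date must be exactly 14 digits: MMDDYYYYHHMMSS")
    dt = datetime.strptime(stamp, "%m%d%Y%H%M%S")
    if not 1980 <= dt.year <= 2035:
        raise ValueError("year must be between 1980 and 2035")
    return dt


def describe_range(after, before):
    """Render the pair the way EventComb echoes it, e.g.
    'Find Events After: Wed May 01 12:30:00 2002'. Both values are required."""
    a, b = parse_stamp(after), parse_stamp(before)
    if a > b:
        raise ValueError("/after must not be later than /before")
    fmt = "%a %b %d %H:%M:%S %Y"
    return (f"Find Events After: {a.strftime(fmt)}",
            f"Find Events Before: {b.strftime(fmt)}")
```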

All Events

To override /text, /source, /time, /unit and /evt use:

/getallevents.

This is useful when you want to dump an entire event log to a text file.

These commands are only used when searching from the command line.

/nologfile Use this to skip creating a log file. This might be useful if you are parsing all the text files that were created and want to skip EventCombMT.txt.

/start Use /start to automatically start searching.

NOTE: Using /start will cause MessageBoxes to be thrown in the event of errors with parameters. If your parameters are incorrect and you are not using /start, the GUI should catch any problems when you click Search.

/help Using /help (/? or ?) shows this page.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License