Thursday, January 24, 2013

DumpEventLog is a great tool to parse Windows event logs

We have an instant messaging server in the office which helps with communication with those employees that telecommute. The server is running OpenFire (I think) and the clients are using Pidgin to connect and instant message. I'm not much of an administrator, so I cannot comment on how good the tools actually are. But, as a user, I find great value in being able to reach out to anyone and have a quick conversation without having to wait for email or the like.

That said, our Pidgin server has been going down with some regularity; roughly once a month, but sometimes a bit more.  And when it goes down, it takes forever to come back up.  The usefulness as a tool has been diminishing. 

As an incident response guy, one of the first things I wanted to see was the logs. But, I did not know a way that I would be able to read the logs short of logging in to the server...and I did not have credentials (I'm not an admin.) I looked for, and found, this script, DumpEventLogs.vbs. The script was suitable for me to give to an admin to run and provide the results back to me. And, there were a couple of canned scripts to look at some of the low hanging fruit (failed logons, user accounts created, abnormal shutdowns, etc.) The data returned to me was easy enough to read, and in a format that I could look at whatever criteria I wanted. Ultimately, I filtered the data on date, and was able to pin down that the machine was hanging upon reboots after applying patches. Rather benign. But, having this tool helped solve the problem. As for the server issue...that hasn't been fixed, but at least we know when to expect it to go down again next.
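An added example, not the DumpEventLog script from this post, showing the same kind of canned checks with PowerShell's Get-WinEvent: failed logons, user accounts created and unexpected shutdowns or reboots, filtered on a date range and written to CSV so an admin can hand the result back. It assumes an account with read access to the Security log (Event Log Readers membership or local admin) and the output path is an assumption.

```powershell
# Added example (not the DumpEventLog script from the post): dump the
# "low hanging fruit" events and filter them on date, as the post describes.
# Assumes read access to the Security log; $OutFile is an assumed path.
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    [datetime] $Start = (Get-Date).AddDays(-30),
    [datetime] $End   = (Get-Date),
    [string]   $OutFile = "$env:TEMP\eventlog-dump.csv"
)

# Security log: 4625 = failed logon, 4720 = user account created.
# System log:   6008 = previous shutdown was unexpected,
#               1074 = shutdown/restart requested by a process or user
#                      (the message names the initiator, e.g. Windows Update),
#               41   = Kernel-Power, system rebooted without a clean shutdown.
$filters = @(
    @{ LogName = 'Security'; Id = 4625, 4720;     StartTime = $Start; EndTime = $End },
    @{ LogName = 'System';   Id = 6008, 1074, 41; StartTime = $Start; EndTime = $End }
)

$events = foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
}

$rows = $events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Log      = $_.LogName
        Id       = $_.Id
        Provider = $_.ProviderName
        # First line of the message is enough for a quick read; the full text stays in the log
        Summary  = ($_.Message -split "`r?`n")[0]
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host ("{0} events written to {1}" -f $rows.Count, $OutFile)

# Timeline view: group reboots and unexpected shutdowns by day, which is how the
# "hangs on reboot after patching" pattern shows up when filtering on date.
$rows | Where-Object { $_.Log -eq 'System' } |
    Group-Object { $_.Time.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Format-Table Name, Count, @{ n = 'Ids'; e = { ($_.Group.Id | Sort-Object -Unique) -join ',' } } -AutoSize
```

A day that shows 1074 followed by 6008 or 41 is a reboot that did not come back cleanly; a 4625 burst or an unexpected 4720 is the security-side fruit the canned checks exist for.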
