This is not a tutorial on using dumpel or batch file programming, although I attempt some explanation of both. Rather, it is to show a way to make monitoring security a little easier.

As we all may or may not know, going through each and every single event in Event Viewer is a freaking pain in the butt (no fun).

Microsoft, however, does have a command line utility in its Resource Kit that makes it a little easier. It can dump all the events to one file in a number of different formats. Now this isn't nearly as bad as using Event Viewer, but it's still no fun (slightly less of a pain in the butt).

Attached is a zip file containing dumpel.exe (MS's tool) and a batch file that calls all the parameters I normally use and puts the resulting output into two separate web pages: one with all the messages for the past 24 hours and one that just lists the failures for that time period. On the main page (index.htm) is a link to a CSV file (included in the zip) containing the complete error code list for Windows. Clicking this link will open it as an Excel spreadsheet (if you have Excel) or in whatever program CSV files are registered to on your machine. On the main page is also a link to the page with just the errors.

The batch file in the zip is made for a stand alone machine. There is an example later in this text that shows how to dump logs from multiple servers.

To run it, unpack it to a directory of your choosing and just execute dump.bat:

REM Every (M,1,) line is a title or spacer. "M,1," is also the string the error
REM extract below searches for, so these lines are carried into errors.htm too.
echo (M,1,)Application >dump.log
dumpel -l application -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -l system -c -d 1 >>dump.log
REM Full report: wrap the whole dump in the html from head.txt and foot.txt
type head.txt >index.htm
type dump.log >>index.htm
type foot.txt >>index.htm
REM Error report: keep only the lines containing "M,1," (errors plus titles)
find "M,1," dump.log >dump2.log
type head2.txt >errors.htm
type dump2.log >>errors.htm
type foot.txt >>errors.htm
start index.htm


With the incredible number of worms and viruses on the internet, you might want to exclude them from the list:

dumpel -s \\<servername> -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log

or, if you use the bat that's in the zip for a stand alone computer, just change:
dumpel -l application -c -d 1 >>dump.log
to
dumpel -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log

Or any piece of text that is common to each and every virus warning can go between the quotation marks in the find statement instead of 'Symantec AntiVirus/Filtering'.

By piping the output ("|") to "find /V", only those lines NOT containing the text in the quotation marks will be added to the output file dump.log.

This I've included at the top of the batch file to help in making it more specific to your needs:

@echo off
REM dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]
REM
REM -d <days> Filters for event last days (number larger than zero)
REM -e nn Filters for event id nn (up to 10 may be specified)
REM -f <filename> Output filename (default stdout)
REM -l <name> Dumps the specified log (system, application, security)
REM -b Dumps a backup file (use -l to specify file name)
REM -m <name> Filters for events logged by name
REM -r Filters out events logged by name (must use -m too)
REM -s <servername> Remote to servername
REM -t Use tab to separate strings (default is space)
REM -c Use comma to separate fields
REM -ns Do not output strings
REM -format <fmt> Specify output format. Default format is
REM dtTCISucs
REM where
REM t - time
REM d - date
REM T - event type
REM C - event category
REM I - event ID
REM S - event source
REM u - user
REM c - computer
REM s - strings
REM
REM =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

As is stated above, the format for the command is
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3..] [-r] [-t] [-d x]

What I'm using here,

dumpel -l application -c -d 1 >>dump.log

doesn't make use of -f to write to a file but rather redirects the output to a file it creates/overwrites, using '>' to overwrite and '>>' to append to it.

Some people that use dumpel make extensive use of the event ids (-e), but for me it suffices to just view all the errors. This is easy enough to do on a daily basis. If you'd like to change the number of days that dumpel scans for, just change the "-d 1" to -d (number of days), so for once a week you'd make it -d 7. As if no one could figure that out, but it's never good to assume.

I run an expanded version of this batch every morning, repeating the same routine for each server and appending to the logs for each before making the final htm document. It has helped to avert some disasters and optimize the network. I feel my explanation is going to suck, so here's an example of how to do this on multiple servers. Just remember to have event logging turned on :)



REM =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) DC LOGS >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Application >>dump.log
dumpel -s \\huntington-dc -l application -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -s \\huntington-dc -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -s \\huntington-dc -l system -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) DATA LOGS >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Application >>dump.log
dumpel -s \\data -l application -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -s \\data -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -s \\data -l system -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) MAIL LOGS >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Security >>dump.log
dumpel -s \\mail -l security -c -d 1 >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)Application >>dump.log
dumpel -s \\mail -l application -c -d 1 | find /V "Symantec AntiVirus/Filtering " >>dump.log
echo (M,1,) >>dump.log
echo (M,1,) >>dump.log
echo (M,1,)System >>dump.log
dumpel -s \\mail -l system -c -d 1 >>dump.log
type head.txt >log.htm
type dump.log >>log.htm
type foot.txt >>log.htm
find "M,1," dump.log >dump2.log
type head2.txt >errors.htm
type dump2.log >>errors.htm
type foot.txt >>errors.htm
start log.htm
del dump.log

If you want to change the appearance of the created web page, the HTML for it is contained in the head.txt and foot.txt files.

Note: "M,1," was the only string common to all the messages, so putting it in the echo lines was a cheap way to include the titles and blank lines in the output of the final "find" redirect as well.
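Added example (not code from the original post or from the zip): a Python rewrite of the multi-server batch above that also replaces the two substring tricks, find /V "Symantec AntiVirus/Filtering " to drop the antivirus noise and find "M,1," to keep the errors and the echoed titles, with checks on the actual fields of dumpel's comma-separated output. It assumes dumpel's default dtTCISucs field order from the help text above (date, time, type, category, id, source, user, computer, strings), that the type column carries the Event Log API's numeric event type with 1 meaning Error, and that dumpel.exe is on the PATH when collect() is used for real. The server names are the ones from the post; the sample records are constructed lines in that layout.

```python
# Added example, not the post's own code. Field-based version of the
# multi-server dump.bat: same dumpel command lines, but the error extract and
# the antivirus exclusion check the type and source fields instead of
# searching for "M,1," and "Symantec AntiVirus/Filtering " as substrings.
# Assumed field order (dumpel default -format dtTCISucs, comma separated with -c):
#   date,time,type,category,id,source,user,computer,strings
# Assumed type codes: the Event Log API's numeric types, where 1 is Error.
import subprocess

# Same servers and logs as the batch file above.
SERVERS = {
    "huntington-dc": ["application", "security", "system"],
    "data": ["application", "security", "system"],
    "mail": ["security", "application", "system"],
}

# Event sources to leave out of the report (the post's find /V string, trimmed).
EXCLUDED_SOURCES = {"Symantec AntiVirus/Filtering"}

ERROR_TYPE = "1"  # assumption: dumpel prints EVENTLOG_ERROR_TYPE as "1"

FIELDS = ["date", "time", "type", "category", "id", "source", "user", "computer", "strings"]


def dumpel_command(server, log, days=1):
    """argv for one call, equivalent to: dumpel -s \\\\server -l log -c -d days"""
    return ["dumpel", "-s", "\\\\" + server, "-l", log, "-c", "-d", str(days)]


def parse_record(line):
    """Split one 'dumpel -c' line into a dict keyed by FIELDS.

    Returns None for blank lines and for the echoed title lines. The strings
    field is last and may itself contain commas, so split at most 8 times.
    """
    parts = line.rstrip("\r\n").split(",", 8)
    if len(parts) < 8:
        return None
    rec = dict(zip(FIELDS, parts))
    rec.setdefault("strings", "")
    return rec


def is_reportable_error(rec):
    """Error events (type 1) whose source is not on the exclusion list."""
    return rec["type"] == ERROR_TYPE and rec["source"] not in EXCLUDED_SOURCES


def filter_errors(lines):
    """Field-based equivalent of: find /V "<av source>" | find "M,1," """
    kept = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_reportable_error(rec):
            kept.append(line.rstrip("\r\n"))
    return kept


def build_report(sections):
    """sections is a list of (title, lines). Returns (all_text, errors_text),
    the equivalents of dump.log and dump2.log, one title line per section.
    A section title only appears in the error report when it has errors."""
    everything, errors = [], []
    for title, lines in sections:
        everything += ["", title] + [l.rstrip("\r\n") for l in lines]
        section_errors = filter_errors(lines)
        if section_errors:
            errors += ["", title] + section_errors
    return "\n".join(everything), "\n".join(errors)


def collect(servers=SERVERS, days=1):
    """Run dumpel for every server/log pair (needs dumpel.exe on the PATH)."""
    sections = []
    for server, logs in servers.items():
        for log in logs:
            proc = subprocess.run(dumpel_command(server, log, days),
                                  capture_output=True, text=True, check=False)
            sections.append((f"{server.upper()} {log}", proc.stdout.splitlines()))
    return sections


def write_pages(all_text, errors_text):
    """Wrap both reports in head.txt/head2.txt and foot.txt like the batch file."""
    for page, head, body in (("log.htm", "head.txt", all_text),
                             ("errors.htm", "head2.txt", errors_text)):
        with open(head, encoding="utf-8", errors="replace") as h, \
             open("foot.txt", encoding="utf-8", errors="replace") as f, \
             open(page, "w", encoding="utf-8") as out:
            out.write(h.read() + body + "\n" + f.read())


# Constructed sample records in dumpel -c layout (not real captured output).
SAMPLE = [
    "5/21/2002,8:00:02 AM,1,0,6008,EventLog,N/A,DATA,The previous system shutdown was unexpected.",
    "5/21/2002,8:01:10 AM,4,0,6005,EventLog,N/A,DATA,The Event log service was started.",
    "5/21/2002,9:15:00 PM,16,0,529,Security,SYSTEM,DATA,Logon Failure: Unknown user name or bad password.",
    "5/21/2002,10:12:43 AM,1,0,5,Symantec AntiVirus/Filtering,N/A,MAIL,Virus Found! Virus name: EXAMPLE-VIRUS.",
]

if __name__ == "__main__":
    # Stand-alone run over the constructed sample; swap in collect() for real logs.
    all_text, errors_text = build_report([("DATA system", SAMPLE[:3]),
                                          ("MAIL application", SAMPLE[3:])])
    print(all_text)
    print("--- errors only ---")
    print(errors_text)
```

Run the file directly and it prints the two reports for the constructed sample; replace the sample with collect() in the main block (and call write_pages) to pull the real logs. Checking the type and source fields rather than substrings means a message body that happens to contain "M,1," can no longer slip into the error page, the exclusion applies to every server instead of the single line it was added to in the batch, and the sample shows that "M,1," only ever selected type 1 (error) records: the failure audit line (type 16) is not picked up by either version.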