Event viewer / reading 1

[mutley1]

Guys,

SQL2000 - is there any kind of integration / manner in which I would be able to report on event viewer logs through SQL?

TIA,

M.

 

[JayKusch]

You could use a 3rd party app like LogParser to gather windows event logs (Application, Secruity, System) and import them into a staging DB where you could then run queries against the tables and find the events you are interested in.

I have done this in the past with minimal effort.

Thanks

J. Kusch

 

[mutley1]

thanks J,

I was trying to use Scriptomatic from MS to get a text file i can import, but when i "adapted" it if gives me not a lot. I'll look up LogParser - do you have a site for it please?

Thanks,

M.

 

[JayKusch]

LOL ... well when I said 3rd party tool I really should have said Non-Native SQL Server tool since Log Parser is a Microsoft tool. Here is the link ...

http://www.microsoft.com/downloads/...6b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Now what I have done is to create 1 staging and 1 archive table for each of the App/Sec/Sys Windows Event Logs I am pulling down from all of my remote server (at one time I was pulling over a 100 servers).

Now each day I had a job that would:

1. trunc the staging tables
2. Execute the batch file that uses LogParser to gather the App/Sec/Sys Win event logs for all the servers I had listed in a "Servers" table (ones thathad their "active" flag set to yes).
3. Once all of the recs were pulled, I exported the recs from the staging tables to the archive tables for historical purposes (a method to keep all events pulled in case we needed to look back at them).
4. I then have scrub scripts that cleaned up (deleted) records we were not interested in like print drivers not being installed, security alerts for good logins, terminal server messages, ect.
4. From there I created one report for event log that gave a total event record count per server. I then had another report that showed only the major (ERROR) events that happended per server. If the ERROR was duplicated many times in a row, I would just list the error on one line of the report followed by another line item with the total number of times the error happened. Of course I emailed these out.

From there you are on your own as what you want to report on and view.

ONE NOTE: You will find that some of the Windows Event Logs can be VERY LARGE ... so what I did was ran the process the first time (which took a LONG TIME since LogParser has to read the WHOLE event log) on a weekend to get all of the event logs for as long as they had been around then I went to each server (yes it can be tedious the first time - lol) and I save the event logs to local disc, purge the log and then set it to roll over every 2 weeks).

This helped me in that the import process now only had to deal with a 2 week sized log possibly AND it also retained 2 weeks worth of events on the server for the Systems Engineers (or whoever) to see in case they were fighting a fire.

Hope this help and ENJOY~

Thanks

J. Kusch

 

[mutley1]

Cheers J.

I'm only interested in one specific error so as long as I can get a dump to text it should be easy enough to import and scrub the keek in the middle. the person I'm doing it for is too lazy to give it a go and look for the means so I'll just give him the poo and let him sort out what he wants.

Thanks,

M.