Use your eventlogs as CSI material

When troubleshooting an issue, the event log is the first place you would look. If you're lucky you might find a clue as to what is happening on that troublesome server. POW! There, I found it... cool! Now you want to know since when this error has been occurring, or whether it has occurred before. How would you go about accomplishing this?

Again, like I always say: this is not THE way of doing things but A way of doing things. I'm hoping to stimulate you to think about your own environment and come up with some other cool way of doing things that will make other sysadmins happy!
Since I reboot my Terminal Servers every day, I've made saving the event logs part of my daily reboot script.
First off, download the tools DUMPEVT, LOGEVENT and PSLOGLIST (PsLogList is optional; you can also use DUMPEVT to clear the logs). These tools will help us save the logs, clear the logs, and tell the event log what we're doing.
My reboot script is written in KiXtart, but this is up to you (use cmd, VBScript or PowerShell if you prefer).
A little chunk of the script does the following things:
1) A directory is created to save the log files in, named after the date (YEAR-MONTH-DAY)
2) DUMPEVT is then used to save the System, Application and Security logs to the location created in step 1
3) PsLogList is used to clear the event logs we saved in step 2
4) LogEvent is then used to write an event recording that we cleared the logs (are you still there?)
If everything went smoothly you should see a directory per day at the file server location where the event logs are stored.
This way, over time, you will build a complete library of event logs from your (terminal server) farm.
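The same four steps in PowerShell, as an added example that is not the original post's KiXtart script. It uses the built-in wevtutil.exe instead of DUMPEVT/PsLogList, and Write-EventLog instead of LogEvent. The archive root \\fileserver\evtlogs, the event source name EventLogArchive, the local staging directory and the event ID 1000 are my assumptions, not values from the post. Two things the original step list glosses over: exporting and clearing as two separate commands leaves a window in which events are lost, so the backup-and-clear is done in one wevtutil call; and clearing the Security log is itself audited (event 1102 on Vista/2008 and later, 517 on Server 2003), so a cleared Security log always starts with a record of who cleared it.

```powershell
# Added example, not the post's own script. Run as Administrator in Windows
# PowerShell 5.1 on the terminal server (Write-EventLog is not in PowerShell 7).
# Assumed values: archive root, event source name, staging dir, event ID 1000.
#Requires -RunAsAdministrator
param(
    [string]$ArchiveRoot = '\\fileserver\evtlogs',            # assumed UNC path
    [string[]]$Logs      = @('System', 'Application', 'Security'),
    [string]$Source      = 'EventLogArchive'                   # assumed source name
)

$ErrorActionPreference = 'Stop'

# 1) One directory per day (YEAR-MONTH-DAY) under a per-server folder on the file server.
$day    = Get-Date -Format 'yyyy-MM-dd'
$target = Join-Path $ArchiveRoot (Join-Path $env:COMPUTERNAME $day)
New-Item -ItemType Directory -Path $target -Force | Out-Null

# The backup file is written by the Event Log service (Local Service), not by
# this script, so it cannot reliably target a UNC share. Stage it in a local
# directory that account can write to (assumed: %SystemRoot%\Temp), then move it.
$staging = Join-Path $env:SystemRoot "Temp\evtarchive-$day"
New-Item -ItemType Directory -Path $staging -Force | Out-Null

foreach ($log in $Logs) {
    $file = Join-Path $staging "$log.evtx"

    # 2) + 3) Back up and clear in a single call (/bu:). Running 'wevtutil epl'
    # and then 'wevtutil cl' separately would silently drop any event written
    # between the two commands.
    & wevtutil.exe cl $log "/bu:$file"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil failed to back up and clear '$log' (exit code $LASTEXITCODE)"
    }

    Move-Item -Path $file -Destination (Join-Path $target "$log.evtx") -Force
}

# 4) Record what we did. Clearing the Security log already produces its own
# audit event (1102 / 517); this entry adds the archive location so the next
# troubleshooter knows where the old records went.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source   # one-time registration
}
Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information `
    -Message "Event logs ($($Logs -join ', ')) archived to $target and cleared by $env:USERNAME"
```

The account running this needs the "Manage auditing and security log" user right (SeSecurityPrivilege) to touch the Security log; a plain local administrator has it by default, a scheduled task running as a restricted service account may not. Keep the archive share write-only for the terminal servers (no delete/modify), otherwise anyone who compromises a server can clean up after themselves in the library as easily as in the live log.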
For example: I want to know when event ID 1509 first started showing up on my Citrix farm. I used UltraEdit to search through all the files in each subdirectory for event ID 1509. UltraEdit was busy for about a minute and *ping*... the first time this event occurred was
10-10-2007. Awesome, right? Now that you are completely thrilled and inspired, go out and make your own event log library using VBScript, PowerShell or whatever your poison is, and make other sysadmins happy!
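The same "when did this event first appear" question answered against a library of saved .evtx files, as an added example rather than the author's UltreEdit text search. It assumes the archive is laid out as \\fileserver\evtlogs\<server>\<yyyy-MM-dd>\<Log>.evtx (my assumption) and that the logs were saved in native .evtx format, which Get-WinEvent can query directly by event ID instead of grepping through text dumps.

```powershell
# Added example, not part of the original post. Assumes an archive of .evtx
# files under $ArchiveRoot; the root path and the event ID default are mine.
param(
    [string]$ArchiveRoot = '\\fileserver\evtlogs',   # assumed UNC path
    [int]$EventId        = 1509                      # the event the post searches for
)

$ErrorActionPreference = 'Stop'

# Every saved log file in the library, regardless of server or day.
$files = Get-ChildItem -Path $ArchiveRoot -Recurse -Filter '*.evtx' | Sort-Object FullName

$hits = foreach ($f in $files) {
    # Filtering on Id inside Get-WinEvent lets the Event Log API do the work on
    # the indexed file; reading every record into PowerShell and filtering there
    # is orders of magnitude slower on a large library.
    # Get-WinEvent throws "No events were found" for a file without matches,
    # hence -ErrorAction SilentlyContinue.
    Get-WinEvent -FilterHashtable @{ Path = $f.FullName; Id = $EventId } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, ProviderName,
                      @{ Name = 'Archive'; Expression = { $f.FullName } }
}

if (-not $hits) {
    Write-Host "Event ID $EventId was not found anywhere under $ArchiveRoot"
    return
}

# Earliest occurrence across the whole farm, plus a per-server count so you can
# see whether one box or all of them started misbehaving.
$first = $hits | Sort-Object TimeCreated | Select-Object -First 1
Write-Host "First occurrence of event ID $EventId`: $($first.TimeCreated) on $($first.MachineName) ($($first.Archive))"
$hits | Group-Object MachineName | Select-Object Name, Count | Sort-Object Count -Descending
```

TimeCreated comes from the record itself, so the result does not depend on the directory names being correct, which matters if a server's clock or the reboot script's date ever drifted. If the library was saved as text dumps (as DUMPEVT produces) rather than .evtx, Select-String -Path ... -Pattern over the files is the PowerShell equivalent of the UltraEdit search in the post.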