The EventCombMT.exe utility, included in the Account Lockout and Management Tools, is a multithreaded tool that can search the event logs of multiple computers from a central location, like your workstation.
You can specify the following parameters:
Individual event IDs Multiple event IDs A range of event IDs An event source Specific event text How many minutes, hours, or days back to scanSome search categories are built-in, such as Account Lockouts. The Account Lockouts search is preconfigured to include event IDs 529, 644, 675, 676, and 681. You can add event ID 12294 to search for potential attacks against the Administrator account.
To search events logs for account lockouts:
1. Start EventCombMT.exe.
2. Press Set Output Directory from the Options menu, and select a folder or press Make New Folder. Press OK when you finish configuring the Output Directory.
3. On the Searches menu, select Built In Searches, and press Account Lockouts.
4. The Select To Search/Right Click To Add box is populated with all the domain controllers in your domain. You can right-click in the box to modify the list of computers.
5. The Event IDs box contains 529 644 675 676 681. After the 681, you can add a space, followed by 12294.
6. In the Scan Back box, select Minutes, Hours, or Days, and type a value.
7. Select the computers you want to search in the Select To Search/Right Click To Add box.
8. Press Search.
9. When the search is finished, you can view the results in the Output Directory, which is opened. You can import the files to a spread sheet or database.
