EventComb: It's Free; It's Essential; Get It!

Over the past few years, network security has moved from a "we oughta" task for a lot of firms to a "we gotta" task. But network security isn't painless: Firewalls aren't cheap, tighter password rules create unhappiness among employees, and writing security procedures is tedious.

Microsoft equipped Windows NT with a rich set of security-logging tools that you can use to audit every event on every machine on your network. In no time, you'll have a wealth of information about who's doing what—and where and when they're doing it.

But how do you use this information to secure your network? For example, you might think that you can just peek at the Security event logs to see whether someone's trying to hack your system, right? Well, not exactly.

Windows .NET Server (Win.NET Server) 2003, Windows XP, and Windows 2000 store auditing information in each system's Security event log. Thus, if you have 20 servers and 1000 workstations, you'd have to look through 1020 Security event logs, each on a separate computer. So trying to figure out something relatively simple becomes a major task that requires visiting lots of computers and searching for a particular event ID.

With the Security event logs, Microsoft developers gave us a great security auditing and warning tool but neglected to add a centralized way to manage, store, and query the logs. (Well, they didn't leave it out; they decided to charge separately for it in the form of Microsoft Operations Manager—MOM.) I can't solve the "manage and store" part today, but I've discovered a nifty tool for looking through piles of Security event logs—a free Microsoft application called EventComb.

EventComb is part of a Microsoft document called "Security Operations Guide for Windows 2000 Server." To obtain EventComb, you need to go to http://www.microsoft.com/downloads/release.asp?releaseid=36834 and download secops.exe. When you run secops.exe, the program creates a folder called SecurityOps. Within SecurityOps is a folder named EventComb, which contains a compiled HTML Help file and the EventComb program.

To illustrate how EventComb works, let's perform a simple event log search. Because you currently might not have anything in your Security event log, let's search the System event log for something we'll likely find: We'll look for messages from W32Time, the service that synchronizes your system time to some outside time source.

When you open EventComb, you'll see why the application is free: The user interface definitely leaves something to be desired. The left-hand side of the application window contains a box labeled "Select to Search/Right Click to Add." Right-click inside the box and in the field that opens, enter the name of the computer you want to search. Add as many computers as you want, but the more machines you search, the longer the search will take.

In the EventComb window, you'll see a series of check boxes under the heading "Choose Log Files to search." Select System. Under "Event Types," select the check boxes next to Error, Informational, and Warning. In the lower-left of the EventComb window, you'll see a text field labeled "Event IDs"; leave the field blank. Below that field is a drop-down list called "Source"; select "W32Time." Click Search and wait for the application to finish searching.

When EventComb finishes searching the specified computer, the program opens a window showing the C:\Temp directory, in which it keeps the search results and log files. You'll see a text file named <systemname>-System_LOG.txt. For example, if you search a machine named MYPC, you'll get a file named c:\temp\MYPC-System_LOG.txt. Open the file with Notepad to see a list of W32Time-related events.

EventComb lets you create far more complex searches than the example I used, and also lets you create and store searches for future use. (Here's an interesting search: Check the System log for errors on source "atapi." You might be surprised by the number of hard disks on your network that are a little wobbly.)

So download a copy of EventComb and start making use of your event logs! (And keep flossing; it's good for the gums.)

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.