How can I filter only events with specific text strings out of a security event log and save them to a new log?

Posted on 2011-10-05
Last Modified: 2012-05-12
Greetings -

I'm looking to filter events out of a very large security event log that contain only certain text.  I would then like to save those events to a new log.  I'm seeking a utility, script, etc. recommendation on how I can do this in a more automated fashion.

Unfortunately, the Server 2008 R2 Event Viewer, while much nicer than prior versions, still doesn't seem to offer filtering based on a custom string.  If I'm wrong, please educate me.  There's a "Find" feature but that doesn't filter the log for only those events, it just finds events with that text in it.  Which means I would need to manually go through thousands of events selecting them one at a time.

I'm looking to search the log for lets say "MickeyMouse" and save only events that have that text into a new file.  Perhaps there's a more powerful Event Viewer out there somewhere that I could leverage.

Any advice is certainly appreciated.  Thank you!
Question by:amendala
    LVL 57

    Accepted Solution

    Have you looked at eventcomb

    It is a free tool you can download from Microsoft.  See if that helps

    I agree built in event viewer could be better.



    Author Comment

    I'd forgotten all about eventcomb... that works for me!  Thanks!

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
    Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
    To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now