Domain: Text box showing the domain you are in. When the server list is populated, the DCs are taken from this domain.

 

Servers/Logs: Select the servers/logs you would like to search.

Right click in this window to add servers.

Use File\Open Saved Logs to add Saved Event Logs to this list.

 

Output Directory: Default is c:\temp and it will be created if it doesn't exist. Choose Set Output Directory from the File menu to change this. This setting should be remembered between sessions.

 

Specific IDs: Enter the specific IDs you wish to search for. Enter IDs separated by spaces; up to 10 event IDs may be entered.

 

Source: The list of sources is pulled from the registry. It is only available if exactly one log is selected.

 

Text: Enter the text that must be in the event for it to be captured. Do not use boolean logic (and, or) or quotes; the string is matched literally. Matching is case insensitive.

 

Scan Back: Allows you to choose how far back in the logs to search. Enter a number in the text box and then choose: Minutes, Hours, or Days. Once a record older than this cutoff is reached, the rest of that log is abandoned.

Default: Days

 

Status: Lists information pertaining to the current search. This information is also saved to the file EventCombMT.txt in the output directory.

 

Choose Log File to Search: Allows you to select which log files to search.

            Available log files are:

 

NOTE: A log is disabled in this list if you do not have the rights to open it normally. You may be able to edit the registry to enable parsing of a disabled log.

 

Event Types: Allows you to choose which types of events you would like to search.

            You can choose from:

                        Error

                        Informational

                        Warning

                        Success Audit

                        Failure Audit

                        Success (very rare; Event Viewer shows these as Informational.)

 

Get All Events Matching Above Criteria: Checking this box bypasses the search criteria (Specific IDs, Source, Text) and captures every event matching the selected logs and event types. For instance, if you check Warning and Application, you will capture all Warning events in the Application log. The criteria controls are disabled because their contents will not be used, even if data was previously entered in them and is still visible. Disabled criteria controls never count towards the search.
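As an added example (not part of EventCombMT or its help), the same search criteria expressed with Get-WinEvent in PowerShell: log name, Specific IDs, Source, plain-text substring, Scan Back window, event types, the Get All bypass, a thread limit and one output file per server. It assumes PowerShell 7 on Windows (for ForEach-Object -Parallel) and an account allowed to read the remote logs; the server names and the CSV file naming are the example's own choices.

```powershell
# Added example, not EventCombMT's own code: an equivalent search with Get-WinEvent.
# Assumes PowerShell 7 on Windows and read access to the remote event logs.
function Search-EventLogsLikeCombMT {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Server,      # "Servers/Logs" list
        [string[]]$LogName = @('System'),             # "Choose Log File to Search"
        [int[]]$Id,                                   # "Specific IDs" (tool allows up to 10)
        [string]$Source,                              # "Source" (provider name)
        [string]$Text,                                # "Text": plain substring, no logic or quotes
        [ValidateSet('Error','Warning','Informational','SuccessAudit','FailureAudit')]
        [string[]]$EventType = @('Error','Warning','Informational'),
        [int]$ScanBack = 1,                           # "Scan Back" amount
        [ValidateSet('Minutes','Hours','Days')]
        [string]$ScanBackUnit = 'Days',
        [switch]$GetAll,                              # "Get All Events Matching Above Criteria"
        [int]$Threads = 25,                           # "Threads" slider
        [string]$OutputDirectory = 'C:\temp'          # "Output Directory"
    )

    if ($Id.Count -gt 10) { throw 'Specific IDs: at most 10 event IDs may be entered.' }
    if (-not (Test-Path $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }

    # Scan Back: records older than this are not examined.
    $start = switch ($ScanBackUnit) {
        'Minutes' { (Get-Date).AddMinutes(-$ScanBack) }
        'Hours'   { (Get-Date).AddHours(-$ScanBack) }
        'Days'    { (Get-Date).AddDays(-$ScanBack) }
    }

    # Server-side filter. Like the Get All checkbox, -GetAll drops the ID, source and
    # text criteria and keeps only the log names, time window and event types.
    $filter = @{ LogName = $LogName; StartTime = $start }
    if (-not $GetAll) {
        if ($Id)     { $filter['Id'] = $Id }
        if ($Source) { $filter['ProviderName'] = $Source }
    }
    $text = if ($GetAll) { $null } else { $Text }

    $Server | ForEach-Object -Parallel {
        $name   = $_
        $filter = $using:filter
        $types  = $using:EventType
        $text   = $using:text
        $outDir = $using:OutputDirectory

        $events = Get-WinEvent -ComputerName $name -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object {
                $ev = $_
                # Event type: audits are carried in the keywords, the rest in Level.
                $kw = $ev.KeywordsDisplayNames -join ','
                $typeOk = switch ($ev.LevelDisplayName) {
                    'Error'       { $types -contains 'Error' }
                    'Warning'     { $types -contains 'Warning' }
                    'Information' {
                        if     ($kw -like '*Audit Success*') { $types -contains 'SuccessAudit' }
                        elseif ($kw -like '*Audit Failure*') { $types -contains 'FailureAudit' }
                        else                                 { $types -contains 'Informational' }
                    }
                    default       { $false }
                }
                # Text: case-insensitive literal substring match on the formatted message.
                $textOk = (-not $text) -or
                          ($ev.Message -and $ev.Message.IndexOf($text, [StringComparison]::OrdinalIgnoreCase) -ge 0)
                $typeOk -and $textOk
            }

        # One output file per server; the CSV naming is this example's choice.
        $events | Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName, Message |
            Export-Csv -NoTypeInformation -Path (Join-Path $outDir "$($name).csv")
        [pscustomobject]@{ Server = $name; Matches = @($events).Count }
    } -ThrottleLimit $Threads
}

# Placeholder usage: the "specific" search the Cached DLLs note mentions
# (6005, Informational, System log) on two DCs over the last 7 days.
# Search-EventLogsLikeCombMT -Server dc1,dc2 -LogName System -Id 6005 -EventType Informational -ScanBack 7 -ScanBackUnit Days
```

The type test is done client-side on LevelDisplayName and KeywordsDisplayNames because a single FilterHashtable ANDs Level and Keywords, so it cannot express "Error or Warning or Success Audit" in one query; the ID, source and time window are still pushed to the server so only candidate records cross the wire.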

 

Threads: Use this slider to control how many threads are running. It is active even when a search is running.

Default: 25 threads

 

NOTE: If there are 50 threads running and you slide it to 40, there will still be 50 threads running; it doesn't pause or kill running threads. However, no new threads will be spun up until the count drops to 39.

 

Servers Running: Displays a list of the servers whose searches are running now.

 

Statistics:

            Total Records Searched: The number of events that have been examined.

            Matching Events Found Total: The number of events that have matched the search criteria.

Records per Second: The average number of records per second that were parsed (saved or discarded).

Threads Running: The number of currently running threads. The name of each thread is also shown.

Total Bytes Read: The number of bytes read. As the number grows, the display switches to MBytes and then GBytes.

Cached DLLs: The number of event message DLLs in the cache. This number is usually low, less than 50 for a large search, and is currently limited to 500. If your search is specific (6005, Informational, System log) this counter may stay at 1. A DLL is only loaded to format a record's message after all other search criteria have matched (except text, which needs the formatted message). The name of each DLL is also shown.

Cached SIDs: SID to name lookups are very slow. Resolved SIDs are cached so that if the same SID is found again the search runs much quicker. This is especially useful for searching security logs, where every record has a SID attached to it. The SIDs cached are shown in the list; this display can be disabled under the Options menu.
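The caching described above, as an added PowerShell example that is not the tool's own code: a hashtable memoizes SID-to-name translations so each distinct SID is resolved once, and a SID that cannot be resolved is cached as-is so it is not retried for every record that carries it. The Security log query at the end is illustrative and needs read access to that log; the well-known SIDs used first resolve locally without a DC.

```powershell
# Added example, not EventCombMT's own code: memoized SID-to-name lookup.
$script:SidCache   = @{}
$script:SidLookups = 0   # counts real translations, to show the cache doing its job

function Resolve-SidCached {
    param([Parameter(Mandatory)][string]$Sid)
    if ($script:SidCache.ContainsKey($Sid)) { return $script:SidCache[$Sid] }
    $script:SidLookups++
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted account, foreign domain or unreachable DC: keep the raw SID and
        # cache it too, so the slow failing lookup is not repeated per record.
        $name = $Sid
    }
    $script:SidCache[$Sid] = $name
    return $name
}

# Well-known SIDs (LocalSystem, BUILTIN\Administrators); the repeat costs no lookup.
'S-1-5-18', 'S-1-5-18', 'S-1-5-32-544' | ForEach-Object { Resolve-SidCached $_ }
"$($script:SidLookups) lookups for $($script:SidCache.Count) distinct SIDs"

# Applied to the Security log (needs read rights): every record carries a SID in UserId,
# and a typical hour contains only a handful of distinct ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-1) } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object UserId |
    ForEach-Object {
        [pscustomobject]@{ Id = $_.Id; Sid = $_.UserId.Value; Account = Resolve-SidCached $_.UserId.Value }
    } |
    Group-Object Account -NoElement
"$($script:SidLookups) lookups total, $($script:SidCache.Count) SIDs cached"
```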

 

 

Completed: Progress bar that shows the percentage of servers finished. It is updated when a server's search has completed. The progress bar does not indicate the progress within a log file, only per server: if you are searching 5 log files per server, all 5 log files must complete before that server registers.

 

Search: Starts the search. If you are missing some criteria you will be asked to correct it.

 

Quit:

When searching: Stops the search. It may take several minutes for all the threads to exit.