Use the Event Log Filter tool (Elf.exe) to specify the servers and events that you want to monitor. After you specify what you want to monitor, the tool writes the results to a text file. It can monitor events on servers, or it can filter events saved in .evt files by using the Windows NT Server Event Viewer.
Note
You can save an event log filter using the Configuration Add and Remove buttons.
1. Run Elf.exe.
2. Choose Add and Remove to specify the servers and .evt files you want to monitor.
3. Specify the name of the output text file.
4. Specify how far back you want to check events.
5. Select the services you want to monitor.
Choose Advanced to specify individual event IDs to ignore for a service.
6. Specify the entry types you want to monitor.
7. Select the Unattended box if you want to skip over errors and continue.
8. Choose Go to start the filter.
The output text file created is in the same format as the Windows NT Server Event Viewer, except that it monitors more than one server and it adds the text description for events.
If you have Microsoft Access, you can use the Microsoft Access Elf.mdb file to provide common summaries of the events. To do so:
1. Start Microsoft Access.
2. Open Elf.mdb.
3. Choose Open Event Log and specify the full path to the output file created with the Event Log Filter.
4. Choose View Details.
The top half of the view window shows the count of each event ID found. Click an event to see individual occurrences in the bottom half of the window.
Note
The Elf.mdb database will grow with use. You need to compact this database manually by using the Tools.Database Utilities.Compact Database option in Microsoft Access.
You can use the Event Log Scan tool (Evtscan.exe) to monitor servers for specific events. When a specified event is detected, the Event Log Scan tool can be configured to:
1. Create a configuration file with a .cfg extension specifying the events and actions required. The format is as follows:
EventID;Source;Action;Alert list;Mail list;Comment string
Configuration Entry | Description |
Event ID | The numerical event ID (see the Windows NT Server Event Viewer). |
Source | The source name for the service to monitor. |
Action | The action to take; can be Restart or Stop. |
Alert list | A comma-separated list of computers to send network pop-ups to when the event is detected. |
Mail list | A comma-separated list of e-mail aliases to notify when the event is detected. |
Comment string | A comment that is included in the alert pop-up and e-mail message when the event occurs. |
2. Run Evtscan.exe by using the following command-line format:
evtscan -f config_file -t delay_in_seconds server_list
where config_file is the name of the configuration file created in step 1, delay_in_seconds is the time the tool waits between scans (for example, typing -t 15 means the tool scans for events every 15 seconds), and server_list is a comma-separated list of the servers to monitor for the events.
3. Leave Evtscan.exe running on the desktop. You might want to minimize the command prompt window.
The following is a sample configuration file:
;sample config file. 9277;MSExchangeMTA;restart;nobellchem;nobellchem;Event 9277 9278;MSExchangeMTA;stop;nobellchem;;Event 9278 9279;MSExchangeMTA;;nobellchem;nobellchem;Event 9279 9297;MSExchangeMTA;restart;nobellchem;nobellchem;Event 9297