The Zetetic.Events Shell is a free, fast, and efficient tool to extract Event Log data for Active Directory and Windows computers (Server 2008, Server 2003, Windows 7, and newer), allowing you to find out where and when important things happened.
Suppose your environment has 50 domain controllers, and someone has modified a sensitive security group in Active Directory. You already know when the change happened, just by looking in the directory, but you don’t know who made the change, or what members were added or removed.
Zetetic.Events Can Help!
Logging into all 50 servers to scan the security event logs would take all day. Even worse, the events might disappear if the security logs rolled over before you processed them all. EventCombMT is a popular legacy tool, but isn’t a great solution because it would pull all available data over the wire, likely requiring several hours to complete.
The Zetetic.Events Shell tool makes this job quick and easy; you don’t even need to tell it the names of your domain controllers—just the interesting event IDs. From the command line:
ZeShell -e 4728-4758,after=19-July-2011
-----------------------------------------------------
Event ID: 4728
Level: Information
Keywords: Audit Success
Publisher: Microsoft-Windows-Security-Auditing
Created: 7/20/2011 2:35:17 PM
Machine: dc-1.demo.net
Log: Security
Description: A member was added to a security-enabled global group.
Subject:
  Security ID: S-1-5-21-950928700-2040260430-2032203972-500
  Account Name: Administrator
  Account Domain: DEMO
  Logon ID: 0x454d11
Member:
  Security ID: S-1-5-21-950928700-2040260430-2032203972-187428
  Account Name: CN=Uncle Fester,OU=ZetDemo,DC=demo,DC=net
Group:
  Security ID: S-1-5-21-950928700-2040260430-2032203972-187514
  Group Name: Global1
  Group Domain: DEMO
Additional Information:
  Privileges: -
Want to save all available recent Active Directory account lockouts in your environment to a file? Piece of cake:
ZeShell -e 4740 > lockouts.txt
Or, perhaps you need to know which privileged users have conveniently forgotten to mention deleting users and groups?
ZeShell -e 4726,4730,4734,4758,4748,4753,4763
All the filtering happens on the remote server side, without installing any other software, and runs in parallel, so there’s no waiting, no cumbersome GUI, and no wasted network traffic sorting through all the stuff you don’t need to see.
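For comparison, here is the same cross-domain-controller query done with Windows' built-in tooling, as an added example that is not part of Zetetic.Events Shell: it shows what the tool automates (DC discovery, remote server-side filtering by event ID and start time, and extracting the actor, group and member fields from the event data). It assumes the RSAT ActiveDirectory module for Get-ADDomainController and that Event Log remote management is reachable on each DC; the event ID list and output file name are placeholders.

```powershell
# Added example, not Zetetic code. Group membership change events
# (member added/removed to global, local and universal security groups).
param(
    [int[]]    $EventId = @(4728, 4729, 4732, 4733, 4756, 4757),
    [datetime] $After   = (Get-Date '2011-07-19'),
    [string]   $OutFile = 'group-changes.csv'   # placeholder path
)

# Discover the DCs instead of maintaining a server list by hand.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # FilterHashtable is turned into an XPath query that the remote
        # event log service evaluates, so only matching events cross the wire.
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = $EventId
            StartTime = $After
        } | ForEach-Object {
            # Read the named fields from the event XML rather than the
            # rendered message text, so the output is stable and parseable.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Group   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Member  = $d.MemberName          # DN of the added/removed member
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that is not an error here.
        # RPC failures or access denied are worth seeing, so surface them.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Time | Export-Csv -NoTypeInformation -Path $OutFile
$results | Sort-Object Time | Format-Table -AutoSize
```

The DCs are queried one after another here; the point of the comparison is that the filtering is remote, not that it is parallel.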
Get Zetetic.Events Shell
You can download Zetetic.Events Shell for free today.
Combine – Security Event Management for Windows, Active Directory, and UNIX
We’re providing the Zetetic.Events Shell at no charge in the hopes that it will be useful to the community, and as a preview of our industrial-strength, realtime auditing package, Combine.
If you’ve ever wanted a live view and durable audit trail of changes to Active Directory, file shares, or file security, please contact us now for a demo and free evaluation information.
Key features of the full Combine package include:
- Near real-time streaming of event data
- Agentless, durable event monitoring of dozens to hundreds of hosts
- Pre-built, customizable capture templates for various server roles (domain controllers, file servers, web application servers)
- Deep inspection of audit trails; view by user activity or by targets of that activity
- Automatic topology discovery
- Event ID library and assistant
- Web-based management and reporting