Zetetic.Events Shell

The Zetetic.Events Shell is a free, fast, and efficient tool to extract Event Log data for Active Directory and Windows computers (Server 2008, Server 2003, Windows 7, and newer), allowing you to find out where and when important things happened.


Suppose your environment has 50 domain controllers, and someone has modified a sensitive security group in Active Directory. You already know when the change happened, just by looking in the directory, but you don’t know who made the change, or what members were added or removed.

Zetetic.Events Can Help!

Logging into all 50 servers to scan the security event logs would take all day. Even worse, the events might disappear if the security logs rolled over before you processed them all. EventCombMT is a popular legacy tool, but isn’t a great solution because it would pull all available data over the wire, likely requiring several hours to complete.

The Zetetic.Events Shell tool makes this job quick and easy; you don’t even need to tell it the names of your domain controllers—just the interesting event IDs. From the command line:

ZeShell -e 4728-4758,after=19-July-2011
-----------------------------------------------------
Event ID:    4728
Level:       Information
Keywords:    Audit Success
Publisher:   Microsoft-Windows-Security-Auditing
Created:     7/20/2011 2:35:17 PM
Machine:     dc-1.demo.net
Log:         Security
Description: A member was added to a security-enabled global group.

Subject:
        Security ID:            S-1-5-21-950928700-2040260430-2032203972-500
        Account Name:           Administrator
        Account Domain:         DEMO
        Logon ID:               0x454d11

Member:
        Security ID:            S-1-5-21-950928700-2040260430-2032203972-187428
        Account Name:           CN=Uncle Fester,OU=ZetDemo,DC=demo,DC=net

Group:
        Security ID:            S-1-5-21-950928700-2040260430-2032203972-187514
        Group Name:             Global1
        Group Domain:           DEMO

Additional Information:
        Privileges:             -

Want to save all available recent Active Directory account lockouts in your environment to a file? Piece of cake:

ZeShell -e 4740 > lockouts.txt

Or, perhaps you need to know which privileged users have conveniently forgotten to mention deleting users and groups?

ZeShell -e 4726,4730,4734,4758,4748,4753,4763

All the filtering happens on the remote server side, without installing any other software, and runs in parallel, so there’s no waiting, no cumbersome GUI, and no wasted network traffic sorting through all the stuff you don’t need to see.
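For readers who want to see what the same query looks like without the tool, here is an added example that uses only the built-in Windows PowerShell cmdlets (Get-ADDomainController, Get-WinEvent and Start-Job); it is not Zetetic's code and is not part of the Zetetic.Events Shell. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the Security log on every domain controller (for instance via Event Log Readers membership).

```powershell
# Added example: collect group-membership change events 4728-4758 after a
# given date from every domain controller. FilterHashtable is turned into a
# server-side XPath query, so only matching records cross the wire, and each
# DC is queried in its own background job so the collection runs in parallel.
# Assumes: ActiveDirectory module present; caller can read each DC's Security log.
Import-Module ActiveDirectory

$after    = Get-Date '2011-07-19'   # same cut-off as the page's example
$eventIds = 4728..4758               # group membership add/remove events

# Discover DCs from the directory instead of maintaining a hand-written list.
$dcs = (Get-ADDomainController -Filter *).HostName

$jobs = foreach ($dc in $dcs) {
    Start-Job -Name $dc -ArgumentList $dc, $after, $eventIds -ScriptBlock {
        param($computer, $start, $ids)
        # -ErrorAction SilentlyContinue: a DC with no matching events raises a
        # "No events were found" error, which we treat as an empty result.
        Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $start } |
            ForEach-Object {
                # The XML view exposes named fields (SubjectUserName, MemberName,
                # TargetUserName) rather than the free-text description.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    Machine = $computer
                    Created = $_.TimeCreated
                    EventId = $_.Id
                    Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Member  = $d.MemberName        # DN of the account added/removed
                    Group   = $d.TargetUserName    # name of the modified group
                }
            }
    }
}

# Wait for all DCs, gather the results, then discard the jobs.
$results = $jobs | Wait-Job | Receive-Job
$jobs | Remove-Job
$results | Sort-Object Created |
    Format-Table Machine, Created, EventId, Actor, Group, Member -AutoSize
```

Swap `$eventIds` for `4740` and pipe the result to `Out-File lockouts.txt` to reproduce the lockout report shown above.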

Get Zetetic.Events Shell

You can download Zetetic.Events Shell for free today.


Combine – Security Event Management for Windows, Active Directory, and UNIX

We’re providing the Zetetic.Events Shell at no charge in the hopes that it will be useful to the community, and as a preview of our industrial-strength, real-time auditing package, Combine.

If you’ve ever wanted a live view and durable audit trail of changes to Active Directory, file shares, and file security, please contact us now for a demo and free evaluation information.

Key features of the full Combine package include:

  • Near real-time streaming of event data
  • Agentless, durable event monitoring of dozens to hundreds of hosts
  • Pre-built, customizable capture templates for various server roles (domain controllers, file servers, web application servers)
  • Deep inspection of audit trails; view by user activity or by targets of that activity
  • Automatic topology discovery
  • Event ID library and assistant
  • Web-based management and reporting