Sunday, June 21, 2009

Dumb and dumber



Aysh and I got the Trail70 running this weekend and took it for a ride around the neighborhood. Keep it on the down-low and please don't call the po-po. Turn up the sound for this...


Dumb and Dumber - Trail70




Last weekend we hit the BMX track and had a little fun.


Ayshia at Highlands Ranch BMX


Thursday, April 30, 2009

What's wrong with this picture?

You may need to click on it to see it larger, but what's wrong with this picture? Leave a comment if you know...

Wednesday, September 3, 2008

Microsoft has a sense of humor?

This real error message cracked me up...



Cannot delete schIO_BROKER_2: There is not enough free disk space. Delete one or more files to free disk space, and then try again.

Thank heavens we still have the command line!

This next message, of course, is fake, but man, sometimes I feel this way...



Your mouse has moved. Windows must be restarted for the change to take effect.

Thursday, August 21, 2008

How to get around Group Policy enforced screen savers

This is post #3 in my series of boring technology articles that can help people. If you would like to see the others, just click on "boring tech stuff" under the labels to the right.

This one deals with overzealous administrators forcing whatever screensaver they want, on whatever schedule they want, and locking out your options to change it. That is really annoying on a PC that gets no mouse or keyboard input but shows real-time monitoring you keep an eye on all day, such as CPU or memory on your app servers.

Anyway, if you have XP, to get past this, open Notepad and put the example entry below in it. Save it as a .reg file and double-click it. Once it has been imported, right-click on your desktop, choose Properties, look at the Screen Saver tab and close it. This changes the short 5 minute screensaver timeout to a whole 8 hours (28800 seconds), so you don't have to log back in just to see your monitoring stats.

If you open the keys below in the registry you will also see a value called "SCRNSAVE.EXE"; obviously you can change your screensaver there as well. Sure, the GPO will overwrite it at the next policy refresh (by default every 90 minutes, plus a random offset of up to 30 minutes, on workstations), but you have the simple reg file to change it back each time.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="28800"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveTimeOut"="28800"

The second key is the one the GPO writes. In Regedit you will also find it under HKEY_USERS\<your SID>\Software\Policies\Microsoft\Windows\Control Panel\Desktop, where the SID is a long S-1-5-21-... string that varies from user to user and PC to PC. You don't need to look that up: HKEY_CURRENT_USER is just a link to HKEY_USERS\<SID of the logged-on user>, so the path above reaches the same key on any PC.

Disclaimer #1: You can seriously fuck up your computer if you don't know what you are doing with registry crap. Take a little time to understand before doing and it will pay back in boatloads.

Disclaimer #2: Having your screen on for 8 hrs. straight is a security risk. Co-workers might sneak over and send a message to the entire team from you, stating that you love them all so much you'll bring donuts tomorrow. This risk is assumed.

Wednesday, February 13, 2008

Using Microsoft Log Parser to search event viewer for critical system errors

I'm an internet scour-er... All day long I scour Google to do my job, I see the work others have done, I research problems, I pile lots of fragments of thoughts of many people together to come up with my own solutions.

So for once I thought I'd give something back in the hope that it will be useful for others... For this you will need Microsoft Log Parser and blat. Log Parser is a powerful little utility that lets you run SQL statements against many different types of log files and export the results in a variety of formats. For my example we will search the Windows Event Viewer for Warning and Error messages, export them to an HTML file via a template, and finally email the result to ourselves.

First the code and what it does.

It's really broken into three segments that do the same thing, just in different logs (System, Application and Security). Each segment 1) searches the log for Warning, Error or Failure Audit events, 2) if anything is found, emails the results to me, and 3) deletes the results so the next run doesn't resend duplicates.


rem @echo off

REM Using Microsoft Log Parser to stay on top of problems in Event Viewer
REM By Scotty D
REM February 2008


REM You need to download both "blat" and "Microsoft Log Parser"
REM Blat is at http://www.blat.net/
REM Microsoft Log Parser is at http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
REM These only need to be installed on the machine where the script is run


REM Here you set all of your variables as it's much easier to do it here than in the details of the script

REM The reports\ and tail\ subfolders under evtlogshome must exist before the first run
set evtlogshome=c:\tools\evtlogs\
set serverlist=%evtlogshome%servers.txt
set logparser="C:\Program Files\Log Parser 2.2\LogParser.exe"
set blat=C:\tools\blat262\full\blat.exe
set adminemail=bobkratchet@superniftyserver.com
set emaildomain=@superniftyserver.com
set SMTP=relay.superniftyserver.com



REM Parse the System Event log using Microsoft Log Parser
REM We are looking only for error events and Warning events
REM Only the new events since the last time this script was run will be sent via email
REM You will get one email per server where a new event is found
REM If no new Error or Warning event is found, you won't get an email

@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%systemerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, Message INTO %evtlogshome%reports\%%asystem.htm FROM \\%%a\System WHERE EventTypeName = 'Error event' OR EventTypeName = 'Warning event'" -iCheckpoint:%evtlogshome%tail\%%asystemcheckpoint.lpc


REM Now email the details from each server out if anything is found

@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asystem.htm %blat% %evtlogshome%reports\%%asystem.htm -serverSMTP %SMTP% -f %%a%emaildomain% -to %adminemail% -s "New System Event log event on %%a"


REM Delete those suckers so we don't get junk

@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asystem.htm del %evtlogshome%reports\%%asystem.htm



REM Parse the Application Event log using Microsoft Log Parser
REM We are looking only for error events and Warning events
REM Only the new events since the last time this script was run will be sent via email
REM You will get one email per server where a new event is found
REM If no new Error or Warning event is found, you won't get an email

@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%Applicationerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, Message INTO %evtlogshome%reports\%%aapplication.htm FROM \\%%a\Application WHERE EventTypeName = 'Error event' OR EventTypeName = 'Warning event'" -iCheckpoint:%evtlogshome%tail\%%aapplicationcheckpoint.lpc


REM Now email the details from each server out if anything is found

@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%aapplication.htm %blat% %evtlogshome%reports\%%aapplication.htm -serverSMTP %SMTP% -f %%a%emaildomain% -to %adminemail% -s "New Application Event log event on %%a"


REM Delete those suckers so we don't get junk

@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%aapplication.htm del %evtlogshome%reports\%%aapplication.htm



REM Parse the Security Event log using Microsoft Log Parser
REM We are looking only for Failure Audit events
REM Only the new events since the last time this script was run will be sent via email
REM You will get one email per server where a new event is found
REM If no new Failure Audit event is found, you won't get an email

@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%Securityerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, ComputerName, Message INTO %evtlogshome%reports\%%asecurity.htm FROM \\%%a\Security WHERE EventTypeName = 'Failure Audit event'" -iCheckpoint:%evtlogshome%tail\%%asecuritycheckpoint.lpc


REM Now email the details from each server out if anything is found

@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asecurity.htm %blat% %evtlogshome%reports\%%asecurity.htm -serverSMTP %SMTP% -f %%a%emaildomain% -to %adminemail% -s "New Security event log event on %%a"


REM Delete those suckers so we don't get junk

@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asecurity.htm del %evtlogshome%reports\%%asecurity.htm



The block of set commands simply sets a bunch of variables. They are rather self-explanatory, just follow the format of the examples given. The checkpoint files (the .lpc files in the tail folder) are where Log Parser records how far into each log it read last time, so that the next run doesn't look at the entire log again; it's a similar concept to using "tail". On the very first run there is no checkpoint file yet, so Log Parser reads the whole log and you get one big batch; delete a checkpoint file if you ever want to start over from the beginning of a log.

Now let's break out the first set of commands.

@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%systemerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, Message INTO %evtlogshome%reports\%%asystem.htm FROM \\%%a\System WHERE EventTypeName = 'Error event' OR EventTypeName = 'Warning event'" -iCheckpoint:%evtlogshome%tail\%%asystemcheckpoint.lpc

The for command is a plain batch loop: it opens the text file of servers and runs everything after do once per line, until every server is done. Starting at do is the Log Parser command.

%%a - wherever you see that, it is the current "token" pulled from the text file of servers, i.e. the server name on the current line

-i:EVT tells Log Parser the input is a Windows event log

-o:TPL tells Log Parser to write the output through a template

-tpl: gives the location of the template file for this log

SELECT - the SELECT statement is your SQL; here we pick a few fields from the event log. You could substitute * to see every field and then pick the ones you want, just as you would with a database query.

INTO names the output file the results go into, in my case an HTML file in the reports folder

FROM is the server and log. Here \\%%a\System means the System log of the current server in the batch for loop.

WHERE is plain conditional SQL that filters out everything I don't want to see.

-iCheckpoint names the file where Log Parser records how far it read last time, so that the next run starts from there and you don't get duplicate messages.

The tough part is done. Next we check whether the report file exists and, if it does, send it out via blat. After that we check again that the file exists and delete it, so the next run starts clean. One thing to be aware of: the checkpoint has already moved past those events by the time blat runs, and the file is deleted whether or not the mail went out, so if the relay is down those events are never reported. If that matters to you, check blat's errorlevel before the del, or keep a copy of the report.

The last part of this is the template and it's ridiculously simple. All I wanted was a simple HTML table that gets emailed to me via blat. You just need to match the %Field% placeholders to the fields you selected in the query. Log Parser's TPL format has three sections: <LPHEADER> and <LPFOOTER> are written once, and <LPBODY> is written once per record, so the table tags belong in the header and footer and only the row in the body (put everything in <LPBODY> and you get one little table per event).

<LPHEADER>
<TABLE border=1>
</LPHEADER>
<LPBODY>
<TR>
<TD width=15%>%TimeGenerated%</TD>
<TD width=5%><font color=red>%EventTypeName%</font></TD>
<TD width=10%>%SourceName%</TD>
<TD width=70%>%Message%</TD>
</TR>
</LPBODY>
<LPFOOTER>
</TABLE>
</LPFOOTER>
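To make the filter-then-checkpoint-then-render logic concrete, here is an added example in Python that is not part of the original post and does not call Log Parser or blat: it models one segment of the batch file (keep only the wanted event types, report only records newer than the last run, fill the TPL placeholders once per record) against constructed sample records, with an in-memory dict standing in for the .lpc checkpoint file. Two things it does that the batch file leaves to Log Parser are this example's own choices, not Log Parser behaviour: it HTML-escapes every field before substituting it into the template, and if the newest record number is lower than the checkpoint it treats the log as cleared and reports everything again instead of silently skipping.

```python
from html import escape

# Constructed sample records (not real data) in the shape of the Log Parser EVT
# fields the post's SELECT statements pull: RecordNumber, TimeGenerated,
# EventTypeName, SourceName, Message.
SAMPLE_SYSTEM = [
    {"RecordNumber": 1001, "TimeGenerated": "2008-02-13 12:45:55",
     "EventTypeName": "Warning event", "SourceName": "LSASRV",
     "Message": "The Security System detected an authentication error for the server LDAP/dc01.example.test."},
    {"RecordNumber": 1002, "TimeGenerated": "2008-02-13 12:46:10",
     "EventTypeName": "Information event", "SourceName": "Service Control Manager",
     "Message": "The Print Spooler service entered the running state."},
    {"RecordNumber": 1003, "TimeGenerated": "2008-02-13 12:47:02",
     "EventTypeName": "Error event", "SourceName": "Disk",
     "Message": "The device, \\Device\\Harddisk0\\DR0, has a bad block."},
]
SAMPLE_SECURITY = [
    {"RecordNumber": 5001, "TimeGenerated": "2008-02-13 12:50:00",
     "EventTypeName": "Success Audit event", "SourceName": "Security",
     "Message": "Successful Logon: User Name: bkratchet"},
    {"RecordNumber": 5002, "TimeGenerated": "2008-02-13 12:50:31",
     "EventTypeName": "Failure Audit event", "SourceName": "Security",
     "Message": "Logon Failure: Reason: Unknown user name or bad password. User Name: <script>alert(1)</script>"},
]

# The WHERE clause of each segment of the batch file, as a set per log.
WANTED = {
    "System": {"Error event", "Warning event"},
    "Application": {"Error event", "Warning event"},
    "Security": {"Failure Audit event"},
}

FIELDS = ["TimeGenerated", "EventTypeName", "SourceName", "Message"]

# The post's TPL, split the way Log Parser's TPL format expects: header and
# footer are emitted once, the body once per record.
LPHEADER = "<TABLE border=1>\n"
LPBODY = ("<TR><TD width=15%>%TimeGenerated%</TD>"
          "<TD width=5%><font color=red>%EventTypeName%</font></TD>"
          "<TD width=10%>%SourceName%</TD><TD width=70%>%Message%</TD></TR>\n")
LPFOOTER = "</TABLE>\n"


def select_new_events(log_name, events, checkpoint):
    """Return the wanted events not yet reported, and advance the checkpoint.

    The checkpoint is the highest RecordNumber seen per log, standing in for
    Log Parser's .lpc file (an assumption of this example, not Log Parser's
    own file format). If the newest record is below the checkpoint the log
    was cleared or rotated, so everything is reported again rather than
    silently skipped.
    """
    if not events:
        return []
    newest = max(e["RecordNumber"] for e in events)
    last = checkpoint.get(log_name, 0)
    if newest < last:
        last = 0                      # log cleared: numbering restarted
    fresh = [e for e in events
             if e["RecordNumber"] > last and e["EventTypeName"] in WANTED[log_name]]
    checkpoint[log_name] = newest
    return fresh


def render_tpl(events):
    """Fill the %Field% placeholders of LPBODY once per event, HTML-escaping
    each value so event text cannot inject markup into the mailed report."""
    rows = []
    for e in events:
        row = LPBODY
        for f in FIELDS:
            row = row.replace("%" + f + "%", escape(str(e[f])))
        rows.append(row)
    return LPHEADER + "".join(rows) + LPFOOTER


def build_report(log_name, events, checkpoint):
    """One segment of the batch file: filter, checkpoint, render.
    Returns None when there is nothing new, i.e. no email would be sent."""
    fresh = select_new_events(log_name, events, checkpoint)
    return render_tpl(fresh) if fresh else None


if __name__ == "__main__":
    cp = {}
    print(build_report("System", SAMPLE_SYSTEM, cp))      # two rows: LSASRV, Disk
    print(build_report("System", SAMPLE_SYSTEM, cp))      # None: nothing new
    print(build_report("Security", SAMPLE_SECURITY, cp))  # one row, script tag escaped
```

Running it prints the System report once with two rows, then None for the second call because the checkpoint has moved on, and a one-row Security report in which the script tag from the sample logon failure arrives as text rather than markup; that "no new event, no email" behaviour is exactly what the batch file relies on.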


Once I had this set up, I just set one of my machines to check every server (via the list) every morning before I come in. Since it's only new events, the volume is rather low and I can skim through them quickly to see if there are problems needing attention. One thing to get right is the account the scheduled task runs as: it has to read each server's event logs remotely, and the Security log in particular requires the "Manage auditing and security log" user right (on Vista and Server 2008 and later, membership in the local Event Log Readers group is enough), so give that account those rights and nothing more. The reports and the mail also contain whatever the Security log says, so keep the reports folder locked down and the SMTP relay internal. The final result is simply an email like this. :)

Example System Event Log error message:

From: monitoredserver@superniftyserver [mailto:myserver@superniftyserver]
Sent: Wednesday, February 13, 2008 1:11 PM
To: Kratchet, Bob
Subject: New Server Event log event on monitoredserver

TimeGenerated       | EventTypeName | SourceName | Message
2008-02-13 12:45:55 | Warning event | LSASRV     | The Security System detected an authentication error for the server LDAP/powerfulserver.superniftyserver.com/superniftyserver.com@superniftyserver.com. The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)".
2008-02-13 12:46:41 | Warning event | LSASRV     | The Security System detected an authentication error for the server LDAP/nitcdc01.superniftyserver.com/superniftyserver.com@superniftyserver.com. The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)".