A. A utility called DUMPEL.EXE is supplied with the Windows NT Resource Kit; it outputs a comma- or tab-separated file. It allows the events from all 3 logs to be dumped on the local or a remote computer. For full information see the NT Resource Kit Tools help; the basic syntax is below.
This would dump out the application log as a comma-separated file (alternatively use -t instead of -c for a tab-separated file).
Another useful switch is -e
dumpel -f winlogon.txt -l application -c -m "winlogon"
This would display all information regarding winlogon (you don't need the quotes if the event is one word).
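Once a log has been dumped to a file it can be filtered and counted offline. The following is an added example, not part of the Resource Kit or of the original answer. It assumes the dump's columns are date, time, type, category, event ID, source, user, computer, description, and that fields are not quoted, so check the first line of your own file before relying on it. The function names and sample lines are constructed for illustration.

```python
from collections import Counter

# Assumed column order of a dumpel dump (not stated on this page);
# compare with the first line of your own file and adjust.
FIELDS = ["date", "time", "type", "category", "event_id",
          "source", "user", "computer", "description"]

def parse_dump(lines, sep=","):
    """Yield one dict per event from a -c (sep=',') or -t (sep='\\t') dump."""
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # skip blank lines
        # Split on the first 8 separators only: the description is free text
        # and may itself contain commas, which would shift a naive split.
        parts = line.split(sep, len(FIELDS) - 1)
        parts += [""] * (len(FIELDS) - len(parts))  # pad short lines
        yield dict(zip(FIELDS, (p.strip() for p in parts)))

def by_source(events, source):
    """Keep only events whose source column matches, ignoring case."""
    return [e for e in events if e["source"].lower() == source.lower()]

def count_event_ids(events):
    """Count events per (source, event ID) pair to spot unusual volumes."""
    return Counter((e["source"], e["event_id"]) for e in events)

# Constructed sample lines, not real log data.
SAMPLE = [
    "1/5/1999,9:14:02 AM,4,0,1002,Winlogon,N/A,SERVER1,Shell started, profile loaded",
    "1/5/1999,9:15:40 AM,1,0,1000,Winlogon,N/A,SERVER1,Profile load failed",
    "1/5/1999,9:20:11 AM,4,0,17055,MSSQLServer,N/A,SERVER1,Backup done, 3 files",
    "",
]

if __name__ == "__main__":
    events = list(parse_dump(SAMPLE))
    for e in by_source(events, "winlogon"):
        print(e["date"], e["time"], e["event_id"], e["description"])
    print(count_event_ids(events).most_common())
```

For a file dumped with -t, pass sep="\t"; the tab-separated form avoids the embedded-comma problem altogether.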
Another application is NTLast, which can be downloaded from http://www.ntobjectives.com. This utility does two major things that Event Viewer does not: it can distinguish remote/interactive logons, and it matches logon times with logoff times. Example uses:
ntlast - gets a default list of last 10 successful logons against local machine
ntlast /f - gets last 10 failed logon attempts
ntlast /f /i - gets last 10 failed interactive logon attempts
ntlast /f /r - gets last 10 failed remote logon attempts
ntlast /i - gets last 10 successful logons
ntlast /r - gets last 10 successful remote logons
ntlast /n 6 - gets last 6 logons
And most useful
ntlast /m machinename /f /r - gets last 10 failed remote attempts against machinename