A. A. A utility called DUMPEL.EXE is supplied with the Windows NT Resource Kit which outputs a comma or tab separated file. It allows the events from all 3 logs to be dumped on the local or remote computer. For full information see the NT Resource Kit Tools help however below is the basic syntax.
dumpel -f <filename for output> \[-s \\<servername>\] \[-l <which log, e.g. system, application,security>\] -c
e.g., dumpel -f applog.txt -l application -c
This would dump out the application log as a comma separated file (alternatively use -t instead of -c for a tab separated file).
Another useful switch is -e <event> which allows you to only output a given event, e.g.
dumpel -f winlogon.txt -l application -c -m "winlogon"
Would display all information re winlogon (you don't need the quotes if the event is one word).
Another application is NTLast which can be downloaded from http://www.ntobjectives.com. This utility does two major things that event viewer does not. It can distinguish remote/interactive logons and it matches logon times with logoff times. Example uses:
ntlast - gets a default list of last 10 successful logons against local machine
ntlast /f - gets last 10 failed logon attempts
ntlast /f /i - gets last 10 failed interactive logon attempts
ntlast /f /r - gets last 10 failed remote logon attempts
ntlast /i - gets last 10 successful logons
ntlast /r - gets last 10 successful remote logons
ntlast /n 6 - gets last 6 logons
And most useful
ntlast /m machinename /f /r - gets last 10 failed remote attempts against machinename