A. A utility called DUMPEL.EXE, supplied with the Windows NT Resource Kit, outputs a comma- or tab-separated file. It allows the events from all 3 logs to be dumped on the local or a remote computer. For full information see the NT Resource Kit Tools help; the basic syntax is below.

dumpel -f <filename for output> [-s \\<servername>] [-l <which log, e.g. system, application, security>] -c
e.g., dumpel -f applog.txt -l application -c

This would dump out the application log as a comma separated file (alternatively use -t instead of -c for a tab separated file).

Another useful switch is -e <event> which allows you to only output a given event, e.g.

dumpel -f winlogon.txt -l application -c -m "winlogon"

This would display all information regarding winlogon (you don't need the quotes if the event is one word).
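As an added example (not part of the original FAQ or the Resource Kit), the Python script below reads a dumpel comma-separated dump and tallies events by source and event ID, with a source filter comparable to the -m example above. The column order, the sample lines and the function names are assumptions; check the column order against a real dump before relying on it.

```python
from collections import Counter

# ASSUMED column order for `dumpel -c` output; verify against a real dump.
# The description is the last field and may itself contain the separator.
COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer", "description"]

# Constructed sample lines (not real log data), including a blank line
# and a truncated line that the parser must skip.
SAMPLE = (
    "3/14/2000,9:02:11 AM,1,0,1001,Winlogon,N/A,SRV1,constructed text, with a comma\n"
    "3/14/2000,9:05:40 AM,1,0,1001,Winlogon,N/A,SRV1,constructed text\n"
    "3/14/2000,9:07:03 AM,4,0,2000,Perflib,N/A,SRV1,constructed text\n"
    "\n"
    "truncated,line\n"
)


def parse_dump(text, columns=COLUMNS, sep=","):
    """Return one dict per event line; pass sep='\\t' for a `dumpel -t` dump."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split only on the first len(columns)-1 separators so that any
        # separator inside the free-text description stays in that field.
        parts = line.split(sep, len(columns) - 1)
        if len(parts) < len(columns) - 1:
            continue  # too few fields: malformed or truncated line
        parts += [""] * (len(columns) - len(parts))  # empty description
        records.append(dict(zip(columns, (p.strip() for p in parts))))
    return records


def filter_source(records, source):
    """Keep events from one source, case-insensitively."""
    wanted = source.lower()
    return [r for r in records if r["source"].lower() == wanted]


def summarize(records):
    """List of ((source, event_id), count), most frequent first."""
    return Counter((r["source"], r["event_id"]) for r in records).most_common()


if __name__ == "__main__":
    events = parse_dump(SAMPLE)
    for (source, event_id), count in summarize(events):
        print(f"{count:5d}  {source}  {event_id}")
```
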

Another application is NTLast, which can be downloaded from http://www.ntobjectives.com. This utility does two major things that Event Viewer does not: it can distinguish remote from interactive logons, and it matches logon times with logoff times. Example uses:

ntlast - gets a default list of last 10 successful logons against local machine
ntlast /f - gets last 10 failed logon attempts
ntlast /f /i - gets last 10 failed interactive logon attempts
ntlast /f /r - gets last 10 failed remote logon attempts
ntlast /i - gets last 10 successful logons
ntlast /r - gets last 10 successful remote logons
ntlast /n 6 - gets last 6 logons

And most useful:
ntlast /m machinename /f /r - gets last 10 failed remote attempts against machinename