Event by Event
Strapped for cash? Forget expensive server management tools -- here's a real-time event log monitor for the smaller shops.
- By Jeffery Hicks
Perhaps you're part of a huge IT shop, or perhaps you're blessed with a budget
that lets you buy more than a box of CAT5 cable from eBay. If this sounds like
you, then you have most likely invested in some sort of server management and
If you're from a smaller, more financially constrained shop, Mr. Roboto has
crafted a real-time event log monitor for you. Well, it's close to real time.
Specify a server or two and the types of events you want to monitor and Mr.
Roboto's Event Log Monitor will display events pretty much as they happen.
Mr. Roboto's Event Log Monitor is an HTML application (HTA) that uses Windows
Management Instrumentation (WMI) to watch for new event log entries on remote
servers. Although you can install this on a server, it makes more sense to use
it from your desktop.
As with most of my utilities, this HTA requires Windows XP or later. You'll
have to run this tool with administrator credentials on the systems you want
This utility will run under Windows Vista, but you'll need to run it as an
administrator. The HTA file type isn't recognized as an executable, so you can't
run it by choosing the "Run as Administrator" option. Here's a workaround
for that limitation:
Create a new shortcut and set the target path to: C:\Windows\System32\mshta.exe
If you'd like, you can change the icon to point to the icon file in the same
directory as the HTA. Just right-click on the shortcut, and select "Run
as Administrator" to launch the tool. The Event Log Monitor will then start
with the right level of access control.
After you've launched the tool, enter the name or names of computers you want
to monitor, separated by commas. Select the event logs and types of events you
want to monitor from the drop down boxes. Use the Ctrl key to select multiple
entries. You can mix and match event logs, even if they aren't on the computer
you're monitoring. This lets you monitor errors in the system log on a file
server or domain controller. You can also monitor Directory Service errors.
The Event Log Monitor uses WMI to establish an asynchronous event query to
each specified server. When an event fires on the remote machine, information
about that event is returned to the Event Log Monitor.
By default, the HTA will check for new events every five seconds. You can increase
this time interval, but I wouldn't recommend making it any shorter. When an
event fires from any machine in your list, the tool will display event info,
including the machine name. Errors and Audit Failures will show up in a red
If the network connection between the remote computer and the computer running
the Event Log Monitor is interrupted (if the remote computer is rebooting, for
example), it won't capture any more events until you restart the monitor and
re-query. You shouldn't select more event types than you really need, especially
when you're monitoring multiple servers.
Roboto's Event Log Monitor at: www.jdhitsolutions.com/scripts.
Extract the .ZIP file to any directory you want and add a
shortcut to the HTA to your desktop or start menu.
What Windows admin task would you like Mr. Roboto to automate
next? Send your suggestions to firstname.lastname@example.org.
Close to Real Time
Event Log Monitor is hard-coded with the most common Windows events. I wanted
to give you the option of selecting multiple servers, so I compromised. If there's
a log type that isn't listed, you can edit the HTML code and add it to the option
The Event Log Monitor doesn't permanently store any event information. Events
are still written to the event log on each server. The monitor simply lets you
know -- in close to real time -- when it has recorded an event.
If you can afford one of the full-featured event log consolidation and management
tools, then by all means find one that meets your business needs. In the meantime,
Mr. Roboto's Event Log Monitor will fill in the gaps and help you keep a close
eye on critical or troublesome servers.
Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MPCMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org.
Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrators Guide.
You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http:/gplus.to/JeffHicks)