Mr. Roboto

To Serve and To Report

EventReporter can help make event log management...manageable.

How often do you check your server's event logs? How often would you like to be able to check those logs? If you run a large shop or have endless resources, you've probably invested in server management software or an event log consolidation tool.

If your shop is like most Mr. Roboto has seen, though, then resources and budgets are tight. Still, you'd like to make event log management a bit more efficient, if not more exciting. Mr. Roboto can help.

The Main Event
EventReporter is a script -- technically a Windows Script File (WSF) -- that queries a list of servers and builds an HTML report of all error and warning events recorded within the last 24 hours. The report is a basic HTML table that lists the computer name, logfile, time of the event, type, event code and event message. It will highlight critical errors in red, making it easy for you to find critical problems fast.

You can also configure EventReporter so it sends you reports by e-mail. Now you can open your morning e-mail and see at a glance what server issues you might need to address over the course of the day. There's no more combing and filtering through event logs on multiple servers.

The only element you need to create before you can use this tool is a simple text list of all your server names. The tool will connect to each server on the list, using Windows Management Instrumentation (WMI), and query the event logs for the last 24 hours worth of errors or warnings. To be more specific, it will record all events within 24 hours of the exact time you run the tool. You can always run the tool manually as well.
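The query described above, sketched in Windows PowerShell as an added example; it is not the EventReporter source. It assumes Windows PowerShell 5.1, a servers.txt file in the current directory, and that the job runs under an account with WMI rights on each server, so no password appears on a command line. The filter wording is an assumption based on this article's description.

```powershell
# Added example, not the EventReporter script itself.
# Assumes servers.txt holds one server name per line.
$servers = Get-Content -Path .\servers.txt | Where-Object { $_.Trim() }

# WMI compares TimeGenerated against a DMTF-format timestamp string.
$since  = (Get-Date).AddHours(-24)
$cutoff = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)

# Errors and warnings from the last 24 hours; the Security log is skipped
# explicitly, matching the behavior the article describes.
$filter = "(Type='error' OR Type='warning') AND Logfile<>'Security' " +
          "AND TimeGenerated>='$cutoff'"

$unreachable = @()
$events = foreach ($server in $servers) {
    try {
        Get-WmiObject -Class Win32_NTLogEvent -ComputerName $server `
                      -Filter $filter -ErrorAction Stop |
            Select-Object ComputerName, Logfile,
                @{ Name = 'Time'; Expression = { $_.ConvertToDateTime($_.TimeGenerated) } },
                Type, EventCode, Message
    }
    catch {
        # Firewall, RPC and access-denied failures land here. Record them so a
        # server that could not be read is not mistaken for a quiet server.
        $unreachable += "$server ($($_.Exception.Message))"
    }
}

# Event messages can carry text supplied by whatever wrote the event.
# ConvertTo-Html encodes property values; the footer is encoded by hand
# because -PostContent is inserted into the page as-is.
$note = 'Servers not queried: ' +
        $(if ($unreachable) { $unreachable -join '; ' } else { 'none' })
$post = '<p>' + [System.Net.WebUtility]::HtmlEncode($note) + '</p>'

$reportPath = Join-Path $PWD ('{0:yyyyMMddHHmmss}-Eventlog.htm' -f (Get-Date))
$events | Sort-Object ComputerName, Time |
    ConvertTo-Html -Title 'Event Log Report' -PostContent $post |
    Set-Content -Path $reportPath -Encoding UTF8
```

The "Servers not queried" line in the footer separates a server with nothing to report from one the query never reached.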

The minimum required command syntax is: Cscript MrRobotoEventReporter.wsf /L:servers.txt

To see a complete help listing, open a command line and run: Cscript MrRobotoEventReporter.wsf /?

EventReporter will save the file by default in the same directory as the WSF file with a filename like 20070313060000-Eventlog.htm. You can specify a different filename and path with the /R parameter. Be aware that any existing file with the same name will be overwritten. If you plan on distributing the report via e-mail you must specify a filename with a complete path.

Because the tool uses WMI, you can specify alternate credentials using /U for the username and /P for the password. However, if you're going to run this as a scheduled task, all you need to do is run the task under domain admin credentials and you're covered.

If you want to mail the report, you'll need to use /S to specify an SMTP server, /T to specify a comma-delimited list of e-mail addresses to which you'd like to distribute the report, and /F to specify a name as sender of the report. The subject line of the e-mail will be "Event Log Report for (current date and time)." The report will be included as an attachment. Depending on your e-mail client configuration, you may still need to take an extra step or two to view it.

Here's how you might schedule an EventReporter job: cscript MrRobotoEventReporter.wsf /l:servers.txt /s:mail01 /t:jhicks@sapien.com /f:roboto@sapien.com

Roboto on Demand

Download Mr. Roboto's EventReporter.wsf at www.jdhitsolutions.com/scripts.

What Windows admin task would you like Mr. Roboto to automate next? Send your suggestions to jhicks@sapien.com.

As Far as a Scan Can See
There are a few potential gotchas. Event log scanning can be resource-intensive, especially if you have logs upwards of 100MB. Hopefully, you've periodically saved and cleared your event logs.

Remember, the EventReporter tool uses WMI. This means it doesn't work very well across firewalls or over a WAN. If you can't use WBEMTest to connect to a server then this tool won't work, either. Finally, it will ignore the Security Event Log and doesn't report any Audit Failures -- perhaps I'll add that in a future version.

About the Author

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MCPMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org. Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrators Guide. You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http://gplus.to/JeffHicks).

Reader Comments:

Tue, May 15, 2007 Gary NY

Funny, WMI is running on the servers I test it on, and I provide it everything it needs - yet it runs and creates an htm file that lists the headings but no data. I'm a domain admin, no error messages, but I can't get any data. I also specified credentials and no data. Any ideas? Thx for the script.

Tue, Apr 24, 2007 Jeff Hicks Anonymous

The script should check all logs for warnings and errors except security because that log doesn't use those types. I know people have asked about the security log before and I might have to re-arrange some work to get a new version of this script online. But it should detect errors and warnings in directory services and other logs.

Thu, Mar 22, 2007 Joe Beverly Hills, CA

But what about the other logs, like directory services and security? How can those be added? That would make this script much more useful in a production environment. If I use the script daily as it is, I still need to manually check the other logs... so what's the point?

Tue, Mar 20, 2007 Peter Anonymous

Thanks for a great script. Very helpful.

You can filter out events you don't care about by modifying the "WHERE (Type='warning' OR Type='error')..." line. Just add additional parameters to the SQL statement.

Wed, Mar 7, 2007 Jeff Hicks Anonymous

An alert reader pointed out that I was filtering for events within the last 36 hours instead of 24. Sorry. That was a leftover from a debug session. I've since posted an updated script (v1.4). Or you can modify the script yourself.
