Mr. Roboto

To Serve and To Report

EventReporter can help make event log management...manageable.

• By Jeffery Hicks
• 03/01/2007

If your shop is like most Mr. Roboto has seen, though, then resources and budgets are tight. Still, you'd like to make event log management a bit more efficient, if not more exciting. Mr. Roboto can help.

The Main Event
EventReporter is a script -- technically a Windows Script File (WSF) -- that queries a list of servers and builds an HTML report of all error and warning events recorded within the last 24 hours. The report is a basic HTML table that lists the computer name, logfile, time of the event, type, event code and event message. It will highlight critical errors in red, making it easy for you to find critical problems fast.

You can also configure the Event-Reporter so it sends you reports by e-mail. Now you can open your morning e-mail and see at a glance what server issues you might need to address over the course of the day. There's no more combing and filtering through event logs on multiple servers.

The only element you need to create before you can use this tool is a simple text list of all your server names. The tool will connect to each server on the list, using Windows Management Instrumentation (WMI), and query the event logs for the last 24 hours worth of errors or warnings. To be more specific, it will record all events within 24 hours of the exact time you run the tool. You can always run the tool manually as well.

The minimum required command syntax is: Cscript MrRobotoEventReporter.wsf /L:servers.txt

To see a complete help listing, open a command line and run: Cscript MrRobotoEventReporter.wsf /?

EventReporter will save the file by default in the same directory as the WSF file with a filename like 20070313060000-Eventlog.htm. You can specify a different filename and path with the /R parameter. Be aware that any existing file with the same name will be overwritten. If you plan on distributing the report via e-mail you must specify a filename with a complete path.

Because the tool uses WMI, you can specify alternate credentials using /U for the username and /P for the password. However, if you're going to run this as a scheduled task, all you need to do is run the task under domain admin credentials and you're covered.

If you want to mail the report, you'll need to use /S to specify an SMTP server, /T to specify a comma-delimited list of e-mail addresses to which you'd like to distribute the report, and /F to specify a name as sender of the report. The subject line of the e-mail will be "Event Log Report for (current date and time)." The report will be included as an attachment. Depending on your e-mail client configuration, you may still need to take an extra step or two to view it.

Here's how you might schedule an EventReporter job: cscript mrroboto eventreporter.wsf /l:servers.txt /s:mail01 /t:[email protected] /f:[email protected]

As Far as a Scan Can See
There are a few potential gotchas. Event log scanning can be resource-intensive, especially if you have logs upwards of 100MB. Hopefully, you've periodically saved and cleared your event logs.

Remember, the EventReporter tool uses WMI. This means it doesn't work very well across firewalls or over a WAN. If you can't use WBEMTest to connect to a server then this tool won't work, either. Finally, it will ignore the Security Event Log and doesn't report any Audit Failures -- perhaps I'll add that in a future version.