To Serve and To Report
EventReporter can help make event log management...manageable.
- By Jeffery Hicks
How often do you check your server's event logs? How often would you like to
be able to check those logs? If you run a large shop or have endless resources,
you've probably invested in server management software or an event log consolidation
If your shop is like most Mr. Roboto has seen, though, then resources and budgets
are tight. Still, you'd like to make event log management a bit more efficient,
if not more exciting. Mr. Roboto can help.
The Main Event
EventReporter is a script -- technically a Windows Script File (WSF) -- that
queries a list of servers and builds an HTML report of all error and warning
events recorded within the last 24 hours. The report is a basic HTML table that
lists the computer name, logfile, time of the event, type, event code and event
message. It will highlight critical errors in red, making it easy for you to
find critical problems fast.
You can also configure EventReporter so it sends you reports by e-mail.
Now you can open your morning e-mail and see at a glance what server issues
you might need to address over the course of the day. There's no more combing
and filtering through event logs on multiple servers.
The only element you need to create before you can use this tool is a simple
text list of all your server names. The tool will connect to each server on
the list, using Windows Management Instrumentation (WMI), and query the event
logs for the last 24 hours' worth of errors or warnings. To be more specific,
it will record all events within 24 hours of the exact time you run the tool.
You can always run the tool manually as well.
The minimum required command syntax is:
    Cscript MrRobotoEventReporter.wsf /L:servers.txt
To see a complete help listing, open a command line and run:
    Cscript MrRobotoEventReporter.wsf
EventReporter will save the file by default in the same directory as the WSF
file with a filename like 20070313060000-Eventlog.htm. You can specify a different
filename and path with the /R parameter. Be aware that any existing file with
the same name will be overwritten. If you plan on distributing the report via
e-mail you must specify a filename with a complete path.
Because the tool uses WMI, you can specify alternate credentials using /U for
the username and /P for the password. However, if you're going to run this as
a scheduled task, all you need to do is run the task under domain admin credentials
and you're covered.
If you want to mail the report, you'll need to use /S to specify an SMTP server,
/T to specify a comma-delimited list of e-mail addresses to which you'd like
to distribute the report, and /F to specify a name as sender of the report.
The subject line of the e-mail will be "Event Log Report for (current date
and time)." The report will be included as an attachment. Depending on
your e-mail client configuration, you may still need to take an extra step or
two to view it.
Here's how you might schedule an EventReporter job:
    cscript mrrobotoeventreporter.wsf /l:servers.txt /s:mail01 /t:firstname.lastname@example.org /f:email@example.com
As Far as a Scan Can See
There are a few potential gotchas. Event log scanning can be resource-intensive,
especially if you have logs upwards of 100MB. Hopefully, you've periodically
saved and cleared your event logs.
Remember, the EventReporter tool uses WMI. This means it doesn't work very
well across firewalls or over a WAN. If you can't use WBEMTest to connect to
a server then this tool won't work, either. Finally, it will ignore the Security
Event Log and doesn't report any Audit Failures -- perhaps I'll add that in
a future version.
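The query and report described under "The Main Event," sketched in PowerShell as an added example; it is not the EventReporter source and does not come from the article's author. It assumes a servers.txt like the one the article describes and uses Get-CimInstance, which connects over WS-Management rather than the DCOM-based WMI the script relies on; the HTML layout and the encoding of event text are choices made for this example.

```powershell
# Added illustration, not the EventReporter source. Parameter names are hypothetical.
param(
    [string]$ServerList = 'servers.txt',   # one server name per line
    [string]$ReportPath = (Join-Path $PWD ('{0:yyyyMMddHHmmss}-Eventlog.htm' -f (Get-Date)))
)

# WQL compares TimeGenerated against a DMTF datetime string; build it in UTC.
$since  = (Get-Date).AddHours(-24).ToUniversalTime()
$dmtf   = $since.ToString('yyyyMMddHHmmss.ffffff') + '+000'
# EventType 1 = Error, 2 = Warning. The Security log is skipped, as the article describes.
$filter = "TimeGenerated >= '$dmtf' AND (EventType = 1 OR EventType = 2) AND Logfile <> 'Security'"

$encode  = { param($s) [System.Net.WebUtility]::HtmlEncode([string]$s) }
$rows    = New-Object System.Collections.Generic.List[string]
$servers = Get-Content -Path $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($server in $servers) {
    try {
        $events = Get-CimInstance -ComputerName $server -ClassName Win32_NTLogEvent -Filter $filter -ErrorAction Stop |
                  Sort-Object TimeGenerated -Descending
    }
    catch {
        # An unreachable server becomes a row in the report instead of a silent gap.
        $rows.Add(('<tr style="color:red"><td>{0}</td><td colspan="5">Query failed: {1}</td></tr>' -f
                   (& $encode $server), (& $encode $_.Exception.Message)))
        continue
    }
    foreach ($e in $events) {
        $style = if ($e.EventType -eq 1) { ' style="color:red"' } else { '' }
        # Event messages can carry text supplied by remote clients, so encode every cell.
        $cells = $e.ComputerName, $e.Logfile, $e.TimeGenerated, $e.Type, $e.EventCode, $e.Message |
                 ForEach-Object { '<td>{0}</td>' -f (& $encode $_) }
        $rows.Add("<tr$style>$($cells -join '')</tr>")
    }
}

$html = @"
<html><body><h3>Event Log Report for $(Get-Date)</h3>
<table border="1">
<tr><th>Computer</th><th>Logfile</th><th>Time</th><th>Type</th><th>Event Code</th><th>Message</th></tr>
$($rows -join "`n")
</table></body></html>
"@
Set-Content -Path $ReportPath -Value $html -Encoding UTF8
```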
Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MCPMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org. Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrator's Guide.
You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http://gplus.to/JeffHicks).