Mr. Roboto

Event Reporting Revisited

Mr. Roboto uses PowerShell to revamp an old tool.

• By Jeffery Hicks
• 02/01/2009

At the time, the tool would only report on errors and warnings and ignored the Security Event Log. I hadn't updated the script, and after looking at it again I realized revisiting it as a PowerShell script would be just the ticket.

Using PowerShell lets me leverage the pipeline, which makes it easier to process a list of computers. I can also use the Get-WMIObject cmdlet, which supports alternate credentials for remote computers. Finally, sending an SMTP message using PowerShell is pretty straightforward. There are a number of SMTP-related cmdlets that you could use as part of this process, but I decided to make my script completely self-contained so it includes its own mail function.

Download Report-Events.ps1 from jdhitsolutions.com/scripts and save it to your scripts directory. By default with no parameters specified, the script will create an HTML report for all errors, warnings and audit failures in all logs for the last 24 hours:

PS C:\Scripts\> .\report-events.ps1

The HTML report, EventLogReport.html, will be created in the TEMP directory. Errors will be highlighted in red and audit failures in yellow. The WMI query will return ComputerName, Message, TimeWritten, Type, SourceName, EventCode and Logfile information for every matching record in all logs.

But more than likely, you'll want to run through a list of computers and build a single report. Here's where the PowerShell pipeline comes into play. I wrote Report-Events.ps1 so that it could take pipelined input. You'll likely pipe computernames to it using Get-Content:

PS C:\> get-content servers.txt | 
c:\scripts\report-events.ps1 

A single report will be created for every computer in the servers.txt file.

You can customize the script's behavior with a number of parameters:

Report-Events -report <string> -
hours <integer> -credential
<PSCredential> -smtp <string> -
Sendto <string> -From <string> -
username <string> -password 
<string> -debug <switch>

The Report parameter is the filename and path of the HTML file. Hours is the number of hours from the current time to report. The default is 24. The Credential parameter is used for alternate credentials. You must pass a saved PSCredential as a parameter. SMTP is the name of your mail server if you'll be e-mailing the report. Sendto is a comma-separated list of e-mail addresses; From is the address to indicate who is sending the message. If your SMTP server requires authentication, use the Username and Password parameters to pass those credentials. Finally, the Debug parameter is a switch. This means if you add -debug as a parameter, the script's predefined debug messages will be written to the debug pipeline. You shouldn't need this for production use. Here's how you might put this all together:

PS C:\> get-content servers.txt | 
c:\scripts\report-events.ps1 
-report 
\\intranet\d$\reports\eventre-
port.html -hours 36 -smtp 
mail.mycompany.com -sendto 
[email protected] -from 
[email protected] 

This will build a single color-coded HTML report for all computers in servers.txt. The report will show all errors, warnings and audit failures from all logs created in the past 36 hours. The report will be saved to a folder on a Web server, presumably configured as a virtual directory. A copy will also be mailed to the Admins group. You could wrap this one-line command into another PowerShell script and schedule it to run every few days.

Now you have a free event log consolidation and reporting tool.