Event Reporting Revisited
Mr. Roboto uses PowerShell to revamp an old tool.
I received an e-mail recently asking me about the Mr. Roboto EventReporter tool I wrote in 2007 (see "To Serve and to Report," March 2007). That tool was a VBScript capable of querying a list of computers for recent events, as well as creating a color-coded HTML report. The tool even included an option to send the report via e-mail.
At the time, the tool would only report on errors and warnings and ignored the Security Event Log. I hadn't updated the script, and after looking at it again I realized revisiting it as a PowerShell script would be just the ticket.
Using PowerShell lets me leverage the pipeline, which makes it easier to process a list of computers. I can also use the Get-WMIObject cmdlet, which supports alternate credentials for remote computers. Finally, sending an SMTP message using PowerShell is pretty straightforward. There are a number of SMTP-related cmdlets that you could use as part of this process, but I decided to make my script completely self-contained so it includes its own mail function.
Download Report-Events.ps1 from jdhitsolutions.com/scripts and save it to your scripts directory. By default with no parameters specified, the script will create an HTML report for all errors, warnings and audit failures in all logs for the last 24 hours:
PS C:\Scripts\> .\report-events.ps1
The HTML report, EventLogReport.html, will be created in the TEMP directory. Errors will be highlighted in red and audit failures in yellow. The WMI query will return ComputerName, Message, TimeWritten, Type, SourceName, EventCode and Logfile information for every matching record in all logs.
But more than likely, you'll want to run through a list of computers and build a single report. Here's where the PowerShell pipeline comes into play. I wrote Report-Events.ps1 so that it could take pipelined input. You'll likely pipe computernames to it using Get-Content:
PS C:\> get-content servers.txt |
A single report covering every computer in the servers.txt file will be created.
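The kind of query and color-coded report described above can be sketched as follows. This is an added example for Windows PowerShell, not code from Report-Events.ps1; the function name Get-RecentProblemEvent, the CSS classes and the output file name are assumptions.

```powershell
# Added example: function name, CSS classes and output path are assumptions.
function Get-RecentProblemEvent {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [System.Management.Automation.PSCredential]$Credential
    )
    begin {
        # WMI compares TimeWritten against a DMTF-formatted timestamp.
        $since  = (Get-Date).AddHours(-$Hours)
        $cutoff = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)
        # EventType: 1 = error, 2 = warning, 5 = audit failure.
        $filter = "TimeWritten >= '$cutoff' AND (EventType = 1 OR EventType = 2 OR EventType = 5)"
    }
    process {
        $wmi = @{
            Class = 'Win32_NTLogEvent'; Filter = $filter; ComputerName = $ComputerName
            EnableAllPrivileges = $true   # the Security log needs SeSecurityPrivilege
            ErrorAction = 'Stop'
        }
        # WMI rejects alternate credentials for local connections, so pass them only when given.
        if ($Credential) { $wmi.Credential = $Credential }
        try { Get-WmiObject @wmi }
        catch { Write-Warning "Query failed for ${ComputerName}: $($_.Exception.Message)" }
    }
}

$columns = 'ComputerName', 'TimeWritten', 'Type', 'Logfile', 'SourceName', 'EventCode', 'Message'
$rows = Get-Content servers.txt | Get-RecentProblemEvent -Hours 24 | ForEach-Object {
    $e = $_
    $class = switch ($e.EventType) { 1 { 'error' } 5 { 'audit' } default { 'warning' } }
    $cells = foreach ($c in $columns) {
        $v = if ($c -eq 'TimeWritten') { $e.ConvertToDateTime($e.TimeWritten) } else { $e.$c }
        # Event text is untrusted input: encode it so a message cannot inject markup into the report.
        '<td>{0}</td>' -f [System.Net.WebUtility]::HtmlEncode([string]$v)
    }
    '<tr class="{0}">{1}</tr>' -f $class, ($cells -join '')
}
$head = '<style>.error td{background:#f88} .audit td{background:#ff8}</style>'
$th   = ($columns | ForEach-Object { "<th>$_</th>" }) -join ''
$out  = Join-Path $env:TEMP 'EventLogReport-example.html'
"<html><head>$head</head><body><table><tr>$th</tr>$($rows -join '')</table></body></html>" |
    Set-Content -Path $out -Encoding UTF8
```

Filtering on the numeric EventType rather than the Type string keeps the query independent of how the event type is rendered as text, and a host that cannot be reached produces a warning instead of stopping the run.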
You can customize the script's behavior with a number of parameters:
Report-Events -report <string> -hours <integer> -credential <PSCredential> -smtp <string> -Sendto <string> -From <string> -username <string> -password <string> -debug <switch>
The Report parameter is the filename and path of the HTML file. Hours is the number of hours from the current time to report. The default is 24. The Credential parameter is used for alternate credentials. You must pass a saved PSCredential as a parameter. SMTP is the name of your mail server if you'll be e-mailing the report. Sendto is a comma-separated list of e-mail addresses; From is the address to indicate who is sending the message. If your SMTP server requires authentication, use the Username and Password parameters to pass those credentials. Finally, the Debug parameter is a switch. This means if you add -debug as a parameter, the script's predefined debug messages will be written to the debug pipeline. You shouldn't need this for production use. Here's how you might put this all together:
PS C:\> get-content servers.txt |
port.html -hours 36 -smtp
This will build a single color-coded HTML report for all computers in servers.txt. The report will show all errors, warnings and audit failures from all logs created in the past 36 hours. The report will be saved to a folder on a Web server, presumably configured as a virtual directory. A copy will also be mailed to the Admins group. You could wrap this one-line command into another PowerShell script and schedule it to run every few days.
Now you have a free event log consolidation and reporting tool.
Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MCPMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org.
Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrator's Guide.
You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http://gplus.to/JeffHicks).