Mr. Roboto

Event Reporting Revisited

Mr. Roboto uses PowerShell to revamp an old tool.

I received an e-mail recently asking me about the Mr. Roboto EventReporter tool I wrote in 2007 (see "To Serve and to Report," March 2007). That tool was a VBScript capable of querying a list of computers for recent events, as well as creating a color-coded HTML report. The tool even included an option to send the report via e-mail.

At the time, the tool would only report on errors and warnings and ignored the Security Event Log. I hadn't updated the script, and after looking at it again I realized revisiting it as a PowerShell script would be just the ticket.

Using PowerShell lets me leverage the pipeline, which makes it easier to process a list of computers. I can also use the Get-WMIObject cmdlet, which supports alternate credentials for remote computers. Finally, sending an SMTP message using PowerShell is pretty straightforward. There are a number of SMTP-related cmdlets that you could use as part of this process, but I decided to make my script completely self-contained so it includes its own mail function.

Download Report-Events.ps1 from jdhitsolutions.com/scripts and save it to your scripts directory. By default with no parameters specified, the script will create an HTML report for all errors, warnings and audit failures in all logs for the last 24 hours:

PS C:\Scripts\> .\report-events.ps1

The HTML report, EventLogReport.html, will be created in the TEMP directory. Errors will be highlighted in red and audit failures in yellow. The WMI query will return ComputerName, Message, TimeWritten, Type, SourceName, EventCode and Logfile information for every matching record in all logs.

But more than likely, you'll want to run through a list of computers and build a single report. Here's where the PowerShell pipeline comes into play. I wrote Report-Events.ps1 so that it could take pipelined input. You'll likely pipe computernames to it using Get-Content:

PS C:\> get-content servers.txt | 
c:\scripts\report-events.ps1 

A single report covering every computer in the servers.txt file will be created.
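The following is an added example, not code from Report-Events.ps1 or its author: one way to run the kind of WMI query described above against pipelined computer names. The function name, its parameters and the filter string are assumptions; it requires Windows PowerShell, because Get-WmiObject is not available in PowerShell 6 and later.

```powershell
# Added illustration; Get-RecentProblemEvent is a hypothetical name, not part of Report-Events.ps1.
function Get-RecentProblemEvent {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,

        [ValidateRange(1, 8760)]
        [int]$Hours = 24,

        [System.Management.Automation.PSCredential]$Credential
    )
    begin {
        # WMI compares TimeWritten against a DMTF-formatted timestamp.
        $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
            (Get-Date).AddHours(-$Hours))
        # EventType is locale-independent: 1 = error, 2 = warning, 5 = audit failure.
        $filter = "TimeWritten >= '$since' AND (EventType = 1 OR EventType = 2 OR EventType = 5)"
    }
    process {
        foreach ($computer in $ComputerName) {
            $wmi = @{
                Class               = 'Win32_NTLogEvent'
                Filter              = $filter
                ComputerName        = $computer
                # Reading the Security log through WMI needs the security privilege
                # enabled on the connection; without it those records are not returned.
                EnableAllPrivileges = $true
                ErrorAction         = 'Stop'
            }
            # WMI rejects alternate credentials for a local connection.
            if ($Credential -and $computer -ne $env:COMPUTERNAME) { $wmi.Credential = $Credential }
            try {
                Get-WmiObject @wmi | Select-Object ComputerName, Logfile, Type, EventCode, SourceName,
                    @{ Name = 'TimeWritten'; Expression = { $_.ConvertToDateTime($_.TimeWritten) } },
                    Message
            }
            catch {
                # An unreachable host belongs in the report too, so warn rather than skip silently.
                Write-Warning "Query failed for ${computer}: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed usage: servers.txt holds one computer name per line.
# Get-Content servers.txt | Get-RecentProblemEvent -Hours 36 | Export-Csv events.csv -NoTypeInformation
```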

You can customize the script's behavior with a number of parameters:

Report-Events -report <string> -hours <integer> -credential <PSCredential> -smtp <string> -Sendto <string> -From <string> -username <string> -password <string> -debug <switch>

The Report parameter is the filename and path of the HTML file. Hours is the number of hours from the current time to report. The default is 24. The Credential parameter is used for alternate credentials. You must pass a saved PSCredential as a parameter. SMTP is the name of your mail server if you'll be e-mailing the report. Sendto is a comma-separated list of e-mail addresses; From is the address to indicate who is sending the message. If your SMTP server requires authentication, use the Username and Password parameters to pass those credentials. Finally, the Debug parameter is a switch. This means if you add -debug as a parameter, the script's predefined debug messages will be written to the debug pipeline. You shouldn't need this for production use. Here's how you might put this all together:

PS C:\> get-content servers.txt | c:\scripts\report-events.ps1 -report \\intranet\d$\reports\eventreport.html -hours 36 -smtp mail.mycompany.com -sendto Admins@mycompany.com -from EventReporting@mycompany.com

This will build a single color-coded HTML report for all computers in servers.txt. The report will show all errors, warnings and audit failures from all logs created in the past 36 hours. The report will be saved to a folder on a Web server, presumably configured as a virtual directory. A copy will also be mailed to the Admins group. You could wrap this one-line command into another PowerShell script and schedule it to run every few days.

Now you have a free event log consolidation and reporting tool.

About the Author

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MCPmag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org. Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrator's Guide. You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http://gplus.to/JeffHicks).


Reader Comments:

Mon, Sep 20, 2010 Jeffery Hicks http://jdhitsolutions.com/blog

A newer, PowerShell 2.0 version of this script can be found at http://jdhitsolutions.com/blog/2010/09/new-event-report/

Tue, Jul 27, 2010 Jeffery Hicks

Use the direct link and scroll down to the Mr. Roboto section http://www.jdhitsolutions.com/scripts.htm

Tue, May 19, 2009

When I run this script it is ignoring the Security Event Log. Help! I can get events from any other log but the Security Event Log.

Wed, Apr 8, 2009 Murph KY

Great article. Have enjoyed this and many other Mr. Roboto articles. I did find the html output for this script didn't quite meet the needs I had, but, by simply adding one additional line of code, I now have a CSV file created in addition to the HTML file. I can use the CSV file for sorting and filtering events. Just insert "$all | export-csv $env:temp\EventLogReport.csv" after "if ($all.count -gt 0) " and before "$footer............" Thanks for the great stuff, Jeffery!

Wed, Feb 18, 2009 RMNornes Anonymous

Hey Jeffery, just an FYI, you need a $msg.Dispose() after your $mail.send($msg) or the .html file will be held open and not released until you shut down your PowerShell session, meaning you cannot call this ps1 more than once per session.

Fri, Jan 30, 2009 Anonymous Anonymous

The script is now available on the author's website - thanks, Jeffery.

Fri, Jan 23, 2009 Colin NJ

I would like to make use of this great sounding script but I don't see it on the page jdhitsolutions.com/scripts... am I blind?
