You can never have too many logs, said the tree surgeon to the forest. We all know the importance of reviewing the event logs, not only for troubleshooting current issues, but to predict future ones. There are plenty of paid enterprise solutions for this, but let’s take a look at some free options.
This tool will allow you to monitor Windows machines live, using a default polling time of 5 seconds. You can choose from the usual Event Viewer categories and, as an additional bonus, the DNS, FRS and DS logs are also included. Once you have selected the categories you'd like to monitor, you can then select the log types: Error, Warning, Information, Audit Success and Audit Failure.
In the server box, type the hostnames or IPs of the machines you would like to monitor, separated by commas.
This is a handy tool if you’re keeping an eye out for a specific entry, or a server that is playing up.
I've been meaning to set up Nagios for some time for various reasons, one being a ping monitor with email alerting, which is how I came across this application. PA Monitor free edition allows for 10 monitors, including a ping monitor and event log monitoring.
PA Monitor will poll the added servers and send an email alert; you can get pretty granular about which events you would like to be alerted to.
You can send a test alert from the GUI, or if you want to manually add an event to test against, you can use the eventcreate command.
Using Eventcreate to manually add entries
eventcreate /L Application /t Error /SO Test /ID 1 /D "Test"
This would put an error message in the Application log, with a source of Test and an event ID of 1. Eventcreate could be handy if you're scripting something out and would like a specific event logged.
From the /? help output:
/S Specify the name of the remote system to connect to when recording the event
/U Specify a username to record the event as necessary
/P Specify a password for the given username; Prompts for input when a password is not specified.
/L Specify the log to record the event (e.g., Application, System, Security)
/T Specify the type of event; valid types include SUCCESS, ERROR, WARNING, INFORMATION
/SO Specify the source of the event (e.g., WinWord for Microsoft Word)
/ID Specify an ID for the event between 1 and 1000 (no commas accepted)
/D Specifies the description of the event to be entered; it requires surrounding quotation marks
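The eventcreate command is most useful when you pair it with a check that the entry actually landed where your monitor is looking. The following PowerShell script is an added example, not part of the original post: it writes a test event with eventcreate and then reads it back with Get-WinEvent, so you can confirm a new alert rule fires before relying on it. The source name MonitorTest and event ID 999 are made-up values; registering a new source under the Application log needs an elevated prompt.

```powershell
# Added example: write a test event with eventcreate.exe, then verify it is
# present in the Application log. Run from an elevated PowerShell session on
# the machine being monitored. Source name and event ID are arbitrary test values.

$Source  = 'MonitorTest'   # assumed source name, not from the original post
$EventId = 999             # eventcreate accepts IDs 1-1000
$Message = "Monitor test event written $(Get-Date -Format s)"

# /L log name, /T type, /SO source, /ID event id, /D description
& eventcreate.exe /L Application /T WARNING /SO $Source /ID $EventId /D $Message
if ($LASTEXITCODE -ne 0) {
    throw "eventcreate failed with exit code $LASTEXITCODE (are you running elevated?)"
}

# Give a polling monitor a moment to pick the entry up, then look it up ourselves.
# For classic events the provider name is the source supplied with /SO.
Start-Sleep -Seconds 2
$found = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $Source
    Id           = $EventId
    StartTime    = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue

if ($found) {
    'Test event present: {0} (record {1})' -f $found[0].TimeCreated, $found[0].RecordId
} else {
    Write-Warning 'Test event not found; check the log name and that the session is elevated.'
}
```

To test a remote monitor, add /S hostname (and /U and /P if needed) to the eventcreate call and -ComputerName to Get-WinEvent; the rest of the check is unchanged.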
Back to another of Mr Roboto's scripts: this one pulls the Application and System event log warnings and errors into an HTM report using WMI. From there you can either store the report on a network share and/or email it.
To get it running, create and populate a servers.txt file with one IP per line. To execute the script we'll be using cscript.
cscript MrRoboto-EventReporter.wsf /l:servers.txt /s:smtpserver /t:email@example.com /f:firstname.lastname@example.org
L: The text file with the list of servers you want to query
R: HTML Filename and path for report
H: The number of hours. Default is 24
U: Username with admin creds for remote servers
P: Password for the username you want to use
S: Mail server
T: Send to address, separated by commas
F: The from address
You can wrap this in a batch file and run it from Task Scheduler as often as desired.
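For anyone who would rather not depend on WMI and WSF, here is the same idea as an added PowerShell example (this is not Mr Roboto's script): it reads servers.txt, pulls Critical, Error and Warning events from the Application and System logs for the last N hours over the event log RPC interface with Get-WinEvent, writes an HTML report, and emails it if SMTP details are supplied. The parameter names and the SMTP server are assumptions for this example; the account running it needs event log read rights on each server and Remote Event Log Management allowed through the firewall.

```powershell
# Added example, not the original post's script: remote warning/error report
# from Application and System logs, written as HTML and optionally emailed.
# Parameter names and defaults are assumptions for this example.
param(
    [string]$ServerList = '.\servers.txt',   # one hostname or IP per line
    [int]$Hours = 24,
    [string]$Report = ".\EventReport-$(Get-Date -Format yyyyMMdd-HHmm).html",
    [string]$SmtpServer,                      # e.g. smtp.example.internal (assumed)
    [string[]]$To,
    [string]$From
)

$since  = (Get-Date).AddHours(-$Hours)
# Level 1 = Critical, 2 = Error, 3 = Warning
$filter = @{ LogName = 'Application', 'System'; Level = 1, 2, 3; StartTime = $since }

$rows = foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            Select-Object @{ n = 'Server'; e = { $server } }, TimeCreated, LogName,
                          LevelDisplayName, ProviderName, Id,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # "No events were found" is a clean result, not a failure. Anything else
        # (RPC unavailable, access denied) goes into the report so a dead host is
        # visible instead of silently producing an empty section.
        if ($_.Exception.Message -notlike 'No events were found*') {
            [pscustomobject]@{
                Server = $server; TimeCreated = Get-Date; LogName = 'n/a'
                LevelDisplayName = 'QueryFailed'; ProviderName = 'Get-WinEvent'
                Id = 0; Message = $_.Exception.Message
            }
        }
    }
}

$style = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:2px 6px;font-family:monospace}</style>'
$rows | Sort-Object Server, TimeCreated -Descending |
    ConvertTo-Html -Title 'Event report' -Head $style `
        -PreContent "<h2>Warnings and errors, last $Hours hours</h2>" `
        -PostContent "<p>Generated $(Get-Date)</p>" |
    Set-Content -Path $Report -Encoding UTF8
"Wrote $(@($rows).Count) rows to $Report"

if ($SmtpServer -and $To -and $From) {
    Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
        -Subject "Event report: $(@($rows).Count) entries" `
        -Body 'See attached report.' -Attachments $Report
}
```

Save it as EventReport.ps1 and schedule it the same way as the WSF version, for example with a Task Scheduler action of powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\EventReport.ps1 -SmtpServer smtp.example.internal -To ops@example.com -From reports@example.com (paths and addresses are placeholders). Run the task as a dedicated account that only has event log read rights on the target servers rather than a domain admin.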
That concludes our quick look at some useful tools for dealing with event logs.