The Sysadmins

Tips and tricks from the Sysadmins

Event Log Monitoring and Reporting

You can never have too many logs, said the tree surgeon to the forest. We all know the importance of reviewing the event logs, not only for troubleshooting current issues, but to predict future ones. There are plenty of paid enterprise solutions for this, but let’s take a look at some free options.

Mr Roboto’s Event monitor

This tool lets you monitor Windows machines live, using a default polling interval of 5 seconds. You can choose from the usual Event Viewer categories, and as an added bonus DNS / FRS / DS are also included. Once you have selected the categories you'd like to monitor, you can then select the log types: error, warning, information, audit success and audit failure.

In the server box, type the hostnames or IPs of the machines you would like to monitor, separated by commas.

This is a handy tool if you’re keeping an eye out for a specific entry, or a server that is playing up.
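The polling technique described above, written out as an added PowerShell example (this is not Mr Roboto's tool or its code): it queries the Application and System logs of a list of hosts every few seconds and prints only the Critical, Error and Warning events that are new since the previous poll. The host names are placeholders; remote queries need the "Remote Event Log Management" firewall rule open on the target and an account that can read its logs.

```powershell
# Added example: live polling of remote event logs, in the spirit of the Event Monitor above.
param(
    [string[]] $Computers   = @('SERVER01', 'SERVER02'),   # placeholder host names
    [string[]] $LogNames    = @('Application', 'System'),
    [int[]]    $Levels      = @(1, 2, 3),                   # 1=Critical 2=Error 3=Warning
    [int]      $PollSeconds = 5
)

# Newest event time seen per host; the first poll looks back one minute.
$lastSeen = @{}
foreach ($c in $Computers) { $lastSeen[$c] = (Get-Date).AddMinutes(-1) }

function Get-NewEvents {
    param([string] $Computer, [datetime] $Since)
    try {
        $filter = @{ LogName = $LogNames; Level = $Levels; StartTime = $Since }
        Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.TimeCreated -gt $Since } |   # StartTime is inclusive; drop the boundary event
            Sort-Object TimeCreated
    } catch {
        # "No events found" is normal between polls; anything else (RPC unavailable,
        # access denied) is exactly the kind of thing you want to see on the console.
        if ($_.FullyQualifiedErrorId -notmatch 'NoMatchingEventsFound') {
            Write-Warning "$Computer : $($_.Exception.Message)"
        }
    }
}

while ($true) {
    foreach ($c in $Computers) {
        foreach ($e in (Get-NewEvents -Computer $c -Since $lastSeen[$c])) {
            $lastSeen[$c] = $e.TimeCreated           # events are sorted, so this ends as the newest
            '{0:s} {1} {2,-11} {3}/{4} {5}: {6}' -f $e.TimeCreated, $c, $e.LevelDisplayName,
                $e.LogName, $e.ProviderName, $e.Id, (($e.Message -split "`r?`n")[0])
        }
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Run it from an account that is a member of Event Log Readers (or a local administrator) on the monitored hosts; the eventcreate command shown later on this page is a convenient way to raise a test event and watch it appear within one poll interval.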

[Screenshot: Live Event Monitor]

PA Server Monitor

I've been meaning to set up Nagios for some time for various reasons, one being a ping monitor with email alerting, which is how I came across this application. PA Server Monitor's free edition allows 10 monitors, including a ping monitor and event log monitoring.

PA Monitor polls the added servers and sends an email alert; you can get pretty granular about which events you would like to be alerted on.

[Screenshot: PA Monitor Settings]

[Screenshot: PA Monitor Example Email]

You can send a test alert from the GUI, or, if you want to raise one manually, you can use the eventcreate command.

Using Eventcreate to manually add entries

eventcreate /L Application /T Error /SO Test /ID 1 /D "Test"

This puts an error entry in the Application log with a source of Test and an event ID of 1. Eventcreate can be handy if you're scripting something and would like a specific event logged.

From the eventcreate /? help output:

/S Specify the name of the remote system to connect to when recording the event
/U Specify a username to record the event as necessary
/P Specify a password for the given username; Prompts for input when a password is not specified.
/L Specify the log to record the event (e.g., Application, System, Security)
/T Specify the type of event; valid types include SUCCESS, ERROR, WARNING, INFORMATION
/SO Specify the source of the event (e.g., WinWord for Microsoft Word)
/ID Specify an ID for the event between 1 and 1000 (no commas accepted)
/D Specifies the description of the event to be entered; it requires surrounding quotation marks
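To show the "scripting something" use of eventcreate, here is an added PowerShell example (not from the page): a wrapper that runs a job script and records its start, success or failure in the Application log through eventcreate.exe, so that a monitor such as the ones above can alert on the failure event. The source name NightlyBackup, the event IDs 100 to 102 and the job path are placeholders chosen for this example.

```powershell
# Added example: record a job's outcome in the Application log with eventcreate.
param(
    [string] $JobScript = 'C:\Jobs\backup.ps1',   # placeholder: the work to run
    [string] $Source    = 'NightlyBackup'         # placeholder event source
)
$ErrorActionPreference = 'Stop'                  # make errors in the job terminating so the catch sees them

function Write-JobEvent {
    param(
        [ValidateSet('SUCCESS', 'ERROR', 'WARNING', 'INFORMATION')] [string] $Type,
        [ValidateRange(1, 1000)] [int] $Id,         # eventcreate only accepts IDs 1..1000
        [string] $Description
    )
    # A double quote inside /D would end the argument early, so swap them for single quotes.
    $safeText = $Description -replace '"', "'"
    # Passing the arguments as an array lets PowerShell quote the ones containing spaces.
    $cmdArgs  = @('/L', 'Application', '/T', $Type, '/SO', $Source, '/ID', $Id, '/D', $safeText)
    & eventcreate.exe @cmdArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "eventcreate failed with exit code $LASTEXITCODE" }
}

Write-JobEvent -Type INFORMATION -Id 100 -Description "Job started: $JobScript"
try {
    & $JobScript                                  # run the actual work
    if ($LASTEXITCODE -and $LASTEXITCODE -ne 0) { throw "job exited with code $LASTEXITCODE" }
    Write-JobEvent -Type SUCCESS -Id 101 -Description "Job completed: $JobScript"
} catch {
    Write-JobEvent -Type ERROR -Id 102 -Description "Job failed: $JobScript - $($_.Exception.Message)"
    exit 1
}
```

Run the wrapper from an elevated prompt or as a scheduled task with administrative rights, since writing to the Application log under a new source requires them; the ERROR event with ID 102 is then a precise thing to alert on in PA Monitor or the live monitor rather than a generic "script did not run".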

Mr Roboto’s Event Reporter

Back to another of Mr Roboto's scripts: this one pulls the Application and System event warnings and errors into an HTM report using WMI. From there you can store the report on a network share and/or email it.

To get it running, create and populate a servers.txt file with one IP per line. The script is executed with cscript:

cscript MrRoboto-EventReporter.wsf /l:servers.txt /s:smtpserver /t:youraddress@domain.co.uk /f:eventlogs@domain.co.uk

L: The text file with the list of servers you want to query
R: HTML Filename and path for report
H: The number of hours. Default is 24
U: Username with admin creds for remote servers
P: Password for the username you want to use
S: Mail server
T: Send to address, separated by commas
F: The from address

You can wrap this in a batch file and schedule it with Task Scheduler to run as often as desired.
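As an added PowerShell example (this is not the Mr Roboto Event Reporter, and it uses Get-WinEvent rather than WMI), here is a report script with the same shape of inputs: a server list file, a report path, a look-back window in hours, optional credentials, and optional SMTP details for mailing the result. The host, SMTP server and e-mail addresses are placeholders.

```powershell
# Added example: Application/System Warning+Error+Critical events from many hosts into an HTML report.
param(
    [string]   $ServerList = '.\servers.txt',     # one host name or IP per line
    [string]   $Report     = '.\EventReport.html',
    [int]      $Hours      = 24,
    [string]   $SmtpServer,                        # placeholder, e.g. 'smtp.example.com'
    [string[]] $To,
    [string]   $From       = 'eventlogs@example.com',   # placeholder
    [pscredential] $Credential                     # admin credentials for the remote hosts
)

$since = (Get-Date).AddHours(-$Hours)
$rows  = foreach ($server in (Get-Content $ServerList | Where-Object { $_.Trim() })) {
    $params = @{
        ComputerName    = $server.Trim()
        FilterHashtable = @{ LogName = 'Application', 'System'; Level = 1, 2, 3; StartTime = $since }
        ErrorAction     = 'Stop'
    }
    if ($Credential) { $params.Credential = $Credential }
    try {
        Get-WinEvent @params | Select-Object @{ n = 'Server'; e = { $server } }, TimeCreated, LogName,
            LevelDisplayName, ProviderName, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only keeps the table readable
    } catch {
        if ($_.FullyQualifiedErrorId -notmatch 'NoMatchingEventsFound') {
            # Keep unreachable hosts visible in the report instead of silently dropping them.
            [pscustomobject]@{ Server = $server; TimeCreated = Get-Date; LogName = '-'; LevelDisplayName = 'QueryError'
                               ProviderName = '-'; Id = 0; Message = $_.Exception.Message }
        }
    }
}

$summary = $rows | Group-Object Server | ForEach-Object { [pscustomobject]@{ Server = $_.Name; Events = $_.Count } }
# ConvertTo-Html HTML-encodes cell values, so event message text cannot inject markup into the report.
$body = @($summary | ConvertTo-Html -Fragment -PreContent '<h2>Events per server</h2>') +
        @($rows | Sort-Object Server, TimeCreated -Descending | ConvertTo-Html -Fragment -PreContent "<h2>Details (last $Hours h)</h2>")
ConvertTo-Html -Title 'Event log report' -Body $body `
    -Head '<style>table{border-collapse:collapse} td,th{border:1px solid #999;padding:2px 6px}</style>' |
    Set-Content -Path $Report

if ($SmtpServer -and $To) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "Event log report: $($rows.Count) events" `
        -Body (Get-Content $Report -Raw) -BodyAsHtml -Attachments $Report
}
```

Save it as, say, Get-EventReport.ps1 and schedule it with schtasks (for example `schtasks /Create /SC DAILY /ST 06:00 /TN EventReport /TR "powershell.exe -NoProfile -File C:\Scripts\Get-EventReport.ps1"`), running as an account that can read the remote logs; the QueryError rows are worth keeping an eye on, because a host that stops answering is itself a finding.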

[Screenshot: Event Reviewer HTM Report]

That concludes our quick look at some useful tools for dealing with event logs.

1 Comment

  1. 1 more free option is the freeware version of netwrix event log manager (www.netwrix.com)—this tool collects event logs from multiple computers across the network and alerts on significant events.
