So for once I thought I'd give something back in the hope that it will be useful for others... For this you will need Microsoft Log Parser and blat. Log Parser is a powerful little utility that allows you to use SQL statements to search many different types of log files and then export them into a variety of formats. For my example we will search the Windows Event Viewer for Warning and Error messages, we will then export them to an HTML file via a template, and finally we will email the message to ourselves.
First the code and what it does.
It's really broken into 3 segments that do the same thing, just in different logs. The 3 things that it does are 1) Search the log for Warning, Error, or Failure events, 2) If anything is found, email the results to me, 3) Delete the results to keep from getting any duplicates.
rem @echo off
REM Using Microsoft Log Parser to stay on top of problems in Event Viewer
REM By Scotty D
REM February 2008
REM You need to download both "blat" and "Microsoft Log Parser"
REM Blat is at http://www.blat.net/
REM Microsoft Log Parser is at http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx
REM These only need to be installed on the machine where the script is run
REM Here you set all of your variables as it's much easier to do it here than in the details of the script
set evtlogshome=c:\tools\evtlogs\
set serverlist=%evtlogshome%servers.txt
set logparser="C:\Program Files\Log Parser 2.2\LogParser.exe"
set blat=C:\tools\blat262\full\blat.exe
set adminemail=bobkratchet@superniftyserver.com
set emaildomain=@superniftyserver.com
set SMTP=relay.superniftyserver.com
REM Parse the System Event log using Microsoft Log Parser
REM We are looking only for error events and Warning events
REM Only the new events since the last time this script was run will be sent via email
REM You will get one email per server where a new event is found
REM If no new Error or Warning event is found, you won't get an email
@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%systemerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, Message INTO %evtlogshome%reports\%%asystem.htm FROM \\%%a\System WHERE EventTypeName = 'Error event' OR EventTypeName = 'Warning event'" -iCheckpoint:%evtlogshome%tail\%%asystemcheckpoint.lpc
REM Now email the details from each server out if anything is found
@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asystem.htm %blat% %evtlogshome%reports\%%asystem.htm -serverSMTP %SMTP% -f %%a%emaildomain% -to %adminemail% -s "New System Event log event on %%a"
REM Delete those suckers so we don't get junk
@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asystem.htm del %evtlogshome%reports\%%asystem.htm
REM Parse the Application Event log using Microsoft Log Parser
REM We are looking only for error events and Warning events
REM Only the new events since the last time this script was run will be sent via email
REM You will get one email per server where a new event is found
REM If no new Error or Warning event is found, you won't get an email
@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%Applicationerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, Message INTO %evtlogshome%reports\%%aapplication.htm FROM \\%%a\Application WHERE EventTypeName = 'Error event' OR EventTypeName = 'Warning event'" -iCheckpoint:%evtlogshome%tail\%%aapplicationcheckpoint.lpc
REM Now email the details from each server out if anything is found
@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%aapplication.htm %blat% %evtlogshome%reports\%%aapplication.htm -serverSMTP %SMTP% -f %%a%emaildomain% -to %adminemail% -s "New Application Event log event on %%a"
REM Delete those suckers so we don't get junk
@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%aapplication.htm del %evtlogshome%reports\%%aapplication.htm
REM Parse the Security Event log using Microsoft Log Parser
REM We are looking only for Failure Audit events
REM Only the new events since the last time this script was run will be sent via email
REM You will get one email per server where a new event is found
REM If no new Failure Audit event is found, you won't get an email
@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%Securityerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, ComputerName, Message INTO %evtlogshome%reports\%%asecurity.htm FROM \\%%a\Security WHERE EventTypeName = 'Failure Audit event'" -iCheckpoint:%evtlogshome%tail\%%asecuritycheckpoint.lpc
REM Now email the details from each server out if anything is found
@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asecurity.htm %blat% %evtlogshome%reports\%%asecurity.htm -serverSMTP %SMTP% -f %%a%emaildomain% -to %adminemail% -s "New Security event log event on %%a"
REM Delete those suckers so we don't get junk
@for /f "tokens=1" %%a in (%serverlist%) do if exist %evtlogshome%reports\%%asecurity.htm del %evtlogshome%reports\%%asecurity.htm
The block of set commands is simply for setting a bunch of variables. They are rather self-explanatory, just follow the format of the examples given. The checkpoint files are files Log Parser uses so that it doesn't look at the entire log again on each run; it's a similar concept to using "tail".
Now let's break out the first set of commands.
@for /f "tokens=1" %%a in (%serverlist%) do %logparser% -i:EVT -o:TPL -tpl:%evtlogshome%systemerror.tpl "SELECT TimeGenerated, EventTypeName, SourceName, Message INTO %evtlogshome%reports\%%asystem.htm FROM \\%%a\System WHERE EventTypeName = 'Error event' OR EventTypeName = 'Warning event'" -iCheckpoint:%evtlogshome%tail\%%asystemcheckpoint.lpc
The for command is simply a batch command which tells the script to open the txt file of servers and loop through the command until all servers are done. Starting at do is the Log Parser command.
%%a - any time you see that, it's the current "token" (server name) pulled from the txt file of servers
-i:EVT tells the script you are looking at Windows Event Viewer
-o:TPL tells the script to output the findings to a template format
-tpl: tells the script the location of your template file
SELECT - the SELECT statement is your SQL, in this instance we pick selected fields from Event Viewer. You could substitute * to see everything and pick which fields you want just as you would when doing a database query.
INTO tells which output file to put the results into, in my case HTML
FROM is the server and log. In this case \\%%a\System means it will be the current server of the batch for loop and its System log.
WHERE is simply conditional SQL to filter out all of the stuff I don't want to see.
-iCheckpoint spells out the file where the past parsed information is kept so that it doesn't send you duplicate messages.
The tough part is done. Next we simply see if a file exists, and if it does we send it out via blat. After that, we check if the file exists and then delete it.
The last part of this is the template and it's ridiculously simple. Basically what I wanted to do was set up a simple HTML table that would get emailed to me via blat. You really just need to correspond the fields you selected in the query to the fields you want in the table.
<LPBODY>
<TABLE border=1>
<TR>
<TD width=15%>%TimeGenerated%</TD>
<TD width=5%><font color=red>%EventTypeName%</font></TD>
<TD width=10%>%SourceName%</TD>
<TD width=70%>%Message%</TD>
</TR>
</TABLE>
</LPBODY>
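As an added example, not code from the original post, here is the System-log segment redone in PowerShell (Windows Vista/Server 2008 or later): Get-WinEvent and Send-MailMessage stand in for Log Parser and blat, and a per-server file holding the last mailed EventRecordID replaces the .lpc checkpoint, so a rerun never resends an event and a failed send is retried. The paths, relay and addresses are the post's placeholders; servers.txt is assumed to sit under $evtlogshome.

```powershell
# Added example (not from the original post): Log Parser/blat System-log segment in PowerShell.
# Checkpoint = last EventRecordID mailed, one file per server under $evtlogshome\tail.
$evtlogshome = 'C:\tools\evtlogs'
$smtp        = 'relay.superniftyserver.com'
$adminEmail  = 'bobkratchet@superniftyserver.com'
$emailDomain = '@superniftyserver.com'
$servers     = Get-Content (Join-Path $evtlogshome 'servers.txt') | Where-Object { $_.Trim() }

foreach ($server in $servers) {
    $checkpoint = Join-Path $evtlogshome "tail\$server-system.txt"
    $lastId = if (Test-Path $checkpoint) { [int64](Get-Content $checkpoint) } else { 0 }

    # Level 2 = Error, 3 = Warning; "EventRecordID > checkpoint" does what -iCheckpoint did.
    # -MaxEvents caps a first run (or a big backlog) at the 500 newest matching events.
    $xpath  = "*[System[(Level=2 or Level=3) and (EventRecordID > $lastId)]]"
    $events = @(Get-WinEvent -ComputerName $server -LogName 'System' -FilterXPath $xpath `
                   -MaxEvents 500 -ErrorAction SilentlyContinue | Sort-Object RecordId)
    if ($events.Count -eq 0) { continue }   # nothing new, no mail (same as the batch script)

    # ConvertTo-Html HTML-encodes every cell, so text inside a Message cannot inject markup
    $body = $events |
        Select-Object TimeCreated, LevelDisplayName, ProviderName, Message |
        ConvertTo-Html -Fragment -As Table | Out-String

    try {
        Send-MailMessage -SmtpServer $smtp -From "$server$emailDomain" -To $adminEmail `
            -Subject "New System Event log event on $server" -BodyAsHtml -Body $body `
            -ErrorAction Stop
        # Advance the checkpoint only after the relay accepted the mail
        $events[-1].RecordId | Set-Content $checkpoint
    } catch {
        Write-Warning "Mail for $server failed, checkpoint not advanced: $_"
    }
}
```

The Application log is the same loop with -LogName 'Application'; for the Security log use Level=0 plus the failure keyword filter rather than Level 2/3, since audit failures are not Error or Warning entries.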
Once I had this set up, I just set one of my machines to check every server (via the list) every morning before I come in. Since it's only new events, the volume is rather low and I can skim through them quickly to see if there are problems needing addressing. The final result is simply an email like this. :)
Example System Event Log error message:
From: monitoredserver@superniftyserver [mailto:myserver@superniftyserver]
Sent: Wednesday, February 13, 2008 1:11 PM
To: Kratchet, Bob
Subject: New Server Event log event on monitoredserver
| 2008-02-13 12:45:55 | Warning event | LSASRV | The Security System detected an authentication error for the server LDAP/powerfulserver.superniftyserver.com/superniftyserver.com@superniftyserver.com. The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)". |
| 2008-02-13 12:46:41 | Warning event | LSASRV | The Security System detected an authentication error for the server LDAP/nitcdc01.superniftyserver.com/superniftyserver.com@superniftyserver.com. The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)". |
