Event Log Summary

Monitoring the event logs of NT, W2K and W2003 servers is a real pain. There are tools to do this, some free and some pretty pricey. My goal was to summarize the Warning and Error messages in the System and Application logs on a daily basis and output the results to a web page: not a long list of every event, but a count of each repeated event, limited to the previous day's events. So as you start your next day's work you can see at a glance which servers are having problems. In my experience, when something is starting to go wrong the logs get many event messages.

The output is a web page like the one below. Run the script just before midnight using Task Scheduler.

Latest Event Logs 05/05/2005 - 4 Records

Machine   EventID  Source          EventCount  Name   Logfile      TimeWritten
khowlett  29       W32Time         8           Error  System       05/05/2005
khowlett  5719     NETLOGON        3           Error  System       05/05/2005
khowlett  15       AutoEnrollment  2           Error  Application  05/05/2005
khowlett  10016    DCOM            1           Error  System       05/05/2005

As you can see the table is sorted by the highest number of events.

Requirements

The script is written entirely in Perl and uses Dave Roth's Win32::ODBC module.

  1. ActiveState Perl, freely downloadable from www.activestate.com
  2. Dave Roth's Win32::ODBC module, www.roth.net
  3. An ODBC connection to the Access database, provided in the download
  4. Administrative access to your servers.

Installation

  1. Download the code and extract to suitable directory
  2. Download and install Perl 5.6.1 http://downloads.activestate.com/ActivePerl/Windows/5.6/ActivePerl-5.6.1.638-MSWin32-x86.msi
  3. Open a command prompt and type ppm install win32-odbcbeta --location=http://www.roth.net/perl/packages. You'll need direct internet access for this. A proxy can be used if that's all you're permitted. See the ActiveState documentation on PPM.
  4. Copy the asp files to your web server's root or virtual directory.
  5. Copy the MS-ACCESS database to the same directory.
  6. Create a System DSN pointing to the MS-ACCESS database and call it "Eventlogs"
  7. Open the datasrc.asp file and edit the path to point to your location:
            strConnect = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\events\web\events.mdb;Persist Security Info=False;"
  8. Create a text file with a list of all the servers you want to monitor, e.g. serverlist.txt
  9. Change to the directory where you unzipped the files and run perl ev3.pl -s serverlist.txt > out.txt
  10. Go to your web browser and enter the URL you installed the default.asp page to.
  11. You should get a page displaying summarised daily event logs. If you run the program again the logs will be duplicated, so you'll get duplicate messages.
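
The daily summary and the duplicate-on-rerun behaviour described above, as an added example that is not part of the original download. It is Python rather than the script's Perl, an in-memory SQLite table stands in for the Access database, and the table and column names are assumptions taken from the report headers. Keying the stored rows makes a second run for the same day overwrite instead of duplicate.

```python
import sqlite3
from collections import Counter
from datetime import date

REPORT_DAY = date(2005, 5, 5)
K = "khowlett"
# Constructed sample records: (machine, event ID, source, type, logfile, date written).
SAMPLE_EVENTS = (
    [(K, 29, "W32Time", "Error", "System", REPORT_DAY)] * 8
    + [(K, 5719, "NETLOGON", "Error", "System", REPORT_DAY)] * 3
    + [(K, 15, "AutoEnrollment", "Error", "Application", REPORT_DAY)] * 2
    + [(K, 10016, "DCOM", "Error", "System", REPORT_DAY)]
    + [(K, 7036, "Service Control Manager", "Information", "System", REPORT_DAY)]
    + [(K, 29, "W32Time", "Error", "System", date(2005, 5, 4))]  # earlier day
)

def summarize(events, day):
    """Count identical Warning/Error events written on `day`, highest count first."""
    counts = Counter(
        (m, eid, src, typ, log)
        for m, eid, src, typ, log, written in events
        if written == day and typ in ("Warning", "Error")
    )
    rows = [(m, eid, src, n, typ, log, day.isoformat())
            for (m, eid, src, typ, log), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))

def open_store():
    """Assumed schema: one row per distinct event per machine per day."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE summary (
        machine TEXT, event_id INTEGER, source TEXT, event_count INTEGER,
        name TEXT, logfile TEXT, time_written TEXT,
        PRIMARY KEY (machine, event_id, source, name, logfile, time_written))""")
    return db

def store(db, rows):
    # The primary key plus INSERT OR REPLACE keeps a re-run from adding duplicates.
    db.executemany("INSERT OR REPLACE INTO summary VALUES (?,?,?,?,?,?,?)", rows)
    db.commit()

def report(db, day):
    """Rows for one day, ordered the way the web page shows them."""
    return db.execute(
        "SELECT machine, event_id, source, event_count, name, logfile, time_written"
        " FROM summary WHERE time_written = ?"
        " ORDER BY event_count DESC, machine, event_id",
        (day.isoformat(),)).fetchall()
```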

Troubleshooting

  1. Make sure your IUSR_COMPUTERNAME user account has read access to the directory where you've located default.asp.
  2. You need to run the script as a user with Admin rights, otherwise you'll get permission errors.
  3. For NT4 Server you'll need to install WMI from Microsoft.
  4. Check the out.txt file for errors.
  5. If all else fails drop me a line with as much info as possible and I'll do my best to help.

Notes

The MS-Access database has no housekeeping so it's up to you to monitor its size and archive/delete as necessary.