Recently one of our clients asked us about the best way to organize a passive monitoring of their servers. The client told us that they don’t need to monitor the servers actively, but they want to have weekly reports about the problems. They tried to gather events using Windows PowerShell and export them to CSV format (to view events in Excel), but finally they gave up.
Task
The customer reported that he is a system administrator of a network with 4 Windows 2008 Severs and he needs to check out only system and application event logs of these servers. Ideally, these machines should generate only information events (no error or warnings). He would like to have reports of the problems in the beginning of every week.
So we can reformulate the task as follows:
Generate weekly report of all non-Information events in Application and System logs.
Our solution
First of all, we suggest to start a new copy of Event Log Explorer and create a new workspace for this task (use File->New workspace command). You can ignore this suggestion, but we recommend to always separate long-running tasks (like active monitoring or scheduled tasks) from operative event log tasks.
Then we need to add the required servers to the tree. This can be done either with help of Add Computer Wizards or manually (by pressing Add computer button).
It’s time to create our log view. We will consolidate all the application and system logs from these servers in one view.
Open Serv1 server in the tree and double click on System log to open in.
We can subsequently add other event logs to the view, but it is better to set on-load filter first. Go to View->Log Loading Options, select Load event from last 7 days (we need a report for the last week) and untick Information type.
Now we can add other logs to the view and they will be filtered automatically:
Right click on Application log of Serv1 and select Merge with the current view. Open Serv2, Serv3 and Serv4 and continue to add their application and system logs to the view.
Click on Date column to sort all merged events by date and time.
Rename unclear “Merger” name to something better: select View->Rename and change the name to “Weekly report“.
Now you should get something like this:
Let’s automate this.
Select Advanced->Scheduler from the main menu and create a new task. Name the task as “Problem Report” and click Next.
Set when we want to run the task, e.g. on Mondays at 7:00:
Click Next and select what we want to do: Refresh, then export:
We will export to Excel 2007 format with event descriptions.
Leave “Export path” with the default value “%USERPROFILE%\Documents” which means that Event Log Explorer will save reports in Documents folder of your user profile (note that in Export path you can enter any Windows path, including UNC paths, so it lets you store reports on remote computers).
Click Next, then Finish and then OK in Scheduler window. Now you can save the workspace (File->Save workspace) and minimize the application (you can minimize it even into the notification area).
That’s all. On Monday at 7:00 AM, Event Log Explorer will load error and warning events for the last week from the servers and export these events into XSLX file:
And even if you close the program or restart your PC, you can always run Event Log Explorer and open your workspace – this will load all your settings and restore the scheduler.
Conclusion
As you can see, tuning Event Log Explorer didn’t take a lot of time (I did it in just 4 minutes), and what is more important you will have regular reports about problems from different sources without extra work! Needless to say that you can easily modify event filters to fulfill your specific requirements.
