Parsing Event Logs with Log Parser

May 9th, 2007 Posted in Tech

I have a bunch of SBS servers which email me nice reports highlighting any errors in their Event Logs over the past day. I inherited a Server 2003 Std machine with no such reporting, so I had to rely on catching issues by laboriously trawling the logs or [worse] having someone at the site get in contact to report an issue. Not good.

I turned to Microsoft’s Log Parser, together with blat (a command-line mailer), to solve this lack of timely and, most importantly, automated reporting.

What you need

  1. Download and install Log Parser (by default it goes into C:\Program Files\Log Parser 2.2)
  2. Download Blat and extract the archive
  3. Copy the contents of the ‘full’ directory to a subdirectory called ‘blat’ in the Log Parser directory


Configuration

We need to tell Log Parser to read the System and Application Event Logs on the server and then output the information in an easily readable format. I wanted HTML reports since that’s what my other SBS machines mail me.

Log Parser uses an SQL-style syntax:

SELECT EventTypeName AS Type,TimeGenerated AS Date,SourceName AS Source,
EventCategoryName AS Category,EventID AS Event,ComputerName AS Computer,
Message INTO Report.html FROM System,Application
WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()),86400))
AND EventType IN (1;2) ORDER BY TimeGenerated DESC

Before you run off screaming . . . all this means is that we want Log Parser to read the System and Application Event Logs, keep only the Error and Warning events (EventType 1 and 2 respectively) whose TimeGenerated falls within the past 24 hours (86400 seconds before the current system timestamp), write them to a file called Report.html, newest first, and present the columns in a similar layout to Event Viewer.

We’re also going to need a template so Log Parser can output Report.html as desired. To do that we create a text file, call it template.txt, and save it in the Log Parser directory. A Log Parser template has three sections: LPHEADER is written once at the top, LPBODY is written once per result row (with %FIELDNAME_n% standing for the column name and %FIELD_n% for the value of column n), and LPFOOTER is written once at the end.

Put the following template code in the file:

<LPHEADER>
<html>
<head>
<title>Event Log Report</title>
</head>
<body>
<h1>Event Log Report</h1>
<table border="1">
<tr>
<th>%FIELDNAME_1%</th>
<th>%FIELDNAME_2%</th>
<th>%FIELDNAME_3%</th>
<th>%FIELDNAME_4%</th>
<th>%FIELDNAME_5%</th>
<th>%FIELDNAME_6%</th>
<th>%FIELDNAME_7%</th>
</tr>
</LPHEADER>
<LPBODY>
<tr>
<td>%FIELD_1%</td>
<td>%FIELD_2%</td>
<td>%FIELD_3%</td>
<td>%FIELD_4%</td>
<td>%FIELD_5%</td>
<td>%FIELD_6%</td>
<td>%FIELD_7%</td>
</tr>
</LPBODY>
<LPFOOTER>
</table>
</body>
</html>
</LPFOOTER>

Note that the TPL output substitutes the field values verbatim, so the Message column (which is free text written by whatever logged the event) lands in the HTML unescaped. Treat the report as you would any other untrusted HTML attachment.
Now we have what we need to get the information from the Event Logs in HTML format, it’s time to put it together as a command for Log Parser.

Create a file called ParseEventLogs.cmd in the Log Parser directory and put the following command in it (all on a single line):

logparser -i:EVT "SELECT EventTypeName AS Type, TimeGenerated AS Date, SourceName AS Source, EventCategoryName AS Category, EventID AS Event, ComputerName AS Computer, Message INTO Report.html FROM System,Application WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()),86400)) AND EventType IN (1;2) ORDER BY TimeGenerated DESC" -q:ON -stats:OFF -o:TPL -tpl:template.txt

To get the report to our email we need to invoke blat to send the message. On the next line of ParseEventLogs.cmd add the following (again, all on one line), replacing RECIPIENT, SENDER and MAILSERVER with your own values:

blat\blat - -subject "Daily Event Log Report" -body "Here is the daily report." -to RECIPIENT -f SENDER -server MAILSERVER -attacht Report.html

Finally you need to create a scheduled task to run on the server. Open a command prompt (Start > Run… > CMD) and enter the following (the embedded \" quotes are needed because the path contains spaces):

schtasks /create /RU "SYSTEM" /SC DAILY /ST 05:45:00 /TN LogParser /TR "\"C:\Program Files\Log Parser 2.2\ParseEventLogs.cmd\""

Two things to check before you rely on this. First, a task started by schtasks does not run with the Log Parser directory as its working directory, so either change into the script’s own directory at the top of the .cmd or use full paths for template.txt, Report.html and blat\blat. Second, the task runs as SYSTEM, so anyone who can modify ParseEventLogs.cmd or template.txt can run code as SYSTEM; make sure only Administrators can write to the Log Parser directory.
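Putting the steps above together, here is a complete ParseEventLogs.cmd as an added example; it is not the original post’s file. It fixes the working directory, refuses to mail a stale or missing report if Log Parser fails, and sends a failure notice instead. The mail addresses, server name and the report file name are assumed placeholders to be replaced with your own.

```batch
@echo off
setlocal

REM Assumed site-specific values: replace before use.
set RECIPIENT=admin@example.com
set SENDER=eventlog@example.com
set MAILSERVER=mail.example.com
set REPORT=Report.html

REM The scheduled task starts us as SYSTEM with System32 as the working
REM directory, so move to the folder this script lives in (%~dp0); template.txt,
REM the report and blat\blat.exe are all referenced relative to it.
cd /d "%~dp0"

REM Remove yesterday's report so a failed Log Parser run cannot mail stale data.
if exist "%REPORT%" del "%REPORT%"

REM Errors (EventType 1) and Warnings (EventType 2) from the last 86400 seconds,
REM newest first, rendered through template.txt into the HTML report.
logparser -i:EVT "SELECT EventTypeName AS Type, TimeGenerated AS Date, SourceName AS Source, EventCategoryName AS Category, EventID AS Event, ComputerName AS Computer, Message INTO %REPORT% FROM System,Application WHERE TimeGenerated > TO_TIMESTAMP(SUB(TO_INT(SYSTEM_TIMESTAMP()),86400)) AND EventType IN (1;2) ORDER BY TimeGenerated DESC" -q:ON -stats:OFF -o:TPL -tpl:template.txt
set RC=%errorlevel%

REM Only mail the report if Log Parser exited cleanly and actually produced the file.
if not "%RC%"=="0" goto failed
if not exist "%REPORT%" goto failed

blat\blat - -subject "Daily Event Log Report - %COMPUTERNAME%" -body "Errors and warnings from the System and Application logs over the past 24 hours are attached." -to %RECIPIENT% -f %SENDER% -server %MAILSERVER% -attacht "%REPORT%"
goto end

:failed
REM A silent failure looks exactly like a quiet day, so say explicitly that the report did not run.
blat\blat - -subject "Daily Event Log Report FAILED - %COMPUTERNAME%" -body "Log Parser exited with code %RC% or did not produce %REPORT%. Check the scheduled task on this server." -to %RECIPIENT% -f %SENDER% -server %MAILSERVER%

:end
endlocal
```

Run it once by hand from the Log Parser directory before scheduling it, and confirm that deliberately breaking the query (say, misspelling a column) produces the FAILED mail rather than nothing. If your mail server requires SMTP authentication, blat accepts -u and -pw switches, but that puts a credential in a file that runs as SYSTEM, which is one more reason to restrict write access to the directory to Administrators only.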
