Powershell Centralized Log Monitor

Monitors a collection of servers for specified log events, and sends email alerts when it encouters the monitored events.

4.9 Star
Add to favorites
E-mail Twitter del.icio.us Digg Facebook
  • Found 0 alert events in 0.947528 seconds
    1 Posts | Last post May 01, 2018
    • Hi Mjolinor,
      Thank you for the amazing script!!
      Script is running and email notification is also working fine.
      However, I am stuck as it is reporting 0 alert events in 0.0xxx secs.
      All the pre-reqs are exactly what has been mentioned here. Not sure, where & what I am missing ??
      Need your help with this. Running the script on 2008 R2 with Powershell V3.
  • Have all events for System/Application log for the last 24 hours
    1 Posts | Last post February 19, 2016
    • First thank you very much for this script, looking for ages to find a powershell which does just that.
      Actually I would like to modify the script so it does:
      1) checks both the Application and System logs
      2) checks for all Warning/Error events for the last 24 hours
      Emailing me those results on a daily basis.
      Thanks if you could help me doing that.
  • Found 0 alert events in 0.0829357 seconds
    2 Posts | Last post September 15, 2015
    • Hi, I'm trying the script against my Windows 2012 Server but I get the following result:
      Log monitor started at 01/14/2014 23:37:18
      Started processing srv-jay-dc01
      Processing 200 events.
      Found 0 alert events in 0.0843992 seconds.
      ********** Sleeping for 59.9061102 seconds
      I created an alert_events.csv file by simply opening notepad, and typing the following line:
      and then saving the file as a .csv.
      There is nothing else in the file.
      I know that this event exist in my Application log. Why is the script not finding it?
      Thanks in advance for your help.
    • Hi jalewa, I think you miss the title.
      Like in this example:
  • weird issue trying to schedule the script
    1 Posts | Last post September 14, 2015
    • Hi there, I have no problem running manually the script but if I try to schedule it I get an output link the following...
      "Central Monitor has alerted on the following events: 
      do you have any idea abount this problem?
  • Error sending mail
    12 Posts | Last post June 14, 2011
    • Hi,
      Lately I've came across a problem sending mail, it used it work fine until I added another 60 servers for it to monitor. So I know this server is capable of sending mail.
      Now I always get
      Exception calling "Send" with "1" argument(s): "Failure sending mail."
      At C:\Powershell\alert\monitorevents.ps1:43 char:17
      + $SMTPClient.Send <<<< ($mailmessage) 
          + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
          + FullyQualifiedErrorId : DotNetMethodException
    • After doing a bit of troubleshooting, it seems to struggle when monitoring lots of servers, maybe around 15-20, I start getting the error after adding more and more computers to monitor. Is anyone monitoring more than say 15-20 machines successfully?
    • Actually 34 seems to be the limit. Fails everytime with 35 computers to monitor, even if they are different computers. Can anyone else confirm this?
    • What's your monitoring interval?  It's single threaded, so it's possible to throw more servers at it than it can handle in one cycle.  I can't think of any reason why it should stop at 35.
    • If it's only the email that's failing, can you check the SMTP protocol logs of whatever server you're using for a mail relay?  There may be more detailed information there about why the email didn't send.  
    • The monitoring interval is 120 minutes.
      I'll have a look at the smtp server.
    • This ties up with the failure time
      15:35:52 xxxxxx EHLO - 250
      15:35:52 xxxxxx QUIT - 240
    • That's not telling us much.  You're going to need more verbose logging than that.  
    • which options do you need turning on?
    • We need to see the whole SMTP conversation.  Why did it quit instead of accepting the email? Exactly how you do that is going to depend on what it is that's running that SMTP service (IIS? Exchange?  Exchange version?, something else?).  Diagnose it like any other email delivery failure.
    • OK. I've not really worked on mail problems before so you'll have to bear with me a little! thanks for your help so far anyway.
    • Hi, I am trying to use this script but I can't make it work....  
      I appreciate your help with the following errors.
      Kind regards
      PS C:\Temp> .\events.ps1
      Incomplete $(subexpression) sequence in string.
      At C:\Temp\events.ps1:115 char:18
      + Write-Host "`n$("* <<<< "*60)"
      Log monitor started at 06/14/2011 14:43:25
      Incomplete $(subexpression) sequence in string.
      At C:\Temp\events.ps1:117 char:16
      + Write-Host "$("* <<<< "*60)`n"
      Started processing backup03
      Get-EventLog : A parameter cannot be found that matches parameter name 'Compute
      At C:\Temp\events.ps1:57 char:37
      + $index = (Get-EventLog -ComputerName  <<<< $_ -LogName $log -newest 1).index
      Processing 200 events.
      Get-EventLog : A parameter cannot be found that matches parameter name 'Compute
      At C:\Temp\events.ps1:80 char:45
      + else {$log_hits = Get-EventLog -ComputerName  <<<< $_ -LogName $log -Newest $
      n |
      Found 0 alert events in 0.0336741 seconds.
      Incomplete $(subexpression) sequence in string.
      At C:\Temp\vranger_events.ps1:129 char:19
      +  Write-Host "`n$("* <<<< "*10) Sleeping for $($sleep_time) seconds `n"
  • Getting error: "Cannot index into a null array"
    8 Posts | Last post February 02, 2011
    • Echoing the general sentiment, this is an awesome script. Thank you so much!
      That said (and truly meant), I get the above error twice each time the script loops. The first one says
      at (path) :60 char 14
      + if (loghist[ <<<< $_l)...
           + Category Info         : InvalidOperation: (servername):String) [], RuntimeException
           + FullyQualifiedErrorID : NullArray
      the second error says the same thing, but it's at line 83 char 10
      I'm not a programmer, but sometimes I'm forced to play one at work. Any help would be greatly appreciated.
      Ernie Lowell
    • Check your monitored_computers.txt for blank lines.
    • Thanks for getting back so quickly. The monitored_computers.txt file has one line, and according to Notepad has no CR/LF after the computer name nor a blank space after the last character. Is there a special type of format that file needs to have? All I have in there is the servername (VMPEPIC01) with no spaces, commas, headings, etc.
    • Can you recopy the script (use the  Copy Code link in the upper RH corner to copy directly to your clipboard, and then paste it into notpapad.
      This part of the error leads me to believe something didn't copy correctly:
        if (loghist[ <<<< $_l)...
      That line should read 
      if ($loghist[$_]) {$n = $index - $loghist[$_]}
      And it seems to be finding:
      if (loghist[$_1) 
    • I copied the file as requested, yet the error persists. This is the actual entire message (copied and pasted):
      Log monitor started at 02/02/2011 13:55:58
      Started processing VMPEPIC01
      Cannot index into a null array.
      At C:\Documents and Settings\e9service\event1000notify.ps1:60 char:14
        if ($loghist[ <<<< $_]) {$n = $index - $loghist[$_]}
            CategoryInfo          : InvalidOperation: (VMPEPIC01:String) [], RuntimeException
            FullyQualifiedErrorId : NullArray
      Log index changed since last run. The log may have been cleared. Re-seeding index.
      Processing 200 events.
      Cannot index into a null array.
      At C:\Documents and Settings\e9service\event1000notify.ps1:84 char:10
        $loghist[ <<<< $_] = $index
            CategoryInfo          : InvalidOperation: (VMPEPIC01:String) [], RuntimeException
            FullyQualifiedErrorId : NullArray
      Found 0 alert events in 1.408697 seconds.
      The contents of the monitored_computers.txt file is:
      There is only one event ID in the alert_events.csv file, ID 1000.
      Thank you for your time.
      Ernie Lowell 
    • Well, the error message has changed from what you originally posted, and line text looks right now.  See if there's a *loghist.xml file in the script directory and if there is, delete that and try re-running it.
    • There was such a file, I deleted it, and now it is running without error. Thanks!
    • Cool.  That file keeps track of the index of the last log entry read from that server.  It gets created the first time you run the script, and then after that gets re-used and updated on subsequent runs to know where to start reading the log file.  I suspect there was a problem with the original script that you were running that caused it to created incorrectly.  Deleting it forced the (now corrrect) script to recreate a new one.
  • Script not working?
    5 Posts | Last post January 18, 2011
    • I'm trying to use this to find failed login attempts.  I looks close but when I look for Security Event ID 4625 on Windows Server 2008 R2.  It returns nothing.  Any ideas?
    • This script is exactly what i'm looking for, however I'm getting nothing returned. I'm trying to query the Directory Service log for anonymous LDAP on a Windows 2008 R2 server. Here's my .csv
      Source ID (Each their own column)
      "NTDS LDAP"	1073744962
      "NTDS LDAP"	1073744713 <--- This is the event I'm looking for, the above was more frequent so I added it
      Can anyone help?
    • I believe that's an instance id, and not an event id.
      Does it work better if you run it with the -useinstanceid switch?
    • mjolinor,
      I get the same result running with the -useinstanceid switch. Sorry about my last post, I meant to say instanceID not eventID. I'm not sure what I'm doing wrong. In the csv file I enclosed the NTDS LDAP in quotes, and without quotes. I know those events are in the Directory Service log. I'm running the script from my windows 7 machine, launching powershell with my domain admin account. I'm just not getting anything back.
    • I don't have a 2008 R2 server to test with.  If you can email me your monitored_servers.txt and alert_events.csv files, and a half dozen or so of those events exported as clixml I can try to debug.
      [string](0..33|%{[char][int](46 ("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
  • Bug Fix and Missing Events
    6 Posts | Last post May 28, 2010
    • Hello,
      Firstly, thank you for this!  It's great to have something which only requires short-term monitoring outside the scope of 'infrastructure' monitoring.
      I've been doing a bit of QA on this script to ensure that the data it pulls back is definitely what it should be.  Unfortunately the script was not pulling back events which I could see in the event logs.  Gladly, I have found the source of the problem, and what to change.
      Around line 24 is the following line:
      $log_hits = Get-EventLog -ComputerName $_ -LogName $log -Newest $n |
      ? {$event_list[$_.source + "#" + $_.instanceid]}
      One event that was not pulling back in particular was in the Application log, Source SecCli event 1704.  This is because the above code is filtering on $_.instanceid rather than $_.eventid
      Corrected bit to pull on eventID rather than instanceID:
      $log_hits = Get-EventLog -ComputerName $_ -LogName $log -Newest $n |
      ? {$event_list[$_.source + "#" + $_.instanceid]}
      More often than not (but not always), the instance and event IDs appear to match (this can be seen by executing something like Get-EventLog -ComputerName workStation12345 -LogName Application -Newest 200)
      Then all I did was take Example 9 from get-help get-eventlog -full and noticed that $_.EventID was used to filter results.  Example 8 gives more detail on this also.
    • Sorry, the code in question is around line 76
    • First, thank you for the feedback.  It is much appreciated.
      Now, to business.
      I've had one other complaint about using instanceid, rather than eventid.  The reason for using it was that during the writing of the script, I perused several different log files for examples.  Basically it comes down to the lowest common denominator.  Doing a get-eventlog on the "classic" event log types will return both an eventid and an instanceid.  The newer log types being implemented in Vista/W7 will only return an instanceid.  I made the decision to go with the instanceid so that it would be compatible with both types of log files.  This seems to have caused much confusion, and I may need to re-think that.
    • That was the question which I intended to find the answer to today (difference between eventID and instanceID) so thanks for clearing that up!
      I believe I have a way that will allow accurate reporting across XP and Vista - 
      around line 56 I added the following:
      ## Get the OS version number below.  If it is older than Vista process the EventID.  If it is Vista or Newer (version 6) process
      ## the InstanceID
      $os = gwmi win32_operatingsystem -computer $server | % {$_.version}
      if ($ver -lt 6){
          $useID = 'EventID'
      else {
          $useID = 'InstanceID'
      then later in the script I changed the previous call of InstanceID from:
      ? {$event_list[$_.source   "#"   $_.InstanceID]}
      ? {$event_list[$_.source   "#"   $_.$useID]}
      I tested this by tweaking the os version to -lt 5 and it seems to work, but I don't (sadly) have access to anything newer than 2003 to try this on the newer platforms.
      I used this to nab the version numbers:  http://msdn.microsoft.com/en-us/library/ms724832(VS.85).aspx
    • Thanks for the input.  I thought about this some, and I'm considering changing the script to default to using eventid, since that seems to be the most common way of identifying the events, and adding a switch to allow specifying events by instanceid if you're reading events from logs that only provide that.  
      Selecting by OS version adds the additional overhead of having to do a WMI query of each system being monitored and either saving it, or re-running it on each pass. WMI is nice, but relatively expensive to the target system.  Since this was made to run constantly and repetitively I'd like to be as non-intrusive to the monitored systems as possible.
    • I updated the script to use EventID, rather than InstanceID for the event identifier.  I left the InstanceID bits in, and added a -useinstanceid switch in case anyone needs to use it on log types that only return an instanceid when doing a get-eventlog.
  • no results returned
    10 Posts | Last post May 13, 2010
    •     This script looks exactly like what I am looking for but I think I am doing something wrong maybe with my .csv file because it never finds the events i'm looking for. I want to scan system log for source disk event id 7.  when I run get content \\My CSV file it returns disk,7. I changed $log = system. Any idea what else I am missing?
    • I didn't see my last reply post, so I'll try again.
      You need to have column headings of Source and ID in your csv in the first row.
      In your csv, row1 would be Source,ID
                   row2 would be disk,7
      You can do it up in Excel, and save it as type MS-DOS CSV
    • Looks like I am having the same problem even though my .CSV is set up correctly as far as I can tell.
      $log = system (in script)
      I also get the following emails which don't correspond with the events I'm searching for:
      Log monitor found monitored events. 
      Any ideas on what I'm doing wrong?
    • Make sure you're using the correct event ID.  If you run get-eventlog from a PS console on the system/log you're wanting to monitor and find one of the events you want to alert on, the event ID will be the number listed under InstanceID in the output. 
    • ***UPDATE***
      It looks like the only time using the "Event ID" straight from Event Viewer works is when you are searching the "Security" log. Otherwise you have to use the InstanceID you get after you execute the following command from PowerShell:
      Get-EventLog -ComputerName <COMPUTERNAME> -LogName "<LOG>" -Newest 100 |
      ? {$_.source -eq "<SOURCE>"}
      (In the code above, everything including the < > needs to be replaced with a value supplied by you.) 
      This will look at the newest 100 events for your "source" criteria. If you are looking at the "System" log, -Newest 100 should suffice to find what you need. If however you are looking at the "Application" log, you may need to increase the -Newest value.
      My new .CSV file now looks like this:
      Works like a charm now. 
      Thanks to mck74 
    • Looks like I got cut off. That last sentence was supposed to be:
      Thanks to mck74 
    • Glad it's working.  I'll pass it along to mck74 if they're still active on the thread.  
    • This worked fine on my VMWare setup.  However, it is not happy on my test network.  I have a domain and workstations.  When I add the local server name to the txt file, it works fine.  If I try to add the computer name of any other system, I get this error:
      Get-EventLog : Attempted to perform an unauthorized operation.
      I am sure it is something simple and quick, but I can't seem to figure it out.  Any ideas?
    • That sounds like a permissions issue.  Make sure the account you're using is a domain account, with permissions to access the event logs you're monitoring on the remote systems.  
    • @mjolinor 
      First, thank you for this script....as others have mentioned, I have been searching and searching for someting along these lines to assist with identifying a particular workstation event which we are attempting to resolve with the deployment of a critical update via WSUS.  Rather than searching through the very cumbersome WSUS interface to identify any workstations which have not received the update, this will allow me to query the workstations for the particular event.
      In order to get it to work, I had to complete the same procedure as Mstrwhizrd, and locate the InstanceID and use it in place of the regular Event ID taken from the actual event.  I am searching the Application Log as well.
      Couple of Questions:
      1. How can I limit the query and the email results to only include the most recent instance of the event rather than all instances of the event I am searching for?
      2. How can I include the Date and Time of the event in the display results and the resulting email output.
      3. If the above can be achieved, I would also like a to include a total number of instances identified.  Meaning, if my computer.txt file contains 100 computer names, and script identifies the most recent occurrence of the event on 35 out of the 100 computers, I would like to add a calculation of the total numbers of occurrences  identified and include that in the display output as well as the email output.
      4. Finally, the last of my laundry list....when running the script against 200 workstations, some of the workstations are powered off or unable to be queried for whatever reason.  At the end of the script, I would like to have those computer names displayed in the results as well as included in the email output.
      I am a beginner to PS and trying to learn little by little but after spending hours trying to accomplish some of these items, I know it is time to turn to the experts.
      Thanks in advance