EventView
What is EventView?
EventView is a tool that checks the Windows Event Log and sends only the log entries you need as an e-mail. Its main features are:
- It outputs only recent log entries.
By default it reports only log entries recorded in the last 24 hours. You can change this value with the /p option.
- You can specify which log entries should be reported.
You can specify the types of log entries which should or shouldn't be reported by "Log file (Application, Security, System, etc.)", "Type (Information, Warning, etc.)", and "Source (WinMgmt, Security, etc.)".
- You can receive the report as an e-mail.
It can send the output as an e-mail using the external program blat.exe (blatj.exe).
- It is written with Windows Script technology.
EventView is written entirely in Windows Script (it uses WSH and WMI functions, and its programming language is JScript), except for the e-mail sending function, which uses blat.exe (blatj.exe). So you can customize EventView to suit your purpose.
Requirements
EventView should be able to run on Windows 2003 Server, Windows XP Pro, Windows 2000, and Windows NT systems on which Windows Script 5.6 is installed. But I checked it only on Windows 2000 Server (English) and Windows XP Pro (English and Japanese).
Since EventView uses Windows Script 5.6 functions, Windows Script 5.6 has to be installed on a Windows 2000 or Windows NT system beforehand. The default version of Windows Script in Windows XP Pro is 5.6, so you don't need to update Windows Script on a Windows XP system. You can download Windows Script 5.6 from the Microsoft web site.
If you use the e-mail sending function of EventView, you also need:
blat.exe (for English version OS)
blatj.exe and tconvlib.dll (for Japanese version OS)
Download
If you use an English version of Windows, get eventView.wsf and eventView.js. If you use a Japanese version of Windows, get eventViewJ.wsf and eventView.js.
The only differences between eventView.wsf and eventViewJ.wsf are the sample filtering configurations and the e-mail sending software configuration (blat.exe or blatj.exe). Therefore either of them should work on your system if you customize it correctly.
Installation
You don't need any special installation. Just download the needed files, extract the archives, put the needed files (blat.exe, etc.) in the same directory, and edit eventView.wsf (or eventViewJ.wsf) to match your environment.
- Install Windows Script 5.6. (Windows XP Pro and Windows 2003 Server don't need it.)
- Put eventView.wsf, eventView.js and blat.exe in the same directory. (On a Japanese version of Windows, eventViewJ.wsf, eventView.js, blatj.exe and tconvlib.dll have to be located in the same directory.)
- Edit eventView.wsf (eventViewJ.wsf) to match your environment.
- IGNORE_LIST
Specify the log entries which you don't want to be reported. You can use the keyword "any" as a wildcard. Any characters to the right of # are treated as a comment. # can be used only in the IGNORE_LIST and MANDATORY_LIST fields.
- MANDATORY_LIST
You can specify exceptions to IGNORE_LIST. EventView evaluates MANDATORY_LIST first; log entries that match it are output. It then evaluates IGNORE_LIST, and the log entries that don't match it are output.
- MAIL_SERVER
Specify your SMTP server address.
- MAIL_SENDER
Specify the system administrator's e-mail address. This is used as the Reply-To header of the e-mails.
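The evaluation order described above (MANDATORY_LIST first, then IGNORE_LIST, with the "any" wildcard, # comments and the /p time window), as an added example that is not code from eventView.js. The rule syntax "LogFile,Type,Source", case-insensitive matching, the function names and all sample entries are assumptions made for illustration.

```javascript
// Added example. Assumed rule syntax (NOT taken from eventView.wsf):
// one rule per line, "LogFile,Type,Source"; "any" is the wildcard; # starts a comment.
function parseRules(text) {
  return text.split(/\r?\n/)
    .map(line => line.split('#')[0].trim())       // strip the comment to the right of #
    .filter(line => line !== '')
    .map(line => {
      const [logFile, type, source] = line.split(',').map(f => f.trim().toLowerCase());
      return { logFile, type, source };
    });
}

function ruleMatches(rule, entry) {
  return ['logFile', 'type', 'source'].every(key =>
    rule[key] === 'any' || rule[key] === String(entry[key]).toLowerCase());
}

// True when the entry belongs in the report. Applying the /p window before the
// lists is an assumption; the list order (MANDATORY first) is from the page.
function shouldReport(entry, mandatory, ignore, now, hours) {
  if (now - entry.time > hours * 3600 * 1000) return false;    // older than /p:HOUR
  if (mandatory.some(r => ruleMatches(r, entry))) return true; // MANDATORY_LIST wins
  return !ignore.some(r => ruleMatches(r, entry));             // then IGNORE_LIST
}

// Constructed sample configuration and entries (type names are illustrative).
const MANDATORY_LIST = 'Security,Audit Failure,any   # always report failed audits';
const IGNORE_LIST = [
  'Security,any,any      # otherwise drop the Security log',
  'any,Information,any   # drop informational entries from every log',
].join('\n');
const H = 3600 * 1000, NOW = Date.parse('2003-06-05T12:00:00Z');
const SAMPLE_ENTRIES = [
  { logFile: 'Security', type: 'Audit Failure', source: 'Security', time: NOW - 1 * H },
  { logFile: 'Security', type: 'Audit Success', source: 'Security', time: NOW - 2 * H },
  { logFile: 'System', type: 'Warning', source: 'WinMgmt', time: NOW - 3 * H },
  { logFile: 'Application', type: 'Information', source: 'WinMgmt', time: NOW - 3 * H },
  { logFile: 'Security', type: 'Audit Failure', source: 'Security', time: NOW - 30 * H },
];

// Returns the indexes of the sample entries that would be reported.
function reportedIndexes(hours = 24) {
  const [mandatory, ignore] = [MANDATORY_LIST, IGNORE_LIST].map(t => parseRules(t));
  return SAMPLE_ENTRIES
    .map((entry, i) => (shouldReport(entry, mandatory, ignore, NOW, hours) ? i : -1))
    .filter(i => i !== -1);
}
console.log(reportedIndexes(), reportedIndexes(48));
```

Because MANDATORY_LIST is checked first, the broad Security,any,any ignore rule cannot suppress the failed-audit entry; only the time window does.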
How to use
Run EventView from the Windows Command Prompt as shown below. (You can also launch EventView from a Scheduled Task.)
cscript eventView.wsf [/v][/p:HOUR][/t:MAIL_ADDRESS][/s:MAIL_SUBJECT]
cscript eventViewJ.wsf [/v][/p:HOUR][/t:MAIL_ADDRESS][/s:MAIL_SUBJECT]
/v Displays debug information. (not so useful)
/p:HOUR Specifies how many hours back log entries should be reported. By default it reports the log entries of the last 24 hours. (same as /p:24)
/t:MAIL_ADDRESS Specifies the e-mail address to send to. If you omit the /t option, EventView displays the result on STDOUT instead of sending an e-mail. You can specify multiple e-mail addresses separated by commas (,). Don't insert any white space.
/s:MAIL_SUBJECT Specifies the subject of the e-mail. If it includes any white space, please surround the whole subject with double quotation marks ("). (e.g. /s:"log No.1")
Uninstall
You don't need any special uninstallation process, such as clearing registry entries. Just remove the directory containing the EventView scripts.
Known issues, bugs, etc.
Source names or Type names described in IGNORE_LIST and MANDATORY_LIST could be different from the ones shown in the Windows Event Viewer software. Please check the correct name of the log entry by running EventView without the /t option first, then edit eventView(J).wsf.
Some anti-virus software checks what scripts are doing, and when a script tries to access local resources (file system, Eventlog, etc.), it warns the user. In this case, please configure your anti-virus software to allow eventView(J).wsf and eventView.js to access local resources.
Error handling is not implemented, so you could meet a situation like "I'm not sure but doesn't work... Something wrong." In this case, the /v option might help you. Please check if there are any typos, wrong addresses, etc.
I'm not sure why, but I have run into a problem where eventView.js could not get the Win32_NTLogEvent object. (You would receive an empty e-mail.)
Terms of the license
EventView is so-called free software. You can use it freely, on your own responsibility. Of course, there is no warranty. The author doesn't take any responsibility even if you suffer any damages from using this software. If you don't agree to this condition, you are not authorized to use this software.
You can redistribute this software freely. You can also link to this web site.
If you want to send opinions, requests, etc., please send an e-mail to the author. But the author is NOT obligated to fix bugs, add new functions, etc. He might do it, but don't expect too much. This software is just a few short scripts, so please change them to suit your needs yourselves. Also he might not reply to your e-mail, sorry.
Last Modified on 5th June, 2003
Hirotada Sasaki