Select Page

Reading Windows Event Logs

In our shop, we have to monitor a whole bunch of Windows servers to try to keep aware of any issues.  We have monitoring systems that let us know if computers or services fail as a whole.  But we have some of our own applications that write to the Windows Event logs to report their error conditions.  The errors happen, but not necessarily in huge volumes.  As administrators, we need to know whether the applications are logging a lot of errors because the events might be an indication of something needing more investigation.

In the past, we basically waited until something bad happened and then we’d go investigate by looking through Windows Event Logs.  We try to be as professional as possible and catch any problems as early as we can.  Our solution was to set up a monitoring system that scans through WIndows Event Logs across Windows Server computers to notify us of issues.

A Python Look at Windows Event Logs

ActiveState provides the very useful PyWin32 library[1] that enables a Python program to read Windows Event Logs remotely.  You may need to install the library, but that is pretty easily done:

We’ll provide the complete program in a link at the end of this post.  The core of this post is a discussion about how to make use of PyWin32 to read the Event Logs from remote servers.  The methodology is pretty straightforward:

You do have to open each log on each server individually.  But we can handle that pretty easily.  In order to make good use of our own code, we want to create a function that will handle implement the pseudo-code for us.  We have  readEventLog  that accepts the name of a server and the name of a log as parameters.  The function gathers the events from the server and returns a list of all of the events.

The function generally follows the outline of the pseudo code.  We open the event log using the PyWin32 function  win32evtlog.OpenEventLog(server, log_type). This gives us a handle that we can use to get more information.  You can think of the handle as your connection to the event log.  You can then use that handle to get more data.  For example, you can use the handle to find out the total number of events in the log:  win32evtlog.GetNumberOfEventLogRecords(log_handle). In fact, this function prints out a little status message so that you can see that it is running.

Then we drop into the essence of the function: the loop.  The  while loop is going to run “forever.”  Or at least until the  events variable is None.  We initialize the variable so that we enter the loop and then we actually read data from the event log and assign the list of events to the  events variable.  Each Event2 object contains the details from a log entry.

The function actually does a little more than just return events from the event logs.  It is also doing some filtering so that it returns only error events and only events within the last N number of hours.  Those filtering features are accomplished by:

  1. Converting the event time stamp into seconds since the epoch.  The complete program contains the date2sec() function.
  2. Examining the Event.EventType attribute to see whether the event is actually an error.  The ActiveState example program shows a clever way to make use of the enumeration as indexes in a dictionary:

We wrap up this code in our job scheduling system so we can have the program scan Windows Event Logs periodically and then email us the results.  The bottom half of the program is interesting because it builds an array of dictionaries with Windows Log Events.  However, we’ll leave that breakdown to another discussion and another day.  The complete program actually generates an HTML summary of what it found. You can download the  MonitorEventLogs Source Code.

How do you keep tabs on what’s happening in your Windows Event Logs?

Improvement Suggestions

  1. Update the look back number of hours to send more frequent checks.
  2. Filter to show only the “real” errors in which you’re interested.
  3. Modify readEventLog  so there is a parameter to control the types of Windows Events to collected.
  4. Add a mechanism to filter the kinds of events on which to report.

 

References

  1. ActiveState PyWin32: http://docs.activestate.com/activepython/3.3/pywin32/Windows_NT_Eventlog.html
  2. The attributes in the Event object: http://docs.activestate.com/activepython/3.3/pywin32/PyEventLogRecord.html
Share This