Powershell Script for Collection Events Logs from multiple servers and generating a single html report

i was asked by a customer to do this and it was one of those scripts that was written in about 15 mins and to me anyway proved interesting just to write and output to html…

their big thing is they wanted to be able to collect multiple events logs from multiple systems and have on file that stored the information for later purposes (which havent been divulged yet!)

Anyway here is the script


Feedback is always welcome…..




$inputfilepath = $env:USERPROFILE + “\Desktop”
$inputfilename = “servers.txt”
$serverlistinput = $inputfilepath + “\” + $inputfilename

Write-host “Check Input File” -Foregroundcolor Yellow -Backgroundcolor Black
$checkinputexist = test-path $serverlistinput

if ($checkinputexist -ne $True)
 Write-host “Please Generate Servers.txt on the desktop. This should contain all the servers you wish to connect to” -Foregroundcolor Red -BackgroundColor Black
 write-host “One Entry per line” -Foregroundcolor Red -Backgroundcolor Black
 Exit 1
write-host “Input File Exists!” -Foregroundcolor Green -backgroundcolor Black

Write-Host “`nReading in server list, Please wait…” -foregroundcolor Yellow -backgroundcolor Black
$serverlist = Get-Content $serverlistinput
if ($serverlist.count -gt 0)
Write-Host “`nWe have read ” $serverlist.count ” servers from the file” -Foregroundcolor Green -backgroundcolor Black
Write-Host “The following servers will be scanned `n” $serverlist -Foregroundcolor Green -backgroundcolor Black
 write-host “Servers.txt is either empty or corrupt please re-create or add server names to the list” -foregroundcolor red -backgroundcolor black
 exit 1

#test for results directory if does not exist create it!

$resultsdirexist = Test-Path $env:USERPROFILE
$resultsdirparent = $env:USERPROFILE + “\Desktop”
$resultsdirname = “EventLog”
$testpath = $resultsdirparent + “\” + $resultsdirname
$resultsdirexist = Test-Path $testpath

if ($resultsdirexist -ne “True”)
Write-Host “Directory Does not exist.”
Write-Host “Creating….”
Set-Location $resultsdirparent
New-Item -path $resultsdirparent -Name EventLog -type directory
Write-Host $testpath ” has been created”
Write-Host “This is where all output from the files will be stored”


$report = $testpath + “\reports.htm”
Clear-Content $report

[array]$eventlogs = $null
$eventlogs += “Application”
$eventlogs += “Security”
$Eventlogs += “System”
$countarr = $eventlogs.count


Foreach ($s in $serverlist)
 $progress = “.”
 Add-Content $report “<html>”
 Add-Content $report “<head>”
 Add-Content $report “<meta http-equiv=’Content-Type’ content=’text/html; charset=iso-8859-1′>”
 Add-Content $report ‘<title>Event Log Report for Server $s</title>’
 add-content $report ‘<STYLE TYPE=”text/css”>’
 add-content $report “<!–“
 add-content $report “td {“
 add-content $report “font-family: Tahoma;”
 add-content $report “font-size: 11px;”
 add-content $report “border-top: 1px solid #999999;”
 add-content $report “border-right: 1px solid #999999;”
 add-content $report “border-bottom: 1px solid #999999;”
 add-content $report “border-left: 1px solid #999999;”
 add-content $report “padding-top: 0px;”
 add-content $report “padding-right: 0px;”
 add-content $report “padding-bottom: 0px;”
 add-content $report “padding-left: 0px;”
 add-content $report “}”
 add-content $report “body {“
 add-content $report “margin-left: 5px;”
 add-content $report “margin-top: 5px;”
 add-content $report “margin-right: 0px;”
 add-content $report “margin-bottom: 10px;”
 add-content $report “”
 add-content $report “table {“
 add-content $report “border: thin solid #000000;”
 add-content $report “}”
 add-content $report “–>”
 add-content $report “</style>”
 Add-Content $report “</head>”
 Add-Content $report “<body>”
 add-content $report “<table width=’100%’>”
 add-content $report “<tr bgcolor=’#CCCCCC’>”
 add-content $report “<td colspan=’7′ height=’25’ align=’center’>”
 add-content $report “<font face=’tahoma’ color=’#003399′ size=’4′><strong>Event Logs Collection From Server $s</strong></font>”
 add-content $report “</td>”
 add-content $report “</tr>”
 add-content $report “</table>”

 add-content $report “<table width=’100%’>”
 Add-Content $report “<tr bgcolor=#CCCCCC>”
 Add-Content $report “<td width=’20%’ align=’center’>Index</td>”
 Add-Content $report “<td width=’20%’ align=’center’>Time</td>”
 Add-Content $report “<td width=’20%’ align=’center’>EntryType</td>”
 Add-Content $report “<td width=’20%’ align=’center’>Source</td>”
 Add-Content $report “<td width=’20%’ align=’center’>InstanceID</td>”
 Add-Content $report “<td width=’20%’ align=’center’>Message</td>”
 Add-Content $report “</tr>”

For ($count = 0; $count -lt $countarr;$count++)
  write-host “`n`nCollection Event Logs” $eventlogs[$count] “from Computer $s” -foregroundcolor yellow -backgroundcolor black
  $logs = get-eventlog -logname $eventlogs[$count] -computername $s
  Write-host “Processing” -foregroundcolor yellow -backgroundcolor black

  Foreach ($l in $logs)
  write-host $progress -nonewline -Foregroundcolor Green -backgroundcolor Black
  $index = $l.index
  $time = $l.timegenerated
  $Entrytype = $l.entrytype
  $Source = $l.source
  $InstanceID = $l.instanceID
  $Message = $l.message
  if ($entrytype -eq “Error”)
  Add-Content $report “<tr>”
  Add-Content $report “<td bgcolor=’#FF0000′>$index</td>”
  Add-Content $report “<td bgcolor=’#FF0000′ align=center>$time</td>”
  Add-Content $report “<td bgcolor=’#FF0000′ align=center>$entrytype</td>”
  Add-Content $report “<td bgcolor=’#FF0000′ align=center>$source</td>”
  Add-Content $report “<td bgcolor=’#FF0000′ align=center>$InstanceID</td>”
  Add-Content $report “<td bgcolor=’#FF0000′ align=center>$Message</td>”
  Add-Content $report “</tr>”
  if ($entrytype -eq “Warning”)
  Add-Content $report “<tr>”
  Add-Content $report “<td bgcolor=’#FFF000′>$index</td>”
  Add-Content $report “<td bgcolor=’#FFF000′ align=center>$time</td>”
  Add-Content $report “<td bgcolor=’#FFF000′ align=center>$entrytype</td>”
  Add-Content $report “<td bgcolor=’#FFF000′ align=center>$source</td>”
  Add-Content $report “<td bgcolor=’#FFF000′ align=center>$InstanceID</td>”
  Add-Content $report “<td bgcolor=’#FFF000′ align=center>$Message</td>”
  Add-Content $report “</tr>”
  if ($entrytype -eq “Information”)
  Add-Content $report “<tr>”
  Add-Content $report “<td>$index</td>”
  Add-Content $report “<td>$time</td>”
  Add-Content $report “<td>$entrytype</td>”
  Add-Content $report “<td>$source</td>”
  Add-Content $report “<td>$InstanceID</td>”
  Add-Content $report “<td>$Message</td>”
  Add-Content $report “</tr>”
Add-content $report “</table>”
Add-Content $report “</body>”
Add-Content $report “</html>”

Comments (16)

  1. Anonymous says:

    what about consolidating events, as most are duplicated?  maybe show the number of events and also for the last 24 hours!  also email the log?    this would be a killer script, with those parts.  

  2. Brichardi05 says:

    This is an excellent script.  Is there a way that you can limit the error/warning to 100 newest events?


  3. isaac says:

    A couple of problems with formatting the HTML.  

    Everything from:

    Add-Content $report "<html>"


    Add-Content $report "<body>"

    should be moved outside the loop, only needs to be added to the report once.

    and the last three Add-Content lines should be moved to the outermost loop.

  4. isaac says:

    brichardi05 –

    Add -newest 100 to the end of this line:

    $logs = get-eventlog -logname $eventlogs[$count] -computername $s

  5. flotsman says:

    How would I set this up to run by date range. The other issue I have is I have a mixed env of servers from 2008 to 2003 and versioning of PS from 1.0 to 2.0. Is there a way to make formatting change based on OS/version

  6. jeremy says:

    I made the corrections suggested by isaac, and I also set the value of $logs = $null at the end of the loop.  If someone puts an invalid servername in the servers.txt list it was just populating the report with the previous valid servernames eventlog data.  Setting it to $null resolved this.

    I also made a second version that looks for specific event id's.

    All around great script, kudos!

  7. Nitai says:

    How can I change it to collect just the "warning" & "critical" logs from "system" from the past 24h?

    Is that possible?

  8. Sultan Rayes says:

    does it work in windows server 2012 ?

  9. T1 says:

    how about breaking the report out so that it creates a separate HTML file for each system?

  10. thomas says:

    Hy thank you very much for that script. Could you please let me know in whicht format i have to add the servers in the servers.txt file. the script keeps complaining about an empty txt file. so far i tried 1 ip address. and after that i tried the hostname
    of the server. Thank you very much. Regards from austria, Thomas

  11. tony says:

    Hi, powerscript noob here. I’m wanting to use this script, but just to pull specific event logs, 4688 , 4648 and 4624

  12. Shabbir says:

    Hey, I want to use this script, please share how to use input Server.txt file, on which format we have add the server name.

  13. CharlieMong says:

    So for the server.txt file simply create a file with that name on the desktop and then enter


  14. CharlieMong says:

    Great script by the way made a few alterations as mine is a none standard platform and works a treat.

  15. Zach says:

    First I’d like to thank John McCabe as I couldn’t find a single piece of open source software that could do this that wasn’t limited to 5 clients.

    I modified this a bit in a way which will hopefully help others. I changed the filepathing to d:eventlog. This can be changed at line 38, 70, 71. Change this to c: or whatever you want.

    The most important change IMO is it will check each machine before trying to collect information which will save a lot of time since it won’t have to wait to error out. In my case this is important as I’m collecting a certain event from a bunch of pcs on my

    I added a field that takes the current date and subtracts the date events were listed. It then calculates the days difference and stores it in a new column. Based on this information I made a variable that can be changed which allows to only list events created
    within x days. This can be changed on line 185. I have it set to 7 days at the moment.

    My version also will only show event 865 which can also be configured on line 185.

    I shrunk the columns and made the "Message" column much larger which improves readability.

    Finally it also only shows warnings since my only event I’m looking for is a warning. I commented out the informational and errors. So you’d just have to un-comment those if you want to use them. It all starts to make sense after you look at it long enough.

    I’ll eventually ad email functionality, but for now this is good enough.

    Anyway you can look at my version here: http://pastebin.com/V7V5KMAL Thanks again John!

  16. David says:

    This script is great! I have it running for several servers, on several different OS’s. However, I have two particular servers that are misformatted on the HTML report. I can’t figure out why this is happening. They are both 2008 R2 servers; however, I
    have other 2008 R2 servers that are formatting properly on the HTML report. Any ideas why this might be happening?

Skip to main content