Centralized Windows Event Log

Another feature many administrators don’t know about is the centralization of Windows Event Logs.
This allows you, as administrator, to view all related Event Log information on your Admin PC.
The procedure is based on Microsoft documentation.

  1. Create a new Security Group (Domain Local) with the name “IT-RemoteManagement” and add all computer accounts that should be allowed to read the event log (not user accounts).
  2. Create a new GPO named “CentralizedEventLogClients” and bind it to all your clients (e. g. your domain)
    • Enable “Allow remote server management through WinRM” (Computer, Policies, Administrative Templates, Windows Components, Windows Remote Management (WinRM), WinRM Service) and enter a “*” into the IPv4 and IPv6 filters, which lets the service listen on all addresses.
    • Change the parameters of the “Windows Remote Management (WS-Management)” service to start automatically (Computer, Policies, Windows Settings, Security Settings, System Services)
    • Enable the Incoming Firewall Rule (Computer, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security – LDAP*, Inbound Rule, Right-click and select “New Rule…”, Predefined: “Windows Remote Management”, the one where Profile equals “Domain, Private”, Allow the connection, Finish, Right-click the created rule and go to the “Advanced” tab in the Settings to remove the selection of “Private”)
    • Add “C:\Windows\System32\cmd.exe” with the Parameter “winrm quickconfig -q” as Startup script if the above didn’t work (sometimes the listener is not created…)
    • Add the IT-RemoteManagement Group to the local group “Event Log Readers Group” (Computer, Preferences, Control Panel Settings, Local Users and Groups, Right-click, New, Local Group, Groupname: “Event Log…”, check both check boxes to remove all existing members, add the Group “IT-Remote…”, in the other tab select “remove element if…”, select yes and close the dialog with OK)
  3. Create another Policy named “CentralizedEventLogIT” and assign it to the computers of your supporters
    • Startup script: “C:\Windows\System32\cmd.exe”, argument: “wecutil qc -q:True”
    • Set the Eventlog collection service to start automatically
  4. Now your supporters can create their subscriptions (watched events) by clicking on “Subscriptions” in their local Event Log viewer.
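
To confirm on a client that the “CentralizedEventLogClients” policy took effect, each setting from step 2 can be checked locally. The following is an added example, not part of the original procedure or of the Microsoft documentation; the function name Test-EventLogClientConfig is made up, and it assumes the group name from step 1 and an English-language Windows (for the firewall display group name).

```powershell
# Added example (not from the original procedure). Run elevated on a client.
# Assumptions: group name from step 1, English display name of the firewall group.
function Test-EventLogClientConfig {
    param([string]$ReaderGroup = 'IT-RemoteManagement')

    $checks = [ordered]@{}

    # WinRM service: running and set to start automatically (System Services setting)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $checks['WinRM service running']      = $svc.State -eq 'Running'
    $checks['WinRM start mode automatic'] = $svc.StartMode -eq 'Auto'

    # Listener: missing when "winrm quickconfig -q" was needed but did not run
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    $checks['WinRM listener present'] = $listeners.Count -gt 0

    # Firewall: ActiveStore also contains the rules delivered by Group Policy
    $rules = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
    $checks['Inbound WinRM rule enabled'] = $rules.Count -gt 0
    # The procedure removes "Private"; flag any allow rule that is still wider than Domain
    $wide = @($rules | Where-Object { "$($_.Profile)" -match 'Private|Public|Any' })
    $checks['WinRM rules limited to Domain profile'] = $wide.Count -eq 0

    # Event Log Readers (well-known SID S-1-5-32-573) should contain only the one group
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue)
    $checks["$ReaderGroup is Event Log Reader"] = @($members | Where-Object { $_.Name -like "*\$ReaderGroup" }).Count -gt 0
    $checks['No other Event Log Readers']       = $members.Count -eq 1

    # One row per check, so the result can be filtered or exported
    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = [bool]$entry.Value }
    }
}

Test-EventLogClientConfig | Format-Table -AutoSize
```

A failed “limited to Domain profile” check usually means a locally created WinRM rule is still active next to the one from the GPO.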

Status Monitoring

Here is a code snippet to monitor your servers. In the first example the result is simply written into a CSV file, but in the second an e-mail is sent.

# Example 1: write the ping result of every host into a CSV file
Import-Csv -Path ".\IP-List.txt" -Header ComputerName | Test-NetConnection | Select-Object ComputerName,PingSucceeded | Export-Csv -Path ".\Summary.csv" -Delimiter ";" -NoTypeInformation

# Example 2: collect the hosts that did not answer the ping and report them by e-mail
$isOffline = Import-Csv -Path ".\IP-List.txt" -Header ComputerName | Test-NetConnection | Select-Object ComputerName,PingSucceeded | Where-Object -Property PingSucceeded -EQ -Value $False

$DNSHostName = (Get-WmiObject win32_computersystem).DNSHostName;
$DNSDomainName = (Get-WmiObject win32_computersystem).Domain;

# Variables are expanded inside double quotes, so no string concatenation is needed
$From = "PowerShellMonitoring@$DNSHostName.$DNSDomainName";
$To = "edv@$DNSHostName.$DNSDomainName";
$Subject = "Failure $(@($isOffline).Count) Hosts down";

$Body = $($isOffline | Format-Table | Out-String);
# No -SmtpServer is given, so the server stored in $PSEmailServer is used
Send-MailMessage -From $From -Subject $Subject -To $To -Body $Body;

Status Monitoring – Statusbar

How to keep a single line updated, for example showing the available disk space, refreshed every second.

Within one line:

while true; do echo -ne "$(df | grep /dev/sda4)\\r"; sleep 1; done

How it works:

while true: start of endless loop

  • echo:
    • -n: prevents the line break after the output
    • -e: enables backslash escape sequences
    • $(command): Runs the command and inserts the output
    • \\r: the first backslash escapes the second, and \r stands for jumping to the beginning of the line
  • sleep 1: pause for one second

done: end of endless loop


Within a script, you can write it on multiple lines:

while true
do
     echo -ne "$(df | grep /dev/sda4)\\r"
     sleep 1
done