Send an email when an event is logged

As a systems administrator you may find yourself spending a significant amount of time in Event Viewer looking for specific events.  You will be happy to know that there is a new feature that shipped with Windows 2008 and all versions of Windows Server since then that allows you to attach events to a log file so that you can configure a specific action to occur.  There is a way to do this in previous versions of Windows Server that is covered below.

Perhaps you want to run disk space cleanup when a low disk space trigger is raised or perform another task based on an event that is logged.  Let’s look at a common task that you may want to perform; sending an email when an event is raised.

image

Open up Event Viewer and expand Windows Logs.  You’ll want to pick a log file that the task will monitor.  In this case we will choose System –> Attach a Task to this Log…

image

This starts the Create Basic Task Wizard.  Enter a meaningful name and click Next.

image

There are no configurable options on this page so click Next again.  We’ll fine tune the information to trigger the event later.

image

When an Event triggers this task you can have it Start a program, Send an e-mail, or Display a message.  For the purpose of this post we will be sending an e-mail.  Click Next.

image

A new screen shows up for your email information.  Populate it with the information that you want and click Next.

image

Review the information that you entered and click Finish.  You can check the box to open the Properties dialogue but we didn’t do that in this case so I can show you where it is created.

image

The next message box that pops up tells us where to find it.

image

So we’ll go to Task Scheduler.  Expanding Task Schedule Library shows us a new section called Event Viewer Tasks.  Highlighting that shows us the task that we just created.

image

Right click on the task and choose Properties.  This brings up the properties of the task.  Click on the Triggers tab.

image

Highlight the trigger and click Edit.  That brings up the Edit Trigger dialogue box.  From here you can easily set whatever log file you want, the source of the error, and the Event ID to look for.  Clicking OK is all that is needed to set these fields and have the event enabled so you receive an email.

image

If you choose Custom instead of Basic a new button shows up.  Click this New Event Filter button to get a new dialogue box.  On this screen you see that there are a lot of options that can be configured to give you granular control including having the vent watch more than one log file at one time.

You can see how easy it is to create a task and event trigger to perform a task when that event fires.  You will be happy to know that you can perform this same functionality on Windows 2003 servers.  While there is no friendly GUI and it’s not quite as granular, you can still perform a lot of the same basic features.

The tool is called EventTriggers.  Let’s say that we want to create an event to look for Event ID 539, an event that is logged when there is a logon failure due to a locked out account, and we want that event to send us an email.  Here are the steps that we would take.

Create a PowerShell script to send an email.  Create SendEmail.ps1 with the following information in it:

$smtpServer = “localhost”
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$msg.From = “server@mydomain.com
$msg.ReplyTo = “me@mydomain.com
$msg.To.Add(“me@mydomain.com“)
$msg.subject = “Error 539″
$msg.body = “Error 539 was generated on server.  Please investigate”
$smtp.Send($msg)

Next create a batch file in the same folder, SendEmail.bat referencing the file above:

powershell .\sendemail.ps1

Lastly we need to create the EventTrigger to watch for this error.  That is done through an elevated command prompt by entering the following:

eventtriggers /create /eid 539 /tr EVENTLOCKOUT /ru myuser@mydomain.com /rp mypassword /tk C:\admin\SendEmail.bat

That’s all there is to it.  If you want to see a list of all the EventTriggers created, type eventtriggers /query from the command prompt.  You will also need to run that to get the Trigger ID of the task you created above when you want to delete it.  To delete, say, a trigger with an ID of 1, enter:

eventtriggers /delete /tid 1

Now you shouldn’t have to go digging through Event Viewer looking for specific issues when you can proactively be notified when an event is logged.

Rick is a Senior Support Lead at OrcsWeb, a hosted server company providing managed hosting solutions.

No Comments