DVation191

asked on

Send Alert when Event is Logged in Windows Server 2000

I'm looking for the easiest free solution to getting alerts when specific events are logged in Windows 2000 Server.

There are specific things happening that I want to be alerted to immediately by email as a minimum.

I know there are LOTS of event management applications, but alerting is really all I want...nothing more, nothing less...and I want a free way of doing this. Anybody know of anything like this?
mredfelix

do you know how to program in vb?

ASKER

no =/

but if you could provide a template, i could just edit it as needed.
scratch that, i was thinking of vb script.
and no, i can't program either =)
Here is a Microsoft sample VBScript from http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/lgevvb17.mspx

This sample issues a pop-up message when event code 533 occurs in the security log, but you can use this as a model for a script to send an email for some other event id in some other event log.

For a sample VBScript to send an email message, see
http://www.microsoft.com/technet/scriptcenter/scripts/message/smtpmail/mssmvb01.mspx

' Connect to WMI on the local machine; "(Security)" requests the privilege needed to read the Security log
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _
        strComputer & "\root\cimv2")

' Subscribe to new event log entries with event code 533
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '533' ")

Do
    ' NextEvent blocks until a matching entry is logged
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " attempted to access DatabaseServer."
    Wscript.Echo strAlertToSend
Loop


ASKER CERTIFIED SOLUTION
LittleRed1

This solution is only available to members.
Carlo-Giuliani,
Is that a .vbs script? If not, what kind of script is it and how (or where) do I put it?
Do I just put this .vbs in the startup folder so that it runs every time Windows starts? Or is this something that only checks once every time it's run so it will need to be scheduled to run, say, every minute in the task scheduler?

LittleRed1,
That also looks promising although I don't particularly like the methods required to have to "watch" for events as you put it. I will try the vbs script first (since of course it was posted first) and I'll try the batch file if that doesn't work.

Thanks for the input so far guys...I've been really busy but will definitely try to run these today!
Yes, it is a VBScript, using WMI.  More complete explanations are on the site I pointed to.

This script does exactly what you asked for....issues a message every time a specific event occurs....it is an endless loop...so it just needs to be started once each time you restart the machine.    It can be started using the cscript command, as a scheduled task, or even set up as a service (but how to do that is a whole other question).  The easiest method is probably the Scheduled Task method, using the "At System Startup" option.
Okay this is great...I just have a few questions about where and what I'm supposed to edit.


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _                  // 'Security' gets replaced with the log I want to monitor I'm guessing? (Application, System etc would be choices...)
        strComputer & "\root\cimv2")

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _    
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' " _                              // 'Win32_NTLogEvent' gets replaced with anything? The Source of the eventid I'm guessing?
            & "and TargetInstance.EventCode = '533' ")                              // '533' is obviously the event code that needs to be change to whatever is being monitored?

Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
     strAlertToSend = objLatestEvent.TargetInstance.User _
         & " attempted to access DatabaseServer."
     Wscript.Echo strAlertToSend
Loop


>> Where do I change what computer the pop-up alert is sent to?
>> Also, do I need to run a separate script for every event I want to monitor?
I don't actually know how to send a pop-up to a different computer.  You asked for how to send an email, and I pointed to a sample script for that in my first posting.

Yes, 533 is the event id, but 'Win32_NTLogEvent' is *not* the event source.  It is the WMI class, and is documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_ntlogevent.asp

I think you could filter on event source by adding the following to the select string:
     TargetInstance.EventSource =  'whatever'
My apologies, I was just under the impression that the original script you posted made a pop-up as its alert...I just wanted to get the alert part of it working before I tried to integrate the email portion of it. Anyhow, this is now what my script looks like to monitor (as an example) a DNS event.



strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (System)}!\\" & _
        strComputer & "\root\cimv2")

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _    
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '5781' ")

Do
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "exserver@domain.com"
objEmail.To = "administrator@domain.com"
objEmail.Subject = "CRITICAL EVENT LOGGED"
objEmail.Textbody = "There is a DNS Problem."
objEmail.Send

Loop



>> Unfortunately, when I run it I get an error.

Windows Script Host
Script: event_alert.vbs
Line: 2
Char: 1
Error: Unspecified Error
Code: 80004005
Source: (null)


Any idea?
The "Security" string you changed to "System" is *not* the log type....it has something to do with WMI security context and should not be changed.

To specify what logfile you want to look in, I think you would add a qualifier to the SELECT statement, like this:
       TargetInstance.Logfile  = 'System' and TargetInstance.EventCode = '5781'

...but I'm not sure about this.  You will have to do some digging to get the query right.
I changed security back. It ran without errors this time.

Unfortunately after about 3500 emails dumped into the administrator account I couldn't seem to stop the script and ended up having to reboot. wow that sucked.

I don't know why but the emails were being generated so fast I couldn't stop it. Don't know what went wrong...
i deleted the vbs script and rebooted...and i'm still getting the emails...help!!!
somebody help me stop this thing! it's going to take down my entire server!!!
Look for a process called wscript (or cscript, depending on how you started it).
Cancel that process.
wscript was running when I initially ran the script. i end tasked it and the emails kept coming. thats when i deleted it and rebooted.

now that i've rebooted, and the emails are still coming, neither wscript or cscript show up in the task manager and the email flood continues!
Looking at the script you pasted into this forum, the Do loop includes only the code to generate a message.  It does not include the line "Set objLatestEvent = colMonitoredEvents.NextEvent", which is what would tie it to an event.  So it simply sent the message endlessly.

I think the CDO.Message object communicates directly with the message server...I don't think there is any local queue.  So the mails must have piled up in a queue on your message server.   If you executed this on the message server itself, it would have been able to create a *lot* of messages in a short time.
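
The fix described in the reply above, as an added example that is not part of the original thread or the Microsoft sample: the blocking NextEvent call sits inside the loop, the log is selected in the query through the Logfile property of Win32_NTLogEvent, and a minimum interval between mails bounds the damage if the event fires repeatedly. The 60-second interval and the SendAlert helper are assumptions added here; the addresses are the ones from the script posted earlier.

```vbscript
' Added example: event-driven e-mail alert with a simple flood guard.
Option Explicit

Const MIN_SECONDS_BETWEEN_MAILS = 60   ' assumption: throttle chosen for illustration

Dim strComputer, objWMIService, colMonitoredEvents
Dim objLatestEvent, objEvent, dtLastSent, strBody

strComputer = "."
' "(Security)" is a privilege requested in the WMI moniker, not a log name.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" _
    & strComputer & "\root\cimv2")

' Both the log and the event id are chosen in the WQL filter.
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent where " _
    & "TargetInstance isa 'Win32_NTLogEvent' " _
    & "and TargetInstance.Logfile = 'System' " _
    & "and TargetInstance.EventCode = '5781'")

' Start with the throttle window already expired so the first event is mailed.
dtLastSent = DateAdd("s", -MIN_SECONDS_BETWEEN_MAILS, Now)

Do
    ' Blocks until a matching entry is written. Without this call the
    ' loop body runs continuously and sends mail as fast as it can.
    Set objLatestEvent = colMonitoredEvents.NextEvent
    Set objEvent = objLatestEvent.TargetInstance

    ' Events arriving inside the throttle window are dropped, not queued.
    If DateDiff("s", dtLastSent, Now) >= MIN_SECONDS_BETWEEN_MAILS Then
        strBody = "Event " & objEvent.EventCode & " from " & objEvent.SourceName _
            & " on " & objEvent.ComputerName & vbCrLf & objEvent.Message
        SendAlert "CRITICAL EVENT LOGGED", strBody
        dtLastSent = Now
    End If
Loop

' Hypothetical helper: wraps the CDO.Message calls from the posted script.
Sub SendAlert(strSubject, strText)
    Dim objEmail
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = "exserver@domain.com"
    objEmail.To = "administrator@domain.com"
    objEmail.Subject = strSubject
    objEmail.Textbody = strText
    objEmail.Send
End Sub
```

Started with cscript from a console, the script can be stopped with Ctrl+C while testing.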
Yea well, it definitely sent the messages endlessly.

I suppose all these messages are now just piling up in the queue and I keep trying to delete them all but they keep coming back. i've even emptied the event log thinking maybe it kept looking there.

This is bad...really really bad....especially since i did run it on the actual exchange server....

any idea how i can stop this?
ok its under control now...

the script generated about 20,000 emails...i deleted them all...now back to the task at hand...lol.

Carlo I appreciate your endless patience in this matter. would you mind revising the script for me so that it actually does what it's supposed to since I have no idea what i'm doing apparently? =) thanks
My but you are having fun.

This is one of the reasons I prefer using batch files, you have much more control over the functions and little or no dependencies on system configurations or versions.

A couple of things you should consider:

Do you really want a process to endlessly watch (there's that word again) for events?
What impact does this process have on the system?
What impact does this process have on the network?
When an event does occur, how many emails are sent?
Does this allow for monitoring of remote servers?
What alerts do you get when the computer crashes? - None.

You should also put some thought into how you will get alerted if the monitor itself is not running.

You can actually send a popup message to a specific user from a batch file if in a domain.
I am surprised you prefer the batch polling method proposed by LittleRed1.  As far as I can tell, the batch code suggested will produce multiple messages (one every time the batch file is run) for a single event log entry.

As for the above list of "things you should consider", it seems to be based on ignorance about WMI.
- to monitor remotely, all you have to do is specify a computer name (instead of ".") for strComputer.
- the event-triggered method generates one and only one event for each log entry.
  The number of messages that results depends on your code, of course.
- one process waiting for an event will have much less impact than launching a new process every 5 or 10 minutes.



 
Carlo-Giuliani, I am aware of the merits of wmi, but in reality the process is the same. At the end of the day the outcome is only as good as your ability to code, whether in batch script or vb. If you are really serious about this sort of thing there are also commandline utilities that use wmi, and they are very useful, providing wmi itself is working properly.

If you would like some 'real' examples of what can be achieved with batch scripting, let me know and I will point you in the right direction. I have done scripts that not only alert on events, but on services that have stopped, nodes that have crashed, critical disk space levels, critical CPU usage levels etc. etc. I have also done daily  and monthly reporting on server status, disk utilisation and forecasting etc. etc...... all with batch script. Oh, and sometimes I call cscript from my batch files to do tasks that require it, but generally only if there isn't a dependable commandline utility available.
Carlo,
In defense of the batch file method, I never got the WMI method working properly. At this time I am currently investigating a paid solution anyhow. I found that the details involved in properly setting up such a script wasn't worth the time or effort.