
Event Log Notification via PowerShell and Task Scheduler

With the release of Task Scheduler 2.0 (which shipped with Windows Vista and Server 2008), Microsoft made a substantial set of changes.  Starting with Windows 7 and Server 2008 R2, Task Scheduler 2.0 uses the unified scheduling engine provided by the underlying OS, can refuse to start tasks in Remote Applications Integrated Locally (RAIL) sessions, and gained task security hardening along with a number of API changes.

Diving deeper into the API changes, the Triggers and Actions have become a staple of IT administration and support teams in their efforts to standardize and automate their workflows.  Building on the Task Scheduler's foundation of calendar- and event-based triggers, we can pick specific Actions and Triggers and put them to use in a simple, straightforward way, using PowerShell to fill in any remaining gaps, such as the e-mail reporting.

In an undersized or underfunded environment, investigating some events and finding solutions for them can prove to be a nightmare.  While larger environments may use tools such as Microsoft's System Center Operations Manager or similar products, smaller organizations are left to rely on open-source or custom tool sets.

The truth of the matter is that sometimes you just need a quick and dirty method of notification in the event (pun intended) that something pops up in a log.  With a short, easy-to-customize PowerShell script, we can combine the Event Viewer and the Task Scheduler to send a notification e-mail to a specified user or help desk when an event is logged.

The first step is to find your Event ID and then customize the PowerShell script below.

Open the Event Viewer (eventvwr.msc, located under %SystemRoot%\System32, or click Start and type Event).  Once you have found the event you want to be notified about, record its Event ID and the log it is written to (Application, Security or System); both values go into the script.



#PowerShell must run with elevated permissions to read the Security log.
#This self-elevation only works when a user is logged on to answer the UAC prompt.
#When Task Scheduler starts the script there is nobody to click "Yes", so configure
#the task to run with highest privileges (Task Properties > General) and this block never fires.
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Exit
}
#PowerShell is now elevated

#Fetch the newest matching event. Get-EventLog filters on InstanceId, which for most events
#equals the Event ID shown in Event Viewer; if nothing comes back, compare against
#(Get-EventLog -LogName LOG_NAME -Newest 5).InstanceId
$Event = Get-EventLog -LogName LOG_NAME -InstanceId EVENT_ID -Newest 1
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated

$MailSubject = "EMAIL_SUBJECT"
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "SMTP.DOMAIN.COM"
#Relays that require TLS and a login (Gmail, Office 365) also need these two lines;
#keep the password out of the script if you can (a relay that trusts the server's IP is simpler):
#$SmtpClient.EnableSsl = $true
#$SmtpClient.Credentials = New-Object System.Net.NetworkCredential("user", "password")
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = "FROM_EMAIL@DOMAIN.COM"
$MailMessage.To.Add("TO_EMAIL@DOMAIN.COM")
$MailMessage.IsBodyHtml = $false   #plain text, so log content is never rendered as HTML by the mail client
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)



For this example script set, I will be working with the account lockout event, Event ID 4740 ("A user account was locked out").  It is written to the Security log of the domain controller that locked the account (the PDC emulator always records it), so the script and task belong on that server, not on a workstation.  Using the script template above and a basic text editor like Notepad or my choice, Notepad++, we replace the following values:

LOG_NAME - Application, Security or System (4740 is in Security).
EVENT_ID - Numerical Event Log ID.
EMAIL_SUBJECT - Subject of the e-mail you receive.
SMTP.DOMAIN.COM - Host name of your SMTP server or relay.  A hosted service such as Google's Gmail can also be used, but it requires TLS and authentication (the EnableSsl and Credentials lines commented out in the template); consult Google's documentation for the current host and port.
FROM_EMAIL@DOMAIN.COM - Sender's address.
TO_EMAIL@DOMAIN.COM - Address the e-mail is sent to.

and get our final script:

#PowerShell must run with elevated permissions to read the Security log.
#This self-elevation only works when a user is logged on to answer the UAC prompt.
#When Task Scheduler starts the script there is nobody to click "Yes", so configure
#the task to run with highest privileges (Task Properties > General) and this block never fires.
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Exit
}
#PowerShell is now elevated

#4740 lives in the Security log, not System; fetch the newest occurrence
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated

$MailSubject = "User Lockout Notification"
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "mail.mymailsite.com"
#Uncomment for a relay that requires TLS and a login:
#$SmtpClient.EnableSsl = $true
#$SmtpClient.Credentials = New-Object System.Net.NetworkCredential("user", "password")
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = "admin@mymailsite.com"
$MailMessage.To.Add("admin@mymailsite.com")
$MailMessage.IsBodyHtml = $false   #plain text body
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)

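The following is an added example of a hardened version of that script; it is not the article's own code.  It takes the log name, the Event ID and, optionally, the record ID of the event that fired the trigger as parameters, reads exactly that record with Get-WinEvent, and pulls the named EventData fields (for 4740, the locked-out account and the calling computer) into the mail body instead of only the rendered message.  The parameter names, the default mail host, sender and recipient addresses, and the use of Send-MailMessage are assumptions, not taken from the article.

```powershell
<#
  Notify-EventLog.ps1 -- added example, not the article's script.
  E-mails the event record that fired a Task Scheduler event trigger.
  Assumed (not from the article): the parameter names, the default SMTP host,
  sender and recipient, and that the task passes -RecordId from a
  $(EventRecordID) value query. Without -RecordId the newest match is used.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string] $LogName,         # e.g. Security
    [Parameter(Mandatory = $true)][int]    $EventId,         # e.g. 4740
    [long]     $RecordId   = 0,                              # EventRecordID of the firing event
    [string]   $SmtpServer = 'mail.mymailsite.com',          # assumed relay
    [string]   $From       = 'alerts@mymailsite.com',        # assumed sender
    [string[]] $To         = @('helpdesk@mymailsite.com'),   # assumed recipient(s)
    [switch]   $UseSsl,                                      # relays that require STARTTLS
    [System.Management.Automation.PSCredential] $Credential  # relays that require a login
)

# Pin the exact record when the task hands us one, so two events logged seconds
# apart cannot be confused (the article's "-Newest 1" picks whichever is latest).
$xpath = if ($RecordId -gt 0) {
    "*[System[EventID=$EventId and EventRecordID=$RecordId]]"
} else {
    "*[System[EventID=$EventId]]"
}

try {
    $Event = Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
} catch {
    # "Access is denied" means the task account is neither an administrator nor a
    # member of "Event Log Readers"; "No events were found" means the record is gone.
    throw "Could not read event $EventId (record $RecordId) from the $LogName log: $_"
}

# Named EventData fields from the record's XML. For 4740 these include
# TargetUserName (the locked-out account) and TargetDomainName (the calling computer).
$fields = @{}
$xml = [xml]$Event.ToXml()
if ($xml.Event.EventData) {
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = [string]$d.'#text' }
    }
}

$lines = @(
    "Computer : $($Event.MachineName)",
    "Time     : $($Event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss'))",
    "Log      : $LogName   Event ID: $($Event.Id)   Record ID: $($Event.RecordId)",
    ""
)
foreach ($name in ($fields.Keys | Sort-Object)) {
    $lines += ("{0,-20}: {1}" -f $name, $fields[$name])
}
$lines += ""
$lines += $Event.Message   # the rendered description shown on the Event Viewer General tab

$subject = "[$($Event.MachineName)] $LogName event $($Event.Id)"
if ($fields.ContainsKey('TargetUserName')) { $subject += " for $($fields['TargetUserName'])" }

# Plain-text body on purpose: log content is attacker-influenced (user names, paths)
# and must never be rendered as HTML by the recipient's mail client.
$mail = @{
    SmtpServer  = $SmtpServer
    From        = $From
    To          = $To
    Subject     = $subject
    Body        = ($lines -join "`r`n")
    ErrorAction = 'Stop'
}
if ($UseSsl)     { $mail.UseSsl = $true }
if ($Credential) { $mail.Credential = $Credential }
Send-MailMessage @mail
```

Run it by hand from an elevated prompt first (for example `.\Notify-EventLog.ps1 -LogName Security -EventId 4740`) to confirm the relay accepts the mail.  When Task Scheduler starts it, a ValueQueries entry in the trigger can pass `$(EventRecordID)` as `-RecordId`, so the e-mail describes the record that fired rather than whichever record happens to be newest.  Keep the file in a directory only administrators can write to: it runs with the task's privileges, and anyone who can edit it owns that account.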


Now that the script is finished, save it as a PowerShell script (.ps1) in a directory you will remember, such as C:\Scripts.  Because the task will run this file with elevated rights, the directory must be writable only by administrators; a share such as \\location\scripts that other staff can write to hands every one of them code execution as the task's account.  Once the file is saved, we can set up our trigger:

Navigate back to the event in the Event Viewer, highlight it with a single click, and then, from the right-click menu, select 'Attach Task To This Event'.



In the popup window, fill out the Name of the Task or optionally leave it as-is, and add a description.  I highly encourage that all Tasks have at least a very basic description.  With multiple personnel, you do not want someone to delete your Task because they do not know what it is used for.



When you advance to the next screen using the 'Next >' button, you can verify the trigger with the shown Log, Source and Event ID Fields.  



Advance to the next screen using the 'Next >' button, choose 'Start a program'*, and then hit 'Next >' again.  On the next screen, do not simply browse to the .ps1 file: Task Scheduler would hand it to whatever application is associated with .ps1 files, which is Notepad by default, and nothing would run.  Instead, enter powershell.exe in the 'Program/script' box and put the switches and the script path in the 'Add arguments' box, that is, -NoProfile -ExecutionPolicy Bypass -File followed by the quoted path to your script.  The execution-policy switch matters because the default policy on a fresh Windows 7 install refuses to run script files at all.

Select the 'Next >' button to continue on to the Finish screen.

Optionally, you can type the whole command line, switches and arguments included, into the 'Program/script' box exactly as you would into the 'Run' dialog.  When you select 'Next >' to advance to the Finish screen, the Task Wizard recognizes this and splits the command and its switches/arguments for you.

On the Finish screen, you will be able to view the Summary of the Task that you have created.  



Once you have verified the Summary, select 'Finish'.

Now that Task Scheduler is watching the log, the following happens:

1. Task Scheduler subscribes to the log and waits for the specified Event ID.
2. When the event is written, Task Scheduler launches the PowerShell script.
3. The script reads the newest matching event from the log and builds the e-mail body from it.
4. The e-mail is sent to the specified address with the event details.

Two events logged seconds apart can therefore produce two e-mails about the same record, because the script fetches the newest match rather than the specific record that fired the trigger.

Using this method, you can take any of the Windows Event IDs you would like to monitor and set up notifications, or a variety of other actions, based on your specific needs.
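Registering the same task from XML, as an added example that is not part of the article: the XML is what the 'Attach Task To This Event' wizard produces, plus two things the wizard does not set.  A ValueQueries block hands the firing record's EventRecordID to the script, and MultipleInstancesPolicy is set to Queue so that events arriving while a previous run is still sending mail are not dropped.  The task name, the script path, the choice of the SYSTEM account and the assumption that the script accepts -LogName, -EventId and -RecordId parameters are all assumptions made here, not from the article.

```powershell
<#
  Register-NotifyTask.ps1 -- added example, not from the article.
  Creates an event-triggered task without clicking through the wizard.
  Assumed: task name, script path, SYSTEM as the task account, and a script
  that takes -LogName, -EventId and -RecordId.
#>
param(
    [string] $TaskName   = 'Notify - Account Lockout (4740)',
    [string] $ScriptPath = 'C:\Scripts\Notify-EventLog.ps1',  # local, admin-writable only
    [string] $LogName    = 'Security',
    [int]    $EventId    = 4740
)

# Event subscription in the same XPath form the Event Viewer wizard writes.
$subscription = "<QueryList><Query Id='0' Path='$LogName'><Select Path='$LogName'>*[System[EventID=$EventId]]</Select></Query></QueryList>"
# Inside the task definition the subscription is XML text within XML, so escape it once.
$escaped = [System.Security.SecurityElement]::Escape($subscription)

# Single-quoted here-string: $(EventRecordID) must reach Task Scheduler literally,
# which substitutes it with the value query result when the trigger fires.
$taskXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>E-mails the help desk when event {3} is written to the {2} log. Owner: IT Ops.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>{0}</Subscription>
      <ValueQueries>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Enabled>true</Enabled>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{1}" -LogName {2} -EventId {3} -RecordId $(EventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
'@ -f $escaped, $ScriptPath, $LogName, $EventId

# schtasks /XML reads a file; write it UTF-16 to match the declaration above.
$xmlPath = Join-Path $env:TEMP 'notify-event-task.xml'
Set-Content -Path $xmlPath -Value $taskXml -Encoding Unicode
schtasks.exe /Create /TN $TaskName /XML $xmlPath /F | Out-Null
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }
Remove-Item $xmlPath

# Read the definition back and confirm the parts the wizard would not have set.
schtasks.exe /Query /TN $TaskName /XML | Select-String 'EventRecordID|Subscription|RunLevel|MultipleInstancesPolicy'
```

Run this from an elevated prompt on the server that writes the event (for 4740, the domain controller).  Because the task runs as SYSTEM, the script path it points at must be local and writable only by administrators.  On Windows 8 / Server 2012 and later, `Register-ScheduledTask -TaskName $TaskName -Xml $taskXml` does the same job as the schtasks call.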

--------------------------

For more information on Microsoft's System Administration Tools, please visit:  Windows Dev Center - System Administration

*   The 'Attach Task To This Event' wizard also offers a 'Send an e-mail' action, but that e-mail carries no event data, so it is of little use for business purposes (e.g. the user name or calling computer in the lockout example).  The 'Send an e-mail' and 'Display a message' actions are also deprecated from Windows 8 and Server 2012 onward, so the script approach is the one that keeps working.