Send Alert when Event is Logged in Windows Server 2000

Posted on 2005-04-22
Last Modified: 2007-12-19
I'm looking for the easiest free solution to getting alerts when specific events are logged in windows 2000 server.

There are specific things happening that I want to be alerted to immediately by email as a minimum.

I know there are LOTS of event management applications, but alerting is really all I want...nothing more, nothing less...and I want a free way of doing this. Anybody know of anything like this?
Question by:DVation191
 
LVL 5

Expert Comment

by:mredfelix
ID: 13846156
do you know how to program in vb?
0
 
LVL 20

Author Comment

by:DVation191
ID: 13846173
no =/

but if you could provide a template, i could just edit it as needed.
0
 
LVL 20

Author Comment

by:DVation191
ID: 13846181
scratch that, i was thinking of vb script.
and no, i can't program either =)
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13846886
Here is a Microsoft sample VBScript  from http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/lgevvb17.mspx

This sample issues a pop-up message when event code 533 occurs in the security log, but you can use this as a model for a script to send an email for some other event id in some other event log.

For a sample VBScript to send an email message, see
http://www.microsoft.com/technet/scriptcenter/scripts/message/smtpmail/mssmvb01.mspx

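' "." means the local computer; use a server name to monitor remotely.
strComputer = "."
' (Security) enables the privilege WMI needs to read the Security log.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _
        strComputer & "\root\cimv2")

' Ask WMI to notify the script of each new event log entry with event code 533.
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '533' ")

Do
    ' NextEvent blocks until a matching event is logged.
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " attempted to access DatabaseServer."
    Wscript.Echo strAlertToSend
Loop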


0
 
LVL 4

Accepted Solution

by:
LittleRed1 earned 1500 total points
ID: 13863496
This is quite easy with a batch file.

You will need two commandline utilities:
DUMPEL.EXE - dumps the eventlog
SMTPSEND.EXE - sends email using SMTP.

The difficulty with this is that you need to get the batch file to 'watch' for events. This can either be scheduled to run every x day, hour, minute or looped in the batch file with something like SLEEP.EXE.

Things you can specify in the call to DUMPEL:

 - Hostname
 - Eventlog (System, Application or Security)
 - Event source (eg. Application popup or DCOM)
 - Event number
 - Filter for reporting period
 - Output format

The batch file would look something like this:
-------------------------------------------------------
@echo off
setlocal ENABLEDELAYEDEXPANSION

dumpel -s \\servername -l system -d 1 -m Eventlog -e 6008|find "6008">alert.log
if not errorlevel 1 smtpsend -falert@mydomain.com -tops@mydomain.com -sAlert on Servername -aalert.log
-------------------------------------------------------

You could easily substitute 'servername' and the event id to be dynamic. I would normally run this on one server in the domain and get it to check all the servers every 5 or 10 minutes. If you run it locally you can omit the -s switch. You should also consider writing things to a log file so that they can be analyzed later.
You can build on this to do all sorts of nice things, as long as they can be called from within a batch file.

0
 
LVL 20

Author Comment

by:DVation191
ID: 13876102
Carlo-Giuliani,
Is that a .vbs script? If not, what kind of script is it and how (or where) do I put it?
Do I just put this .vbs in the startup folder so that it runs every time windows starts? Or is this something that only checks once every time it's run so it will need to be scheduled to run, say, every minute in the task scheduler?

LittleRed1 ,
That also looks promising although I don't particularly like the methods required to have to "watch" for events as you put it. I will try the vbs script first (since of course it was posted first) and I'll try the batch file if that doesn't work.

Thanks for the input so far guys...I've been really busy but will definitely try to run these today!
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13876872
Yes, it is a VBScript, using WMI.  More complete explanations are on the site I pointed to.

This script does exactly what you asked for....issues a message every time a specific event occurs....it is an endless loop...so it just needs to be started once each time you restart the machine.    It can be started using the cscript command, as a scheduled task, or even set up as a service (but how to do that is a whole other question).  The easiest method is probably the Scheduled Task method, using the "At System Startup" option.
0
 
LVL 20

Author Comment

by:DVation191
ID: 13877014
Okay this is great...I just have a few questions about where and what I'm supposed to edit.


strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & _                  // 'Security' gets replaced with the log I want to monitor I'm guessing? (Application, System etc would be choices...)
        strComputer & "\root\cimv2")

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _    
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' " _                              // 'Win32_NTLogEvent' gets replaced with anything? The Source of the eventid I'm guessing?
            & "and TargetInstance.EventCode = '533' ")                              // '533' is obviously the event code that needs to be change to whatever is being monitored?

Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
     strAlertToSend = objLatestEvent.TargetInstance.User _
         & " attempted to access DatabaseServer."
     Wscript.Echo strAlertToSend
Loop


>> Where do I change what computer the pop-up alert is sent to?
>> Also, do I need to run a separate script for every event I want to monitor?
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13877183
I don't actually know how to send a pop-up to a different computer.  You asked for how to send an email, and I pointed to a sample script for that in my first posting.

Yes, 533 is the event id, but 'Win32_NTLogEvent' is *not* the event source.  It is the WMI class, and is documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_ntlogevent.asp

I think you could filter on event source by adding the following to the select string:
     TargetInstance.EventSource =  'whatever'
0
 
LVL 20

Author Comment

by:DVation191
ID: 13877362
My apologies, I was just under the impression that the original script you posted made a pop-up as its alert...I just wanted to get the alert part of it working before I tried to integrate the email portion of it. Anyhow, this is now what my script looks like to monitor (as an example) a DNS event.



strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (System)}!\\" & _
        strComputer & "\root\cimv2")

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _    
    ("Select * from __instancecreationevent where " _
        & "TargetInstance isa 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '5781' ")

Do
Set objEmail = CreateObject("CDO.Message")
objEmail.From = "exserver@domain.com"
objEmail.To = "administrator@domain.com"
objEmail.Subject = "CRITICAL EVENT LOGGED"
objEmail.Textbody = "There is a DNS Problem."
objEmail.Send

Loop



>> Unfortunately, when I run it I get an error.

Windows Script Host
Script: event_alert.vbs
Line: 2
Char: 1
Error: Unspecified Error
Code: 80004005
Source: (null)


Any idea?
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13878342
The "Security" string you changed to "System" is *not* the log type....it has something to do with WMI security context and should not be changed.

To specify what logfile you want to look in, I think you would add a qualifier to the SELECT statement, like this:
       TargetInstance.Logfile  = 'System' and TargetInstance.EventCode = '5781'

...but I'm not sure about this.  You will have to do some digging to get the query right.
0
 
LVL 20

Author Comment

by:DVation191
ID: 13878547
I changed security back. It ran without errors this time.

Unfortunately after about 3500 emails dumped into the administrator account I couldn't seem to stop the script and ended up having to reboot. wow that sucked.

I don't know why but the emails were being generated so fast I couldn't stop it. Don't know what went wrong...
0
 
LVL 20

Author Comment

by:DVation191
ID: 13878691
i deleted the vbs script and rebooted...and i'm still getting the emails...help!!!
0
 
LVL 20

Author Comment

by:DVation191
ID: 13878721
somebody help me stop this thing! it's going to take down my entire server!!!
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13878795
Look for a process called wscript (or cscript, depending on how you started it).
Cancel that process.
0
 
LVL 20

Author Comment

by:DVation191
ID: 13878830
wscript was running when I initially ran the script. i end tasked it and the emails kept coming. that's when i deleted it and rebooted.

now that i've rebooted, and the emails are still coming, neither wscript nor cscript show up in the task manager and the email flood continues!
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13879007
Looking at the script you pasted into this forum, the Do loop includes only the code to generate a message.  It does not include the line "Set objLatestEvent = colMonitoredEvents.NextEvent", which is what would tie it to an event.  So it simply sent the message endlessly.

I think the CDO.Message object communicates directly with the message server...I don't think there is any local queue.  So the mails must have piled up in a queue on your message server.   If you executed this on the message server itself, it would have been able to create a *lot* of messages in a short time.
0
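
The fix described in the comment above, as an added example that is not part of the original thread and is not any poster's code: the loop waits on NextEvent before each mail, the log is chosen in the query rather than by editing "(Security)", and a minimum gap between mails keeps a burst of events from flooding the mailbox. The relay name, the 60-second gap, the constant names and the SendAlert helper are assumptions made for this sketch.

```vbscript
' Added example, not code from the thread. Assumed values: the SMTP relay
' name, both addresses, and the 60-second minimum gap between mails.
Const SMTP_SERVER = "smtp.example.invalid"   ' placeholder relay name
Const MAIL_FROM   = "exserver@domain.com"
Const MAIL_TO     = "administrator@domain.com"
Const MIN_GAP_SEC = 60
Const CDO_CFG     = "http://schemas.microsoft.com/cdo/configuration/"

strComputer = "."
dtLastSent = DateAdd("s", -MIN_GAP_SEC, Now)   ' so the first event mails at once
lngSuppressed = 0

' (Security) is a WMI privilege, not a log name; leave it unchanged.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" _
    & strComputer & "\root\cimv2")

' The log and the event ID are both selected in the query itself.
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent where " _
    & "TargetInstance isa 'Win32_NTLogEvent' " _
    & "and TargetInstance.Logfile = 'System' " _
    & "and TargetInstance.EventCode = '5781'")

Do
    ' Blocks here until a matching event is written; without this line
    ' the loop body runs continuously and mails without pause.
    Set objLatestEvent = colMonitoredEvents.NextEvent
    If DateDiff("s", dtLastSent, Now) >= MIN_GAP_SEC Then
        SendAlert objLatestEvent.TargetInstance, lngSuppressed
        dtLastSent = Now
        lngSuppressed = 0
    Else
        lngSuppressed = lngSuppressed + 1   ' counted, reported in the next mail
    End If
Loop

Sub SendAlert(objEvt, lngSkipped)
    Set objEmail = CreateObject("CDO.Message")
    objEmail.Configuration.Fields.Item(CDO_CFG & "sendusing") = 2   ' 2 = send over the network
    objEmail.Configuration.Fields.Item(CDO_CFG & "smtpserver") = SMTP_SERVER
    objEmail.Configuration.Fields.Update
    objEmail.From = MAIL_FROM
    objEmail.To = MAIL_TO
    objEmail.Subject = "Event " & objEvt.EventCode & " on " & objEvt.ComputerName
    objEmail.TextBody = objEvt.SourceName & ": " & objEvt.Message & vbCrLf _
        & lngSkipped & " earlier matching event(s) not mailed."
    objEmail.Send
End Sub
```

Started with cscript, the script can be stopped with Ctrl+C; suppressed events are only reported when the next event arrives after the gap has passed.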
 
LVL 20

Author Comment

by:DVation191
ID: 13879119
Yea well, it definitely sent the messages endlessly.

I suppose all these messages are now just piling up in the queue and I keep trying to delete them all but they keep coming back. i've even emptied the event log thinking maybe it kept looking there.

This is bad...really really bad....especially since i did run it on the actual exchange server....

any idea how i can stop this?
0
 
LVL 20

Author Comment

by:DVation191
ID: 13879392
ok its under control now...

the script generated about 20,000 emails...i deleted them all...now back to the task at hand...lol.

Carlo I appreciate your endless patience in this matter. would you mind revising the script for me so that it actually does what it's supposed to since I have no idea what i'm doing apparently? =) thanks
0
 
LVL 4

Expert Comment

by:LittleRed1
ID: 13879847
My but you are having fun.

This is one of the reasons I prefer using batch files, you have much more control over the functions and little or no dependencies on system configurations or versions.

A couple of things you should consider:

Do you really want a process to endlessly watch (there's that word again) for events?
What impact does this process have on the system?
What impact does this process have on the network?
When an event does occur, how many emails are sent?
Does this allow for monitoring of remote servers?
What alerts do you get when the computer crashes? - None.

You should also put some thought into how you will get alerted if the monitor itself is not running.

You can actually send a popup message to a specific user from a batch file if in a domain.
0
 
LVL 12

Expert Comment

by:Carlo-Giuliani
ID: 13895922
I am surprised you prefer the batch polling method proposed by LittleRed1.  As far as I can tell, the batch code suggested will produce multiple messages (one every time the batch file is run) for a single event log entry.

As for the above list of "things you should consider", it seems to be based on ignorance about WMI.
- to monitor remotely, all you have to do is specify a computer name (instead of ".") for strComputer.
- the event-triggered method generates one and only one event for each log entry.
  The number of messages that results depends on your code, of course.
- one process waiting for an event will have much less impact than launching a new process every 5 or 10 minutes.



 
0
 
LVL 4

Expert Comment

by:LittleRed1
ID: 13898395
Carlo-Giuliani, I am aware of the merits of wmi, but in reality the process is the same. At the end of the day the outcome is only as good as your ability to code, whether in batch script or vb. If you are really serious about this sort of thing there are also commandline utilities that use wmi, and they are very useful, providing wmi itself is working properly.

If you would like some 'real' examples of what can be achieved with batch scripting, let me know and I will point you in the right direction. I have done scripts that not only alert on events, but on services that have stopped, nodes that have crashed, critical disk space levels, critical CPU usage levels etc. etc. I have also done daily  and monthly reporting on server status, disk utilisation and forecasting etc. etc...... all with batch script. Oh, and sometimes I call cscript from my batch files to do tasks that require it, but generally only if there isn't a dependable commandline utility available.
0
 
LVL 20

Author Comment

by:DVation191
ID: 13908614
Carlo,
In defense of the batch file method, I never got the WMI method working properly. At this time I am currently investigating a paid solution anyhow. I found that the details involved in properly setting up such a script weren't worth the time or effort.
0
