Kill A Process Based on Event Log

I have a service that is hanging. I can identify an event log entry that shows the error exists. I need an event log monitor that can kill a process and then start a service when the event arises. I would also like to be able to recycle an application pool on a different error. It should also send an email when the event happens.

It is only going to run on one server and it seems that all of the programs are designed to consolidate hundreds of logs and make them readable. I haven't been able to get past that marketing hype to find a program that does what I want.

Is there a program that will do this?

Thanks
randymiller Asked:

ashutosh_kumar Commented:
I don't think any such application exists. :(
0
Matthew Millers Commented:
You could write a batch file...

use psloglist to watch the event log (say, poll every 5 mins for the last 5 mins of events)
then use pskill to kill the process
then net start the service
0
oBdA Commented:
You can try to use the "Recover" tab in the service's properties to start a batch file that will kill the process in question with taskkill.exe (default in XP and W2k3) and restart the service:

@echo off
taskkill /im "TheProcess.exe"
net start "TheService"

If the SCM doesn't notice that the service hangs (you didn't say what event is logged), and the above doesn't work (note that you can *not* test the Recover function by stopping the service; the service actually has to fail!), you can use eventtriggers.exe to define an event that fires the batch file on the certain event.
You can use eventtriggers.exe as well for the other problem, but you'll have to figure out a way to recycle the application pool from the command line.
blat.exe can be used to send an email from the command line.

@echo off
<Recycle Application Pool with whatever command>
blat.exe -server Your.Mail.Server -f eventalert@your.domain.com -t randymiller@your.domain.com -s "Some Event happened"

Taskkill
http://technet.microsoft.com/en-us/library/bb491009.aspx

Eventtriggers
http://technet2.microsoft.com/windowsserver/en/library/e33bcf4c-dece-4b47-9bb7-31ecfcbc76d51033.mspx?mfr=true

Blat
http://www.blat.net/
0
randymiller Author Commented:
So far the EventTrigger seems to be working and the batch files are able to kill the process and reset the application pool without problem.

The EventTrigger is too aggressive, however. I have it set up to trigger on a 1309 event with a description. It is triggering on all 1309 events. I used a batch file to create the eventtriggers. Here is the line.

eventtriggers /create /tr ResetTGAppPool /l Application /eid 1309 /d "Exception message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." /tk c:\batch\ResetTGAppPool.bat

As you see I am using the /d syntax. I was afraid that since the message body is much bigger than the text provided and has date and time information it wouldn't match, but it seems to be ignoring it. Do you have any experience with using the /d syntax?

Also here is the line to reset an application pool in case anybody needs it.

@Echo Off
cscript c:\windows\system32\iisapp.vbs /a "YourPoolName" /r
EventCreate /l Application /t INFORMATION /id 1 /d "Application Pool Recycled"

Thanks
Randy

PS: Even though it is too aggressive, the extra resets are causing fewer problems than not enough.
0
oBdA Commented:
The "/d" is only the description of the trigger itself, to make things easier for you; you can only use the /SO[urce] and /T[ype] arguments for further checks.
Is that your own application that's creating this message, that is, can it be changed?
Can you check in the script for the error condition?
0
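
The check-in-the-script approach suggested above, as an added example that is not part of the original thread: the trigger still fires on every 1309 event, but the script recycles the pool only if a recent 1309 entry actually contains the SSL/TLS trust error. It assumes PowerShell is installed on the server; the pool name, the look-back window and the number of entries scanned are placeholders.

```powershell
# Added example: filter on the message text in the script, because the
# event trigger itself fires on every 1309 event in the Application log.
# PoolName, LookBackMinutes and Newest are placeholder values.
param(
    [string]$PoolName = 'YourPoolName',
    [int]$LookBackMinutes = 2,
    [int]$Newest = 200
)

$needle = 'Could not establish trust relationship for the SSL/TLS secure channel'
$cutoff = (Get-Date).AddMinutes(-$LookBackMinutes)

# Scan the newest Application log entries and keep only recent 1309 events
# whose message contains the error text (-like is case-insensitive).
$hits = @(Get-EventLog -LogName Application -Newest $Newest |
    Where-Object {
        $_.EventID -eq 1309 -and
        $_.TimeGenerated -ge $cutoff -and
        $_.Message -like "*$needle*"
    })

if ($hits.Count -eq 0) {
    # A different 1309 event fired the trigger: leave the pool alone.
    exit 0
}

# Same recycle command as the batch file posted in this thread.
cscript //nologo c:\windows\system32\iisapp.vbs /a $PoolName /r
$rc = $LASTEXITCODE

# Record what was done; event ID 1 does not re-fire the 1309 trigger.
$text = "Application Pool $PoolName recycled after $($hits.Count) matching 1309 event(s), iisapp.vbs exit code $rc"
EventCreate /l Application /t INFORMATION /id 1 /d $text
exit $rc
```

Call it from the batch file the trigger already runs, in place of the cscript line.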

randymiller Author Commented:
Thanks for your help. I was hoping to be able to filter the event a little better, but it seems that Windows doesn't allow that.
Thanks for the direction
Randy
0
Windows Server 2003