Solved

Event log mail forwarding 2012 R2

Posted on 2014-09-04
Last Modified: 2014-09-09
Hi All

Was looking to use the script below to trigger events within the event log 2012 R2.  Is there any way that I can either:

Attach a copy of the log entry
Or copy the content inside the message.

The current script is below - has anyone done this?

Send-MailMessage -to <recipient email address> -Subject "Backup Success" -body "The server backup job on server1 completed successfully" -smtpserver <your mail server> -from <sender email address>
Question by:BYRONJACKSON
 
LVL 40

Expert Comment

by:Subsun
ID: 40303819
Here is a simple TechNet article on how to create an event log trigger; this should work for Windows Server 2012 also. Please check and let me know if you have any questions.

http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
0
 

Author Comment

by:BYRONJACKSON
ID: 40303908
I actually attempted this but could not complete the 1st stage as email functions have been deprecated in 2012 R2.  I was attempting to do this in PowerShell and forward out using SMTP.  Any suggestions?
0
 
LVL 18

Accepted Solution

by:
Steven Harris earned 100 total points
ID: 40303962
In regards to the Article Response:

Start by experimenting with the following and verifying the output in the console, or ISE:

$Event = Get-EventLog -LogName System -InstanceId 4740 -Newest 1
$Event | format-list -property *



Can you tell me what type of output you receive?
0

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 400 total points
ID: 40303983
In that case you can create an event trigger to start a program (in this scenario a PowerShell script). Use the following code to get the event and mail it to your email ID.
$event = Get-EventLog -LogName Application -Source "Your Event source here" -Newest 1
# Get-Help Get-EventLog lists the other options available for selecting the log entry you want.
if ($event -ne $null)
{
    # Computer name used in the sender address
    $PCName = $env:COMPUTERNAME
    $EmailBody = ($event | Format-List * | Out-String)
    $EmailFrom = "Your Email Address <$PCName@yourdomain.com>"
    $EmailTo = "youremail@yourdomain.com"
    $EmailSubject = "The server backup job on server1 completed successfully"
    $SMTPServer = "mail.yourdomain.com"

    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -Body $EmailBody -SmtpServer $SMTPServer
}


Ref : http://technet.microsoft.com/en-us/library/hh849834.aspx
0
 

Author Comment

by:BYRONJACKSON
ID: 40305429
Hi both,

If I run Get-EventLog -LogName Security -Newest 1 with the format out string all is great and the output was given correctly.  However if I run this $Event = Get-EventLog etc all runs but the mail is sent without content - no errors are given.

I have used both ideas and combined them - Why did they get rid of the email function Grr? lol

Any ideas?

#PowerShell must run with elevated permissions:
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))

{  
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
#Powershell is now elevated

$Event = Get-EventLog -LogName Security -Newest 1
$MailBody= Format-list * | Out-String

$MailSubject= "User Lockout Notification"

$SmtpClient = New-Object system.net.mail.smtpClient
Send-MailMessage -SmtpServer mysmtpserver -From myadminemail  -to myadmingroupemaill -Subject "TEST"
  -Body $Event.Message + "`r`n`t" + $Event.TimeGenerated

$MailMessage.IsBodyHtml = 0
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40305441
What if you try my code?
0
 

Author Comment

by:BYRONJACKSON
ID: 40305469
It fails  Subsun - hang on will run again and post the errors
0
 

Author Comment

by:BYRONJACKSON
ID: 40305483
This is what I get

Get-eventlog : No matches found
At line:1 char:11
+ $event =  Get-eventlog -LogName Application -Source 1001 -Newest 1
+           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-EventLog], ArgumentException
    + FullyQualifiedErrorId : GetEventLogNoEntriesFound,Microsoft.PowerShell.Commands.GetEventLogCommand

No mail is sent
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40305602
Probably your source is wrong..

-Source 1001

Correct..

$event =  Get-eventlog -LogName Application -Source "windows Error Reporting" -Newest 1


0
 

Author Comment

by:BYRONJACKSON
ID: 40305823
Hi - Thank you, it is inserting data now. Is there a way that I can improve the data format? At the moment the string is not readable. Would like to send in a vertical list or table format - is this possible?

Also, with the source, should this be changed per event type - i.e. Security etc.? Sorry if this sounds vague - not that experienced with PowerShell.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40305836
You can get it in any format.. :-)..  In what format do you need it? Pls give a sample..
0
 

Author Comment

by:BYRONJACKSON
ID: 40305850
Hi Subsun - a table? or

Data 1
Data 2
Data 3 etc

Also with the source will this need to be changed per event type? ie Security - Application etc?  I will probably only be looking at GPO audit events....

Thanks for your help - Appreciated!
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40305857
So are you trying to report more than one event in same mail?
0
 

Author Comment

by:BYRONJACKSON
ID: 40305896
Actually all I want to do is to fire an email to some selected events within the security log of the event viewer.  The PS script will be attached to a task that triggers on the event arriving in the log.  As for multiple events - no, not in a single mail - just a single event per mail, but it just needs to be formatted in a tabular way.

Hope this explains?

Byron
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40305945
Try..
$event = Get-EventLog -LogName Application -Source "Your Event source here" -Newest 1
# Get-Help Get-EventLog lists the other options available for selecting the log entry you want.
if ($event -ne $null)
{
    # Inline CSS so the table renders with borders in the mail client
    $a = "<style>"
    $a = $a + "BODY{background-color:white;}"
    $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $a = $a + "TH{border-width: 1px;padding: 1px;border-style: solid;border-color: black;background-color:White}"
    $a = $a + "TD{border-width: 1px;padding: 5px;border-style: solid;border-color: black;background-color:white}"
    $a = $a + "</style>"

    # Computer name used in the sender address
    $PCName = $env:COMPUTERNAME
    $EmailBody = ($event | Select-Object TimeGenerated,EntryType,Source,InstanceID,Message | ConvertTo-Html -Head $a | Out-String)
    $EmailFrom = "Your Email Address <$PCName@yourdomain.com>"
    $EmailTo = "youremail@yourdomain.com"
    $EmailSubject = "The server backup job on server1 completed successfully"
    $SMTPServer = "mail.yourdomain.com"

    # -BodyAsHtml is a switch; the HTML itself is passed through -Body
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -Body $EmailBody -BodyAsHtml -SmtpServer $SMTPServer
}


0
 

Author Comment

by:BYRONJACKSON
ID: 40306203
Ahhh I see where I went wrong! so if I do this:

$event =  Get-eventlog -LogName Security -Source "Microsoft Windows security" -InstanceId 4720 -Newest 1

would this work for me in order to pull specific events?  It is just hanging at the moment
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40306221
Try with

-Source "Microsoft-Windows-Security-Auditing"


1
 

Author Closing Comment

by:BYRONJACKSON
ID: 40312109
Thank you both for your solutions - really helped me out!
0
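An added example, not code posted by anyone in the thread: the same one-event-per-mail notification, but selecting the Security log entry by event ID with Get-WinEvent instead of Get-EventLog with -Source, and laying it out as the vertical list the author asked for. The SMTP server and addresses are the thread's placeholders; the parameter names and the five-minute lookback window are assumptions.

```powershell
# Added example (not from the thread). Server name and addresses are the
# thread's placeholders; the lookback window is an assumed value.
param(
    [int[]]  $EventId         = @(4720, 4740),   # event IDs mentioned in the thread
    [int]    $LookbackMinutes = 5,               # assumption: task runs soon after the event
    [string] $SmtpServer      = 'mail.yourdomain.com',
    [string] $To              = 'youremail@yourdomain.com',
    [string] $From            = "$($env:COMPUTERNAME)@yourdomain.com"
)

# Select by log, event ID and time inside the query itself.
$filter = @{
    LogName   = 'Security'
    Id        = $EventId
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Newest match comes first. Get-WinEvent reports an error when nothing
# matches, so suppress it and exit quietly instead of sending an empty mail.
$record = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $record) { return }

$style = @'
<style>
TABLE{border-collapse:collapse;border:1px solid black;}
TD{border:1px solid black;padding:5px;vertical-align:top;white-space:pre-wrap;}
</style>
'@

# -As List emits one "name / value" row per property (vertical layout).
$body = $record |
    Select-Object TimeCreated, Id, ProviderName, MachineName, RecordId, Message |
    ConvertTo-Html -As List -Head $style |
    Out-String

$mail = @{
    From       = $From
    To         = $To
    Subject    = "Security event $($record.Id) on $($record.MachineName)"
    Body       = $body
    BodyAsHtml = $true
    SmtpServer = $SmtpServer
}
Send-MailMessage @mail
```

The scheduled task that runs this needs an account allowed to read the Security log, which is why the author's own script elevates first.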
