Smith and Andersen
asked on
PowerShell scripts to email event log entry
I have a task attached to an event that runs a PowerShell script to send an email whenever an event is logged.
For actions I have Start a program, entered powershell.exe with the path to the script in arguments.
It all works well, except whenever the task runs I get an email with the event details and a 2nd email like below.
Can anyone tell me how to prevent the 2nd email?
SubjectUserSid S-1-5-21-2560493146-1397779600-2150419373-2289
SubjectUserName service account name
SubjectDomainName AD
SubjectLogonId 0x585dd7
ObjectServer Security
ObjectType Key
ObjectName \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HandleId 0x304
TransactionId {00000000-0000-0000-0000-000000000000}
AccessList %%1538 %%4432 %%4435 %%4436
AccessReason -
AccessMask 0x20019
PrivilegeList -
RestrictedSidCount 0
ProcessId 0xc9c
ProcessName C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
We'd need to look at your script to determine what needs to be changed.
ASKER
Hi Adam
here you go!!
Clear-Host
# ========================
# Collection Data Section
# ========================
Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME)
{
$EventResult = wevtutil qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=4656)]]"
if ($EventResult -eq $null){exit}
$xmlEventResult = [xml]$EventResult
$EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime
$EventDate = Get-Date $EventDate -format ('MM-dd-yyyy hh:mm:ss')
$htmlStart = "<HTML>
<HEAD>
<style>
body {background-color:rgb(238, 238, 238);}
body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt}
th {font-weight:bold; background-color:rgb(78, 227, 48);}
td {background-color:rgb(255, 190, 0);}
</style>
</HEAD>
<BODY><div align=center>
<h2><b><br><br>Security Alert: <span Style='font-style:normal; color:Blue'>Access to a HoneyPot Share</span></b></h2>
<p><b><br>This event occurred at: <span Style='font-style:italic; color:Blue'>$EventDate on $ComputerName</span></b></p>"
$htmlEnd = ''
$htmlStart
$xmlEventResult.Event.EventData.Data | Select-Object Name, @{Label = "Value"; Expression={$_."#Text"}} | Group-Object -Property __Class |
ForEach-Object {$_.Group | Select-Object -Property * | ConvertTo-HTML -Body ('' -f "$_.Name")}
$htmlStart = ''
$htmlStart = $htmlStart + "<br><i><span Style='color:red'>This report has been generated by software</i> <br><i>Please DO NOT reply.</i></div>"
$htmlStart
$htmlEnd = ''
$htmlEnd
}
# ======================
# Sending Email Section
# ======================
$strFrom = "honeypot@ourdomain.com"
$strTo = "myemail.com"
$strSubject = "*** Honey Pot Share Access ***"
$strSMTPServer = "relayserver.com"
$objEmailMessage = New-Object system.net.mail.mailmessage
$objEmailMessage.From = ($strFrom)
$objEmailMessage.To.Add($strTo)
$objEmailMessage.Subject = $strSubject
$objEmailMessage.IsBodyHTML = $true
$objEmailMessage.Body = EventID-To-HTML
$objSMTP = New-Object Net.Mail.SmtpClient($strSMTPServer)
$objSMTP.Send($objEmailMessage)
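An added example, not part of the original thread or the asker's script: the event in the second email names powershell.exe as ProcessName and a registry Key as ObjectType, so the alert script can filter its 4656 query on those fields instead of taking whichever 4656 event is newest. The function name, the 'File' object type for honeypot share access, and the ignore list are assumptions to adapt to what the share audit actually logs.

```powershell
# Added example. Assumption: access to the honeypot share is audited as
# event 4656 with ObjectType 'File'; registry handle requests (ObjectType
# 'Key') made by the alerting PowerShell process itself are not of interest.
function Get-HoneypotAccessEvent {
    param(
        [int]$MaxEvents = 20,                             # how far back to look
        [string]$ObjectType = 'File',                     # assumed type for share access
        [string[]]$IgnoreProcess = @('powershell.exe')    # the responder's own process
    )

    # Server-side filter: only 4656 events whose ObjectType field matches.
    $xpath = "*[System[(EventID=4656)]] and " +
             "*[EventData[Data[@Name='ObjectType']='$ObjectType']]"

    # Get-WinEvent returns the newest events first.
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath `
                  -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Flatten the EventData name/value pairs into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }

        # Client-side filter: skip events generated by ignored executables.
        $exe = [System.IO.Path]::GetFileName([string]$fields['ProcessName'])
        if ($IgnoreProcess -contains $exe) { continue }

        # First event that survives both filters is the one to report.
        return [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            User        = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
            ObjectName  = $fields['ObjectName']
            ProcessName = $fields['ProcessName']
            Fields      = $fields
        }
    }
}

# Usage: build and send the mail only when a matching event exists.
$hit = Get-HoneypotAccessEvent
if ($hit) {
    "Honeypot access by $($hit.User) on $($hit.ObjectName) at $($hit.TimeCreated)"
}
```

Filtering inside the script only suppresses the extra message; the scheduled task still starts for every 4656 event unless the task trigger itself is narrowed with the same kind of XPath filter.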