Need to trigger e-mail when Event ID comes

This topic contains 6 replies, has 5 voices, and was last updated by Venkata Kalyan 2 years, 1 month ago.

  • #42409

    Venkata Kalyan

    I wrote a script in PowerShell which will trigger a mail when it has an event ID:

    # ========================
    # Collection Data Section
    # ========================
    Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME)
    {
        # Most recent matching event from the Security log, rendered as XML
        $EventResult = wevtutil.exe qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
        # Stop here when no matching event exists
        if ($null -eq $EventResult) { exit }
        $xmlEventResult = [xml]$EventResult

        $EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime
        $EventDate = Get-Date $EventDate -format ('MM-dd-yyyy hh:mm:ss')

        # Page header with the styles used by the event table
        $htmlStart = "<html>
        <head>
        <style>
        body {background-color:rgb(238, 238, 238);}
        body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt}
        th {font-weight:bold; background-color:rgb(78, 227, 48);}
        td {background-color:rgb(255, 190, 0);}
        </style>
        </head>
        <body>
        <h1>Security Alert: A user account was created</h1>
        <p>This event occurred at: $EventDate on $ComputerName</p>"
        $htmlStart

        # Name/Value table built from the event's EventData fields
        $xmlEventResult.Event.EventData.Data | Select-Object Name, @{Label = "Value"; Expression={$_."#Text"}} | Group-Object -Property __Class |
        ForEach-Object {$_.Group | Select-Object -Property * | ConvertTo-HTML -Body ("<h2>{0}</h2>" -f $_.Name)}

        # Footer and closing tags
        $htmlEnd = "<p>This report has been generated by software Please DO NOT reply.</p>
        </body>
        </html>"
        $htmlEnd
    }

    # ======================
    # Sending Email Section
    # ======================

    $strFrom = ""          # sender address
    $strTo = ""            # recipient address
    $strSubject = "*** Event ID- Exchange server down ***"
    $strSMTPServer = ""    # SMTP server name

    $objEmailMessage = New-Object System.Net.Mail.MailMessage
    $objEmailMessage.From = ($strFrom)
    $objEmailMessage.To.Add($strTo)
    $objEmailMessage.Subject = $strSubject
    $objEmailMessage.IsBodyHTML = $true
    # The function emits several strings; join them into one body
    $objEmailMessage.Body = EventID-To-HTML | Out-String

    $objSMTP = New-Object Net.Mail.SmtpClient($strSMTPServer)
    $objSMTP.Send($objEmailMessage)

    But I am getting an error:
    The term 'wevtutil.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Documents and Settings\Administrator\Desktop\cool\test.ps1:9 char:38
    + $EventResult = wevtutil.exe <<<< qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
    + CategoryInfo : ObjectNotFound: (wevtutil.exe:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Can someone please help me where exactly the error is?

    Thanks,
    Kalyan

  • #42422

    Jack Neff

    Try adding the full path to wevtutil.exe

    # The call operator (&) is needed to run a quoted path that contains a variable
    $EventResult = & "$env:SystemRoot\System32\wevtutil.exe" qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
  • #42424

    Dan Potter

    scom does that?

  • #42519

    Venkata Kalyan

    I tried that, but got the same error.
    I went to c:\windows\system32 and could not find wevtutil.exe.


  • #42625

    Vin Watt

    It is easier to export event logs with Windows PowerShell when Windows Log Explorer is used. Read this

  • #42668

    Curtis Smith

    Hey Venkata,
    Just wanted to offer some alternatives to the way you are trying to handle this today.

    1) Attach a task that is triggered by the event, then use that task to send the email.

    2) Have your PowerShell register a WMI event to be alerted when the event is generated. A sample of this is below. Note that it currently writes to an output file, but could be easily adapted to send an email alert.

    # Define event query
    $query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '5145'"
    # Register for event - also specify an action that
    # writes the event to the log when the event fires.
    Register-WmiEvent -ComputerName server1 -SourceIdentifier server1-5145 -Query $query -Action {
        $event.SourceEventArgs.NewEvent.TargetInstance | Out-File Log.txt -Append
    }

    You can see where you have Events Registered by using

    And you can unregister for events by:
    Unregister-Event -SourceIdentifier server1-5145
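
The WMI subscription suggested above, adapted to send an HTML e-mail instead of writing to Log.txt. This is an added example, not code from any poster in the thread. The SMTP server, the addresses, the source identifier and the error-log file name are placeholder assumptions, and it needs PowerShell 2.0 or later for Register-WmiEvent.

```powershell
# Added example. Every value in $config is a placeholder assumption.
$config = @{
    EventCode  = 5145                       # event ID from the sample above
    SmtpServer = 'smtp.example.invalid'
    From       = 'alerts@example.invalid'
    To         = 'admin@example.invalid'
}
$sourceId = "mail-on-event-$($config.EventCode)"   # hypothetical identifier

$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.EventCode = '$($config.EventCode)'"

# The action runs in its own scope, so settings arrive through -MessageData.
$action = {
    $cfg = $event.MessageData
    $e   = $event.SourceEventArgs.NewEvent.TargetInstance

    # Event fields can carry text chosen by whoever caused the event (user names,
    # paths), so escape them before they go into an HTML body.
    $esc  = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
    $rows = foreach ($name in 'ComputerName', 'Logfile', 'SourceName', 'EventCode', 'User', 'Message') {
        '<tr><th>{0}</th><td>{1}</td></tr>' -f $name, (& $esc ($e.$name))
    }
    $body = "<html><body><p>Event $($e.EventCode) logged at $($when.ToString('s'))</p>" +
            "<table>$($rows -join '')</table></body></html>"

    $msg = New-Object System.Net.Mail.MailMessage($cfg.From, $cfg.To)
    $msg.Subject    = "Event $($e.EventCode) on $($e.ComputerName)"
    $msg.IsBodyHtml = $true
    $msg.Body       = $body
    try {
        (New-Object System.Net.Mail.SmtpClient($cfg.SmtpServer)).Send($msg)
    }
    catch {
        # Keep a local record if the relay cannot be reached
        "$(Get-Date -Format s) send failed: $($_.Exception.Message)" |
            Out-File MailAlert-Errors.log -Append
    }
    finally { $msg.Dispose() }
}

Register-WmiEvent -Query $query -SourceIdentifier $sourceId -MessageData $config -Action $action
```

The subscription lasts only as long as the PowerShell session that registered it, and it is removed with Unregister-Event -SourceIdentifier as shown above.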

  • #42673

    Venkata Kalyan

    Hi All,
    Thanks for the alternative solutions. Let me try.

