Need to trigger e-mail when Event ID comes


This topic contains 6 replies, has 5 voices, and was last updated by Venkata Kalyan 3 months, 2 weeks ago.

    Venkata Kalyan

    I wrote a script in PowerShell which will trigger a mail when it has an event ID:

    # ========================
    # Collection Data Section
    # ========================
    Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME)
    {
        # Newest matching event from the Security log, rendered as XML
        $EventResult = wevtutil.exe qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
        if ($EventResult -eq $null) { exit }
        $xmlEventResult = [xml]$EventResult

        $EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime
        $EventDate = Get-Date $EventDate -Format 'MM-dd-yyyy hh:mm:ss'

        $htmlStart = "<style>
        body {background-color:rgb(238, 238, 238);}
        body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt}
        th {font-weight:bold; background-color:rgb(78, 227, 48);}
        td {background-color:rgb(255, 190, 0);}
        </style>
        Security Alert: A user account was created
        This event occurred at: $EventDate on $ComputerName"
        $htmlEnd = ""

        # Name/Value pairs from the event data, converted to an HTML table
        $xmlEventResult.Event.EventData.Data | Select-Object Name, @{Label = "Value"; Expression={$_."#Text"}} | Group-Object -Property __Class |
        ForEach-Object {$_.Group | Select-Object -Property * | ConvertTo-HTML -Body ("{0}" -f "$_.Name")}

        $htmlStart = ""
        $htmlStart = $htmlStart + "This report has been generated by software Please DO NOT reply."
        $htmlEnd = ""
    }

    # ======================
    # Sending Email Section
    # ======================

    $strFrom = ""
    $strTo = ""
    $strSubject = "*** Event ID- Exchange server down ***"
    $strSMTPServer = ""

    $objEmailMessage = New-Object Net.Mail.MailMessage
    $objEmailMessage.From = ($strFrom)
    $objEmailMessage.To.Add($strTo)
    $objEmailMessage.Subject = $strSubject
    $objEmailMessage.IsBodyHTML = $true
    $objEmailMessage.Body = EventID-To-HTML

    $objSMTP = New-Object Net.Mail.SmtpClient($strSMTPServer)
    $objSMTP.Send($objEmailMessage)

    But I am getting an error:

    The term 'wevtutil.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Documents and Settings\Administrator\Desktop\cool\test.ps1:9 char:38
    + $EventResult = wevtutil.exe <<<< qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
        + CategoryInfo : ObjectNotFound: (wevtutil.exe:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    Can someone please help me where exactly the error is?

    Thanks, Kalyan

    Jack Neff

    Try adding the full path to wevtutil.exe

    $EventResult = & "$env:SystemRoot\System32\wevtutil.exe" qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"

    Dan Potter

    scom does that?

    Venkata Kalyan

    I tried that, but got the same error.
    I had gone to c:\windows\system32 and could not find wevtutil.exe.


    Vin Watt

    It is easier to export event logs with Windows PowerShell when Windows Log Explorer is used. Read this

    Curtis Smith

    Hey Venkata,
    Just wanted to offer some alternatives to the way you are trying to handle this today.

    1) Attach a task that is triggered by the event, then use that task to send the email.

    2) Have your PowerShell register a WMI event to be alerted when the event is generated. A sample of this is below. Note that it currently writes to an output file, but could be easily adapted to send an email alert.

    # Define event Query
    $query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '5145'"
    # Register for event - also specify an action that
    # writes the event to the log when the event fires.
    Register-WmiEvent -ComputerName server1 -SourceIdentifier server1-5145 -Query $query -Action {
        $event.SourceEventArgs.NewEvent.TargetInstance | Out-File Log.txt -Append
    }

    You can see where you have Events Registered by using

    And you can unregister for events by:
    Unregister-Event -SourceIdentifier server1-5145
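
The WMI registration above, adapted to send mail instead of writing to a file. This is an added example, not code from any poster in the thread; the addresses, SMTP host and subscription name are placeholders, and it assumes Windows PowerShell 2.0 or later, where Register-WmiEvent is available.

```powershell
# Added example. Placeholder settings (assumptions, not values from the thread).
$mail = @{
    From   = 'alerts@example.com'
    To     = 'secops@example.com'
    Server = 'smtp.example.com'
}
$eventId  = 5145                      # event code used in the sample above
$sourceId = "server1-$eventId-mail"   # hypothetical subscription name

$query = "SELECT * FROM __InstanceCreationEvent " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.EventCode = '$eventId'"

# The action block runs later, when the event fires. -MessageData hands it
# the mail settings explicitly; they are read back from $event.MessageData.
$action = {
    $cfg = $event.MessageData
    $e   = $event.SourceEventArgs.NewEvent.TargetInstance
    # Win32_NTLogEvent timestamps are DMTF strings; convert for readability.
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)

    $msg = New-Object Net.Mail.MailMessage
    try {
        $msg.From = $cfg.From
        $msg.To.Add($cfg.To)
        $msg.Subject = "Event $($e.EventCode) on $($e.ComputerName)"
        # Plain text: event fields can hold user-controlled strings, so they
        # are not embedded in HTML.
        $msg.IsBodyHtml = $false
        $msg.Body = "Log:     $($e.Logfile)`r`n" +
                    "Source:  $($e.SourceName)`r`n" +
                    "Time:    $when`r`n`r`n" +
                    $e.Message
        $smtp = New-Object Net.Mail.SmtpClient($cfg.Server)
        $smtp.Send($msg)
    }
    catch {
        # Keep a local trace when the mail cannot be sent.
        "$(Get-Date -Format s) alert mail failed: $_" |
            Out-File "$env:TEMP\event-alert-errors.log" -Append
    }
    finally { $msg.Dispose() }
}

Register-WmiEvent -ComputerName server1 -SourceIdentifier $sourceId `
    -Query $query -MessageData $mail -Action $action
```

The subscription lasts only as long as the PowerShell session that registered it and sends one mail per matching event, so a noisy event ID will produce a matching volume of mail.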

    Venkata Kalyan

    Hi All,
    Thanks for the alternative solutions. Let me try.

