Need to trigger e-mail when Event ID comes

This topic contains 6 replies, has 5 voices, and was last updated by Venkata Kalyan 3 months, 2 weeks ago.

    #42409
    Venkata Kalyan
    Participant

    Hi,
    I wrote a script in PowerShell which will trigger a mail when it has an event ID:

    Clear-Host
    # ========================
    # Collection Data Section
    # ========================
    Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME)
    {
        # Newest matching event from the Security log, as rendered XML
        $EventResult = wevtutil.exe qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
        # No matching event: stop here so that no mail is sent
        if ($null -eq $EventResult) { exit }
        $xmlEventResult = [xml]$EventResult

        $EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime
        $EventDate = Get-Date $EventDate -Format 'MM-dd-yyyy hh:mm:ss'

        # Header and style sheet (tag names assumed; the markup did not survive in the post as shown)
        $htmlStart = "<html>
    <head>
    <style>
    body {background-color:rgb(238, 238, 238);}
    body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt}
    th {font-weight:bold; background-color:rgb(78, 227, 48);}
    td {background-color:rgb(255, 190, 0);}
    </style>
    </head>
    <body>
    <h1>Security Alert: A user account was created</h1>
    <p>This event occurred at: $EventDate on $ComputerName</p>"
        $htmlEnd = "</body>
    </html>"
        $htmlStart

        # Name/Value pairs from the event data, rendered as an HTML table
        $xmlEventResult.Event.EventData.Data | Select-Object Name, @{Label = "Value"; Expression={$_."#Text"}} | Group-Object -Property __Class |
        ForEach-Object {$_.Group | Select-Object -Property * | ConvertTo-HTML -Body ("<h2>{0}</h2>" -f "$_.Name")}

        $htmlStart = ""
        $htmlStart = $htmlStart + "<p>This report has been generated by software Please DO NOT reply.</p>"
        $htmlStart

        $htmlEnd
    }

    # ======================
    # Sending Email Section
    # ======================

    $strFrom = ""
    $strTo = ""
    $strSubject = "*** Event ID- Exchange server down ***"
    $strSMTPServer = "smtp.office365.com"

    $objEmailMessage = New-Object system.net.mail.mailmessage
    $objEmailMessage.From = ($strFrom)
    $objEmailMessage.To.Add($strTo)
    $objEmailMessage.Subject = $strSubject
    $objEmailMessage.IsBodyHTML = $true
    $objEmailMessage.Body = EventID-To-HTML

    $objSMTP = New-Object Net.Mail.SmtpClient($strSMTPServer)
    $objSMTP.Send($objEmailMessage)

    But I am getting an error:
    The term 'wevtutil.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At C:\Documents and Settings\Administrator\Desktop\cool\test.ps1:9 char:38
    + $EventResult = wevtutil.exe <<<< qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
        + CategoryInfo          : ObjectNotFound: (wevtutil.exe:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

    Can someone please help me where exactly the error is?

    Thanks,
    Kalyan

    #42422
    Jack Neff
    Participant

    Try adding the full path to wevtutil.exe

    $EventResult = & "$env:SystemRoot\System32\wevtutil.exe" qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"

    #42424
    Dan Potter
    Participant

    scom does that?

    #42519
    Venkata Kalyan
    Participant

    Hi,
    I tried that, but got the same error.
    I had gone to c:\windows\system32 and could not find wevtutil.exe

    -Kalyan

    #42625
    Vin Watt
    Participant

    It is easier to export event logs with Windows PowerShell when Windows Log Explorer is used. Read this: http://eventlogxp.com/blog/exporting-event-logs-with-windows-powershell/

    #42668
    Curtis Smith
    Participant

    Hey Venkata,
    Just wanted to offer some alternatives to the way you are trying to handle this today.

    1) Attach a task that is triggered by the event, then use that task to send the email.
    https://blogs.technet.microsoft.com/wincat/2011/08/25/trigger-a-powershell-script-from-a-windows-event/

    2) Have your PowerShell register a WMI event to be alerted when the event is generated. A sample of this is below. Note that it currently writes to an output file, but could be easily adapted to send an email alert.

    # Define event Query
    $query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '5145'"
    
    # Register for event - also specify an action that
    # writes the event to the log when the event fires.
    Register-WmiEvent -ComputerName server1 -SourceIdentifier server1-5145 -Query $query -Action {
        $event.SourceEventArgs.NewEvent.TargetInstance | Out-File Log.txt -Append
    }
    

    You can see where you have Events Registered by using
    Get-EventSubscriber

    And you can unregister for events by:
    Unregister-Event -SourceIdentifier server1-5145
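
An added example, not part of Curtis Smith's post or any other reply: one way the WMI subscription above could send the alert by mail instead of writing to Log.txt, reusing the System.Net.Mail classes from the first post. The addresses, port 587, the `security-5145-mail` identifier and the error-log path are assumptions, and it expects an elevated Windows PowerShell session.

```powershell
# Added example. Addresses and the subscription name are placeholders.
$mail = @{
    From       = 'alerts@example.com'     # placeholder sender
    To         = 'secops@example.com'     # placeholder recipient
    Server     = 'smtp.office365.com'     # SMTP host named in the first post
    Port       = 587                      # assumption: STARTTLS submission port
    Credential = Get-Credential           # account permitted to send as From
}

# Same WQL as in the post, narrowed to the Security log.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = '5145'"

$action = {
    # The action block does not see the caller's variables;
    # settings arrive through -MessageData instead.
    $cfg  = $Event.MessageData
    $e    = $Event.SourceEventArgs.NewEvent.TargetInstance
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)

    # Event text can carry user-influenced strings (account, share and file names),
    # so escape markup characters before building the HTML body.
    $fields = @($e.EventCode, $e.ComputerName, $when.ToString('yyyy-MM-dd HH:mm:ss'), $e.Message) |
        ForEach-Object { [System.Security.SecurityElement]::Escape([string]$_) }
    $body = '<h3>Event {0} on {1}</h3><p>Logged: {2}</p><pre>{3}</pre>' -f $fields

    $msg = New-Object System.Net.Mail.MailMessage($cfg.From, $cfg.To)
    $msg.Subject    = "Security event $($e.EventCode) on $($e.ComputerName)"
    $msg.IsBodyHtml = $true
    $msg.Body       = $body

    $smtp = New-Object System.Net.Mail.SmtpClient($cfg.Server, $cfg.Port)
    $smtp.EnableSsl   = $true         # refuse to send credentials in clear text
    $smtp.Credentials = $cfg.Credential.GetNetworkCredential()
    try {
        $smtp.Send($msg)
    } catch {
        # Errors inside an action are easy to miss; keep a local trace.
        "$(Get-Date -Format s) send failed: $_" | Out-File "$env:TEMP\event-mail-errors.log" -Append
    } finally {
        $msg.Dispose()
    }
}

Register-WmiEvent -Query $query -SourceIdentifier 'security-5145-mail' -MessageData $mail -Action $action
```

The subscription lives only as long as the PowerShell session that registered it, so for unattended alerting the session has to stay open or the script has to be started again after a reboot.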

    #42673
    Venkata Kalyan
    Participant

    Hi All,
    Thanks for the alternative solutions. Let me try.

    -Kalyan
