
June 9, 2016 at 10:52 am

Hi,
I wrote a script in PowerShell which will trigger a mail when it has an event ID:

Clear-Host
# ========================
# Collection Data Section
# ========================
Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME)
{
    # Newest matching record from the Security log, rendered as XML
    $EventResult = wevtutil.exe qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
    if ($EventResult -eq $null) { exit }
    $xmlEventResult = [xml]$EventResult

    $EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime
    $EventDate = Get-Date $EventDate -Format 'MM-dd-yyyy hh:mm:ss'

    # The HTML tags in the strings below are assumed: the forum stripped the markup from the post
    $htmlStart = "<html><head><style>
body {background-color:rgb(238, 238, 238);}
body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt}
th {font-weight:bold; background-color:rgb(78, 227, 48);}
td {background-color:rgb(255, 190, 0);}
</style></head><body>
<h1>Security Alert: A user account was created</h1>
<h2>This event occurred at: $EventDate on $ComputerName</h2>"
    $htmlEnd = "</body></html>"
    $htmlStart

    # One HTML table of the event's Name / Value data fields
    $xmlEventResult.Event.EventData.Data |
        Select-Object Name, @{Label = "Value"; Expression = {$_."#text"}} |
        Group-Object -Property __Class |
        ForEach-Object { $_.Group | Select-Object -Property * | ConvertTo-Html -Body ("<h2>{0}</h2>" -f $_.Name) }

    $htmlStart = "<p>"
    $htmlStart = $htmlStart + "This report has been generated by software. Please DO NOT reply."
    $htmlStart

    $htmlEnd = "</p>"
    $htmlEnd
}

# ======================
# Sending Email Section
# ======================

$strFrom = ""    # sender address (left blank in the post)
$strTo = ""      # recipient address (left blank in the post)
$strSubject = "*** Event ID- Exchange server down ***"
$strSMTPServer = "smtp.office365.com"

$objEmailMessage = New-Object System.Net.Mail.MailMessage
$objEmailMessage.From = ($strFrom)
$objEmailMessage.To.Add($strTo)
$objEmailMessage.Subject = $strSubject
$objEmailMessage.IsBodyHtml = $true
$objEmailMessage.Body = EventID-To-HTML    # the function's output lines are joined into the body

$objSMTP = New-Object System.Net.Mail.SmtpClient($strSMTPServer)
$objSMTP.Send($objEmailMessage)

But I am getting an error:
The term 'wevtutil.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Documents and Settings\Administrator\Desktop\cool\test.ps1:9 char:38
+ $EventResult = wevtutil.exe <<<< qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"
+ CategoryInfo : ObjectNotFound: (wevtutil.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Can someone please help me where exactly the error is?
Thanks, Kalyan

June 9, 2016 at 12:23 pm

Try adding the full path to wevtutil.exe

# The call operator (&) is needed when the command name starts with a variable
$EventResult = & "$env:SystemRoot\System32\wevtutil.exe" qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=1014)]]"

June 9, 2016 at 12:23 pm

SCOM does that?

June 10, 2016 at 5:30 am

Hi,
I tried that, but same error.
I had gone to c:\windows\system32 and could not find wevtutil.exe.

-Kalyan

June 12, 2016 at 4:54 pm

It is easier to export event logs with Windows PowerShell when Windows Log Explorer is used. Read this: http://eventlogxp.com/blog/exporting-event-logs-with-windows-powershell/

June 13, 2016 at 5:09 am

Hey Venkata,
Just wanted to offer some alternatives to the way you are trying to handle this today.

1) Attach a task that is triggered by the event, then use that task to send the email.
https://blogs.technet.microsoft.com/wincat/2011/08/25/trigger-a-powershell-script-from-a-windows-event/

2) Have your PowerShell register a WMI event to be alerted when the event is generated. A sample of this is below. Note that it currently writes to an output file, but could easily be adapted to send an email alert.

# Define event query: fires for every new Win32_NTLogEvent record with EventCode 5145
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '5145'"

# Register for event - also specify an action that
# writes the event to the log when the event fires.
Register-WmiEvent -ComputerName server1 -SourceIdentifier server1-5145 -Query $query -Action {
    $event.SourceEventArgs.NewEvent.TargetInstance | Out-File Log.txt -Append
}

You can see where you have Events Registered by using
Get-EventSubscriber

And you can unregister for events by:
Unregister-Event -SourceIdentifier server1-5145
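Putting the two halves of this thread together, here is an added example (my own code, not from any poster) of the WMI subscription above whose action builds the HTML report the original script aimed for and mails it, instead of writing to a file. The SMTP host, the addresses and the event ID are placeholders; the session must have permission to read the Security log.

```powershell
# Placeholders: replace with your own mail settings and the event ID to watch
$SmtpServer = 'smtp.example.com'
$From       = 'alerts@example.com'
$To         = 'secops@example.com'
$EventCode  = 4720     # placeholder: "A user account was created"

# WQL query: one event per new Security-log record with the given EventCode
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = '$EventCode'"

# -MessageData carries the mail settings into the action scope ($Event.MessageData)
$mail = @{ SmtpServer = $SmtpServer; From = $From; To = $To }

Register-WmiEvent -Query $query -SourceIdentifier "Security-$EventCode" -MessageData $mail -Action {
    $rec = $Event.SourceEventArgs.NewEvent.TargetInstance
    $cfg = $Event.MessageData

    # Win32_NTLogEvent.TimeGenerated is a CIM datetime string; convert it to DateTime
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($rec.TimeGenerated)

    # Field / Value table from the record. ConvertTo-Html encodes the cell text,
    # so attacker-influenced fields (account names, message text) are not rendered as markup.
    $rows = [ordered]@{
        Computer  = $rec.ComputerName
        Time      = $when.ToString('yyyy-MM-dd HH:mm:ss')
        EventCode = $rec.EventCode
        Source    = $rec.SourceName
        User      = $rec.User
        Message   = $rec.Message
    }
    $table = $rows.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ Field = $_.Key; Value = [string]$_.Value } } |
        ConvertTo-Html -Fragment

    $body = "<html><body><h1>Security Alert: Event $($rec.EventCode)</h1>$table" +
            "<p>This report has been generated by software. Please DO NOT reply.</p></body></html>"

    Send-MailMessage -SmtpServer $cfg.SmtpServer -From $cfg.From -To $cfg.To `
        -Subject "*** Security event $($rec.EventCode) on $($rec.ComputerName) ***" `
        -Body $body -BodyAsHtml
}

# Stop watching:
# Unregister-Event -SourceIdentifier "Security-$EventCode"
```

The subscription lives only as long as the PowerShell session that created it, so run this from a session that stays open (or from a scheduled task that keeps running); for a persistent subscription the task-triggered approach in option 1 is simpler.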

June 13, 2016 at 5:43 am

Hi All,
Thanks for the alternative solutions. Let me try.

-Kalyan