7

Is there an easy way to send an email when a particular severity of event from a particular service hits the Windows server event log? This is on Windows Server 2003, if it makes a difference.

n.b. we do have proper monitoring and alerting in place for production servers at my workplace, but we just a need quick solution for this service in development.

Matt Howells
  • 171
  • 1
  • 1
  • 4

6 Answers6

6

You could do this with OSSEC, a multi-platform open-source software:

OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM together in a simple, powerful and open source solution.

And for Log Monitoring/Alerting:

Real-time and Configurable Alerts

OSSEC lets customers configure incidents they want to be alerted on which lets them focus on raising the priority of critical incidents over the regular noise on any system. Integration with smtp, sms and syslog allows customers to be on top of alerts by sending these on to e-mail and handheld devices such as cell phones and pagers.

[...]

Every operating system, application, and device on your network generate logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates these logs to let you know if something wrong is going on (attack, misuse, errors, etc).

Hereis an article about OSSEC on 360° Security.


Specialized, commercial alternative: EventTracker (Prism Microssystems):

EventTracker is a complete Security Information and Event Management (SIEM) solution that combines real-time Log Management with powerful Configuration and Change Management in one turnkey software package.

splattne
  • 28,348
  • 19
  • 97
  • 147
4

Here's another silly VBScript creation from me, cobbled together from a couple of other scripts.

Option Explicit

' Main
Dim objShell, objWMIService, objEventSink, dictEventsToMonitor, eventToMonitor

' =====================( Configuration )=====================

' Set to 0 to disable event log reporting of bans / unbans
Const USE_EVENTLOG = 1
Const EVENTLOG_SOURCE = "SimpleEventMonitor"

' SMTP configuration
Const EMAIL_SENDER = "EventLogMonitor@company.com"
Const EMAIL_RECIPIENT = "recipient@company.com"
Const EMAIL_SMTP_SERVER = "smtp-server"
Const EMAIL_SMTP_PORT = 25
Const EMAIL_TIMEOUT = 20

Set dictEventsToMonitor = CreateObject("Scripting.Dictionary")

' Define events that should be monitored. Matches are based on exact matches of all non-NULL fields

' Monitor our own startup and alert based on starting
PushEventToMonitor "100", "Application", EVENTLOG_SOURCE, NULL, NULL, NULL, NULL
PushEventToMonitor "7036", "System", "Service Control Manager", NULL, NULL, NULL, "Telnet service.*(running|stopped).*state"

' ===================( End Configuration )===================


Set objShell = CreateObject("WScript.Shell")

' Create event sink to catchevents
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set objEventSink = WScript.CreateObject("WbemScripting.SWbemSink", "eventSink_")
objWMIService.ExecNotificationQueryAsync objEventSink, "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"

' Loop sleeping for one week, logging an event each week to say we're still alive
While (True)
    LogEvent 100, "INFORMATION", "Simple Event Log Monitor started"
    WScript.Sleep(7 * 24 * 60 * 60 * 1000)
Wend

' Fires each time new events are generated
Sub eventSink_OnObjectReady(objEvent, objWbemAsyncContext)
    Dim evt, field, boolAlert, regexpMessage

    For Each evt In dictEventsToMonitor.Keys
        boolAlert = True

        For Each field In dictEventsToMonitor.Item(evt).Keys
            If UCase(Field) = "MESSAGE" Then 
                Set regexpMessage = new Regexp
                regexpMessage.Pattern = dictEventsToMonitor.Item(evt).Item(Field)
                regexpMessage.IgnoreCase = True
                If NOT regexpMessage.Test(objEvent.TargetInstance.Properties_(Field)) then boolAlert = False
            Else
                If UCase(objEvent.TargetInstance.Properties_(Field)) <> UCase(dictEventsToMonitor.Item(evt).Item(field)) Then boolAlert = False
            End If
        Next ' field

    if boolAlert = True Then
        SendMessage "Simple Event Log Monitor notification from " & objEvent.TargetInstance.ComputerName, _
            "Event ID:       " & objEvent.TargetInstance.EventCode & VbCrLf _
            & "Date/Time:      " & Mid(objEvent.TargetInstance.TimeGenerated, 5, 2) & "/" & Mid(objEvent.TargetInstance.TimeGenerated, 7, 2) & "/" & Mid(objEvent.TargetInstance.TimeGenerated, 1, 4) & " " & Mid(objEvent.TargetInstance.TimeGenerated, 9, 2) & ":" & Mid(objEvent.TargetInstance.TimeGenerated, 11, 2) & ":" & Mid(objEvent.TargetInstance.TimeGenerated, 13, 2)   & VbCrLf _
            & "Computer:       " & objEvent.TargetInstance.ComputerName & vbCrLf _
            & "Event Log:      " & objEvent.TargetInstance.LogFile & vbCrLf _
            & "Event Source:   " & objEvent.TargetInstance.SourceName & vbCrLf _
            & "Event Category: " & objEvent.TargetInstance.CategoryString & vbCrLf _
            & "Event Type:     " & objEvent.TargetInstance.Type & vbCrLf _
            & "User Name:      " & objEvent.TargetInstance.User & vbCrLf _
            & "Message:" & vbCrLf & vbCrLF _
            & objEvent.TargetInstance.Message
        Exit Sub
    End If

    Next ' evt
End Sub

Sub LogEvent(ID, EventType, Message)
    ' Log an event to the Windows event log
    If USE_EVENTLOG Then objShell.Exec "EVENTCREATE /L APPLICATION /SO " & EVENTLOG_SOURCE & " /ID " & ID & " /T " & EventType & " /D """ & Message & """"
End Sub

Sub SendMessage(strSubject, strBody)
    Dim objCDOMessage
    Set objCDOMessage = CreateObject("CDO.Message")

    objCDOMessage.From = EMAIL_SENDER
    objCDOMessage.To = EMAIL_RECIPIENT
    objCDOMessage.Subject = strSubject
    objCDOMessage.Textbody = strBody
    objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = EMAIL_SMTP_SERVER
    objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = EMAIL_SMTP_PORT
    objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = EMAIL_TIMEOUT
    objCDOMessage.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objCDOMessage.Configuration.Fields.Update
    objCDOMessage.send
End Sub

Sub PushEventToMonitor(strID, strLog, strSource, strCategory, strType, strUser, strMessagePattern)
    Dim x

    x = dictEventsToMonitor.Count
    Set dictEventsToMonitor.Item(x) = CreateObject("Scripting.Dictionary")
    If NOT IsNull(strID) Then dictEventsToMonitor.Item(x).Add "EventCode", strID
    If NOT IsNull(strLog) Then dictEventsToMonitor.Item(x).Add "LogFile", strLog
    If NOT IsNull(strSource) Then dictEventsToMonitor.Item(x).Add "SourceName", strSource
    If NOT IsNull(strCategory) Then dictEventsToMonitor.Item(x).Add "CategoryString", strCategory
    If NOT IsNull(strType) Then dictEventsToMonitor.Item(x).Add "Type", strType
    If NOT IsNull(strType) Then dictEventsToMonitor.Item(x).Add "User", strUser
    If NOT IsNull(strMessagePattern) Then dictEventsToMonitor.Item(x).Add "Message", strMessagePattern
End Sub

You can run that as a Windows Service if you use something like the Non-Sucking Service Manager or SRVANY to install it. Using NSSM, the comamnd-line would be:

nssm install SimpleEventLogMonitor %SystemRoot%\System32\cscript.exe "\"Pull_path_and_filename_of_script\""

Be sure to substitute in your email recipient, sender, and SMTP server name.

You define the events you want to be alerted on with the "PushEventToMonitor" call. The arguments are: event ID, event log name, source, category, type, user, and a regular expression that can be matched against the log message. I have an example in there that matches the start / stop of the TELNET service, as well as one that will match the startup of the script itself (which logs an event out to the Application Log).

This is a first draft because the one that I wrote for a Customer that's actually "in production" was written on their dime and "belongs" to them. As such, I've re-coded this one (which is actually substantially different from the one used by the Customer) and it may well have stupid bugs lurking in it. I've run it for a little while tonight on some of my systems and I'm not seeing problems.

Maybe I'll eventually make this a little better. It would be nice if it pulled its configuration out of the registry (so it could be controlled with Group Policy) and if it was packaged as an MSI for easy deployment to groups of servers. Oh, well.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
3

You can do this with a Windows Task
See here http://www.vistax64.com/tutorials/67961-event-viewer-email-notification.html

Peter Gfader
  • 141
  • 6
  • The original question specified Windows Server 2003. Does this solution work with Windows Server 2003 or just Vista / Windows 7? – Ken Burkhardt Aug 13 '12 at 18:39
1

Servers alive can do this for you. The product is free for up to 10 events to monitor for.

The NT event log monitor is a plug in for free located here. Pretty easy to use and setup.

SpaceManSpiff
  • 2,547
  • 18
  • 19
0

GFI's Centralized Event Log Management tool (GFI EventsManager) does this, though isnt FOSS.

Real-time alerts, SNMPv2 traps alerting Included

The latest build of GFI EventsManager™ has improved alert level for key events or intrusions that are detected on the network. GFI EventsManager allows you to trigger actions such as scripts or to send an alert to one or more people by email, network messages, SMS notifications sent through an email-to-SMS gateway or service and now includes SNMPv2 traps. The generation of SNMP alerts will also allow administrators to integrate GFI EventsManager with pre-existing or generic monitoring mechanisms.

SirStan
  • 2,373
  • 15
  • 19
0

See https://serverfault.com/a/517457/75770 for a way to send emails based on custom event filters

Tested working on Server 2008, and even when SMTP authentication is required.

JeremyS
  • 93
  • 8