13

One of the new features of Server 2008 is the ability to attach a task to a specific event in the event logs. One of the actions available is to send an email through a SMTP server.

This is working great, however it would be ideal if in the message body, the Event contents could be placed. I have tried using $eventdescription and %eventdescription%, but those are just shots in the dark. Any amount of googling produces no results.

Does anyone know if this is possible?

Update: Sparks' suggestion below is a step in the right direction I believe, however that method doesn't seem to work for all values. For example, I can pull the RecordID, Severity and Channel as shown, but I can't use the same method to retrieve the EventID, or most importantly the description.

Here's the raw XML from one event:

[Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"]
  [System]
    [Provider Name="DFSR" /] 
    [EventID Qualifiers="16384"]4412[/EventID] 
    [Level]4[/Level] 
    [Task]0[/Task] 
    [Keywords]0x80000000000000[/Keywords] 
    [TimeCreated SystemTime="2009-05-14T18:18:09.000Z" /] 
    [EventRecordID]45692[/EventRecordID] 
    [Channel]DFS Replication[/Channel] 
    [Computer]servername.domain.com[/Computer] 
    [Security /] 
    [/System]
  [EventData]
    [Data]9046C3F4-843E-4A53-B941-4B20764072E5[/Data] 
    [Data]D:\departments\Geomatics\Plan Quality\Data Processing\CG3533017 2009-05-13 KT FIXED[/Data] 
    [Data]D:\departments[/Data] 
    [Data]{26D5F604-E603-4F87-8EC3-DE9A945DA8FD}-v927199[/Data] 
    [Data]Departments[/Data] 
    [Data]domain.ca\files\departments[/Data] 
    [Data]B8242CE2-F5EB-47DA-BA5B-1DD2F7EE3AB9[/Data] 
    [Data]DFAA7A54-66CB-4C31-81A0-0F861382C32C[/Data] 
    [Data]CG3533017 2009-05-13-{26D5F604-E603-4F87-8EC3-DE9A945DA8FD}-v927199[/Data] 
  [/EventData]
 [/Event]

I have tried using a ValueQuery for EventData, but it returns no data.

Jeff Miles
  • +1 - we use this to send alerts from our web server, and I for one would like more information in the email! I'll keep an eye on this thread... – Keith Williams Jul 31 '09 at 08:54

6 Answers

3

I went about this a bit differently, but this approach generates emails on new events that match a custom filter, with all the event details included in the email body.

1) Create a 'Custom View' in the Event Viewer with your desired filter.

2) Once you have the view, you should see a link to 'Attach Task to This Custom View...'.

I chose to use sendEmail.exe from here (http://caspian.dotconf.net/menu/Software/SendEmail/) which I extracted to C:\sendmail. The reason is Microsoft's 'Send an email' action has issues with SMTP authentication and also apparently isn't even present in Server 2012.

So in my case I selected 'Start a program' while attaching the task to the Custom View. But we're going to edit it as XML so don't worry about filling it in via the GUI.

3) Export the new Task to XML, we'll be editing it later.

4) Create a 'mail-event.bat' file under C:\sendmail folder with the following 3 lines:

C:\Windows\system32\wevtutil.exe qe Application /f:text /q:"<QueryList><Query Id='0' Path='Application'><Select Path='Application'>*[System[(EventRecordID=%1)]]</Select></Query></QueryList>" > C:\sendmail\%1.log
C:\sendmail\sendEmail.exe -s <smtp_server> -f <from> -xu <user> -xp <pass> -t <to> -u "<subject>" -o message-file=c:\sendmail\%1.log
del C:\sendmail\%1.log

Obviously, replace 'smtp_server', 'from', 'user', 'pass', 'to', 'subject' with the desired values.

This will create a '$(EventRecordID).log' file under C:\sendmail with all the details for that event, mail it, and then delete it.

You can test if the batch file works by going into Event Viewer, opening an event in your Applications log, switching to Details tab, selecting 'XML View' and then look for EventRecordID. Copy that integer, and then run from the command line:

C:\sendmail> mail-event.bat 53522

Of course, replacing 53522 with the value from the EventRecordID node. If you receive the email, go to your happy place.

NOTE WELL: You might have noticed the string 'Application' shows up a couple times in the command line for wevtutil.exe -- that's because I couldn't seem to get it to work by pointing it directly at the Custom View, and my Custom View happened to be a sub-set of events that are all inside the Application log. You might have to adjust that to make it work in your case if you're trying to mail events from the System log, for example.

5) Edit the XML you exported, we're going to make two changes:

First, add the following 'ValueQueries' node into the XML under the 'EventTrigger' node:

<EventTrigger>
  <Enabled>true</Enabled>
  <Subscription>...snip...</Subscription>
  <ValueQueries>
    <Value name="EventRecordID">Event/System/EventRecordID</Value>
  </ValueQueries>  
</EventTrigger>

NOTE: In the above, I snipped the 'Subscription' info which will have been filled in based on the Custom View you created. Don't copy my 'Subscription' into your XML!

Second, replace the Actions node with the following:

<Actions Context="Author">
   <Exec>
     <Command>C:\sendmail\mail-event.bat</Command>
     <Arguments>$(EventRecordID)</Arguments>
   </Exec>
</Actions>

Now, cause a new event to appear in your Custom View, and you should automatically get the email notification! Woohoo!

JeremyS
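The same job as mail-event.bat, written in PowerShell as an added example (not the answer's own script): the record ID is bound to an integer type before it goes into the XPath filter, the SMTP credential is read from a DPAPI-protected file instead of being typed into the script, and no temporary log file is written. The path C:\sendmail\smtp-cred.xml, the server name and the mail addresses are assumptions, as is Windows PowerShell 3.0 or later.

```powershell
# mail-event.ps1: added example, not the answer's own script.
# Assumed names: C:\sendmail\smtp-cred.xml, smtp.example.test, the two addresses.
param(
    # Task Scheduler passes $(EventRecordID). Binding to uint64 rejects anything
    # that is not a plain non-negative integer before it reaches the query.
    [Parameter(Mandatory = $true)]
    [uint64]$EventRecordID,

    # The answer queries the Application log; change this for another log.
    [string]$LogName = 'Application'
)

$ErrorActionPreference = 'Stop'

# Same XPath filter as the wevtutil query in the answer.
$xpath = "*[System[(EventRecordID=$EventRecordID)]]"
$evt = Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents 1

# Credential saved once, by the account the task runs as, with:
#   Get-Credential | Export-Clixml C:\sendmail\smtp-cred.xml
# Export-Clixml protects the password with DPAPI for that user on that machine.
$cred = Import-Clixml -Path 'C:\sendmail\smtp-cred.xml'

# Build the mail body in memory from the event's fields and rendered message.
$body = @(
    "Log:      $($evt.LogName)"
    "Provider: $($evt.ProviderName)"
    "EventID:  $($evt.Id)"
    "RecordID: $($evt.RecordId)"
    "Time:     $($evt.TimeCreated.ToString('o'))"
    "Computer: $($evt.MachineName)"
    ''
    $evt.Message
) -join "`r`n"

Send-MailMessage -SmtpServer 'smtp.example.test' -UseSsl -Credential $cred `
    -From 'reporter@example.test' -To 'admin@example.test' `
    -Subject "$($evt.MachineName): event $($evt.Id) in $($evt.LogName)" `
    -Body $body
```

In the task XML the Exec action's Command would then be powershell.exe, with Arguments -NoProfile -File C:\sendmail\mail-event.ps1 $(EventRecordID).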
1

Are you after the event data?

My requirement was to send an email whenever an IIS Application Pool shut down due to idle time out. I wanted the name of the app pool that was being shut down to appear in the email message.

This worked for me:

<Value name="appPoolId">Event/EventData/Data[@Name='AppPoolID']</Value>

1

I never did end up getting this to work, and it looks like for Server 2012 this email functionality has been removed completely. A dead end unfortunately.

Jeff Miles
1

I don't have access to a Server 2008 or Vista machine to try this myself and get the variable for you but this article should be of use.

If you create a basic task and then view the XML of the task you should see all the values available.

http://blogs.technet.com/otto/archive/2007/11/09/find-the-event-that-triggered-your-task.aspx

sclarson
1

Using the documentation in the link provided by Sparks, add this additional line to the XML exported from Task Scheduler to get your event text:

<Value name="eventData">Event/EventData/Data</Value>

Also interesting (and hopefully self-explanatory):

<Value name="eventTimeCreated">Event/System/TimeCreated/@SystemTime</Value>

I found this Googling "Event/System/EventRecordID"

You can then reference the $(eventData) and $(eventTimeCreated) variables in your task.

It looks as though the values are specified by stepping through the XML hierarchy. I would expect you to be able to specify most any parts of the event by decomposing the raw XML dump to create a slash delimited expression.

It looks as though '/@' is shorthand for a space character in this syntax.

  • Just added this to my events, we'll see if it works next time there's a DFSR conflict. Thanks for the answer, I'll keep you posted. – Jeff Miles Nov 03 '09 at 23:36
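The ValueQueries paths quoted in the answers on this page can be checked offline against an event's XML before the task is registered. This is an added example, not from any of the posts: it uses .NET's XPath engine from PowerShell rather than Task Scheduler's own evaluator, so it only shows whether a path selects anything in the XML. The event is a constructed, shortened copy of the one in the question, and Resolve-ValueQuery is a hypothetical helper name.

```powershell
# Constructed sample: the DFSR event from the question, shortened.
$eventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DFSR" />
    <EventID Qualifiers="16384">4412</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2009-05-14T18:18:09.000Z" />
    <EventRecordID>45692</EventRecordID>
    <Channel>DFS Replication</Channel>
    <Computer>servername.domain.com</Computer>
  </System>
  <EventData>
    <Data>9046C3F4-843E-4A53-B941-4B20764072E5</Data>
    <Data>D:\departments</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: returns the text of every node a ValueQueries path selects.
function Resolve-ValueQuery {
    param([xml]$Doc, [string]$Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    # The task XML writes paths without a namespace prefix; .NET XPath needs one
    # on element steps. Attribute steps (@SystemTime) stay unprefixed.
    $steps = $Path -split '/' | ForEach-Object {
        if ($_ -like '@*') { $_ } else { "e:$_" }
    }
    $nodes = $Doc.SelectNodes('/' + ($steps -join '/'), $ns)
    $nodes | ForEach-Object { $_.InnerText }
}

# Paths taken from the answers on this page.
$paths = 'Event/System/EventID',
         'Event/System/EventRecordID',
         'Event/System/TimeCreated/@SystemTime',
         'Event/EventData/Data',
         "Event/EventData/Data[@Name='AppPoolID']",
         'Event/RenderingInfo/Message'

foreach ($p in $paths) {
    $hits = @(Resolve-ValueQuery -Doc $eventXml -Path $p)
    '{0,-42} matches={1} first={2}' -f $p, $hits.Count, $hits[0]
}
```

For this sample the Data[@Name='AppPoolID'] and RenderingInfo/Message paths select nothing, because the raw XML carries no Name attributes on its Data elements and no RenderingInfo element.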
0

I guess I finished developing your ideas

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2013-02-07T17:30:20.8644895</Date>
    <Author>QA\TimT</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="ForwardedEvents"&gt;&lt;Select Path="ForwardedEvents"&gt;*&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="EventChannel">Event/System/Channel</Value>
        <Value name="EventComputer">Event/System/Computer</Value>
        <Value name="EventData">Event/EventData/Data</Value>
        <Value name="EventID">Event/System/EventID</Value>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
        <Value name="EventSeverity">Event/System/Level</Value>
        <Value name="Message">Event/RenderingInfo/Message</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>QA\Administrator</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <SendEmail>
      <Server>mail.nowhere.com</Server>
      <Subject>$(EventComputer) reports event $(EventID) in $(EventChannel), record $(EventRecordID), severity $(EventSeverity)</Subject>
      <To>admin@nowhere.com</To>
      <From>reporter@nowhere.com</From>
      <Body>$(EventData)
$(Message)</Body>
      <HeaderFields />
      <Attachments />
    </SendEmail>
  </Actions>
</Task>
j0k
  • Please, don't just drop some code dump (on a three year old question), but explain what you did. – Sven Feb 21 '13 at 18:43