Share via

Getting event log contents by email on an event log trigger

  • Article

This one was actually pretty simple to work out, but it did have me flummoxed to start with. Here’s the scenario, I wanted to get an email when an event log entry was triggered. But, I also wanted the contents of the event log entry. I’ve been meaning to document this for ages, but never seem to find the time!

So here’s an example of the in-box functionality vs. a simple bit of bolt-on customization. In this example, I’ll use Event 20274 for RemoteAccess on a Windows Server 2008 R2 box running TMG 2010. This particular event is logged when an inbound VPN connection is established, and the body of the message says who connected, on what port, and what IP address they have been allocated.

First, inbox functionality. Establish the VPN, and find the event in the event log.

RAS1

Down in the bottom right, choose “Attach Task To This Event….”, and walk through the wizard. On the first screen, give it an appropriate name such as “A user connected through VPN”. On the action page, select send an email. On the Send an email page, fill in the appropriate information for From/To/Subject/Text and SMTP Server. What you’ll notice is that there’s nowhere to specify what goes in the body. But you can include a static attachment, but that doesn’t serve our needs

RAS2
Finish the wizard, and connect again through VPN to see what email comes through. Not particularly useful. Not yet, anyway.

RAS3

Now if you go into task scheduler, and drill down through Task Scheduler Library then to Event Viewer Tasks, you’ll see a new item. If you go into the properties of the task, you’ll see there’s no way to include the text of the event log in the message.

So step back a second, and ask “what’s the easiest way to get the last instance of event 20274 firing in the System event log?”. The answer (or an answer) is wevtutil. Here’s a command that will do that (note all on one line):

wevtutil qe System "/q:*[System [(EventID=20274)]]" /f:text /rd:true /c:1

Running that in a command prompt will yield the following:

ras4
Perfect, so that’s what I want emailed to me. So let’s create a quick batch file which will get the above information and put it in a file. I just called it query.cmd and saved it on my desktop for convenience (again, the wevtutil command is all on one line).

del %temp%\query.txt
wevtutil qe System "/q:*[System [(EventID=20274)]]" /f:text /rd:true /c:1 > %temp%\query.txt

With that done, let’s revisit the properties of the task and look at the Actions tab. Let’s add an item to run this batch file, and put it top of the list.

ras5
Now we need to look at the properties of the “Send an e-mail” option. Remember there was an “Attachment” setting. Well conveniently, we have a file which contains the information we need, %temp%\query.txt now. Simply put “C:\Users\tmgadmin\AppData\Local\Temp\query.txt” in that box. (Obviously replace the username/location as appropriate). I’m also going to remove the body of the message.

So what does the email look like now if I establish a VPN?

ras6
Exactly what I wanted! Hope that helps someone.

(And before you ask, the only link this post has to Hyper-V is that my TMG and Email servers are Hyper-V VMs).

Cheers,
John.

PS – yes, I realize this may not be perfect if two users connect at exactly the same time, or in your use case that multiple events fire at the same time, but I’ll leave that as an exercise for the reader to solve :)

Comments

  • Anonymous
    January 01, 2003
    dear i m also facing a prblm...i  m not receiving any email on any event. even i have configure that..what can be the reason?

  • Anonymous
    January 01, 2003
    Exactly ,,,,that is what i needed..i just need this for event "4663", i will try and will let u know if succeded.....Thanks buddy

  • Anonymous
    January 01, 2003
    Jai/Damitha - I don't believe this is possible using the mechanism described above, it will always be an attachment. You would have to probably write some code which uses one some email capability (eg CDO/MAPI/.NET) to construct the email yourself and use that rather than the send-an-email action. John.

  • Anonymous
    January 01, 2003
    Steven - sorry, not sure on that one. If wevtutil isn't inbox, I don't have an answer. has been waaay too long since I've used XP :)

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    Thanks for this post! Extremely helpful and great idea to solve the alert detail problem. Here's a working example to gather last three Hyper-V disk alerts. Hardest part was figuring out the search syntax. Note if you see 'ampersand'LT or something below it means the less-than symbol got escaped in this post. Working code has no escaped characters so put back in a real < symbol - as in: "/q:[System[TimeCreated[timediff(@SystemTime)<=86400000]]]" REM Script AlertScript.bat for Hyper-V disk space ECHO This script 7/24/2012 kf: %PUBLIC%DocumentsAlertScript.bat > %PUBLIC%DocumentsAlertMsg.txt ECHO Gathers Event detail for emails with Task Scheduler Event Trigger >> %PUBLIC%DocumentsAlertMsg.txt ECHO Reference: blogs.technet.com/.../getting-event-log-contents-by-email-on-an-event-log-trigger.aspx >> %PUBLIC%DocumentsAlertMsg.txt ECHO Query Time: %DATE% %TIME% >> %PUBLIC%DocumentsAlertMsg.txt ECHO Latest EventID=16050 "about to run out of disk space" or EventID=16060 "paused because it has run out of disk space": >> %PUBLIC%DocumentsAlertMsg.txt ECHO. >>  %PUBLIC%DocumentsAlertMsg.txt wevtutil qe Microsoft-Windows-Hyper-V-VMMS-Admin "/q:[System[(EventID=16050 or EventID=16060)]]" /f:text /rd:true /c:3 >> %PUBLIC%DocumentsAlertMsg.txt REM More queries for events REM Enum Logs and find the source "Microsoft-Windows-Hyper-V-VMMS-Admin" wevtutil el |findstr Hyper REM Last 3 events with Warning, Error, or Critical wevtutil qe Microsoft-Windows-Hyper-V-VMMS-Admin "/q:[System[(Level=1 or Level=2 or Level=3)]]" /f:text /rd:true /c:3 REM Last /C:50 events in Microsoft-Windows-Hyper-V-VMMS-Admin within 24 hours wevtutil qe Microsoft-Windows-Hyper-V-VMMS-Admin "/q:[System[TimeCreated[timediff(@SystemTime)<=86400000]]]" /f:text /rd:true /c:50

  • Anonymous
    January 01, 2003
    The sequence is the event log is written which starts the task automatically. The task runs a script which causes wevtutil to run getting the last instance of the event written into a text file which is what gets emailed. Thanks, John.

  • Anonymous
    January 01, 2003
    Robert - you are correct. However Outlook 2010 displays text attachments if there is an empty email body in this way. Thanks, John.

  • Anonymous
    January 01, 2003
    Tejas - I haven't been able to do this using the mechanism above. You could probably rather than use the send email action, start another script which sends an email manually using something like CDO. Not something I've investigated though.

  • Anonymous
    January 01, 2003
    Yadunandan - not my area of expertise, but it doesn't appear that this is possible. Thanks, John.

  • Anonymous
    January 01, 2003
    James - not in my case. I have a seperate Exchange machine which I'm using as the target.

  • Anonymous
    January 01, 2003
    Thanks for this post. I have followed the above steps and mails are sending successfully. But the text file is sending as an attachment. It doesn't appear in message body. I am using outlook 2010. Is it possible to send the email as plain text instead of html? Thanks.

  • Anonymous
    January 01, 2003
    I  have a small confusion, Mail  alert will trigger on time the of the event.  Also we are  taking the attachment of the mail  from "wevtutil" . But how does "wevtutil" knows the time it  need to  trigger ?

  • Anonymous
    January 01, 2003
    (Stupid manager trick: Trying to wear a SysAdmin hat that's too big) What am I missing? Running Windows 2008 R2 Standard wevtutil qe Application "/q:[Application [(EventID=28673)]]" /f:text /rd:true /c:1 (produces no text to screen) wevtutil qe Application "/q:[Application [(EventID=28673)]]" /f:text /rd:true /c:1 > C:TempDupPIN.txt (produces empty text file) EventID and output location are both valid.  I could turn to our SCCM/SCOM team but would rather create email alerts as needed on the fly.

  • Anonymous
    January 01, 2003
    Dears, Please check the following link in this regard and let me know the result. social.technet.microsoft.com/.../18227.getting-event-log-contents-by-email-on-an-event-log-trigger.aspx Best Reagrd,

  • Anonymous
    June 23, 2010
    Nice. Will give it a shot :) Is it possible to generate an email on every "warning" or "error" message without specifying the Event ID? That would save time to monitor and filter the events of Hyper-V R2 without going through MOM and sending emails through MOM. Currently my MOM sends email alerts for Forefront only.

  • Anonymous
    June 25, 2010
    This is a great way to get the information you need. I do have a question...In the screen shot you have above, the text from the event log appears to be inside the E-Mail, however when following the steps outlined, it arrives as an attachment rather than in the message body.  Did I miss a step somewhere?

  • Anonymous
    July 08, 2010
    I've been trying this but do not get any email. Does this require that SMTP be loaded on the event server in order to send it? The event history shows that it launched OK.

  • Anonymous
    January 14, 2011
    John this has been working perfect for me, thanks so much! Starting today the text attachment no longer shows so conveniently in the body with OL2010. Is that in your case too? Maybe that security windows update overnight killed that feature...

  • Anonymous
    February 11, 2011
    You can achieve this for a set of tasks by creating a custom view (in Win2008), I believe - just right click on subscriptions in event viewer, create a custom view and then select the custom view and attach a task to it as above.

  • Anonymous
    February 28, 2011
    Thanks John, works great on Windows 7. What is the equivalent of wevtutil in Windows XP?

  • Anonymous
    March 04, 2011
    is there any way to get contents of the event log in the text of the email without running any script ?

  • Anonymous
    June 25, 2011
    Thanks for the ideas.  I can't believe that SBS 2011 doesn't have something that was a few click in SBS 2003 - so far this is the first thing with SBS 2011 I am completly un-impressed with.  SBS 2003 had much better built-in alert monitoring.  I'm still hoping I'm just missing something obvious...

  • Anonymous
    August 08, 2011
    Hi, I have the same problem , ia m already using the mail attachement but i dnt want in attachment any more. i want that in mail body. could any one please hlp me

  • Anonymous
    October 04, 2011
    When i run the batch file it does not output anything to the temp folder.The wevutil command runs fine...how can i pause the query.cmd to see if there is an error

  • Anonymous
    November 06, 2011
    Use blat.exe for sending eMails (www.blat.net) Greets

  • Anonymous
    February 06, 2012
    I got this one, but don't work, anybody can help me? del c:pruebaspru.txt wevtutil qe System "/q:*[System [(EventID=5136)]]" /f:text /rd:true /c:1 > c:pruebaspru.txt

  • Anonymous
    April 18, 2012
    hi i need this for event id 22 in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Actually i need this setup for the remote event  log. If somebody connected via rdp then server automatically send one mail. I did this setting but problem is that i cannot found any txt in the txt file, mean event was not copied to txt file. but when i fire this command there is nothing come up.but when i check event there is new event with 22 id. event like below in the event viwer Remote Desktop Services: Shell start notification received: User: LPMDUBAIlpmadmin Session ID: 2 Source Network Address: (ip address of remote session)

  • Anonymous
    October 17, 2012
    Very nice solution. There is an alternative, if you don't want an external program to collect the information. Export your scheduled task to XML, change the XML by querying the values you need, re-import your task and use the parameters as arguments for the action. more information: www.buit.org/.../event-based-triggered-tasks

  • Anonymous
    October 29, 2012
    I'm trying to make the server send me a mail on O/S reboot.  I tried to attach the task to "System, Event ID: 6005" but the mail is never sent.  I suppose that's because network is not yet ready at the moment event 6005 is generated.  Is there any solution with this "event-attached task" trick?  Thanks in advance.

  • Anonymous
    January 09, 2013
    Hi All, Its relatively easy to make it a bit cleaner by creating a powershell (or vbscript) script to run wevtutil to create a file with the event info, then parse the file into an email's body, and send it. No attachment required that way. And you would only need one action "start a program" that would call your script.

  • Anonymous
    January 29, 2013
    Hi, this shows always an old event entry not the last event. wevtutil qe System "/q:*[System [(EventID=1116)]]" /f:text /rd:false /c:1 >C:Tempmyfile.txt for example the event 1116 comes up more then one time a day i will send only the last event but i receive always an old event from yesterday or older

  • Anonymous
    April 08, 2013
    figured it out. it was not running elevated

  • Anonymous
    April 16, 2013
    The comment has been removed

  • Anonymous
    May 14, 2013
    Hello, How can we get the details of the error in an email. When I say attach task to the event and fill in the details , we do not get the details of the error message. We just get the text saying "text" ...How can we get the inner details of the error. I have an application and whenever an error is thrown in that application , an email should be triggered so that the inner details of the exception should also be triggered within the email. How can this be done..Do we need to run the batch file for getting the inner exception as well ?

  • Anonymous
    May 17, 2013
    I'm querying the : Microsoft-Windows-Small Business Server_Operational_Windows Small Business Server 2011 Standard Log for failures in the POP3 connector (event 212), but I can't seem to fashion an alternative command to search through a Log that has a space in the name.

  • Anonymous
    June 24, 2013
    nice but its easier to do this by sending an snmp trap to a program that will email for you

  • Anonymous
    July 08, 2013
    Is there any way to do something similar on Windows Server 2003?   There is no overt option in the Event View to tie a particular event to a scheduled task as far as I can tell.    Is there a method in this environment to mimic the 2008 features?

  • Anonymous
    August 01, 2013
    The comment has been removed

  • Anonymous
    August 07, 2013
    Hello, great post! I can't found the event ID: 20274. I can find events with incorrect logins. I can't find events with correct logins. How can I find the events with correct logins? Thanks in advance.-

  • Anonymous
    February 04, 2014
    The comment has been removed

  • Anonymous
    March 11, 2014
    The comment has been removed

  • Anonymous
    March 18, 2014
    I wouldn't spend too much time getting used to this functionality. It's been deprecated in Server 2012, which means MS has found a better method for this.

  • Anonymous
    March 20, 2014
    One quick tip: I spent lot of time for similar result. There is an option to include Event data into the mail by editing task XML. You can verify http://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/ for more information!

  • Anonymous
    March 24, 2014
    Any way to pull this off without an internal SMTP server?

  • Anonymous
    March 31, 2014
    Talkboxjosh, try this:

    wevtutil qe Security "/q:*[System [(EventID=4740)]]" /f:text /rd:true /c:1