Share via

Getting Event Log Contents by Email on an Event Log Trigger

  • Article

I worked on the following PowerShell Script to email event log content (for example, event ID 4720 that shows the user creation on DCs) which is already triggered by event viewer with "running program" option (you must run "powershell -filter "<script path>""). Please check the following script and let me know if you have any issues with this. I hope that it will be useful.

FYI,
Please change the following variables in the script before using it on Test/Production environment.

-$strFrom = "<insert your email address which you want send from>"
-$strTo = "<insert your email address which you want send to>"
-$strSMTPServer  = "<insert your smtp address which is already configured to send bulk mails.>"

Best Regard,
Babak Ramak

Clear-Host

# ========================
# Collection Data Section
# ========================

Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME)
         {
          $EventResult = wevtutil qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=4720)]]"
   if ($EventResult -eq $null){exit}
          $xmlEventResult = [xml]$EventResult

          $EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime
          $EventDate = Get-Date $EventDate -format ('MM-dd-yyyy hh:mm:ss')
         
          $htmlStart = "<HTML>
                          <HEAD>
                            <style>
                              body {background-color:rgb(238, 238, 238);}
                              body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt}
                                               th {font-weight:bold; background-color:rgb(78, 227, 48);}
                                               td {background-color:rgb(255, 190, 0);}
                            </style>
                          </HEAD>
                        <BODY><div align=center>
                        <h2><b><br><br>Security Alert: <span Style='font-style:normal; color:Blue'>A user account was created</span></b></h2>
                        <p><b><br>This event occurred at: <span Style='font-style:italic; color:Blue'>$EventDate on $ComputerName</span></b></p>"
          $htmlEnd = ''
          $htmlStart

          $xmlEventResult.Event.EventData.Data | Select-Object Name, @{Label = "Value"; Expression={$_."#Text"}} | Group-Object -Property __Class |
          ForEach-Object {$_.Group | Select-Object -Property * | ConvertTo-HTML -Body ('' -f "$_.Name")}
         
          $htmlStart = ''
         
          $htmlStart = $htmlStart + "<br><i><span Style='color:red'>This report has been generated by software</i> <br><i>Please DO NOT reply.</i></div>"
          $htmlStart
         
          $htmlEnd = ''
          $htmlEnd
         }

# ======================
# Sending Email Section
# ======================

$strFrom = "<insert your email address which you want send from>"
$strTo = "<insert your email address which you want send to>"
$strSubject = "*** Event Listener - User Creation ***"
$strSMTPServer = "<insert your smtp address which already configured to send bulk mails.>"

$objEmailMessage = New-Object system.net.mail.mailmessage
$objEmailMessage.From = ($strFrom)
$objEmailMessage.To.Add($strTo)
$objEmailMessage.Subject = $strSubject
$objEmailMessage.IsBodyHTML = $true
$objEmailMessage.Body = EventID-To-HTML

$objSMTP = New-Object Net.Mail.SmtpClient($strSMTPServer)
$objSMTP.Send($objEmailMessage)