Getting event log contents by email on an event log trigger


This one was actually pretty simple to work out, but it had me flummoxed to start with. Here's the scenario: I wanted an email whenever a particular event was written to the event log, and I also wanted that email to carry the contents of the event log entry. I've been meaning to document this for ages, but never seem to find the time!

So here's an example of the in-box functionality versus a simple bit of bolt-on customization. In this example I'll use event 20274 from source RemoteAccess on a Windows Server 2008 R2 box running TMG 2010. This particular event is logged in the System log when an inbound VPN connection is established, and the body of the message says who connected, on which port, and which IP address they were allocated.

First, inbox functionality. Establish the VPN, and find the event in the event log.

[Screenshot RAS1: the event in Event Viewer]

Down in the bottom right (the Actions pane), choose “Attach Task To This Event…” and walk through the wizard. On the first page, give it an appropriate name such as “A user connected through VPN”. On the Action page, select “Send an e-mail”. On the “Send an e-mail” page, fill in the From/To/Subject/Text and SMTP server. What you'll notice is that there is nowhere to put the event's contents in the body: the Text field is static. You can include an attachment, but that is a static file too, so on its own it doesn't serve our needs.

[Screenshot RAS2: the “Send an e-mail” page of the wizard]
Finish the wizard, and connect again through VPN to see what email comes through. Not particularly useful. Not yet, anyway.

[Screenshot RAS3: the resulting email, without any event detail]

Now if you go into Task Scheduler and drill down through Task Scheduler Library to Event Viewer Tasks, you'll see a new item. Looking at the properties of the task confirms there's no way to include the text of the event log entry in the message.

So step back a second and ask: “what's the easiest way to get the last instance of event 20274 from the System event log?” The answer (or an answer) is wevtutil. Here's a command that will do that (note it's all on one line):

wevtutil qe System "/q:*[System [(EventID=20274)]]" /f:text /rd:true /c:1

Running that in a command prompt will yield the following (/q: is an XPath filter on each event's System element, /f:text renders the record readably, /rd:true reads the log newest-first, and /c:1 stops after one record):

[Screenshot ras4: wevtutil output for the latest event 20274]
Perfect, so that's what I want emailed to me. Let's create a quick batch file which gets the above information and puts it in a file. I called it query.cmd and saved it on my desktop for convenience (again, the wevtutil command is all on one line). On a production box, keep it somewhere that only administrators can write to: the task will run whatever that file contains, with the task's credentials.

del %temp%\query.txt
wevtutil qe System "/q:*[System [(EventID=20274)]]" /f:text /rd:true /c:1 > %temp%\query.txt

With that done, let’s revisit the properties of the task and look at the Actions tab. Let’s add an item to run this batch file, and put it top of the list.

[Screenshot ras5: the Actions tab with query.cmd as the first action]
Now we need to look at the properties of the “Send an e-mail” action. Remember there was an “Attachment” setting. Conveniently, we now have a file containing exactly the information we need, %temp%\query.txt. Put the full path to it in that box: in my case “C:\Users\tmgadmin\AppData\Local\Temp\query.txt”. Replace the username and location as appropriate; it has to be the path that %temp% expands to for the account the task runs as (set on the task's General tab), otherwise the batch file writes one file and the e-mail action tries to attach a different one that doesn't exist. I'm also going to remove the body of the message.

So what does the email look like now if I establish a VPN?

[Screenshot ras6: the email, now showing the event text]
Exactly what I wanted! Hope that helps someone.

(And before you ask, the only link this post has to Hyper-V is that my TMG and Email servers are Hyper-V VMs).

Cheers,
John.

PS – yes, I realize this may not be perfect if two users connect at exactly the same time, or if in your use case multiple events fire at once: /c:1 only ever returns the newest record, and by default Task Scheduler won't start a second instance of the task while one is already running. Raising /c:, or filtering on TimeCreated rather than on a count, will pick up more than one event, but I'll leave that as an exercise for the reader to solve 🙂
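Here is the whole thing as one PowerShell script instead of a batch file plus the wizard's send-an-e-mail action, an added example that is not part of the original post. It runs the same query through Get-WinEvent, formats the records the way wevtutil /f:text does, and sends them as the message body (the attachment was only ever needed because the wizard's action can't take dynamic text). It also collects every matching event written in the last few seconds instead of exactly one, which is the simultaneous-connections case in the PS. The SMTP server, the addresses and the C:\Scripts path are placeholders to replace; Send-MailMessage and Get-WinEvent are both in-box on 2008 R2 (PowerShell 2.0).

```powershell
# Send-EventMail.ps1 (added example, not part of the original post).
# Register it in place of the wizard's two actions, from an elevated prompt:
#   schtasks.exe /Create /TN "VPN connected" /SC ONEVENT /EC System /MO "*[System[EventID=20274]]" /RU SYSTEM /RL HIGHEST /TR "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Send-EventMail.ps1"
# C:\Scripts is an assumed location; pick one only administrators can write to.
param(
    [string]$LogName       = 'System',
    [int]   $EventID       = 20274,
    [int]   $WindowSeconds = 30,                  # assumption: events this close together are one batch
    [int]   $MaxEvents     = 10,
    [string]$SmtpServer    = 'smtp.example.com',  # placeholder
    [string]$From          = 'tmg@example.com',   # placeholder
    [string]$To            = 'admin@example.com'  # placeholder
)

# Same XPath as the wevtutil command, plus a TimeCreated window so that several
# events written at the same moment are all collected, not just the newest one.
$windowMs = $WindowSeconds * 1000
$xpath = "*[System[(EventID=$EventID) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Get-WinEvent returns newest first, like wevtutil /rd:true.
$events = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

# Nothing in the window (the task started late, or the clock is off): fall back
# to the single newest instance, which is exactly what the batch file fetched.
if ($events.Count -eq 0) {
    $events = @(Get-WinEvent -LogName $LogName -FilterXPath "*[System[(EventID=$EventID)]]" -MaxEvents 1 -ErrorAction SilentlyContinue)
}
if ($events.Count -eq 0) {
    Write-Error "No event $EventID in log '$LogName'. Check the log name and that the task's account can read it."
    exit 1
}

# Render each record roughly the way 'wevtutil qe /f:text' does, as plain text.
$body = foreach ($e in $events) {
@"
Log Name:    $($e.LogName)
Source:      $($e.ProviderName)
Date:        $($e.TimeCreated.ToString('o'))
Event ID:    $($e.Id)
Level:       $($e.LevelDisplayName)
Computer:    $($e.MachineName)
Record ID:   $($e.RecordId)
Description:
$($e.Message)

"@
}

$subject = "Event $EventID in $LogName on $env:COMPUTERNAME ($($events.Count) record(s))"
# Send-MailMessage sends plain text unless -BodyAsHtml is given, so the event
# text lands in the body and needs no attachment.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body ($body -join "`n")
```

Because the task runs as SYSTEM it can read any log, including Security; the price is that whoever can edit the .ps1 runs code as SYSTEM, hence the note about the folder.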


Comments (46)

  1. Anonymous says:

    Dear, I am also facing a problem… I am not receiving any email on any event, even though I have configured that. What can be the reason?

  2. Anonymous says:

    Exactly, that is what I needed. I just need this for event "4663"; I will try and will let you know if I succeeded… Thanks buddy

  3. Jai/Damitha – I don't believe this is possible using the mechanism described above; it will always be an attachment. You would probably have to write some code which uses some email capability (e.g. CDO/MAPI/.NET) to construct the email yourself, and use that rather than the send-an-email action.

    John.

  4. Steven – sorry, not sure on that one. If wevtutil isn't inbox, I don't have an answer. It has been waaay too long since I've used XP 🙂

  5. Anonymous says:

    John, very helpful article, love the walkthrough, rated it five stars but for some reason it does not work for me.  What am I missing?  Running Windows 2008 R2 Standard:

    –  wevtutil qe Application "/q:*[Application [(EventID=28673)]]" /f:text /rd:true /c:1 (produces no text to screen)

    –  wevtutil qe Application "/q:*[Application [(EventID=28673)]]" /f:text /rd:true /c:1 > C:\Temp\DupPIN.txt (produces empty file)

    Windows 7 produces the same results.  EventID and output location are both valid.  I could turn to our SCCM/SCOM team but would rather create email alerts as needed on the fly.

    – Left scratching a hole in my head.

  6. Karl says:

    Thanks for this post! Extremely helpful and a great idea to solve the alert detail problem. Here's a working example to gather the last three Hyper-V disk alerts. The hardest part was figuring out the search syntax. Note: if you see 'ampersand'LT or something below, it means the less-than symbol got escaped in this post. Working code has no escaped characters, so put back a real < symbol – as in:

    "/q:*[System[TimeCreated[timediff(@SystemTime)<=86400000]]]"

    REM Script AlertScript.bat for Hyper-V disk space
    ECHO This script 7/24/2012 kf: %PUBLIC%\Documents\AlertScript.bat > %PUBLIC%\Documents\AlertMsg.txt
    ECHO Gathers Event detail for emails with Task Scheduler Event Trigger >> %PUBLIC%\Documents\AlertMsg.txt
    ECHO Reference: blogs.technet.com/…/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx >> %PUBLIC%\Documents\AlertMsg.txt
    ECHO Query Time: %DATE% %TIME% >> %PUBLIC%\Documents\AlertMsg.txt
    ECHO Latest EventID=16050 "about to run out of disk space" or EventID=16060 "paused because it has run out of disk space": >> %PUBLIC%\Documents\AlertMsg.txt
    ECHO. >> %PUBLIC%\Documents\AlertMsg.txt
    wevtutil qe Microsoft-Windows-Hyper-V-VMMS-Admin "/q:*[System[(EventID=16050 or EventID=16060)]]" /f:text /rd:true /c:3 >> %PUBLIC%\Documents\AlertMsg.txt

    REM More queries for events

    REM Enumerate logs and find the source "Microsoft-Windows-Hyper-V-VMMS-Admin"
    wevtutil el | findstr Hyper

    REM Last 3 events with Warning, Error, or Critical
    wevtutil qe Microsoft-Windows-Hyper-V-VMMS-Admin "/q:*[System[(Level=1 or Level=2 or Level=3)]]" /f:text /rd:true /c:3

    REM Last /c:50 events in Microsoft-Windows-Hyper-V-VMMS-Admin within 24 hours
    wevtutil qe Microsoft-Windows-Hyper-V-VMMS-Admin "/q:*[System[TimeCreated[timediff(@SystemTime)<=86400000]]]" /f:text /rd:true /c:50

  7. The sequence is: the event log entry is written, which starts the task automatically. The task runs a script which causes wevtutil to run, getting the last instance of the event written into a text file, which is what gets emailed.

    Thanks,

    John.

  8. Robert – you are correct. However Outlook 2010 displays text attachments if there is an empty email body in this way.

    Thanks,

    John.

  9. Tejas – I haven't been able to do this using the mechanism above. Rather than use the send-email action, you could probably start another script which sends an email manually using something like CDO. Not something I've investigated though.

  10. Yadunandan – not my area of expertise, but it doesn't appear that this is possible.

    Thanks,

    John.

  11. James – not in my case. I have a separate Exchange machine which I'm using as the target.

  12. Anonymous says:

    Thanks for this post. I have followed the above steps and mails are being sent successfully.

    But the text file is sent as an attachment. It doesn't appear in the message body. I am using Outlook 2010.

    Is it possible to send the email as plain text instead of HTML?

    Thanks.

  13. Anonymous says:

    I have a small confusion: the mail alert will trigger at the time of the event. Also we are taking the attachment of the mail from "wevtutil". But how does "wevtutil" know the time at which it needs to trigger?

  14. Anonymous says:

    (Stupid manager trick: Trying to wear a SysAdmin hat that's too big)

    What am I missing?

    Running Windows 2008 R2 Standard

    wevtutil qe Application "/q:*[Application [(EventID=28673)]]" /f:text /rd:true /c:1 (produces no text to screen)

    wevtutil qe Application "/q:*[Application [(EventID=28673)]]" /f:text /rd:true /c:1 > C:\Temp\DupPIN.txt (produces empty text file)

    EventID and output location are both valid.  I could turn to our SCCM/SCOM team but would rather create email alerts as needed on the fly.

  15. Babak Ramak says:

    Dears,

    Please check the following link in this regard and let me know the result.

    social.technet.microsoft.com/…/18227.getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

    Best Regards,

  16. Yadunandan says:

    Nice. Will give it a shot 🙂

    Is it possible to generate an email on every "warning" or "error" message without specifying the Event ID? That would save time to monitor and filter the events of Hyper-V R2 without going through MOM and sending emails through MOM. Currently my MOM sends email alerts for Forefront only.

  17. Robert says:

    This is a great way to get the information you need.

    I do have a question…In the screen shot you have above, the text from the event log appears to be inside the E-Mail, however when following the steps outlined, it arrives as an attachment rather than in the message body.  Did I miss a step somewhere?

  18. james says:

    I've been trying this but do not get any email. Does this require that SMTP be loaded on the event server in order to send it? The event history shows that it launched OK.

  19. JG says:

    John this has been working perfect for me, thanks so much!

    Starting today the text attachment no longer shows so conveniently in the body with OL2010. Is that in your case too? Maybe that security windows update overnight killed that feature…

  20. Matt Chatterley says:

    You can achieve this for a set of tasks by creating a custom view (in Win2008), I believe – just right click on subscriptions in event viewer, create a custom view and then select the custom view and attach a task to it as above.

  21. stephen says:

    Thanks John, works great on Windows 7. What is the equivalent of wevtutil in Windows XP?

  22. Tejas Kunte says:

    Is there any way to get the contents of the event log in the text of the email without running any script?

  23. EricE says:

    Thanks for the ideas. I can't believe that SBS 2011 doesn't have something that was a few clicks in SBS 2003 – so far this is the first thing in SBS 2011 I am completely unimpressed with. SBS 2003 had much better built-in alert monitoring. I'm still hoping I'm just missing something obvious…

  24. Jai says:

    Hi,

    I have the same problem; I am already using the mail attachment but I don't want an attachment any more. I want that in the mail body. Could anyone please help me?

  25. Minty says:

    When I run the batch file it does not output anything to the temp folder. The wevtutil command runs fine… how can I pause the query.cmd to see if there is an error?

  26. Dan_el says:

    Use blat.exe for sending eMails (www.blat.net)

    Greets

  27. Jonathan says:

    I got this one, but it doesn't work; can anybody help me?

    del c:\pruebas\pru.txt

    wevtutil qe System "/q:*[System [(EventID=5136)]]" /f:text /rd:true /c:1 > c:\pruebas\pru.txt

  28. rahul says:

    Hi,

    I need this for event ID 22 in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log.

    Actually I need this setup for the remote event log.

    If somebody connects via RDP, then the server should automatically send one mail. I did this setting, but the problem is that I cannot find any text in the txt file, meaning the event was not copied to the txt file.

    But when I fire this command nothing comes up, although when I check the events there is a new event with ID 22.

    The event looks like the below in Event Viewer:

    Remote Desktop Services: Shell start notification received:

    User: LPMDUBAI\lpmadmin

    Session ID: 2

    Source Network Address: (ip address of remote session)

  29. T. Kennis says:

    Very nice solution.

    There is an alternative, if you don't want an external program to collect the information.

    Export your scheduled task to XML, change the XML by querying the values you need, re-import your task and use the parameters as arguments for the action.

    more information: http://www.buit.org/…/event-based-triggered-tasks

  30. Horinius says:

    I'm trying to make the server send me a mail on O/S reboot.  I tried to attach the task to "System, Event ID: 6005" but the mail is never sent.  I suppose that's because network is not yet ready at the moment event 6005 is generated.  Is there any solution with this "event-attached task" trick?  Thanks in advance.

  31. sluisejuice says:

    Hi All,

    It's relatively easy to make it a bit cleaner by creating a PowerShell (or VBScript) script to run wevtutil to create a file with the event info, then parse the file into an email's body and send it. No attachment is required that way, and you would only need one action, "Start a program", that calls your script.

  32. Max says:

    Hi,

    this always shows an old event entry, not the last event.

    wevtutil qe System "/q:*[System [(EventID=1116)]]" /f:text /rd:false /c:1 >C:\Temp\myfile.txt

    for example, event 1116 comes up more than once a day; I want to send only the last event, but I always receive an old event from yesterday or older

  33. lg says:

    figured it out.

    it was not running elevated

  34. mike says:

    I know these are old… but for others searching who may not have found the answers:

    @u2_boy

    try:  wevtutil qe Application "/q:*[System[(EventID=28673)]]" /f:text /rd:true /c:1

    I was having similar problems. The answer I found (for Server 2012) was to apply a filter in Event Viewer and then copy the query out of the XML tab for the command line (but not the XML pieces).

    For example: in my case I wanted to know the last deduplication result; the XML line was:

       <Select Path="Microsoft-Windows-Deduplication/Operational">*[System[(EventID=6153)]]</Select>

    my command then became:

     wevtutil qe Microsoft-Windows-Deduplication/Operational "/q:*[System[(EventID=6153)]]" /f:text /rd:true /c:1

    the query section appears to be case and spacing sensitive.

    @Max

    change your /rd:false to /rd:true  (true sorts by most recent events)
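To make mike's method concrete, here is an added PowerShell example (not code from any commenter) that takes the Path and the XPath copied from Event Viewer's XML tab and either returns the event text or says why nothing came back: unknown log name, access denied (the Security log needs an elevated session, which is what lg ran into above), or a query that is valid but matches nothing. Get-WinEvent accepts the same XPath that wevtutil's /q: does, and a log name containing a slash or a space only needs quoting. The deduplication and Security queries at the bottom are the ones from this thread.

```powershell
# Added example, not from the original post or any comment.
function Get-EventText {
    param(
        [Parameter(Mandatory=$true)] [string]$LogName,   # the Path="" value from the XML tab
        [Parameter(Mandatory=$true)] [string]$XPath,     # the text between <Select> and </Select>
        [int]$Count = 1
    )

    # 1. Is the log name right? This is the list 'wevtutil el' prints; the
    #    comparison is case-insensitive but otherwise exact.
    $known = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LogName
    if ($known -notcontains $LogName) {
        $prefix = $LogName.Split('/')[0]
        $near = @($known | Where-Object { $_ -like "*$prefix*" })
        throw "Log '$LogName' does not exist. Similar names: $($near -join ', ')"
    }

    # 2. Run the query. The XPath is case-sensitive: the element is always
    #    'System' (even when querying the Application log) and the attribute
    #    is 'EventID', so '*[Application [(EventID=...)]]' is valid but matches nothing.
    try {
        $events = Get-WinEvent -LogName $LogName -FilterXPath $XPath `
                               -MaxEvents $Count -ErrorAction Stop
    } catch {
        $msg = $_.Exception.Message
        if ($msg -like '*No events were found*') { return '' }   # valid query, no match
        if ($msg -like '*unauthorized*' -or $msg -like '*denied*') {
            throw "Access denied reading '$LogName'; run elevated (the Security log requires it)."
        }
        throw "Query failed: $msg (check the XPath syntax and casing)"
    }

    # Same fields 'wevtutil qe /f:text' shows, as one string for an e-mail body.
    $events | Format-List TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
        Out-String
}

# Queries from this thread. Quote any log name that has a '/' or a space in it.
Get-EventText -LogName 'Microsoft-Windows-Deduplication/Operational' -XPath '*[System[(EventID=6153)]]'
Get-EventText -LogName 'Security' -XPath '*[System[(EventID=4740)]]' -Count 3
```

An empty string back means the query is fine and the event simply hasn't been logged yet; an exception means the log name, the XPath or the session's rights need fixing, which is the distinction the silent empty query.txt in several comments above hides.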

  35. chinnu says:

    Hello,

    How can we get the details of the error in an email?

    When I say attach a task to the event and fill in the details, we do not get the details of the error message.

    We just get the text saying "text"… How can we get the inner details of the error?

    I have an application, and whenever an error is thrown in that application an email should be triggered, so that the inner details of the exception are also included in the email. How can this be done? Do we need to run the batch file for getting the inner exception as well?

  36. Jason says:

    I'm querying the :

    Microsoft-Windows-Small Business Server_Operational_Windows Small Business Server 2011 Standard

    Log for failures in the POP3 connector (event 212), but I can't seem to fashion an alternative command to search through a Log that has a space in the name.

  37. Paul Kelly says:

    Nice, but it's easier to do this by sending an SNMP trap to a program that will email for you.

  38. Eric says:

    Is there any way to do something similar on Windows Server 2003?   There is no overt option in the Event View to tie a particular event to a scheduled task as far as I can tell.    Is there a method in this environment to mimic the 2008 features?

  39. Menyailo Konstantin says:

    There is another approach: use PowerShell and create the tasks manually or via cmd. It helps to minimize your actions and helps to automate your administration.

    Example:

    notificator.ps1

    param ($EventID="4726")
    $wmi = Get-WmiObject Win32_OperatingSystem
    $result = wevtutil qe Security "/q:*[System[(EventID=$EventID)]]" /f:text /rd:true /c:1 | Out-String
    $CompName = $wmi.PSComputerName
    $From = $CompName+"@mail.com"
    $MailSubject = "Security Event Log: "
    switch ($EventID)
    {
        "4720" {$MailSubject += "User Account Created HOST: "+$CompName}
        "4723" {$MailSubject += "Attempt to Change User Password HOST: "+$CompName}
        "4724" {$MailSubject += "Attempt to Reset User Password HOST: "+$CompName}
        "4726" {$MailSubject += "User Account Deleted HOST: "+$CompName}
        "4738" {$MailSubject += "User Account Changed HOST: "+$CompName}
        "4740" {$MailSubject += "User Account Locked HOST: "+$CompName}
        "4625" {$MailSubject += "Account Failed to Logon HOST: "+$CompName}
        default {}
    }
    Send-MailMessage -To "receiver@mail.com" -From $From -Subject $MailSubject -SmtpServer "smtp.mail.com" -Body $result

    Put this script {somewhere} and use the command (all on one line; the inner quotes in /TR are escaped as \"):

    schtasks.exe /CREATE /TN AccountCreated /RU SYSTEM /SC ONEVENT /EC Security /MO *[System[EventID=4720]] /RL HIGHEST /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -ExecutionPolicy Unrestricted -file \"{somewhere}\notificator.ps1\" -EventID 4720"

    You can combine any events you need by creating additional tasks and modifying the PowerShell script for your needs.

    Best Regards

  40. Hello, great post!

    I can't find event ID 20274. I can find events for incorrect logins, but I can't find events for correct logins.

    How can I find the events with correct logins?

    Thanks in advance.-

  41. KG says:

    Whoever posted to use blat to get the text into the email: it is working perfectly, and with a few Outlook 2010 rules it gets rid of some unwanted mail I was receiving. blat -bodyF C:apps4663eventTEMPQueryquery.txt -to Someone@nnn.com -try 25 -server 10.10.10.xx -f Filesvr_Delet@nnn.com. In Task Scheduler I had to enter the start-in directory before the *.cmd would work. Thanks for all the info here.

  42. Talkboxjosh says:

    John, I am on a Server 2008 DC, and was hoping to adapt your scenario to monitor event 4740 (the user account locked out event). This way SpiceWorks (our helpdesk program) will notify us when a user locks their domain account. I followed all the steps but my query does not return any information. Does my syntax need to be different since this is a different event code? I found a site that explains how to build a wevtutil query, but it's a bit over my head. (http://www.windowsecurity.com/articles-tutorials/windows_os_security/WEVTUTIL-Manage-Event-Logs.html) Any help or insight that you could provide would be appreciated. Thanks.

  43. terry says:

    I wouldn't spend too much time getting used to this functionality. It's been deprecated in Server 2012, which means MS has found a better method for this.

  44. Vijred says:

    One quick tip: I spent lot of time for similar result. There is an option to include Event data into the mail by editing task XML. You can verify http://vijredblog.wordpress.com/2014/03/21/task-scheduler-event-log-trigger-include-event-data-in-mail/ for more information!
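Vijred's tip in practice: Task Scheduler can copy fields out of the triggering event into the action's arguments through a ValueQueries element in the task XML, which is what the two linked posts (comments 29 and 44) describe. The added example below is my code, not from the post or the linked sites. It registers such a task from PowerShell on 2008 R2 with schtasks /XML; the action receives the exact EventRecordID that fired the trigger, so the script only has to fetch *[System[EventRecordID=N]] instead of guessing which record is "the latest". The Queue instance policy gives simultaneous events a run each, which is the gap John's PS mentions. C:\Scripts\Send-EventRecord.ps1 is an assumed path and script; the lines it needs are in the header comment.

```powershell
# Added example: register an event-triggered task that passes the triggering
# record's EventRecordID to its action. Run from an elevated PowerShell.
#
# The action script (assumed path C:\Scripts\Send-EventRecord.ps1) only needs:
#   param([long]$EventRecordID)
#   $e = Get-WinEvent -LogName System -FilterXPath "*[System[EventRecordID=$EventRecordID]]"
#   Send-MailMessage -SmtpServer smtp.example.com -From tmg@example.com -To admin@example.com `
#       -Subject "Event $($e.Id) on $env:COMPUTERNAME" -Body $e.Message

$taskName = 'VPN connected (with record id)'
$script   = 'C:\Scripts\Send-EventRecord.ps1'

# Event Viewer's filter XML has to be XML-escaped inside <Subscription>.
$subscription = [System.Security.SecurityElement]::Escape(
    '<QueryList><Query Id="0" Path="System"><Select Path="System">*[System[(EventID=20274)]]</Select></Query></QueryList>')

# `$(EventRecordID) is written with a backtick so PowerShell leaves it alone;
# Task Scheduler substitutes the value named in <ValueQueries> at run time.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$subscription</Subscription>
      <ValueQueries>
        <Value name="EventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy RemoteSigned -File "$script" -EventRecordID `$(EventRecordID)</Arguments>
    </Exec>
  </Actions>
</Task>
"@

$xmlPath = Join-Path $env:TEMP 'vpn-connected-task.xml'
[System.IO.File]::WriteAllText($xmlPath, $taskXml, [System.Text.Encoding]::Unicode)
schtasks.exe /Create /TN $taskName /XML $xmlPath /F
Remove-Item $xmlPath
```

The same ValueQueries mechanism can pull any field addressable by XPath into an argument (Event/EventData/Data[@Name='...'] for provider-specific fields), but a record ID is the one value that lets the action fetch the whole event exactly once, whatever else was logged in the same second.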

  45. jeremy says:

    Any way to pull this off without an internal SMTP server?

  46. Clay says:

    Talkboxjosh, try this:

    wevtutil qe Security "/q:*[System [(EventID=4740)]]" /f:text /rd:true /c:1