Getting event log contents by email on an event log trigger

This one was actually pretty simple to work out, but it did have me flummoxed to start with. Here’s the scenario, I wanted to get an email when an event log entry was triggered. But, I also wanted the contents of the event log entry. I’ve been meaning to document this for ages, but never seem to find the time!

So here’s an example of the in-box functionality vs. a simple bit of bolt-on customization. In this example, I’ll use Event 20274 for RemoteAccess on a Windows Server 2008 R2 box running TMG 2010. This particular event is logged when an inbound VPN connection is established, and the body of the message says who connected, on what port, and what IP address they have been allocated.

First, inbox functionality. Establish the VPN, and find the event in the event log.

RAS1

Down in the bottom right, choose “Attach Task To This Event….”, and walk through the wizard. On the first screen, give it an appropriate name such as “A user connected through VPN”. On the action page, select send an email. On the Send an email page, fill in the appropriate information for From/To/Subject/Text and SMTP Server. What you’ll notice is that there’s nowhere to specify what goes in the body. But you can include a static attachment, but that doesn’t serve our needs

RAS2
Finish the wizard, and connect again through VPN to see what email comes through. Not particularly useful. Not yet, anyway.

RAS3

Now if you go into task scheduler, and drill down through Task Scheduler Library then to Event Viewer Tasks, you’ll see a new item. If you go into the properties of the task, you’ll see there’s no way to include the text of the event log in the message.

So step back a second, and ask “what’s the easiest way to get the last instance of event 20274 firing in the System event log?”. The answer (or an answer) is wevtutil. Here’s a command that will do that (note all on one line):

wevtutil qe System "/q:*[System [(EventID=20274)]]" /f:text /rd:true /c:1

Running that in a command prompt will yield the following:

ras4
Perfect, so that’s what I want emailed to me. So let’s create a quick batch file which will get the above information and put it in a file. I just called it query.cmd and saved it on my desktop for convenience (again, the wevtutil command is all on one line).

del %temp%\query.txt
wevtutil qe System "/q:*[System [(EventID=20274)]]" /f:text /rd:true /c:1 > %temp%\query.txt

With that done, let’s revisit the properties of the task and look at the Actions tab. Let’s add an item to run this batch file, and put it top of the list.

ras5
Now we need to look at the properties of the “Send an e-mail” option. Remember there was an “Attachment” setting. Well conveniently, we have a file which contains the information we need, %temp%\query.txt now. Simply put “C:\Users\tmgadmin\AppData\Local\Temp\query.txt” in that box. (Obviously replace the username/location as appropriate). I’m also going to remove the body of the message.

So what does the email look like now if I establish a VPN?

ras6
Exactly what I wanted! Hope that helps someone.

(And before you ask, the only link this post has to Hyper-V is that my TMG and Email servers are Hyper-V VMs).

Cheers,
John.

PS – yes, I realize this may not be perfect if two users connect at exactly the same time, or in your use case that multiple events fire at the same time, but I’ll leave that as an exercise for the reader to solve :)