Archive for the ‘Uncategorized’ Category

Getting Email Alerts from the Event Log

Thursday, March 20th, 2008

Ok, I think I’ve got it!  I’ve been looking for a way of getting email alerts of Event Log events, without having to buy lots of fancy (and expensive) monitoring software.  I’ve edited a script from Paul van der Elst that should do the job.  And it adds a link to the email for searching on eventidwiki.com which is handy :)

First things first, install the SMTP service on the server.  (See Here).

Then create a directory called C:\Script.  Paste the script below into a file called ‘MailErrorEvent.vbs’.

Follow the instructions in the script and you should be done!

' MailErrorEvent.vbs
' Author: ing. P.J.M. van der Elst (c) 2004
' eMail: paul_van_der_elst@hotmail.com

' Purpose: Main purpose of this script is to function as an Eventtrigger handler for the system Event log. From
' this script the most recent Error event from the System Eventlog is sent as eMail message (through CDO).
' script notes:
'    replace "YourEMailAddress@YourDomain" with a valid eMail address (see below)
'    You must have the SMTP Virtual Server installed and correctly configured to allow CDO.Message to work. For internet
'    connected systems: PLEASE set the SMTP Virtual Server Relay restrictions as secure as possible to avoid (spam) abuse.

' Eventtrigger install command (from Command Prompt):
' eventtriggers /create /tr "eMail Error Event" /l * /t ERROR /tk "%SystemRoot%\System32\wscript.exe C:\Script\MailErrorEvent.vbs" /ru YourDomain\Administrator
' install command notes:
'    replace "C:\Script\" with the path you've placed this script in
'    replace "YourDomain\Administrator" with an appropriate privileged username. This script cannot run using the SYSTEM account.
'    you will be prompted for the password.

' general notes:
'    The actual events that are triggered depend upon what you specify with the /l switch (I use it for System events only)
'    and the /t switch (I use it for ERRORs only). So with the above command, only ERROR events in the SYSTEM log will trigger
'    starting the script. Further, in this script, explicitly ERRORs in the SYSTEM eventlog are queried. Please review the line:
'    ("Select * from Win32_NTLogEvent Where Type = 'error' And Logfile = 'System'

' ===================

Option Explicit
Dim dtmStart, SearchEventStart
Dim objWMIService, colEvents, objEvent, EventTime
Dim objMessage, eventCounted

Const eMailAddress = "YourEMailAddress@YourDomain" ' must be a valid eMail address!!
Const MinutesToSearchWithin = -2 ' look for the event that triggered me within the last 2 minutes

' -------------------

Set objMessage = CreateObject("CDO.Message")
objMessage.Sender = eMailAddress
objMessage.To = eMailAddress
Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
SearchEventStart = DateAdd("n", MinutesToSearchWithin, Now())
dtmStart.SetVarDate SearchEventStart, True
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Type = 'error' And TimeWritten >= '" _
    & dtmStart & "'")
' Because we go through all recent events, in case of multiple events within the last 2 minutes, we might miss
' events. That is: within multiple events that occur within the last 2 minutes, not for all these events an eMail message
' may be generated. This is a trade-off to avoid generating multiple eMail messages for one particular event within a
' series of events that occurred within the last 2 minutes.
For Each objEvent In colEvents
    ' On Error Resume Next ' Maybe you should uncomment this line...
    objMessage.TextBody = "Category: " & objEvent.Category
    ' TimeWritten is a WMI datetime string (yyyymmddHHMMSS...); rearrange it as mm/dd/yyyy HH:MM.SS
    EventTime = Mid(objEvent.TimeWritten, 5, 2) & "/" & Mid(objEvent.TimeWritten, 7, 2) & "/" & _
        Mid(objEvent.TimeWritten, 1, 4) & " " & Mid(objEvent.TimeWritten, 9, 2) & ":" & _
        Mid(objEvent.TimeWritten, 11, 2) & "." & Mid(objEvent.TimeWritten, 13, 2)
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "Time: " & EventTime
    objMessage.Subject = "Error Event in " & objEvent.SourceName & " on " & objEvent.ComputerName & " at " & EventTime
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "EventCode: " & objEvent.EventCode
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "Message: " & objEvent.Message
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "RecordNumber: " & objEvent.RecordNumber
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "SourceName: " & objEvent.SourceName
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "Type: " & objEvent.Type
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "User: " & objEvent.User
    objMessage.TextBody = objMessage.TextBody & vbCrLf & "http://www.eventidwiki.com/index.php?search=" & objEvent.EventCode
Next
' The body is overwritten on each pass, so only the last event in the collection is mailed
objMessage.Send

One of my edits means that you get more than just the errors from the event log (not the informational events).  If you want to restrict it to just the ‘error’ events etc, use the following line instead of my shortened version :

("Select * from Win32_NTLogEvent Where Type = 'error' And Logfile = 'System' And TimeWritten >= '" _
& dtmStart & "'")
 

Thanks to Paul for the script
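
The comments in the script describe a trade-off: the message body is rebuilt for every event in the two-minute window, so only one event is ever mailed. The variant below is an added example, not Paul van der Elst's code or the edited script above; it collects every matching event into a single message and sends nothing when the query returns no rows. The MaxEventsPerMail cap and the subject wording are assumptions made for this example.

```vbscript
' Added example: one mail per trigger, listing every error event in the window.
Option Explicit
Const eMailAddress = "YourEMailAddress@YourDomain"  ' placeholder, as in the script above
Const MinutesToSearchWithin = -2                     ' same look-back window as the script above
Const MaxEventsPerMail = 25                          ' assumed cap so an error storm cannot build a huge mail

Dim dtmStart, objWMIService, colEvents, objEvent
Dim objMessage, body, eventCount

Set dtmStart = CreateObject("WbemScripting.SWbemDateTime")
dtmStart.SetVarDate DateAdd("n", MinutesToSearchWithin, Now()), True

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colEvents = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Type = 'error' And Logfile = 'System' " & _
    "And TimeWritten >= '" & dtmStart.Value & "'")

body = ""
eventCount = 0
For Each objEvent In colEvents
    eventCount = eventCount + 1
    ' Append instead of overwrite, so earlier events in the window are not lost
    If eventCount <= MaxEventsPerMail Then
        body = body & "RecordNumber: " & objEvent.RecordNumber & vbCrLf & _
            "Time (WMI format): " & objEvent.TimeWritten & vbCrLf & _
            "SourceName: " & objEvent.SourceName & vbCrLf & _
            "EventCode: " & objEvent.EventCode & vbCrLf & _
            "Message: " & objEvent.Message & vbCrLf & _
            "http://www.eventidwiki.com/index.php?search=" & objEvent.EventCode & _
            vbCrLf & vbCrLf
    End If
Next

' Only send when the query actually returned something
If eventCount > 0 Then
    Set objMessage = CreateObject("CDO.Message")
    objMessage.Sender = eMailAddress
    objMessage.To = eMailAddress
    objMessage.Subject = eventCount & " error event(s) in the last " & _
        Abs(MinutesToSearchWithin) & " minutes"
    objMessage.TextBody = body
    objMessage.Send
End If
```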

Organising this Thing?

Monday, March 17th, 2008

Well, I’ve come up with a basic organisation for this site, and it goes a little something like this….

For the front page, just put the event id number using the format :

[[Event ID : 1234]]

Then for the following page use the event id number followed by the ‘source’, i.e.:

[[1234, DNS]]

This should create a page where we can list the details at the top and the ‘Possible Solutions’ as a section under that.

I’m not sure if this is the best way to organise the wiki, but it will do for a start.  If you have any comment or suggestion, feel free to post :)

As seen on “Casting from the Server Room”!

Wednesday, March 12th, 2008

Thanks to the guys from Casting from the Server Room for mentioning the site on the latest podcast.  It’s great to hear someone else being so enthusiastic about the idea, and setting it as an assignment was a bonus! :)

For those of you who don’t know, the podcast is by a bunch of sysadmins for a school district in the US.  It’s really worth a listen if you haven’t already come across it; they have some great tips etc.

First Things First

Wednesday, March 5th, 2008

Ok, first things first, what’s this thing about?

Well the idea is to create a wiki where people can post up details of Event IDs that appear in the Windows event logs, and possible solutions they have found etc.

There are various different causes and solutions to the events that get logged, and the information in the event log is often pretty useless.

That’s about it really.  So feel free to add pages and details etc.  Oh and feel free to comment!