Skip to main content

How to create a custom Windows Event Log view and email trigger

The filtering on Windows event logs can be slow, clunky and although you can do it on fields like event ID, it seems that many event IDs are shared amongst many different errors – the event ID may match but the body of the error (therefore the actual error) may be completely unrelated. Fortunately, it is possible to filter on the contents of the body of the error message but it requires creating a custom XML query. Also, it would be handy to send out a notification email when this event gets logged. Read on to find out how to work this magic….
This example is looking for a Warning event 1309 for ASP.NET 4.0.30319.0 on a web server. If you were to just filter the log on the criteria above today it would return 435 results because it is a fairly general error ID. If I filter it using XML for SqlException (what I’m really interested in) only 5 results are returned.
So the first step is go to the Application Log and choose Create Custom View… Select the XML tab, check Edit query manually and click Yes.


And edit the XML query, in this case we have added the line in bold below:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
    *[EventData[Data and (Data='SqlException')]]
    </Select>
  </Query>
</QueryList>

Click OK, give the custom view a name (and folder if required) and click OK:

This will create a new folder with your custom view, select it and you will see it filter the results nice and quickly.

Send an email when an event is logged
Give it a name:
Click Next:
On Windows 2012R2 Send an e-mail (deprecated) doesn’t appear to work. Instead we will use a PowerShell script to send an email. Click Next.

Fill in the dialog as below with the path to your PowerShell script, in this case "C:\Scripts\SendEvtEmail.ps1"
This task is now save in Task Scheduler and can be further edited or delete from there. 

PowerShell script

Amend the script to suit your purposes:
# -------------------------------------
# Check Eventlog for a SqlException Message and send an email
if one is logged
#
# Paul Hewson 10/03/2017 v1.0
#
# This script is called every time an entry with an EventID of 1309 is generated
# -------------------------------------
#
# For testing try this:
# Write-EventLog –LogName Application –Source "ASP.NET 4.0.30319.0" –EntryType Warning –EventID 1309 –Message "SqlException"
# Get the latest log entry
$newEvent Get-EventLog -Newest -LogName "Application"
# If the newest log entry contains the text SqlException, fire off an email
if ($newEvent.Message -like"*SqlException*")
{   
    $EmailBody$newEventFormat-ListOut-String
    $EmailFrom "computer@company.com"
    $EmailTo "admin@company.com""user@company.com"
    $EmailSubject "New Eventlog SqlException on Web Server"
    $SMTPServer "SMTPSERVER"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -body $EmailBody -SmtpServer $SMTPServer -Priority High
}

Comments

Post a Comment

Popular posts from this blog

How to configure the SSAS service to use a Domain Account

NB Updating SPNs in AD is not for the faint hearted plus I got inconsistent results from different servers. Do so at your own risk! If you need the SSAS account on a SQL Server to use a domain account rather than the local “virtual” account “NT Service\MSSQLServerOLAPService”. You may think you just give the account login permissions to the server, perhaps give it sysadmin SQL permissions too. However, if you try and connect to SSAS  remotely  you may get this error: Authentication failed. (Microsoft.AnalysisService.AdomdClient) The target principal name is incorrect (Microsoft.AnalysisService.AdomdClient) From Microsoft: “A Service Principle Name (SPN) uniquely identifies a service instance in an Active Directory domain when Kerberos is used to mutually authenticate client and service identities. An SPN is associated with the logon account under which the service instance runs. For client applications connecting to Analysis Services via Kerberos authentication, th
Post a Comment
Read more

Fun and games with the Management Data Warehouse (MDW and Data Collectors)

The SQL Server Management Data Warehouse (when you first come across it) seems to promise so much if the verbiage from Microsoft and some other websites is to to believed. But when you install it you may find that it is not as useful as it could be. This is a shame but we are currently only on v2 of the product with SQL 2012 so one hopes it will improve in subsequent versions. However, it probably is worth playing with if you have never used it before - at least you can show your boss some reports on general server health when he asks for it and you have nothing else in place. There is one big problem with it though if you decide that you don't want to use it any more, uninstalling it is not supported! Mad, I know. But as usual some very helpful people in the community have worked out, what seems to me, a pretty safe way of doing it. I had a problem with my MDW. The data collector jobs were causing a lot of deadlocking on some production servers and impacting performance. I
1 comment
Read more

SAN performance testing using SQLIO

Introduction This document describes how to use Microsoft’s SQLIO to test disk/SAN performance. It is biased towards SQL Server – which uses primarily 64KB and 8KB data pages so I am running the tests using those cluster sizes, however, other sizes can be specified.  Download SQLIO from https://www.microsoft.com/en-gb/download/details.aspx?id=20163   SQLIO is a command line tool with no GUI so you need to open a command prompt at  C:\Program Files (x86)\SQLIO  after you have installed it. Configuration First of all edit param.txt so that you create the test file we will be using. The file needs to be bigger than the combined RAID and on-board disk caches. In this case we are using a 50GB file. The “ 2”  refers to the number of threads to use when testing, you don’t need to change this now. The “ 0x0”  value indicates that all CPUs should be used, which you probably don’t want to change either, “ #”  is a comment. The only part you may want to change is 51200 (50GB) a
2 comments
Read more