Skip to main content

How to create a custom Windows Event Log view and email trigger

The filtering on Windows event logs can be slow, clunky and although you can do it on fields like event ID, it seems that many event IDs are shared amongst many different errors – the event ID may match but the body of the error (therefore the actual error) may be completely unrelated. Fortunately, it is possible to filter on the contents of the body of the error message but it requires creating a custom XML query. Also, it would be handy to send out a notification email when this event gets logged. Read on to find out how to work this magic….
This example is looking for a Warning event 1309 for ASP.NET 4.0.30319.0 on a web server. If you were to just filter the log on the criteria above today it would return 435 results because it is a fairly general error ID. If I filter it using XML for SqlException (what I’m really interested in) only 5 results are returned.
So the first step is go to the Application Log and choose Create Custom View… Select the XML tab, check Edit query manually and click Yes.

And edit the XML query, in this case we have added the line in bold below:

  <Query Id="0" Path="Application">
    <Select Path="Application">
    *[EventData[Data and (Data='SqlException')]]

Click OK, give the custom view a name (and folder if required) and click OK:

This will create a new folder with your custom view, select it and you will see it filter the results nice and quickly.

Send an email when an event is logged
Give it a name:
Click Next:
On Windows 2012R2 Send an e-mail (deprecated) doesn’t appear to work. Instead we will use a PowerShell script to send an email. Click Next.

Fill in the dialog as below with the path to your PowerShell script, in this case "C:\Scripts\SendEvtEmail.ps1"
This task is now save in Task Scheduler and can be further edited or delete from there. 

PowerShell script

Amend the script to suit your purposes:
# -------------------------------------
# Check Eventlog for a SqlException Message and send an email
if one is logged
# Paul Hewson 10/03/2017 v1.0
# This script is called every time an entry with an EventID of 1309 is generated
# -------------------------------------
# For testing try this:
# Write-EventLog –LogName Application –Source "ASP.NET 4.0.30319.0" –EntryType Warning –EventID 1309 –Message "SqlException"
# Get the latest log entry
$newEvent Get-EventLog -Newest -LogName "Application"
# If the newest log entry contains the text SqlException, fire off an email
if ($newEvent.Message -like"*SqlException*")
    $EmailFrom ""
    $EmailTo """"
    $EmailSubject "New Eventlog SqlException on Web Server"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -body $EmailBody -SmtpServer $SMTPServer -Priority High


Popular posts from this blog

How to move the Microsoft Assessment and Planning Toolkit (MAP) database to a different drive

The Microsoft Assessment and Planning Toolkit (MAP) is a very useful tool for scanning your network to find instances of SQL Server plus all manner of detailed information about the installed product, OS and hardware it sits on.

<Click image to enbiggen>
There is an issue with it the database it uses to store the data it collects, however. Assuming you don't have an instance called MAPS on your server, the product will install using LocalDB (a cut down version of SQL Server Express) and puts the databases on your C: drive. If you then scan a large network you could easily expand the database to 10GB which may cause issues on a server when that drive is often one of the smallest. However, there is a simple solution: connect to LocalDB using Management Studio, detach the databases, move to a different drive, set permissions on the new location if required and reattach the database. How do you connect to LocalDB? Here you go:

Connect to (localdb)\MAPTOOLKIT

The databases I move…

Generate scripts to attach multiple databases

There is a handy little "by product", if you like, when running queries which means you can quickly generate scripts to do different things. Below is an example of generating multiple "attach" commands that you can copy from the results pane into the main SSMS window for execution. I have found this very handy in the past:

SELECT 'CREATE DATABASE ['+name+'] ON ( FILENAME = N''F:\MSSQL\Data\'+name+'.mdf'' ), ( FILENAME = N''E:\MSSQL\Log\'+name+'_log.ldf'' )  FOR ATTACH GO ' FROMmaster.dbo.sysdatabases WHEREnamenotin('master','msdb','model','tempdb')

The AcquireConnection method call to the connection manager failed with error code 0xC0202009

I had one of those annoying problems with executing a SSIS package that took up most of the morning today (and a couple of hours yesterday) where you get an error which many people have had, but none of their solutions work. I guess it is such a generic error code it can relate to many different issues hence dozens of different (wrong) suggestions. What confused matters was that although it completed successfully in SSDT, it failed when being validated on our newly created SSISDB Catalog. I didn't know whether it was a problem with the package and/or its parameters or the SSISDB Catalog installation or Environment.

If you haven't set up an Integration Services Catalog (a new feature of SQL 2012) yet I definitely think it is worth looking at. I found an excellent guide here that takes you through it all.

In our case we had two connection managers, the source was a table in a SQL Server 2012 database and the destination a table in an Access 2010 database. The server with the Int…