
How to create a custom Windows Event Log view and email trigger

Filtering Windows event logs can be slow and clunky. Although you can filter on fields like event ID, many event IDs are shared amongst many different errors: the event ID may match but the body of the error (and therefore the actual error) may be completely unrelated. Fortunately, it is possible to filter on the contents of the body of the error message, but it requires creating a custom XML query. It would also be handy to send out a notification email when this event gets logged. Read on to find out how to work this magic.
This example is looking for a Warning event 1309 for ASP.NET 4.0.30319.0 on a web server. If you were to just filter the log on the criteria above today it would return 435 results because it is a fairly general error ID. If I filter it using XML for SqlException (what I’m really interested in) only 5 results are returned.
So the first step is to go to the Application Log and choose Create Custom View… Select the XML tab, check Edit query manually and click Yes.


Then edit the XML query. In this case we have added the EventData line inside the Select element below:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
    *[EventData[Data and (Data='SqlException')]]
    </Select>
  </Query>
</QueryList>

Click OK, give the custom view a name (and folder if required) and click OK:

This will create a new folder with your custom view, select it and you will see it filter the results nice and quickly.

Send an email when an event is logged
Give it a name:
Click Next:
On Windows 2012R2 Send an e-mail (deprecated) doesn’t appear to work. Instead we will use a PowerShell script to send an email. Click Next.

Fill in the dialog as below with the path to your PowerShell script, in this case "C:\Scripts\SendEvtEmail.ps1"
This task is now saved in Task Scheduler and can be further edited or deleted from there.

PowerShell script

Amend the script to suit your purposes:
# -------------------------------------
# Check Eventlog for a SqlException Message and send an email
# if one is logged
#
# Paul Hewson 10/03/2017 v1.0
#
# This script is called every time an entry with an EventID of 1309 is generated
# -------------------------------------
#
# For testing try this:
# Write-EventLog -LogName Application -Source "ASP.NET 4.0.30319.0" -EntryType Warning -EventID 1309 -Message "SqlException"

# Get the latest log entry
$newEvent = Get-EventLog -Newest 1 -LogName "Application"

# If the newest log entry contains the text SqlException, fire off an email
if ($newEvent.Message -like "*SqlException*")
{
    # Render the whole event record as text for the email body
    $EmailBody = $newEvent | Format-List | Out-String
    $EmailFrom = "computer@company.com"
    # Multiple recipients are passed as an array of strings
    $EmailTo = "admin@company.com", "user@company.com"
    $EmailSubject = "New Eventlog SqlException on Web Server"
    $SMTPServer = "SMTPSERVER"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -Body $EmailBody -SmtpServer $SMTPServer -Priority High
}
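
The script above reads only the newest Application entry, so if another event is written between the trigger firing and the script running, the SqlException is not seen. The following added example (not part of the original script) re-runs the custom view's filter with Get-WinEvent over a recent time window instead; the five-minute window, the 20-event limit, the addresses and the SMTP server name are assumptions to adjust.

```powershell
# Added example: look back a fixed window rather than trusting "the newest entry".
$windowMs = 5 * 60 * 1000   # assumed look-back of five minutes, in milliseconds

# Same EventData test as the custom view, narrowed to the ASP.NET provider,
# event ID 1309 and events created within the look-back window.
$xpath = @(
    "*[System[Provider[@Name='ASP.NET 4.0.30319.0']"
    "and (EventID=1309)"
    "and TimeCreated[timediff(@SystemTime) <= $windowMs]]"
    "and EventData[Data='SqlException']]"
) -join ' '

# Get-WinEvent writes an error when nothing matches, so suppress it and test the result.
$events = Get-WinEvent -LogName Application -FilterXPath $xpath `
    -MaxEvents 20 -ErrorAction SilentlyContinue

if ($events) {
    # Oldest first, with the record ID so each alert can be tied to a log entry.
    $body = $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, RecordId, Message |
        Format-List |
        Out-String

    $mail = @{
        From       = "computer@company.com"
        To         = "admin@company.com", "user@company.com"
        Subject    = "SqlException on Web Server ($(@($events).Count) event(s))"
        Body       = $body
        SmtpServer = "SMTPSERVER"   # placeholder, as in the script above
        Priority   = "High"
    }
    Send-MailMessage @mail
}
```

Because the task fires once per 1309 event, bursts of errors inside the window will produce overlapping emails; shorten the window or record the last RecordId sent if that becomes noisy.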
