
How to create a custom Windows Event Log view and email trigger

Filtering Windows event logs can be slow and clunky. You can filter on fields such as event ID, but many event IDs are shared among different errors: the event ID may match while the body of the message (and therefore the actual error) is completely unrelated. Fortunately, it is possible to filter on the contents of the message body, but it requires creating a custom XML query. It would also be handy to send out a notification email when the event gets logged. Read on to find out how to work this magic…
This example is looking for a Warning event 1309 for ASP.NET 4.0.30319.0 on a web server. If you were to just filter the log on the criteria above today it would return 435 results because it is a fairly general error ID. If I filter it using XML for SqlException (what I’m really interested in) only 5 results are returned.
So the first step is to go to the Application Log and choose Create Custom View… Select the XML tab, check Edit query manually and click Yes.


Then edit the XML query; in this case we have added the line in bold below:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
    *[EventData[Data and (Data='SqlException')]]
    </Select>
  </Query>
</QueryList>

Click OK, give the custom view a name (and folder if required) and click OK:

This will create a new folder with your custom view, select it and you will see it filter the results nice and quickly.

Send an email when an event is logged
Give it a name:
Click Next:
On Windows 2012R2 Send an e-mail (deprecated) doesn’t appear to work. Instead we will use a PowerShell script to send an email. Click Next.

Fill in the dialog as below with the path to your PowerShell script, in this case "C:\Scripts\SendEvtEmail.ps1"
This task is now saved in Task Scheduler and can be further edited or deleted from there.

PowerShell script

Amend the script to suit your purposes:
# -------------------------------------
# Check Eventlog for a SqlException Message and send an email
# if one is logged
#
# Paul Hewson 10/03/2017 v1.0
#
# This script is called every time an entry with an EventID of 1309 is generated
# -------------------------------------
#
# For testing try this:
# Write-EventLog -LogName Application -Source "ASP.NET 4.0.30319.0" -EntryType Warning -EventID 1309 -Message "SqlException"

# Get the latest log entry
$newEvent = Get-EventLog -Newest 1 -LogName "Application"

# If the newest log entry contains the text SqlException, fire off an email
if ($newEvent.Message -like "*SqlException*")
{
    # Render the full event record as text for the email body
    $EmailBody = $newEvent | Format-List | Out-String
    $EmailFrom = "computer@company.com"
    $EmailTo = "admin@company.com","user@company.com"
    $EmailSubject = "New Eventlog SqlException on Web Server"
    $SMTPServer = "SMTPSERVER"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -Body $EmailBody -SmtpServer $SMTPServer -Priority High
}
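
The script above reads whatever entry is newest in the Application log when the task starts, which on a busy server may not be the event that triggered it. The following variant is an added example, not the original author's script: it selects events with the same criteria as the custom view (source, event ID 1309 and SqlException are taken from this article) and limits them to a look-back window. The five-minute window and the cap of ten events are assumptions to adjust.

```powershell
# Added example, not the original author's script.
# Select events by the custom view's criteria instead of taking the newest entry.

$windowMs = 5 * 60 * 1000   # assumption: look back 5 minutes

# Source name, event ID and 'SqlException' come from the article.
# timediff() restricts the match to events written inside the look-back window.
$xpath = "*[System[Provider[@Name='ASP.NET 4.0.30319.0'] and (EventID=1309) " +
         "and TimeCreated[timediff(@SystemTime) <= ${windowMs}]] " +
         "and EventData[Data='SqlException']]"

# Get-WinEvent reports an error when nothing matches, so silence it and test the result.
$events = Get-WinEvent -LogName Application -FilterXPath $xpath -MaxEvents 10 -ErrorAction SilentlyContinue

if ($events) {
    # Keep only the fields a responder needs; Message carries the exception detail.
    $body = $events |
        Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
        Format-List | Out-String

    $mail = @{
        From       = "computer@company.com"
        To         = "admin@company.com", "user@company.com"
        Subject    = "New Eventlog SqlException on Web Server ($(@($events).Count) event(s))"
        Body       = $body
        SmtpServer = "SMTPSERVER"
        Priority   = "High"
        # UseSsl   = $true   # enable if the SMTP relay supports TLS
    }
    Send-MailMessage @mail
}
```

If several matching events arrive inside the window, each triggered run reports all of them, so keep the window short or deduplicate on the receiving side.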
