Skip to main content

How to create a custom Windows Event Log view and email trigger

The filtering on Windows event logs can be slow, clunky and although you can do it on fields like event ID, it seems that many event IDs are shared amongst many different errors – the event ID may match but the body of the error (therefore the actual error) may be completely unrelated. Fortunately, it is possible to filter on the contents of the body of the error message but it requires creating a custom XML query. Also, it would be handy to send out a notification email when this event gets logged. Read on to find out how to work this magic….
This example is looking for a Warning event 1309 for ASP.NET 4.0.30319.0 on a web server. If you were to just filter the log on the criteria above today it would return 435 results because it is a fairly general error ID. If I filter it using XML for SqlException (what I’m really interested in) only 5 results are returned.
So the first step is go to the Application Log and choose Create Custom View… Select the XML tab, check Edit query manually and click Yes.


And edit the XML query, in this case we have added the line in bold below:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
    *[EventData[Data and (Data='SqlException')]]
    </Select>
  </Query>
</QueryList>

Click OK, give the custom view a name (and folder if required) and click OK:

This will create a new folder with your custom view, select it and you will see it filter the results nice and quickly.

Send an email when an event is logged
Give it a name:
Click Next:
On Windows 2012R2 Send an e-mail (deprecated) doesn’t appear to work. Instead we will use a PowerShell script to send an email. Click Next.

Fill in the dialog as below with the path to your PowerShell script, in this case "C:\Scripts\SendEvtEmail.ps1"
This task is now save in Task Scheduler and can be further edited or delete from there. 

PowerShell script

Amend the script to suit your purposes:
# -------------------------------------
# Check Eventlog for a SqlException Message and send an email
if one is logged
#
# Paul Hewson 10/03/2017 v1.0
#
# This script is called every time an entry with an EventID of 1309 is generated
# -------------------------------------
#
# For testing try this:
# Write-EventLog –LogName Application –Source "ASP.NET 4.0.30319.0" –EntryType Warning –EventID 1309 –Message "SqlException"
# Get the latest log entry
$newEvent Get-EventLog -Newest -LogName "Application"
# If the newest log entry contains the text SqlException, fire off an email
if ($newEvent.Message -like"*SqlException*")
{   
    $EmailBody$newEventFormat-ListOut-String
    $EmailFrom "computer@company.com"
    $EmailTo "admin@company.com""user@company.com"
    $EmailSubject "New Eventlog SqlException on Web Server"
    $SMTPServer "SMTPSERVER"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -body $EmailBody -SmtpServer $SMTPServer -Priority High
}

Comments

Popular posts from this blog

How to configure the SSAS service to use a Domain Account

NB Updating SPNs in AD is not for the faint hearted plus I got inconsistent results from different servers. Do so at your own risk! If you need the SSAS account on a SQL Server to use a domain account rather than the local “virtual” account “NT Service\MSSQLServerOLAPService”. You may think you just give the account login permissions to the server, perhaps give it sysadmin SQL permissions too. However, if you try and connect to SSAS  remotely  you may get this error: Authentication failed. (Microsoft.AnalysisService.AdomdClient) The target principal name is incorrect (Microsoft.AnalysisService.AdomdClient) From Microsoft: “A Service Principle Name (SPN) uniquely identifies a service instance in an Active Directory domain when Kerberos is used to mutually authenticate client and service identities. An SPN is associated with the logon account under which the service instance runs. For client applications connecting to Analysis Services via Kerberos authentication, th

How to move the Microsoft Assessment and Planning Toolkit (MAP) database to a different drive

The Microsoft Assessment and Planning Toolkit (MAP) is a very useful tool for scanning your network to find instances of SQL Server plus all manner of detailed information about the installed product, OS and hardware it sits on. <Click image to enbiggen> There is an issue with it the database it uses to store the data it collects, however. Assuming you don't have an instance called MAPS on your server, the product will install using LocalDB (a cut down version of SQL Server Express) and puts the databases on your C: drive. If you then scan a large network you could easily expand the database to 10GB which may cause issues on a server when that drive is often one of the smallest. However, there is a simple solution: connect to LocalDB using Management Studio, detach the databases, move to a different drive, set permissions on the new location if required and reattach the database. How do you connect to LocalDB? Here you go: Connect to (localdb)\MAPTOOLKIT The

SAN performance testing using SQLIO

Introduction This document describes how to use Microsoft’s SQLIO to test disk/SAN performance. It is biased towards SQL Server – which uses primarily 64KB and 8KB data pages so I am running the tests using those cluster sizes, however, other sizes can be specified.  Download SQLIO from https://www.microsoft.com/en-gb/download/details.aspx?id=20163   SQLIO is a command line tool with no GUI so you need to open a command prompt at  C:\Program Files (x86)\SQLIO  after you have installed it. Configuration First of all edit param.txt so that you create the test file we will be using. The file needs to be bigger than the combined RAID and on-board disk caches. In this case we are using a 50GB file. The “ 2”  refers to the number of threads to use when testing, you don’t need to change this now. The “ 0x0”  value indicates that all CPUs should be used, which you probably don’t want to change either, “ #”  is a comment. The only part you may want to change is 51200 (50GB) a