Monitoring Windows Event Logs


As a system engineer there are always problems, issues or activities on a server that you need to monitor, fix or be notified about: a failing application pool in IIS taking down your web application, backup failures, or user account changes you need to audit. It could also simply be an unexplained error you want to keep an eye on.

Not many system administrators realise there is a built-in feature in Windows Server designed for exactly this purpose: running a program automatically when a particular event is written to the event log.

Let's look at some great examples:

  • When a print spooler error is reported, restart the print spooler
  • When a backup failure is reported, restart the backup or send an email
  • When IIS stops, run an IISRESET command

All of these can be easily done in a few simple steps.


On Windows Server 2003 the Eventtriggers command lets you launch another application when a specified event is logged in the event log.

To see all of the options, run 'Eventtriggers /?' at the command prompt.

The following example runs an email notification VBScript whenever a success audit for event 642 (user account changed) is recorded in the Security log. Note that the event type is given as a single keyword (SUCCESSAUDIT), not as two words:

Eventtriggers /Create /TR "Event Triggers for AD Account Changes" /EID 642 /T SUCCESSAUDIT /TK C:\E-mail.vbs

On Windows Server 2008 this functionality is built into the Task Scheduler.

From the command line, use the schtasks /create command with the ONEVENT schedule type to configure these event triggers. The following command launches Event Viewer (eventvwr.msc) whenever event ID 101 is written to the System event log; the /MO modifier carries the XPath query that selects the event:

SCHTASKS /Create /TN EventLog /TR eventvwr.msc /SC ONEVENT /EC System /MO "*[System/EventID=101]"

Alternatively you can use the Task Scheduler interface to create a new task and in the trigger section select 'On an Event'.
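As an added example (not from the original post), the PowerShell below is the 2008-era equivalent of the E-mail.vbs action above: registered as the action of an ONEVENT task, it reads the event that fired the trigger and emails its key fields. Event 4738 is the Server 2008 successor of the 2003 event 642; the SMTP server, addresses, script path and task name are placeholder assumptions.

```powershell
# notify-on-account-change.ps1 (added example, not the original post's script)
# Runs as the action of a Task Scheduler event trigger on Windows Server 2008+.
# Event 4738 = "A user account was changed" (successor of event 642 on Server 2003).
# All server names and addresses below are placeholders, not real values.
param(
    [int]$EventId = 4738,
    [string]$LogName = 'Security',
    [string]$SmtpServer = 'smtp.example.internal',  # placeholder
    [string]$From = 'eventmon@example.internal',    # placeholder
    [string]$To = 'secops@example.internal'         # placeholder
)

# Fetch the most recent matching event, i.e. the one that fired the trigger.
# Reading the Security log requires an elevated account, so run the task as SYSTEM.
$event = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
    -MaxEvents 1 -ErrorAction Stop

# Convert the event to XML so EventData fields can be read by name
$xml  = [xml]$event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

$body = @"
Event $EventId in the $LogName log on $env:COMPUTERNAME at $($event.TimeCreated)
Target account : $($data['TargetDomainName'])\$($data['TargetUserName'])
Changed by     : $($data['SubjectDomainName'])\$($data['SubjectUserName'])
Record id      : $($event.RecordId)

$($event.Message)
"@

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[$env:COMPUTERNAME] Security event $EventId" -Body $body

# Register the trigger once from an elevated prompt (task name and script path
# are assumptions). The XPath filter restricts the trigger to event 4738 only.
#   SCHTASKS /Create /TN "AD Account Change Notify" /SC ONEVENT /EC Security ^
#     /MO "*[System[EventID=4738]]" /RU SYSTEM ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\notify-on-account-change.ps1"
```

Because the task only fires on a matching event, the script never polls the log; if the mail server is unreachable the task's own history in Task Scheduler records the failure.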

Happy Monitoring!!