• Seeking Tool to monitor event logs and send an email or raise an alert

    #2736574

    I’ve recently experienced errors on an SSD that only manifested themselves when running a Macrium Reflect image of a whole partition SSD. Looking at the Windows 10 Pro Event Logs I see that Windows was logging bad sectors as Critical errors yet MS in all its wisdom kept this to itself despite regularly popping up alerts to entice me to use its products <irony>.

    The SSD SMART data does show no critical or media errors but does show 14% of the Available Spare used (I believe this is used to replace bad sectors). My understanding is that this means the SSD is not classed as defective but is just suffering wear and tear, so the spare space is used to replace bad sectors.

    SSD now recovered. Going forward I’m looking for a utility to monitor the event logs and send an email or raise an alert on a Critical error.

    I’ve found a number of solutions that create a scheduled task that runs a PowerShell script that sends an email when a specific event is spotted but I can’t get them to work. Issues to date have included importing the PS script and defining the <query> string.

    Does anyone know of a tool or solution that does this?

    Thanks for reading

    Alan

    • #2736902

      What’s your budget?

      Pricing | EventSentry

      Susan Bradley Patch Lady/Prudent patcher

    • #2736988

      Task Scheduler and PowerShell is the cheapest.

      https://www.tenforums.com/performance-maintenance/190292-how-automatically-send-e-mail-when-error-occurs-event-viewer-post2367719.html?s=001cd88f5a36bda5da8158ce152e65fa#post2367719

      cheers, Paul

      1 user thanked author for this post.
    • #2737023

      I can’t get them to work

      Why not let us help you configure the PS and EL?
      Post details here.

      cheers, Paul

      1 user thanked author for this post.
      • #2738307

        My guess is the email process isn’t working? That’s always been the tricky part for me: getting authentication on the mail server.

        Susan Bradley Patch Lady/Prudent patcher

        • #2738466

          I run a simple server on my NAS with no user password and no external access (not a relay). My email client is set to query the NAS mail.
          This way I can even get alerts for internet outages.

          Mail Alert Simple Mailer may do external email without having to save passwords in PS.

          cheers, Paul

    • #2739222

      Task Scheduler and PowerShell is the cheapest.

      https://www.tenforums.com/performance-maintenance/190292-how-automatically-send-e-mail-when-error-occurs-event-viewer-post2367719.html?s=001cd88f5a36bda5da8158ce152e65fa#post2367719

      cheers, Paul

      Many thanks Paul. That solution is less convoluted than the 3 others I tried.

      As user Admin I’ve implemented it with some changes:

      The PS Script:

      1. Set $EventId = 7,11,15,25,26,51,55,57,157,158,233,234,5038  – basically any related to disk problems
      2. Set my email credentials

      I tested this within PowerShell ISE and I get an email listing EventID: 158
      Source: Microsoft-Windows-Time-Service

      I then set up the Scheduled Task with the following changes:

      1. Event filter: Critical, Error & Verbose
        1. Selected By Logs: Windows Logs/System & Applications & Service Logs/Hardware Events
        2. Include Event IDs: 7,11,15,25,26,51,55,57,157,158,233,234,5038
        3. Keywords left blank
      2. Action:
        1. Program/script:
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        2. Add arguments: H:\System\Event Log Monitor\CriticalEventV1.ps1
        3. Start in:<blank>
      3. OK with password for Admin

      For testing I added another Event Filter for Information & Event ID 7002 (logoff)

      I also turned on Task History

      I then logged off Admin and switched to my User account and logged in but got no email.

      I inspected the History window for the schedule and saw:

      Task Scheduler successfully completed task “\CriticalEventV1” , instance “{bfe1cfcf-9fa1-46a4-a249-b62650c02a35}” , action “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” with return code 2147942401.

      I found lots of possible reasons for return code 2147942401. This web site https://www.delftstack.com/howto/batch/return-code-2147942401/ says that the error is defined as an incorrect function or illegal function. It lists 4 possible causes:

      1. It may be due to a mistake in your Batch file or while scheduling a task.
      2. A scheduled task will only run when the user who created and scheduled the task is logged on. However, you can change it to run when the user is not logged on by special privilege, Log on as a batch job.
      3. If the user is logged in and it still shows the error, it may be because of not providing enough privileges.
      4. Another possible reason for this error code may be the system path issue.

      So:

      1. As Administrator (not Admin) I ran Local Security Policy and added user Admin to Log on as a batch job
      2. Ensured the task was defined with Run with highest privileges and changed the Configure for: to Windows 10
      3. Added the Batch file’s directory in the Start in (optional) textbox:
        H:\System\Event Log Monitor\

      Again tested by switching to user Admin, log-in & log-off and log back as User.

      But I still have the error. Can you spot what is wrong, Paul?

      Edit. Following another web suggestion I went to CriticalEventV1.ps1 then Properties and then Security

      1. Added Admin and permission of Full
      2. Changed User to permission of Full

      Tested – still error, so

      1. Added Everyone and permission of Full

      Still have the error.

      Alan

    • #2739229

      Set up a simple job (write the time to a text file) to test the Scheduled Task settings. Set the job to run every minute.

      Is there a reason you are running it as a different user? If you are the only user, run it as you.

      As it’s running PowerShell it may be the executionpolicy. You can bypass it with this command line: powershell.exe -ExecutionPolicy Bypass -file H:\System\Event Log Monitor\CriticalEventV1.ps1

      cheers, Paul

      1 user thanked author for this post.
      • #2739255

        Wow. That was a quick response, Paul 🙂 It works now! But there was a more fundamental error.

        I changed the argument to

        -ExecutionPolicy Bypass -file H:\System\Event Log Monitor\CriticalEventV1.ps1

        and got error 4294770688. A web page suggested adding “” around the file path/name – well I should have done this initially as the path has blanks <red face>. With the “” it works. I then removed -ExecutionPolicy Bypass and it still works.

        So now it all works. To clean up I will:

        1. try removing the Everyone permission
        2. after a few days turn off Event History – the history option is on or off for all tasks
        3. remove the testing event ID of 7002. I might replace this with say a power off event so that I only get a message once a day to reassure me the script is running & working.

        Many thanks Paul for helping. Much appreciated.

        Alan

        1 user thanked author for this post.
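
The monitoring script itself never appears in the thread. As an added example (not the tenforums script and not code from any poster), here is one way to write a script that a scheduled task can run to mail recent Critical/Error disk events, using the event IDs listed in the thread. The SMTP host and addresses are placeholders, and it assumes a LAN mail server that accepts mail without a password, as described in reply #2738466.

```powershell
# Added example; server name and addresses below are placeholders (assumptions).
# Task Scheduler action, with the script path quoted because it contains spaces:
#   Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
#   Add arguments:  -NoProfile -File "H:\System\Event Log Monitor\CriticalEventV1.ps1"
param(
    [int]$LookbackMinutes = 5,
    [string]$SmtpServer   = 'nas.example.lan',          # placeholder
    [string]$From         = 'eventmonitor@example.lan', # placeholder
    [string]$To           = 'admin@example.lan'         # placeholder
)

# Disk-related event IDs taken from the thread.
$EventIds = 7,11,15,25,26,51,55,57,157,158,233,234,5038

$filter = @{
    LogName   = 'System'
    Id        = $EventIds
    Level     = 1,2        # 1 = Critical, 2 = Error
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent reports an error when nothing matches, so suppress it and
# treat "no events" as a normal, successful run.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { exit 0 }

# Event IDs are not unique across providers (the thread's test mail showed
# ID 158 from Microsoft-Windows-Time-Service), so include the provider name.
$body = $events | Sort-Object TimeCreated | ForEach-Object {
    '{0:yyyy-MM-dd HH:mm:ss}  {1}  ID {2}  {3}' -f `
        $_.TimeCreated, $_.LevelDisplayName, $_.Id, $_.ProviderName
    $_.Message
    ''
} | Out-String

try {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[$env:COMPUTERNAME] $($events.Count) disk event(s)" `
        -Body $body -ErrorAction Stop
    exit 0
} catch {
    # A non-zero exit code shows up in Task Scheduler history; keep details on disk.
    "$(Get-Date -Format o) mail failed: $($_.Exception.Message)" |
        Add-Content -Path (Join-Path $PSScriptRoot 'monitor-errors.log')
    exit 1
}
```

Run it once from an interactive PowerShell prompt before attaching it to the task, so that mail delivery problems are separated from Task Scheduler configuration problems.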