One of an administrator's main chores is the tedious task of having to go through server event logs and monitor them for any error, warning, or abnormal event. Naturally, many management and monitoring tools such as Microsoft MOM or System Center Operation Manager 2007 do just that – monitor these events for you. However, in some cases, you need to deal with a small company, one without any budget for buying expensive 3rd-party management tools. Yes, I know, there are cheap or even free alternatives to CA-Unicenter, but not everyone knows how to implement such management suits.
In Windows Server 2008 and Windows Vista, a new capability was introduced to Event Viewer. This feature, called Custom Tasks, can be used to assign a custom task such as running a batch file, sending an e-mail alert, or popping up a message – anytime a specific event it raised. You can read more about this on my "Assigning Custom Tasks to Events in Vista" article.
However, here's something many people are not aware of. The Eventtriggers.exe command-line tool. This tool is an integral part of Windows 2000, Windows Server 2003 and Windows XP.
Recently I got this awesome tip from one of my readers – Sarah Seftel which reminded me of this old and almost obscure command, and it was now added as an article to the site with her permission. Thanks Sarah for writing it!
By using Eventtriggers.exe, you can automatically start a batch file or VBS script which performs a custom action or captures useful information. You can also use a script to perform correction actions on the machine, preventing the problem from reoccurring. Sometimes you just need to be notified when certain events are created in the Event Viewer, so we can use a script to send an e-mail alert. For example, you can create a trigger that monitors the event logs for low disk space events and if such events occur, you can run a script that removes any temporary or unnecessary files to resolve the low disk space condition, and/or send an e-mail alert telling you about it. Another reason for using Eventtriggers is to help you identify application and service outages quickly, and to possibly restore normal operations.
Eventtriggers.exe can also help you maintain system security and integrity. When a system is under attack, if auditing was enabled events may be written to the log files that indicate failed logon attempts in the security logs as a malicious user attempts to gain access.
Eventtriggers.exe command has 3 switches:
- Eventtriggers /create - Creates a new event trigger and sets the action to take.
- Eventtriggers /query - Displays the event triggers currently configured on a specified system.
- Eventtriggers /delete - Removes an event trigger when it is no longer needed.
The command itself is pretty simple to use. From a command prompt run:
eventtriggers.exe /create /eid /tr /ru /rp /tk
- /create - is used to create an event trigger,
- /delete can be used to delete the trigger
- /eid - is the event id number you wish to track
- /tr - is the name you would like to give to the event trigger
- /ru - is the user name to run under userdomain or firstname.lastname@example.org are both acceptable
- /rp - is the user password
- /tk - is the action you would like performed when triggered
Event triggers are created and their associated tasks are run by default on the local computer with the permissions of the user who is currently logged on. Because this command is used primarily for administration, you will be prompted for a password before the event trigger is added. If the triggered task needs to run with different or specific user permissions, provide the Run As permissions using /ru [Domain]User [/rp Password] options.
See the links section below for some useful examples and a full syntax explanation of Eventtriggers.exe.
We can use the Eventtriggers.exe command and combine it with a 3rd-party tool that will send us the e-mail notifications. In order to send an e-mail based on Event ID trigger we'll use free mail software called BMAIL.exe which can be freely downloaded from the Beyond Logic website
In order to configure the trigger, please follow these steps:
- Create a folder in which we'll place the BMAIL.exe, a batch file that calls the BMAIL.exe application, and a text file that contains the e-mail body.
- Create a batch file that will call the BMAIL.exe with the following syntax:
- The text file will contain the e-mail body. You can safely skip this stage and only create an e-mail subject in the batch file mentioned above. Here is an example of such a file. Save it as msg.txt in the working folder from step 1:
- Open a Command Prompt window by clicking on Start > Run, typing CMD and pressing Enter.
- To create a new event ID (in this case event ID 2013 – alerting us whenever a disk is ) we'll use the following syntax:
- Type eventtriggers /create /? In order to get the complete syntax of the commands.
- Once the above Eventtriggers command is run, you can use eventtriggers /query to see if your trigger is ready.
- Make sure that the Exchange server you are using the Eventtriggers command has relay permissions in the SMTP Virtual Server. Otherwise – you'll get no e-mails…
- I got an e-mail…
BMAIL.exe -s ExchangeServerName -p 25 -t email@example.com -f Event576@domain.com -m msg.txt -a "Disk is nearly full!!!" (insert in text box)
Replace ExchangeServerName with the name of your Exchange server.
Replace the e-mail addresses in the above batch file to those that fit your organizations and needs.
Duh note: "Disk is nearly full!!!" is just an example…
Use bmail.exe /? To get the complete syntax of the BMAIL.exe use.
"The disk is at or near capacity. You may need to delete some files. Please take care of this before things stop working."
eventtriggers /create /eid 2013 /tr EventID2013 /ru domainuser /rp password /tk C:Systembmailtrigger.bat
Replace C:Systembmailtrigger.bat with your path and file name. Also, replace /eid 2013. with whatever event number you need to monitor, as well as /tr EventID2013.
The /RU and /RP parameters hold the credentials you're going to use. Replace them with your own.
Got a question? Post it on our Exchange Server Forums!