One of an administrator's main chores is the tedious task of going through server event logs and monitoring them for any error, warning, or abnormal event. Naturally, many management and monitoring tools such as Microsoft MOM or System Center Operations Manager 2007 do just that – monitor these events for you. However, in some cases, you need to deal with a small company, one without any budget for buying expensive 3rd-party management tools. Yes, I know, there are cheap or even free alternatives to CA-Unicenter, but not everyone knows how to implement such management suites.
In Windows Server 2008 and Windows Vista, a new capability was introduced to Event Viewer. This feature, called Custom Tasks, can be used to assign a custom task such as running a batch file, sending an e-mail alert, or popping up a message – anytime a specific event is raised. You can read more about this in my “Assigning Custom Tasks to Events in Vista” article.
However, here's something many people are not aware of: the Eventtriggers.exe command-line tool. This tool is an integral part of Windows 2000, Windows Server 2003 and Windows XP.
Recently I got this awesome tip from one of my readers – Sarah Seftel – who reminded me of this old and almost obscure command, and it has now been added as an article to the site with her permission. Thanks Sarah for writing it!
By using Eventtriggers.exe, you can automatically start a batch file or VBS script which performs a custom action or captures useful information. You can also use a script to perform corrective actions on the machine, preventing the problem from reoccurring. Sometimes you just need to be notified when certain events are created in the Event Viewer, so you can use a script to send an e-mail alert. For example, you can create a trigger that monitors the event logs for low disk space events and, if such events occur, run a script that removes any temporary or unnecessary files to resolve the low disk space condition, and/or sends an e-mail alert telling you about it. Another reason for using Eventtriggers is to help you identify application and service outages quickly, and to possibly restore normal operations.
Eventtriggers.exe can also help you maintain system security and integrity. When a system is under attack and auditing is enabled, failed logon attempts are written to the security log as a malicious user attempts to gain access, and a trigger on those events can alert you to them.
Eventtriggers.exe command has 3 switches:
The command itself is pretty simple to use. From a command prompt run:
eventtriggers.exe /create /eid /tr /ru /rp /tk
Event triggers are created and their associated tasks are run by default on the local computer with the permissions of the user who is currently logged on. Because this command is used primarily for administration, you will be prompted for a password before the event trigger is added. If the triggered task needs to run with different or specific user permissions, provide the Run As permissions using the /ru [Domain\]User [/rp Password] options.
See the links section below for some useful examples and a full syntax explanation of Eventtriggers.exe.
We can use the Eventtriggers.exe command and combine it with a 3rd-party tool that will send us the e-mail notifications. In order to send an e-mail based on an Event ID trigger we'll use free mail software called BMAIL.exe, which can be freely downloaded from the Beyond Logic website.
Note: You can also use other methods of sending e-mails. If you read my “Send Mail from Script” article you'll get many more examples of methods of sending e-mail via scripts.
In order to configure the trigger, please follow these steps:
BMAIL.exe -s ExchangeServerName -p 25 -t
-m msg.txt -a "Disk is nearly full!!!" (insert in text box)
Replace ExchangeServerName with the name of your Exchange server.
Replace the e-mail addresses in the above batch file with those that fit your organization's needs.
Duh note: “Disk is nearly full!!!” is just an example…
Use bmail.exe /? to get the complete syntax of BMAIL.exe.
"The disk is at or near capacity. You may need to delete some files. Please take care of this before things stop working."
eventtriggers /create /eid 2013 /tr EventID2013 /ru domain\user /rp password /tk C:Systembmailtrigger.bat
Replace C:Systembmailtrigger.bat with your path and file name. Also, replace /eid 2013 with whatever event number you need to monitor, as well as /tr EventID2013.
The /RU and /RP parameters hold the credentials you're going to use. Replace them with your own.
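The steps above combined into one setup script, as an added example that is not part of the original article. The folder, SMTP server, e-mail addresses and run-as account are placeholders, BMAIL's -f (From) address and the choice of the System log for event 2013 are assumptions, and /rp is left out so the password is prompted for instead of being stored in a file.

```batch
@echo off
rem setup-disk-alert.bat - added example; every name below is a placeholder.
setlocal

rem Assumed locations and accounts (constructed for this example).
rem bmail.exe is assumed to have been copied into WORKDIR.
set WORKDIR=C:\EventAlerts
set TASK=%WORKDIR%\mailalert.bat
set BODY=%WORKDIR%\msg.txt
set SMTP=ExchangeServerName
set MAILTO=admin@example.com
set MAILFROM=alerts@example.com
set RUNAS=EXAMPLE\svc-alerts

if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem 1. Message body that BMAIL sends with -m.
> "%BODY%" echo The disk is at or near capacity. You may need to delete some files.

rem 2. The batch file the trigger runs (variables are expanded as it is written).
> "%TASK%" echo @echo off
>> "%TASK%" echo "%WORKDIR%\bmail.exe" -s %SMTP% -p 25 -t %MAILTO% -f %MAILFROM% -m "%BODY%" -a "Disk is nearly full!!!"

rem 3. The task runs with RUNAS's rights, so only administrators may change it.
rem    cacls asks for confirmation when it replaces an ACL; "echo y" answers it.
echo y| cacls "%WORKDIR%" /T /G Administrators:F SYSTEM:F %RUNAS%:R

rem 4. Create the trigger. /l SYSTEM limits it to the System log (assumed to be
rem    where event 2013 is written). With /ru given and /rp omitted, the tool
rem    prompts for the password, keeping it out of this file.
eventtriggers /create /tr "EventID2013" /l SYSTEM /eid 2013 /d "Low disk space alert" /tk "%TASK%" /ru %RUNAS%
if errorlevel 1 (
  echo Trigger creation failed.
  exit /b 1
)

rem 5. List the triggers with their task and run-as account to confirm the result.
eventtriggers /query /v /fo LIST
endlocal
```

A dedicated low-privilege account for /ru limits what the triggered task can do if the batch file is ever altered.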