How to get eventlog information in a scheduled task email?

Solution 1:

The only way to accomplish this is a bit of a workaround (in my opinion). You will need to create two actions for your task. The steps are as follows:

  1. Event is triggered
  2. The first action runs a query for the event details you're interested in and saves them to a file.
  3. The second action attaches the event details saved in Step 2 to an e-mail and sends it off.

The process is detailed here: http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

Solution 2:

That is not the only way to accomplish it. There's actually a much better way that works in Windows Server 2008 at the very least:

https://web.archive.org/web/20121106034308/http://www.buit.org/2009/07/16/event-based-triggered-tasks/

To summarize, you need to export the task definition to XML, add some XPath queries for the data you want in a text editor, update your command line, and then import your updated task definition back into Task Scheduler.

Once exported, open the XML file and find the <EventTrigger> node.

Create a child node <ValueQueries>:

<ValueQueries>
    <Value name="EventID">Event/System/EventRecordID</Value>
    <Value name="Channel">Event/System/Channel</Value>
</ValueQueries>

You can then reference this value query data in your command line with $(EventID) and $(Channel). From my testing, email events do not substitute these values correctly. Instead you need to execute a command line. Of course you can add XPath queries to any data in the event; these are just examples.

You may also experience some challenges in passing certain data from these data queries to a command line (various characters including quotes, slashes, etc. may conflict with the special characters in your command interpreter). To mitigate this I have taken to using the two parameters defined above, and then retrieving the remaining event data using wevtutil:

wevtutil qe "$(Channel)" /q:"*[System[(EventRecordID=$(EventID))]]" /f:xml

You can then do what you want with the full XML text of the event record that generated the alert (such as send an email, parse the XML, etc.).

For example, you may define the following action in your task to write the event XML to disk:

<Exec>
    <Command>powershell.exe</Command>
    <Arguments>start-transcript -path C:\alertlog.log -append; add-content -path C:\output.txt -value (wevtutil qe "$(Channel)" /q:"*[System[(EventRecordID=$(EventID))]]" /f:xml); stop-transcript;</Arguments>
</Exec>

The referenced blog post goes into greater detail.
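The following script is an added example (not code from either answer or the linked blog posts) that turns the approach above into the e-mail the question asks for: the task passes only $(Channel) and $(EventID) from the <ValueQueries> defined above, the script validates them, re-reads the full record with wevtutil, and mails it as an attachment. The SMTP host, addresses, script path and parameter names are assumptions.

```powershell
# Send-EventMail.ps1 (added example; not from the original answers)
# <Arguments> for the task's <Exec> action (assumed path and parameter names):
#   -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Send-EventMail.ps1 -Channel "$(Channel)" -RecordId $(EventID)
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[A-Za-z0-9 _./-]+$')]     # e.g. "Security", "Microsoft-Windows-Sysmon/Operational"
    [string]$Channel,

    [Parameter(Mandatory)]
    [ValidateRange(1, 9223372036854775807)]       # EventRecordID is numeric; anything else is rejected
    [long]$RecordId
)

$smtpServer = 'smtp.example.invalid'       # placeholder, assumed
$from       = 'alerts@example.invalid'     # placeholder, assumed
$to         = 'soc@example.invalid'        # placeholder, assumed

# Only the channel name and the record id cross the command line; the event text itself
# is read back from the log, so quotes or slashes in event data never reach the interpreter.
$xmlText = & wevtutil.exe qe $Channel "/q:*[System[(EventRecordID=$RecordId)]]" /f:xml /c:1
if ($LASTEXITCODE -ne 0 -or -not $xmlText) {
    throw "wevtutil could not read record $RecordId from channel '$Channel' (exit code $LASTEXITCODE)"
}

# Elements with attributes (e.g. <EventID Qualifiers="...">) come back as XmlElement, plain ones as string.
function Get-Text($node) {
    if ($node -is [System.Xml.XmlElement]) { $node.InnerText } else { [string]$node }
}

[xml]$event = ($xmlText -join "`n")
$sys = $event.Event.System
$subject = '[{0}] {1} event {2} on {3} at {4}' -f $Channel, $sys.Provider.Name,
    (Get-Text $sys.EventID), (Get-Text $sys.Computer), $sys.TimeCreated.SystemTime
$body = "Event record $RecordId from channel $Channel.`r`nThe full event XML is attached."

# Attach the raw XML rather than inlining it, so a mail client cannot mangle the markup.
$safeName = $Channel -replace '[^A-Za-z0-9]', '_'
$tmp = Join-Path $env:TEMP ("event-{0}-{1}.xml" -f $safeName, $RecordId)
Set-Content -Path $tmp -Value ($xmlText -join "`r`n") -Encoding UTF8
try {
    Send-MailMessage -SmtpServer $smtpServer -From $from -To $to -Subject $subject -Body $body -Attachments $tmp
}
finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}
```

Because the record is fetched by numeric EventRecordID, the task works unchanged for any channel or event the trigger's <Subscription> selects.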