In first part of this article I cover how to edit the existing Task to send Event Details but I will skip basics of Task creation.
Step-1: Create a Job which will trigger on an Event during specific condition
Step-2: Right Click on the job and Export it, save it as test.xml
Step-3: Open test.xml File in notepad to Edit, Find (Event Trigger)
Step-4: Include ValueQueries as shown below, save the file. In below example, I have added (Event/EventData/Data) as (EventData) which will be used as $EventData while sending a mail.
Tip:
You can include any values in the event (Example: Event/System/Computer will include your Server Name). You can open the event -> Go to Details Tab -> Select XML view to see more details:
Step-5:
Delete the existing task and import the new task using modified XML file.
Step-6:
Edit Actions -> Send an e-mail option, include $(EventData) as appropriate
Background:
I had a situation to trigger an alert for any error logged by FailoverCluster. I had no option to use SCOM, Sitescope or any other monitoring tools. Decided to create a custom monitor!
First option is SQL job or Scheduled task which monitors for specific errors in event viewer once every 10 minutes and send a mail but the challenge is the delay and very frequent event viewer scans.
I have chosen an option to trigger a Scheduled task when a specific event occurred (Log=System, Source=FailoverClustering). Now the bigger challenge is to include the error message in mail!
This feature is not enabled through UI but this can be achieved with some simple steps. Export the job, editing XML file, add
<ValueQueries><Value name="EventData">Event/EventData/Data</Value> </ValueQueries> in <EventTrigger></EventTrigger>
import the job again and use $(EventData) while sending the Email!
For detailed process, refer to http://myitforum.com/cs2/blogs/jmassardo/archive/2011/05/26/event-log-triggers.aspx
If you need to edit the criteria when the event should be triggered, refer to http://blogs.msdn.com/b/davethompson/archive/2011/10/25/running-a-scheduled-task-after-another.aspx
–
VijRed
How to include event information in scheduled task (On an Event)
Blog for reference - Vijred 
my $(EventData) does not actually show the eventdata information
it just comes out as “$(EventData)” in my body text.
————————–
My Event Triggers:
true
<QueryList><Query Id=”0″ Path=”Application”><Select Path=”Application”>*[System[Provider[@Name=’Service Optimization’] and EventID=129]]</Select></Query></QueryList>
PT30S
Event/System/Channel
Event/System/Computer
Event/EventData/Data
Event/System/EventID
Event/System/EventRecordID
Event/System/Level
Event/RenderingInfo/Message
——————————–
My Actions:
xxx
[ALERT] Errors on xxx
xxx
xxx
$(EventData)
$(Message)
—————–
can you help please?
Thanks
Anita
opps, its taken the xml code…
”
xxx
[ALERT] Errors on x server
x
xxx
$(EventData)
$(Message)
”
”
true
<QueryList><Query Id=”0″ Path=”Application”><Select Path=”Application”>*[System[Provider[@Name=’Service Optimization’] and EventID=129]]</Select></Query></QueryList>
PT30S
Event/System/Channel
Event/System/Computer
Event/EventData/Data
Event/System/EventID
Event/System/EventRecordID
Event/System/Level
Event/RenderingInfo/Message
“
Same problem as anita’s comment, but I do not see what she’s talking about if she is trying to say she solved it? I put the $(EventData) in the body, but it comes out just as that, not replacing the actual data from the error. I’ve followed the steps exactly, so what is the trick to go from the screenshot of “Text:” as entered in Step 6 to an email result that actually shows the error text and not just “$(EventData)”?
Maybe it has to do with the missing image for Step 5, but something’s missing, above (besides another omission that you cannot do this as the system Administrator, but have to set the user as SYSTEM to get the email to send at all).
Anyone?
The missing image is the Tip of Step 4, actually…
Corrected the image in Step-4!
OK, so anita makes sense to me now that I found the typo in my XML “Event Data” vs. “EventData”, but how do I get the actual text shown in Event Viewer (for example, a canceled WSB backup is Event ID 8 and the text is “The backup operation was canceled.” – that’s the text that we want to show in our email!) and not what we got, which was this useless info.:
“”
Event Viewer uses a Messages DB, so that is likely next t impossible. Instead my email just shows the EventID # and then gives a link to relevant Event IDs…all is well enough!
Any tip on how to send the eventData as a prameter to a Powershell script instead for E-mailing it?
I would like to know how to properly implement this as part of a Group Policy Preference. Instead of manually creating the task on each server, I’d love to know if there is a way of doing it via GPO. I’ve tried the above and attempted to edit the Scheduled Task.xml file that appears in the corresponding folder for the GPO in SysVol, but the event log reports errors upon GPO refresh on the servers in question.
Pingback: Monitoring Event ID with Powershell or SCOM | Jacques DALBERA's IT world
Hello Please me help someone i am not able to import extracted event id after edit it. my errors is “The format of the task is not valid. The following error was reported:(12,7):ValueQueries:” . Please let me know where am making mistake.
Hi Vijred,
I am also looking to capture Tableau application event logs from Windows. I have seen below line in the discussion.
Event/EventData/Data in
Can you give a example of the above line. I am little confused where to add above line in XML and what could the value in fields
Do you know how to do this exact same thing on a Windows 2012 R2 server since MS decided to remove the email option from task scheduler? Would love to hear some ideas on how to do this. Thanks.
It’s worth noting that case matters for the “name” attribute. Make it “Name” and the import will generate annoyingly vague errors.
Hello,
I was able to implement this solution for me and it is working perfectly till i found out if i got the 2 events generated in the same time i receive the e-mail only for the first what for me it is a big issue, can you help me how to solve this?
Hi Ervin,
Check if there is any setting to change the action to be performed if the task is already running. Change it from ‘Do not start new instance’ to ‘Run a new instance in parallel’.
Let me know if it works…
-Vijred
Hello Vijred,
I found the option “Run a new instance in parallel” will se it tomorrow if all the logs will appear.
thanks
Ervin
anyone know how to include the “TimeCreated” value?
Event/System/TimeCreated/@SystemTime
Here’s an interesting piece to get Event Data into your email. For instance, to get the Client Name from the event data, add the following line to your ValueQueries section:
Event\EventData\Data[@Name=’ClientName’]
This technique will let you get to any “Data Name” pair under the EventData section.
This totally is not working for me, I have the issue of getting an email that says $EventData instead of the actual information. What is the deal? I have no typos in my XML. I am about to pull my hair out.
When I implment this, I get error code 2147942487. Anyone know what this means?
Pingback: Client Hyper-V: Automatische Checkpoints abschalten | faq-o-matic.net