Weekly quickTIP
Event Log in Reverse
When you need something done, Eventtriggers can make it happen.
- By Greg Shields
- 07/30/2007
Last time we discussed how to use the native Eventcreate tool to create an event from within a script or from the command line. So, what if you want to do the reverse? Instead of creating an event when an activity occurs, what if you want an activity to occur when a particular event appears in the log?
For Windows XP and 2003, say hello to Eventtriggers. This tool, also run from the command line, will configure a database of triggers that fire when certain events appear in the event log of the machine. Like scheduled tasks, the triggers created with Eventtriggers survive a reboot. So if you create a trigger, you need to specifically remove it if you want it to stop doing its function.
Let's say you have an employee that somehow keeps getting inappropriate software installed on their computer and you suspect that they're doing the install themselves. Administrator rights notwithstanding, you can create an event trigger to notify you when the MsiInstaller source logs an Event ID 11707, which indicates a successful installation of software. To do this, use the following syntax:
Eventtriggers /create /tr "Installation Alert" /eid 11707 /l application /t information /tk "net send gshields There he goes again with another install!"
In the example above, the /tr switch identifies the name of the trigger. The /eid switch identifies the Event ID to watch for while the /l and /t instruct the trigger which event log and event type to monitor. Use /tk to tell the trigger what application or script to run when the trigger occurs.
To query for the database of triggers, use the command eventtriggers /query. You'll also need to use this:
eventtriggers /delete /tid {TriggerNumber}
to remove any triggers once you're done.
Tech Help—Just An
E-Mail Away |
|
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at [email protected];
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.) |
|
|
Interestingly enough, eventtriggers is deprecated in Windows Vista and 2008. So you won't be able to use the command-line tool to create them. But the functionality lives on in Windows 2008's upgraded Task Scheduler, which includes a GUI interface making much easier the creation and management of triggers.
If you create a new task, click the "triggers" tab and create a new task that begins "on an event." You'll be able to access the same functionality as the command-line tool. Where this new GUI access gets really cool is in the ability to create custom event filters that allow you to very specifically define your event of interest.
About the Author
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.