2. Triggering System Events with the EventTriggers Utility
One problem with the event log is that it quickly becomes clogged with information, more than most network administrators want to wade through to locate a particular event of importance. Starting with Windows XP (the utility also ships with Windows Server 2003), you can set an event trigger on the event log. When an entry matching the criteria you specify is written, the EventTriggers utility performs the task you name, anything from sending an email message to running a particular application (batch files included). Later versions of Windows drop EventTriggers in favor of event-triggered scheduled tasks, so the commands in this section apply to XP and Server 2003 systems.
The useful part about event triggers is that you can track problems occurring on any system (local or remote) with far less effort. Although you might want to look at all of those informational messages in the event log at some point, the SQL Server error message is the one you want to know about the second it occurs, and that is the kind of entry to track with an event trigger. The entry could just as easily come from any other application; for example, you might want to know when the Windows Time Service fails to find an online time synchronization source.
The EventTriggers utility
provides three modes of operation: Create, Delete, and Query. Each one
of these modes controls a particular aspect of working with event
triggers. The following sections discuss these three modes of operation
and show how you use them to manage event triggers on your system.
2.1. Create
Before you can use event triggers, you have to create them. The Create mode adds new event triggers. Each trigger matches one pattern of log entry (a log, an Event ID, a type, a source, or a combination of them), so you need one trigger for each kind of entry you want to monitor. This mode uses the following syntax:
EVENTTRIGGERS /Create [/S system [/U username [/P [password]]]] /TR triggername /TK taskname [/D description] [/L log] { [/EID id] [/T type] [/SO source] } [/RU username [/RP password]]
The following list
describes each of the command line arguments.
/S system
Specifies the remote system on which to create the trigger. The trigger then watches that system's event logs and runs its task there, which is how administrators get a central machine notified about entries written on other servers. The remote system must allow the required access: the account you use needs administrative rights on it.
/U [domain\]user
Defines the user context for executing the command on the remote system. The user context matters because not every account has rights to read the event log or to create triggers, and this is the account the remote system records for the connection if it audits logons.
/P [password]
Provides the password for the user context. The utility prompts for the password (when necessary) if you don't include it on the command line. Supplying the password at the prompt is safer than putting it on the command line or in a batch file: a command line argument can be read from the console history and from the process list by other users of the system, and a batch file stores the password on disk in clear text.
/TR triggername
Defines a human-readable name to associate with the event trigger. Using names such as MyTrigger probably won't work well. It's important to create a descriptive name that you'll recognize easily. Make sure you make the name unique by adding some elements for the event log entry that it monitors. For example, WinMgmtWarning63 would be a good name for an event generated by the Windows management service at the warning level for event identifier number 63.
/L log
Specifies the Windows event log to monitor. The three common logs include Application, System, and Security. The DNS Server and Directory logs commonly appear on servers. You can also specify any custom log. You can use wildcard characters to define the log name. The default value is "*" (without the quotes), which is all of the event logs on the specified machine.
/EID id
Specifies which Event ID to monitor in the event log. This value is application specific, so you need to know which Event ID an application uses for a particular condition. Event IDs are only unique within an event source, so combine /EID with /SO when the ID you care about could also be written by another source.
/T type
Specifies the Event Type to monitor in the event log. The valid values include ERROR, INFORMATION, WARNING, SUCCESSAUDIT, and FAILUREAUDIT. SUCCESSAUDIT and FAILUREAUDIT only appear in the Security log.
/SO source
Specifies the Event Source to monitor: the component that wrote the entry, as shown in the Source column of Event Viewer (for example, W32Time for the Windows Time Service). Sources vary by application and by the component performing a task. Supplying this switch narrows the trigger to entries from one source; omit it when you want to match an ID or type regardless of which component wrote the entry.
/D description
Provides a free-form description stored with the trigger; Query mode shows it in verbose output. This switch documents the trigger for other administrators, it does not filter on the text of the event log entry. EventTriggers matches entries on log, Event ID, type, and source only, so a condition that can only be told apart by its message text has to be checked by the task you run.
/TK taskname
Defines the command to run when the event trigger fires. Generally, this is an application (including any required command line switches), batch file, script, or other executable entity. For example, you can tell Outlook to send you a message about the event using Outlook's command line switches. Quote the value when it contains spaces, use the full path to the executable, and keep that file in a directory only administrators can write to: the task runs with the privileges of the /RU account (often the system account), so anyone who can replace the file gets code execution under that account the next time the event appears.
/RU username
Defines the user account under which the task runs. Use "" (two quotes) for the system account. The default username is the current username or the name used to access the remote system with the /U command line switch. Prefer the least privileged account that can perform the task and use the system account only when the task genuinely needs it.
/RP password
Defines the password for the task user account. The EventTriggers utility ignores this value when working with the system account. Supply a value of "*" (without the quotes) or none when you want the EventTriggers utility to prompt for a password.
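A complete Create example, added here and not taken from the original text, that ties the Security log logon-failure audit (event 529 on Windows XP and Server 2003, "Logon Failure: Unknown user name or bad password") to a small administrator-owned batch file, then adds a second trigger for the Windows Time Service warning mentioned earlier. The directory names, trigger names, host name, account name and the notify.cmd script are assumptions for illustration. W32Time writes the "no time source reachable" warning as event 29 on XP and Server 2003; confirm the ID in your own System log before relying on it.

```batch
@echo off
rem Added example (not from the original text): create event triggers that run
rem an administrator-owned batch file. Assumed layout: scripts in C:\Admin\Scripts,
rem log output in C:\Admin\Logs. Run from a command prompt with administrative rights.
setlocal

if not exist "C:\Admin\Scripts" mkdir "C:\Admin\Scripts"
if not exist "C:\Admin\Logs" mkdir "C:\Admin\Logs"

rem The tasks run as the system account (/ru ""), so the script they run must
rem not be writable by ordinary users; replacing it would give SYSTEM-level code
rem execution on the next matching event. Replace the directory ACL with
rem Administrators and SYSTEM only (cacls asks Y/N before replacing an ACL).
echo y| cacls "C:\Admin\Scripts" /t /g Administrators:F SYSTEM:F >nul

rem Write the script the triggers will run. It only records when it fired; a real
rem deployment adds the notification step (mail client switches, pager, and so on).
rem %%1 becomes %1 in the written file, and ^>^> writes a literal >>.
(
  echo @echo off
  echo rem Run by an EventTriggers entry; %%1 is the trigger name passed below.
  echo echo %%date%% %%time%% %%COMPUTERNAME%% trigger %%1 fired ^>^> "C:\Admin\Logs\triggers.log"
) > "C:\Admin\Scripts\notify.cmd"

rem Trigger 1: Security log, audit failure, event 529 (logon failure on XP/2003).
rem The /tk value is one quoted string: full path to the script, then its argument.
eventtriggers /create ^
  /tr "SecurityLogonFailure529" ^
  /l SECURITY /t FAILUREAUDIT /eid 529 ^
  /tk "C:\Admin\Scripts\notify.cmd SecurityLogonFailure529" ^
  /ru "" ^
  /d "Runs notify.cmd on each logon failure audit (529)"

rem Trigger 2: System log, W32Time warning, no reachable time source.
rem Event ID 29 is assumed from XP/Server 2003 W32Time; verify on your system.
rem /so is given as well as /eid because IDs are only unique within a source.
eventtriggers /create ^
  /tr "W32TimeWarning29" ^
  /l SYSTEM /so W32Time /t WARNING /eid 29 ^
  /tk "C:\Admin\Scripts\notify.cmd W32TimeWarning29" ^
  /ru "" ^
  /d "Runs notify.cmd when the time service cannot reach a source"

rem Same trigger on a remote server (assumed host and account). /p is omitted on
rem purpose so the utility prompts for the password instead of it sitting in this file.
rem eventtriggers /create /s FILESRV01 /u CORP\opsadmin /tr "W32TimeWarning29" /l SYSTEM /so W32Time /t WARNING /eid 29 /tk "C:\Admin\Scripts\notify.cmd W32TimeWarning29" /ru "" /d "Runs notify.cmd when the time service cannot reach a source"

rem Confirm what was created; verbose list output shows the query and run-as account.
eventtriggers /query /fo list /v
endlocal
```

The script path assumed here has no spaces, so the /TK value is simply the path followed by the argument inside one pair of quotes; a path with spaces needs its own quoting inside the value. The ACL step is what makes /RU "" acceptable: with it, only administrators can change what SYSTEM executes.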
2.2. Delete
Use the Delete mode to
remove any event triggers you no longer need. This mode uses the
following syntax:
EVENTTRIGGERS /Delete [/S system [/U username [/P [password]]]] /TID id [/TID id1 [...[/TID idn]]]
The following list
describes each of the command line arguments.
/S system
Specifies the remote system from which to remove the trigger. The remote system must allow the required access: the account you use needs administrative rights on it.
/U [domain\]user
Defines the user context for executing the command on the remote system. The user context matters because not every account has rights to read the event log or to delete triggers, and this is the account the remote system records for the connection if it audits logons.
/P [password]
Provides the password for the user context. The utility prompts for the password (when necessary) if you don't include it on the command line. Supplying the password at the prompt is safer than putting it on the command line or in a batch file: a command line argument can be read from the console history and from the process list by other users of the system, and a batch file stores the password on disk in clear text.
/TID id
Specifies the Trigger Identifier to remove from the list of event triggers. Every time you create a new event trigger, the system assigns it an identifier. You can see this identifier by using the Query mode. This command line switch accepts the * wildcard, which deletes all of the event triggers on the system, so use it with care.
2.3. Query
The Query mode displays a list of all of the event triggers on a system. You can use this list to see what is currently configured and to find the identifier a Delete needs. By changing the output format, you can also use this mode to add the event triggers to a database for later reference. This mode uses the following syntax:
EVENTTRIGGERS /Query [/S system [/U username [/P [password]]]] [/FO {TABLE | LIST | CSV}] [/NH] [/V]
The following list
describes each of the command line arguments.
/S system
Specifies the remote system whose event triggers to list. Querying several servers from one administrative machine is a convenient way to keep a central record of what each one will run. The remote system must allow the required access: the account you use needs administrative rights on it.
/U [domain\]user
Defines the user context for executing the command on the remote system. The user context matters because not every account has rights to read the event log or to list triggers, and this is the account the remote system records for the connection if it audits logons.
/P [password]
Provides the password for the user context. The utility prompts for the password (when necessary) if you don't include it on the command line. Supplying the password at the prompt is safer than putting it on the command line or in a batch file: a command line argument can be read from the console history and from the process list by other users of the system, and a batch file stores the password on disk in clear text.
/FO {TABLE | LIST | CSV}
Defines the
output format for this mode. The default output is a tabular view. The
table columns define the values for output, while each row contains one
event trigger entry. The CSV output provides the best method for
preparing the data for entry in a database. Use redirection to output the CSV data to a
file and then import it to your database. The list format provides one
data element per line. Each group of data elements defines one event
trigger. The utility separates each event trigger by one blank line.
Some people find the list format more readable when working in verbose
mode since the table format requires multiple lines for each entry (the
lines wrap).
/NH
Specifies
that the EventTriggers utility shouldn't display the column headers. You
can use this option when creating pure content for reports or other
needs. The EventTriggers utility accepts this command line switch only
when using the table and CSV formats.
/V
Outputs
additional information about each event trigger. The default output
includes the trigger identifier, event trigger name, and the name of the
task the event trigger performs. The additional information includes
the hostname, the event trigger query (the arguments used to trigger
it), the description information, and the username used to run the task.
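An added example, not from the original text, that covers the Delete and Query modes together: Delete accepts only the numeric trigger ID, so this batch file looks the ID up by name in CSV output and deletes it, and first archives a verbose CSV listing of the local system and two remote servers for the database import the text describes. The host names, file path and trigger name are assumptions. Since anyone with administrative rights can create a trigger that runs an arbitrary command as the system account, a periodic export like this is also a cheap way to notice triggers you did not create.

```batch
@echo off
rem Added example (not from the original text): archive every trigger on a set of
rem hosts, then delete one trigger by name. Host names, paths and the trigger
rem name are assumed; adjust them for your environment.
setlocal

set "ARCHIVE=C:\Admin\Logs\eventtriggers.csv"
set "TARGET=W32TimeWarning29"
if not exist "C:\Admin\Logs" mkdir "C:\Admin\Logs"

rem Verbose CSV carries the host name, the query (log, ID, type, source), the
rem description and the run-as account, so one file can hold several hosts.
rem The local listing keeps its header row; the remote ones use /nh so the
rem header is not repeated and the file imports as a single table.
rem No /u or /p is given, so the current account is used for the remote hosts.
eventtriggers /query /fo csv /v > "%ARCHIVE%"
for %%H in (FILESRV01 FILESRV02) do (
    eventtriggers /query /s %%H /fo csv /v /nh >> "%ARCHIVE%"
)

rem Delete takes /tid only, so find the ID whose name matches TARGET.
rem Default (non-verbose) CSV columns are: Trigger ID, Event Trigger Name, Task.
rem %%~A and %%~B strip the quotes CSV puts around each field. Splitting on
rem commas assumes the trigger name itself contains no comma.
set "TID="
for /f "tokens=1,2 delims=," %%A in ('eventtriggers /query /fo csv /nh') do (
    if /i "%%~B"=="%TARGET%" set "TID=%%~A"
)
if not defined TID (
    echo No trigger named "%TARGET%" on this system.
    endlocal
    exit /b 1
)
echo Deleting trigger %TID% named %TARGET%
eventtriggers /delete /tid %TID%

rem Show what is left; the list format reads better than the table with /v.
eventtriggers /query /fo list /v
endlocal
```

Run it from a command prompt with administrative rights. When reviewing the archived CSV, the Task column is the one worth reading: every entry there is a command that will run unattended under the account in the user column as soon as the matching event appears.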