How to Include Event Log Details in Server 2008 Email Notifications Using XML and ValueQuery



When configuring email notifications for Windows Server 2008 event logs, many administrators want to include the actual event details in the message body. The standard task scheduler actions don't provide straightforward access to event-specific variables like EventID or Description.

Each Windows event carries its details as XML, which PowerShell can parse. The following reads the most recent Application event and extracts its EventID and EventData values:

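$eventXml = [xml](Get-WinEvent -LogName "Application" -MaxEvents 1).ToXml()
# EventID may carry a Qualifiers attribute, so read its text explicitly
$eventId = $eventXml.Event.System['EventID'].InnerText
# InnerText works whether or not a <Data> element has a Name attribute
$description = $eventXml.Event.EventData.ChildNodes | ForEach-Object { $_.InnerText }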

For a complete solution, you'll need to combine PowerShell scripting with scheduled tasks. Here's an example script that captures all event details:

param(
    [Parameter(Mandatory=$true)]
    [string]$LogName,
    [Parameter(Mandatory=$true)]
    [int]$EventID
)

$event = Get-WinEvent -FilterHashtable @{LogName=$LogName; ID=$EventID} -MaxEvents 1
$eventXml = [xml]$event.ToXml()

$body = @"
Event ID: $($event.Id)
Level: $($event.LevelDisplayName)
Time Created: $($event.TimeCreated)
Computer: $($event.MachineName)
Message: $($event.Message)

Event Data:
$(($eventXml.Event.EventData.ChildNodes | ForEach-Object { $_.InnerText }) -join "`n")
"@

# The trailing backtick continues the command onto the next line
Send-MailMessage -From "alerts@domain.com" -To "admin@domain.com" `
    -Subject "Event $($event.Id) occurred" -Body $body -SmtpServer "smtp.domain.com"

To trigger this script automatically:

  1. Create a basic task that triggers on event ID
  2. Set action to "Start a program"
  3. Point to PowerShell.exe with arguments: -File "C:\scripts\event_notification.ps1" -LogName "Application" -EventID 4412

For simpler cases where you just need basic event information, you can use the built-in task scheduler variables:

  • %EventID% - The numeric event identifier
  • %EventLevel% - The severity level (1-5)
  • %EventRecordID% - The unique record number
  • %EventChannel% - The log name where the event was recorded

These variables can be used directly in the email action's subject or body when creating the task.


When configuring event-triggered email notifications in Windows Server 2008, I ran into a frustrating limitation. While the basic email functionality works perfectly through SMTP, the default setup doesn't provide an easy way to include the actual event details in the notification message body.

The event logs in Windows Server 2008 store information in a specific XML format. Here's a typical event structure we're working with:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DFSR" />
    <EventID Qualifiers="16384">4412</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-05-14T18:18:09.000Z" />
    <EventRecordID>45692</EventRecordID>
    <Channel>DFS Replication</Channel>
    <Computer>servername.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>9046C3F4-843E-4A53-B941-4B20764072E5</Data>
    <Data>D:\departments\Geomatics\Plan Quality\Data Processing\CG3533017 2009-05-13 KT FIXED</Data>
    <Data>D:\departments</Data>
  </EventData>
</Event>

Through experimentation, I discovered that some event properties can be accessed using ValueQuery expressions in the task action configuration. For example:

Event/System/EventRecordID
Event/System/Level
Event/System/Channel

However, critical elements like EventID and the event description remained inaccessible through this method.

When the built-in task actions proved insufficient, I developed a PowerShell script solution that provides complete access to all event details. Here's the core implementation:

$event = Get-WinEvent -FilterHashtable @{
    LogName = 'DFS Replication'   # must match the event's Channel (see the sample XML above)
    ID = 4412
    ProviderName = 'DFSR'
} -MaxEvents 1

$emailBody = @"
Event ID: $($event.Id)
Level: $($event.LevelDisplayName)
Time: $($event.TimeCreated)
Computer: $($event.MachineName)
Message: $($event.Message)
"@

# The trailing backticks continue the command onto the next line
Send-MailMessage -To "admin@domain.com" -From "noreply@domain.com" `
    -Subject "Event Notification: $($event.Id)" -Body $emailBody `
    -SmtpServer "smtp.domain.com"

To make this work with event triggers:

  1. Create a basic scheduled task triggered by your target event
  2. Set the action to "Start a program" and point to PowerShell.exe
  3. Add arguments: -File "C:\Scripts\EventEmailNotification.ps1"
  4. Configure the task to run whether user is logged on or not

For more complex event data extraction, you can directly parse the event XML:

$eventXML = [xml]$event.ToXml()
# InnerText works whether or not a <Data> element has a Name attribute
$eventData = $eventXML.Event.EventData.ChildNodes | ForEach-Object { $_.InnerText }
$emailBody += "`nEvent Data: " + ($eventData -join ", ")
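
The `-MaxEvents 1` scripts above mail the newest matching event, which is not necessarily the one that fired the task when several arrive close together. As an added example (not the author's script), this variant uses the ValueQuery paths listed earlier to hand the triggering record's channel and EventRecordID to the script, which then fetches exactly that record. The value names, the script path and the step of adding `<ValueQueries>` by editing the exported task XML are assumptions of the example.

```powershell
# Added example, not the page's script. Assumed task XML (names are illustrative):
#   <EventTrigger> ... <ValueQueries>
#     <Value name="eventChannel">Event/System/Channel</Value>
#     <Value name="eventRecordID">Event/System/EventRecordID</Value>
#   </ValueQueries> </EventTrigger>
#   <Arguments> (one line) -NoProfile -File "C:\Scripts\EventEmailNotification.ps1"
#     -Channel "$(eventChannel)" -RecordId $(eventRecordID)</Arguments>
param(
    [Parameter(Mandatory=$true)]
    [ValidatePattern('^[\w \-/.]+$')]   # log names only: no quotes, pipes or semicolons
    [string]$Channel,
    [Parameter(Mandatory=$true)]
    [uint64]$RecordId                   # binding fails unless the value is a number
)

# Fetch the exact record that fired the trigger instead of "the newest match".
$evt = Get-WinEvent -LogName $Channel -FilterXPath "*[System[EventRecordID=$RecordId]]" `
    -MaxEvents 1 -ErrorAction Stop
$xml = [xml]$evt.ToXml()

# Collect EventData values; label them when <Data> carries a Name attribute.
$data = @($xml.Event.EventData.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] } |
    ForEach-Object {
        $label = $_.GetAttribute('Name')   # empty string when there is no Name
        if ($label) { "${label}: $($_.InnerText)" } else { $_.InnerText }
    })

$body = @"
Event ID: $($evt.Id)
Record ID: $($evt.RecordId)
Level: $($evt.LevelDisplayName)
Time Created: $($evt.TimeCreated.ToUniversalTime().ToString('u'))
Computer: $($evt.MachineName)
Message: $($evt.Message)

Event Data:
$($data -join "`n")
"@

# Plain-text body (no -BodyAsHtml): logged strings come from other software and
# must not be rendered as markup. The subject holds only a number and the channel.
$mail = @{
    From = 'noreply@domain.com'; To = 'admin@domain.com'; SmtpServer = 'smtp.domain.com'
    Subject = "Event $($evt.Id) in $Channel (record $RecordId)"
    Body = $body
}
Send-MailMessage @mail
```

Only the channel name and the numeric record ID cross the command line; free-text fields such as the message and EventData are read from the log inside the script, so event content never becomes part of the task's argument string.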