Required Files: None
This script scans the Application and System event logs for keyword matches in event messages, or for specific event IDs, within a configurable look-back window (24 hours by default) and raises an RMM alert for each hit. Run it on a daily schedule to be alerted on the Windows events you care about.
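Import-Module $env:SyncroModule

# Substrings to look for in event messages. Each entry is matched as a
# wildcard pattern ("*<entry>*"), so a literal '*', '?' or '[' in an entry
# acts as a wildcard rather than plain text. A good list of Windows events
# worth monitoring: https://gist.github.com/theinventor/f621987e638728653107d3299a4fb966
$queryWords = @(
    "has a bad block",
    "The driver detected a controller error",
    'The file system structure on the disk is corrupt and unusable'
)

# Event IDs to alert on regardless of message text, e.g. $queryEventIds = 7,51
$queryEventIds = 51, 29, 50, 55, 7101

# Look-back window: "now" minus 1440 minutes = the last 24 hours. Run daily.
$startTime = [DateTime]::Now.AddMinutes(-1440)

# Event levels to include (comma-separated):
#   LogAlways 0, Critical 1, Error 2, Warning 3, Informational 4, Verbose 5
# NOTE: the level filter applies to the event-ID matches too - an ID listed
# above that is logged at Warning/Informational level is not reported unless
# its level is added here.
$level = 2, 1

# Query the logs once instead of once per keyword.
# -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating
# "No events were found" error when the filter matches nothing, which is
# not a failure for this script. @() keeps a single result as an array so
# .Count is reliable.
$allEvents = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Application', 'System'
        StartTime = $startTime
        Level     = $level
    } -ErrorAction SilentlyContinue)

# Report the events matched for one query: a single roll-up alert when more
# than three events matched, otherwise one alert per event.
# Event message text is copied verbatim into the alert body; treat it as
# untrusted log data when consuming the alert.
function Send-EventAlerts {
    param(
        [string]$Label,
        [object[]]$Events
    )

    if ($Events.Count -eq 0) {
        Write-Host "Yay, no events for that query ($Label)"
        return
    }

    # '-gt', not '>': in PowerShell '>' is output redirection, so
    # "$x > 3" writes $x to a file named "3" and the condition is never true.
    if ($Events.Count -gt 3) {
        $summary = $Events | Out-String
        Write-Host "You have some serious issues here to look at!"
        Write-Host $summary
        Rmm-Alert -Category "windows_event_multiple" -Body "You have some serious issues here to look at!`n$summary"
        return
    }

    foreach ($event in $Events) {
        # $(...) is required to expand a property inside a string;
        # "$event.Message" would print the object followed by the literal ".Message".
        $text = "EventLog: $($event.Message) occurred at $($event.TimeCreated)"
        Write-Host $text
        Rmm-Alert -Category "windows_event_$($event.Id)" -Body $text
    }
}

# Keyword matches, reported per keyword.
foreach ($query in $queryWords) {
    $hits = @($allEvents | Where-Object { $_.Message -like "*$query*" })
    Send-EventAlerts -Label $query -Events $hits
}

# Event-ID matches, reported once (not once per keyword).
$idHits = @($allEvents | Where-Object { $_.Id -in $queryEventIds })
Send-EventAlerts -Label "event ids $($queryEventIds -join ',')" -Events $idHits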