
Required Files: None


This handy script monitors the Windows event log for keywords or event IDs within a specified time window. Run it daily to catch the Windows events you want to be alerted about.


 

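Import-Module $env:SyncroModule

# Scans the Application and System event logs for the last 24 hours and raises
# an RMM alert for every event whose message contains one of the query words or
# whose event ID is on the watch list. Intended to be scheduled once a day.

# put in queries like "query1","query2" to search the eventlog
# you can reference a ton of good windows events to monitor here https://gist.github.com/theinventor/f621987e638728653107d3299a4fb966
$queryWords = @("has a bad block","The driver detected a controller error",'The file system structure on the disk is corrupt and unusable')
# you can use eventids here like; $queryEventIds = 7,51
$queryEventIds = 51,29,50,55,7101
# [DateTime]::Now is "Now", then addMinutes "negative" 1440 is saying "subtract 1 day"
#  this is getting events for the last 24 hours. Run this daily.
$lookbackMinutes = 1440
$startTime = [DateTime]::Now.AddMinutes(-$lookbackMinutes)
#For the levels below, add them with a comma
#Verbose 5
#Informational 4
#Warning 3
#Error 2
#Critical 1
#LogAlways  0
$level=2,1
# More than this many hits for one query are rolled up into a single
# "multiple events" alert instead of one alert per event.
$alertThreshold = 3

# The event query does not depend on the loop variable, so run it once rather
# than once per query word. With -FilterHashtable, Get-WinEvent reports a
# non-terminating error when no events match; an empty result is the normal
# "quiet day" outcome here, so that error is suppressed and @() keeps $candidates
# an array even for zero or one event.
$candidates = @(Get-WinEvent -FilterHashtable @{logname='application','system';starttime=$startTime;level=$level} -ErrorAction SilentlyContinue)

foreach ($query in $queryWords) {
  $results = @($candidates | Where-Object { $_.Message -like "*$query*" -or $_.Id -in $queryEventIds })

  if ($results.Count -eq 0) {
    Write-Host "Yay, no events for that query ($query)"
    continue
  }

  # '>' is output redirection in PowerShell (the original wrote the count to a
  # file named "3" and never took this branch); -gt is the numeric comparison.
  if ($results.Count -gt $alertThreshold) {
    Write-Host "You have some serious issues here to look at!"
    # Out-String has to format the results before Write-Host prints them;
    # piping Write-Host's (empty) pipeline output into Out-String shows nothing.
    Write-Host ($results | Out-String)
    Rmm-Alert -Category "windows_event_multiple" -Body "You have some serious issues here to look at!`n$($results | Out-String)"
  } else {
    foreach ($event in $results) {
      # $( ) is required inside the string: "$event.message" expands $event and
      # then appends the literal text ".message", so the alert carried the object's
      # type name instead of the message and ID.
      $eventText = "EventLog: $($event.Message) ocurred at $($event.TimeCreated)"
      Write-Host $eventText
      Rmm-Alert -Category "windows_event_$($event.Id)" -Body $eventText
    }
  }
}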