Mar 02 2021 05:55 PM
Dear All,
Please help me. I've tried to create a PS script to get the event log when a file is either deleted or created by somebody on the ShareFile server. It works if they create or delete only 1 file: a notification is sent via email. But when they delete or create more than 1 file at the same time, the notification is sent only for the latest event, not for all events. Can anyone please help me? Please see my PS script below.
$EventId = 4663
##$A = Get-WinEvent -MaxEvents 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId}
$A = Get-WinEvent -MaxEvents 1 -FilterHashTable @{Logname = "Security" ; ID = $EventId} | Where {$_.properties[10].value -eq "0x4"}
##Get-WinEvent -MaxEvents 1 -FilterHashTable @{Logname = "Security" ; ID = 4663} | Where {$_.properties[10].value -eq "0x4"} | select *
foreach($event in $A){
$EventIDA = $event.Id
$MachineNameA = $event.MachineName
$TimeA = $event.TimeCreated
$TaskDisplayName = $event.TaskDisplayName
$RecordID = $event.RecordId
$AccountName = $event.Properties[1].value
$AccountDomain = $event.Properties[2].value
$ObjectName = $event.Properties[6].value
$Access = $event.Properties[12].value
$test = $event.Properties
}
#Write-Output $ObjectName'.evtx'
##Get date and time to create event log file --Comment
$logfile = get-date -Format yyyyMMdd_hhmmsstt
##Export event log to .evtx file
$EventSession = New-Object System.Diagnostics.Eventing.Reader.EventLogSession
#$EventSession.ExportLog('Security','LogName',"*[System[EventRecordID = $RecordID]]", "E:\BackupEventLog\RecordID.evtx")
$EventSession.ExportLog('Security','LogName',"*[System[EventRecordID = $RecordID]]", "E:\BackupEventLog\RecordID.evtx")
Rename-Item -Path "E:\BackupEventLog\RecordID.evtx" -NewName "$logfile.evtx"
$EmailFrom = "MyShareFileServer"
$EmailTo = "My Email", "My Colleague Email"
$Subject ="Alert From $MachineNameA"
$MessageA = $A.Message
$BodyA = "Event log URL: \\Server IP Address\E$\BackupEventLog
`nNotification message
`----------------------------------------------
`EventID: $EventIDA`nMachineName: $MachineNameA `nTime: $TimeA `nTask Display Name: $TaskDisplayName `nLogin Name: $AccountDomain\$AccountName `nPath: $ObjectName `nMessage: $MessageA"
##$BodyB = "EventID: $EventIDB`nSource: $SourceB`nMachineName: $MachineNameB `nTime: $TimeB `nMessage: $MessageB"
$SMTPServer = "SMTP IP Address"
$SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 587)
$SMTPClient.EnableSsl = $true
Send-MailMessage -SmtpServer $SMTPServer -From $EmailFrom -To $EmailTo -Subject $Subject -Body "$BodyA" -Attachments "E:\BackupEventLog\$logfile.evtx"
Mar 03 2021 03:35 AM
Solution
Hi
You can check the schedule history and see what happens and how the task was executed; you will probably find something like: Task Scheduler did not launch task "\MyScriptName" because instance "{317256a8-7ddf-4cf8-8267-90ab66c84907}" of the same task is already running.
The delete event logs are listed one after another, and I think that Task Scheduler won't start the script as another instance is running.
What you can do is add a small delay to the script and let the script read multiple events and send them in one report, instead of having each event sent alone.
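One way to implement the batching suggested in the reply above, as an added example that is not code from either poster: it replaces `-MaxEvents 1` with a record-ID bookmark, so events from a trigger that Task Scheduler skipped are picked up by the next run. The bookmark file, the 30-second delay, the one-hour first-run window and the mail settings are assumptions; the property positions and the `0x4` filter are copied from the original script.

```powershell
# Added example: report every matching 4663 event since the previous run in one mail.
# Assumed values (not in the original script): $StateFile, the delay, mail placeholders.
$EventId    = 4663
$BackupDir  = 'E:\BackupEventLog'                       # folder from the original script
$StateFile  = Join-Path $BackupDir 'LastRecordId.txt'   # hypothetical bookmark file
$EmailFrom  = 'sender@example.com'                      # placeholder
$EmailTo    = 'admin1@example.com', 'admin2@example.com' # placeholders
$SMTPServer = 'smtp.example.com'                        # placeholder

# Let a bulk delete/create finish writing its events before reading the log.
Start-Sleep -Seconds 30

# Resume after the last reported record; on the first run look back one hour only.
$newer = if (Test-Path $StateFile) {
    "EventRecordID > $([long](Get-Content $StateFile -TotalCount 1))"
} else { 'TimeCreated[timediff(@SystemTime) <= 3600000]' }
$xpath = "*[System[(EventID=$EventId) and $newer]]"

# No -MaxEvents: every new record is returned, oldest first after sorting.
$events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq '0x4' } |  # same filter as the original script
    Sort-Object RecordId)
if ($events.Count -eq 0) { return }

# One report line per event: time, DOMAIN\account, path.
$lines = foreach ($e in $events) {
    '{0:yyyy-MM-dd HH:mm:ss}  {1}\{2}  {3}' -f $e.TimeCreated, $e.Properties[2].Value, $e.Properties[1].Value, $e.Properties[6].Value
}

# Export the covered record range once (it may include 4663 records the filter skipped).
$first = $events[0].RecordId; $last = $events[-1].RecordId
$evtx  = Join-Path $BackupDir ('{0}.evtx' -f (Get-Date -Format 'yyyyMMdd_HHmmss'))
$session = New-Object System.Diagnostics.Eventing.Reader.EventLogSession
$session.ExportLog('Security', 'LogName',
    "*[System[(EventID=$EventId) and (EventRecordID >= $first) and (EventRecordID <= $last)]]", $evtx)

# Single mail for the whole batch; stop on failure so the bookmark is not advanced.
$body = "Event log file: $evtx`n$($events.Count) event(s) on $($events[0].MachineName)`n`n" + ($lines -join "`n")
Send-MailMessage -SmtpServer $SMTPServer -Port 587 -UseSsl -From $EmailFrom -To $EmailTo `
    -Subject "Alert From $($events[0].MachineName)" -Body $body -Attachments $evtx -ErrorAction Stop

# Record the newest reported event so the next run starts after it.
Set-Content -Path $StateFile -Value $last
```

Because each run reads forward from the stored record ID, it no longer matters how many times the task was triggered or whether an instance was skipped while another was running.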