As a Windows network administrator, you have limited time on your hands. If you can automate a task it means that you have saved yourself some money! Well, the Event Viewer and the associated logs have for years been a "pain in the neck" for Windows administrators. The Event Viewer did not provide any method for associating automation to specific events when they are generated. You know what I mean... "When Event ID 4022 is logged, send me an email immediately!" Well, that time has arrived. The new Windows Vista, 7, and Server 2008 Event Viewers all have the ability to link a scheduled task to either an entire log or a specific event.
You only need one of these computers to take advantage of this, even if you have something else (Windows Server 2003 and XP), it will still work! Keep reading.
Overview of Events and Logs
Within each Event Viewer on your desktops and servers you have pre-defined logs. These logs are designed to track the typical actions that you would want to know about on your computer in order to see what is occurring during a troubleshooting situation. The default logs for Windows 2000/XP and Windows Server 2000/2003 are:
- Application Log
- Security Log
- System Log
Windows Vista/7 and Server 2008 add an additional log, which is the Setup Log.
Your domain controllers are a bit different, as they contain logs for the following:
- Application Log
- DFS Replication (2008)
- Directory Service
- DNS Service
- File Replication Service
- Security Log
- System Log
As you can see, each type of computer has a different configuration of logs. These logs can get very large and difficult to manage, especially when you are remotely trying to analyze events on a server over a slow connection.
Not only do the logs differ from operating system to operating system, so do the events. The structure of the events from Windows 2000/2003/XP to Windows Vista/7/2008 differ greatly. The good news is that the events are easier to read, have better descriptions, and are easier to move between in the interface. The typical event entry will contain the following details:
These entries vary slightly in Windows Server 2008/7, but not by much. Figure 1 illustrates what a typical event looks like in Windows 2008/7.
Figure 1: Standard event format in Windows Server 2008/7
If you have 10,000 desktops and 1,000 servers in your organization, today you do not have a solution to easily sift through the logs on each computer, looking for the event(s) you need in an efficient manner. The only way you really have to get through all of these events today is to manually go through each log, create a script to do the analysis for you, or buy a third party product that can analyze and report when specific events are found.
Scheduled Tasks and the Event Viewer
In Windows Vista/7/2008 Microsoft added some amazing new features to the Event Viewer. One of these options is the ability to associate a task to a log or an event. You can configure two levels of tasks to associate with events in the Event Viewer. There is a standard "Create Task" option and a streamlined "Create a Basic Task" option.
From within Event Viewer you can only access the Create a Basic Task option. In order to do this, follow these steps:
- Open Event Viewer
- Expand the list of logs on the left side of the Window
- Click on the desired log on the left side of the Window
- Click on the "Attach Task To This Event..." on the right side of the Window
- This should launch the "Create Basic Task Wizard", as shown in Figure 2.
Figure 2: Create Basic Task Wizard associates a task to an event in Event Viewer
If you are running Windows Server 2008, you will also be able to associate a task to the log. The steps are the same for this option, all you need to do is select the "Attach a Task To this Log..." option on the right hand side of the Window for step 4.
To setup these tasks within the Task Scheduler, the actions are much easier. You simply right-click on the Event Viewer Tasks node, then select either "Create Basic Task" or "Create Task". Both options will associate tasks to the Event Viewer. It is clear that the Basic Task is much easier, but the standard Task provides ultimate control over what you want to pivot upon.
Creating a Basic Task
The basic task is just that, basic. It provides an easy and simple way to associate a task to an event or schedule with little other definitions. For the Basic task, you will simply define the following:
- Task Name
- Task Description
- Task frequency
- Event trigger (if not on frequency)
- Task action (email, program, message)
This is wizard driven and very easy to setup. You can see the Basic Wizard in Figure 3, where it is asking you to define the event ID.
Figure 3: The Basic Task Wizard allows you to trigger the task based on an event ID
Creating a Task (Standard, which is more detailed!)
The steps to get to a standard task are the same as a basic task, but the options within are dramatically different. When you launch the Create Task dialog box, you have many options to configure.
First, you will need to fill out the General tab, which is shown in Figure 4.
Figure 4: Create Task General tab
Then, you will need to make decisions for the triggers by filling out the Triggers tab. To do this, you must add in new triggers by selecting the New button. When you do this, you will have the New Trigger dialog box show up, which is shown in Figure 5.
Figure 5: New Trigger dialog box, accessed from Triggers tab
Next, you will need to define actions for your task. On the Actions tab you will select the New button and the New Action dialog box will appear, as shown in Figure 6.
Figure 6: New Action dialog box for your task
Almost done, you need to fill out the Conditions tab. Here you configure whether the task should run based on the other criteria you have configured. The Conditions tab is shown in Figure 7.
Figure 7: Conditions tab for your task
Finally, you have the Settings tab. This tab allows you to configure more details behavior of your task and actions for your Event Viewer events. You can see these options in Figure 8.
Figure 8: Settings tab for your task
As you can see, you have plenty of options when configuring tasks to be associated with Event Viewer. You can opt for the basic task, which is very easy to setup and the standard task, which is slightly more complicated but gives you the ability to set up a detailed and granular task to be associated with nearly any activity in your Event Viewer. Don't forget, if you only run Windows Server 2003 and XP for your network, you can use the forwarding and subscriptions to forward your events to a Windows Server 2008/7 computer and still leverage these tasks! To read more follow this link.