I worked on the following PowerShell Script to email event log content (for example, event ID 4720 that shows the user creation on DCs) which is already triggered by event viewer with "running program" option (you must run "powershell -filter "<script path>""). Please check the following script and let me know if you have any issues with this. I hope that it will be useful. FYI, Please change the following variables in the script before using it on Test/Production environment. -$strFrom = "<insert your email address which you want send from>" -$strTo = "<insert your email address which you want send to>" -$strSMTPServer = "<insert your smtp address which is already configured to send bulk mails.>" Best Regard, Babak Ramak
Clear-Host
# ======================== # Collection Data Section # ========================
Function EventID-To-HTML($ComputerName = $env:COMPUTERNAME) { $EventResult = wevtutil qe Security /rd:true /c:1 /f:renderedxml /q:"*[System[(EventID=4720)]]" if ($EventResult -eq $null){exit} $xmlEventResult = [xml]$EventResult
$EventDate = $xmlEventResult.Event.System.TimeCreated.SystemTime $EventDate = Get-Date $EventDate -format ('MM-dd-yyyy hh:mm:ss') $htmlStart = "<HTML> <HEAD> <style> body {background-color:rgb(238, 238, 238);} body, table, td, th {font-family:Calibri; color:Black; Font-Size:11pt} th {font-weight:bold; background-color:rgb(78, 227, 48);} td {background-color:rgb(255, 190, 0);} </style> </HEAD> <BODY><div align=center> <h2><b><br><br>Security Alert: <span Style='font-style:normal; color:Blue'>A user account was created</span></b></h2> <p><b><br>This event occurred at: <span Style='font-style:italic; color:Blue'>$EventDate on $ComputerName</span></b></p>" $htmlEnd = '' $htmlStart
$xmlEventResult.Event.EventData.Data | Select-Object Name, @{Label = "Value"; Expression={$_."#Text"}} | Group-Object -Property __Class | ForEach-Object {$_.Group | Select-Object -Property * | ConvertTo-HTML -Body ('' -f "$_.Name")} $htmlStart = '' $htmlStart = $htmlStart + "<br><i><span Style='color:red'>This report has been generated by software</i> <br><i>Please DO NOT reply.</i></div>" $htmlStart $htmlEnd = '' $htmlEnd }
# ====================== # Sending Email Section # ======================
$strFrom = "<insert your email address which you want send from>" $strTo = "<insert your email address which you want send to>" $strSubject = "*** Event Listener - User Creation ***" $strSMTPServer = "<insert your smtp address which already configured to send bulk mails.>"
$objEmailMessage = New-Object system.net.mail.mailmessage $objEmailMessage.From = ($strFrom) $objEmailMessage.To.Add($strTo) $objEmailMessage.Subject = $strSubject $objEmailMessage.IsBodyHTML = $true $objEmailMessage.Body = EventID-To-HTML
$objSMTP = New-Object Net.Mail.SmtpClient($strSMTPServer) $objSMTP.Send($objEmailMessage)
Richard Mueller edited Revision 5. Comment: Changed tags "Windows 2008" and "Windows 2008 R2" to "Windows Server 2008" and "Windows Server 2008 R2"
Maheshkumar S Tiwari edited Revision 4. Comment: Added Tag
Fantastic man, you helped me. Thanks
This is a great script. I have it working to send notification of account intruder lockout. I would like to add the TargetUserName value to the subject line of the email. How can I capture that value into a variable and add it to the subject line?