I have an event with event ID = 0, which makes creating an email alert by event ID not feasible. How can I create an email alert using the message content (in the EventData/Data attributes)? Can I use PowerShell or another method?

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Test Portal"/>
        <EventID Qualifiers="0">0</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2023-02-03"/>
        <EventRecordID>336</EventRecordID>
        <Channel>Application</Channel>
        <Computer></Computer>
        <Security/>
      </System>
      <EventData>
        <Data>Message: Your Service is not available.</Data>
      </EventData>
    </Event>

You can use PowerShell to find and parse the Windows Event Log like below. In this case, it will look for events in the 'Application' log with an ID of 0.
For the demo I have limited the search to a maximum of 50 items, but you can set your own value of course.

    $result = Get-WinEvent -FilterHashtable @{LogName='Application';ID=0} -MaxEvents 50 | ForEach-Object {
        # convert the event to XML and grab the Event node
        $eventXml = ([xml]$_.ToXml()).Event
        # output the values from the XML representation
        [PsCustomObject]@{
            Provider = $eventXml.System.Provider.Name
            Message  = $eventXml.EventData.Data #.'#text'
            Date     = [DateTime]$eventXml.System.TimeCreated.SystemTime
        }
    }

Now in variable $result you have objects you can use in your email.
When output on screen you will see something like

    $result | Format-Table -AutoSize

    Provider    Message                                 Date
    --------    -------                                 ----
    edgeupdate  Service stopped                         4-3-2023 11:38:52
    gupdate     Service stopped                         4-3-2023 11:38:32
    Test Portal Message: Your Service is not available. 4-3-2023 11:38:32
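
Building on the answer above, here is an added example (not part of the original posts) that matches on the provider and message text instead of the event ID, sends one email per run, and remembers the last EventRecordID so the same event is not reported twice. The SMTP server, the addresses and the state-file path are placeholders, and the script is assumed to run periodically, for instance from a scheduled task.

```powershell
# Added example. SMTP server, addresses and state-file path are placeholders.
$smtpServer = 'smtp.example.com'
$from       = 'alerts@example.com'
$to         = 'ops@example.com'
$stateFile  = Join-Path $env:ProgramData 'TestPortalAlert.lastid'
$provider   = 'Test Portal'                       # Provider Name from the event above
$pattern    = '*Your Service is not available*'   # text to match in EventData/Data

# Highest EventRecordID handled by a previous run (0 on the first run)
$lastId = 0
if (Test-Path $stateFile) { $lastId = [long](Get-Content $stateFile -TotalCount 1) }

# Same log/ID filter as the answer, restricted to records not yet handled
$new = @(Get-WinEvent -FilterHashtable @{LogName='Application';ID=0} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastId })

$hits = @(foreach ($evt in $new) {
    if ($evt.ProviderName -ne $provider) { continue }
    $eventXml = ([xml]$evt.ToXml()).Event
    # EventData can hold one <Data> element or several; join them into one string
    $text = @($eventXml.EventData.Data | ForEach-Object {
        if ($_ -is [string]) { $_ } else { $_.'#text' }
    }) -join ' '
    if ($text -like $pattern) {
        [PSCustomObject]@{
            RecordId = $evt.RecordId
            Computer = $evt.MachineName
            Date     = $evt.TimeCreated
            Message  = $text
        }
    }
})

if ($hits.Count -gt 0) {
    # Event text is untrusted input: send it as plain text, not as HTML
    $mail = @{
        SmtpServer = $smtpServer
        From       = $from
        To         = $to
        Subject    = "[$provider] $($hits.Count) matching event(s) in Application log"
        Body       = ($hits | Format-List | Out-String)
    }
    Send-MailMessage @mail -ErrorAction Stop
}

# Record progress only after the mail went out, so a failed send is retried
if ($new.Count -gt 0) {
    [long]($new | Measure-Object -Property RecordId -Maximum).Maximum | Set-Content $stateFile
}
```

If the log is cleared, record IDs start over, so delete the state file at the same time.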