Monitoring windows event logs to cancel each other

Hey guys,
I need to be able to alert when a certain Windows event log ID 139 is produced, and when another ID 149 is produced it should cancel the alert.

Is there a proper way to monitor these 2 event logs like this? I thought about a while loop but it was not successful.

Netanelp,
Welcome to the forum. :wave:t4:

There is always a way. :wink:

Please show what you have so far and share your code and why it was not successful and the error messages you might have got. I’m pretty sure we can find a solution together.

(When you post code or error messages please format it as code using the preformatted text button </>. Simply place your cursor on an empty line, click the button and paste your code)

Thanks in advance

Hey,
Thanks for the welcome.
I’m stuck with this code, trying it with if/else this time.

- I’m retrieving the latest event of each of the event IDs
- As it sometimes resumes automatically I gave it a time buffer of 5 minutes and measured it so I won’t get CRITICAL status if it recovered.
- I’m trying to figure out a way to set status to CRITICAL if only event 139 is displayed AND event 149 is not present.

# Latest "stopped" (139) and latest "resumed" (149) event from the last 30 minutes
$Event139 = Get-EventLog Service -After (Get-Date).AddMinutes(-30) | where {($_.InstanceID -eq 139) -and ($_.Message -match "stopped")} | select TimeGenerated,InstanceID,Message -First 1
$Event149 = Get-EventLog Service -After (Get-Date).AddMinutes(-30) | where {($_.InstanceID -eq 149) -and ($_.Message -match "resumed")} | select TimeGenerated,InstanceID,Message -First 1
# Only subtract when both events were found; positive when the resume came after the stop
if($Event139 -and $Event149){ $tdiff = $Event149.TimeGenerated - $Event139.TimeGenerated }

if($Event139 -and $Event149 -and $tdiff.TotalMinutes -lt 5){
write-host "Status Ok"
}elseif($Event139 -and !$Event149){
Write-Host "Status Critical"
}

I wouldn’t use Get-Eventlog anymore as it is deprecated. Use Get-WinEvent instead. :wink:

When you run this in a loop and there is one loop iteration without an event 149, the variable will still exist and probably be filled in from an earlier loop iteration. So you should remove the variable for each loop iteration. … maybe like this:

(I don’t know what provider produces the events you’re after so I used System to show how it works)

# Clear the results of the previous iteration; SilentlyContinue avoids an error on the first run
Remove-Variable -Name 'Event139', 'Event149', 'TimeDiff' -ErrorAction SilentlyContinue

$ThirtyMinutesAgo = (Get-Date).AddMinutes(-30)

$FilterHashTable = @{
    LogName   = 'System'
    StartTime = $ThirtyMinutesAgo
    Id        = 139
}
# Get-WinEvent returns the newest event first and writes a non-terminating error when nothing matches
$Event139 = Get-WinEvent -FilterHashtable $FilterHashTable -MaxEvents 1 -ErrorAction SilentlyContinue

$FilterHashTable = @{
    LogName   = 'System'
    StartTime = $ThirtyMinutesAgo
    Id        = 149
}
$Event149 = Get-WinEvent -FilterHashtable $FilterHashTable -MaxEvents 1 -ErrorAction SilentlyContinue

# Only compute the span when both events exist; positive when the resume (149) came after the stop (139)
if ($Event139 -and $Event149) {
    $TimeDiff = New-TimeSpan -Start $Event139.TimeCreated -End $Event149.TimeCreated
}

if ($Event139 -and $Event149 -and $TimeDiff.TotalMinutes -lt 5) {
    'Status Ok'
}
elseif ($Event139 -and -not $Event149) {
    'Status Critical'
}
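The same stop/resume check, written as a function that compares the newest 139 against the newest 149 so a resume only cancels a stop that happened before it, and that stays quiet during a grace period before going Critical. This is an added example, not code from the thread; the 'System' log name, the 5-minute grace period, the 60-second poll interval and the sample events are assumptions and constructed test data, to be replaced with the real provider's log name.

```powershell
# Added example (not from the original thread). Log name, grace period and poll
# interval are hypothetical; the sample events below are constructed, not real log output.

function Get-StopResumeStatus {
    param(
        # Event objects with at least Id and TimeCreated (Get-WinEvent output or constructed test data)
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events,
        [int]$StopId = 139,
        [int]$ResumeId = 149,
        [int]$GraceMinutes = 5,
        [datetime]$Now = (Get-Date)
    )

    # Most recent occurrence of each ID; $null when the ID did not occur in the window
    $lastStop   = $Events | Where-Object Id -eq $StopId   | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $lastResume = $Events | Where-Object Id -eq $ResumeId | Sort-Object TimeCreated -Descending | Select-Object -First 1

    if (-not $lastStop) {
        return [pscustomobject]@{ Status = 'Ok'; Reason = 'no stop event in window' }
    }

    # A resume only cancels a stop that happened before it; an older resume does not
    if ($lastResume -and $lastResume.TimeCreated -gt $lastStop.TimeCreated) {
        return [pscustomobject]@{ Status = 'Ok'; Reason = "resumed at $($lastResume.TimeCreated)" }
    }

    # Stop not (yet) cancelled: stay quiet during the grace period, then alert
    $age = $Now - $lastStop.TimeCreated
    if ($age.TotalMinutes -lt $GraceMinutes) {
        return [pscustomobject]@{ Status = 'Pending'; Reason = "stopped $([int]$age.TotalMinutes) min ago, within grace period" }
    }
    return [pscustomobject]@{ Status = 'Critical'; Reason = "stopped at $($lastStop.TimeCreated) and not resumed" }
}

function Get-RecentEvents {
    param([string]$LogName = 'System', [int[]]$Ids = @(139, 149), [int]$WindowMinutes = 30)
    # Get-WinEvent writes a non-terminating error when nothing matches; turn that into an empty array
    $filter = @{ LogName = $LogName; Id = $Ids; StartTime = (Get-Date).AddMinutes(-$WindowMinutes) }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

# --- Constructed sample data exercising the three outcomes ---
$t = Get-Date '2024-01-01 12:00:00'
$sample = @(
    [pscustomobject]@{ Id = 139; TimeCreated = $t.AddMinutes(-20) }   # stopped
    [pscustomobject]@{ Id = 149; TimeCreated = $t.AddMinutes(-18) }   # resumed after the stop
)
Get-StopResumeStatus -Events $sample -Now $t                         # Status Ok

$sample += [pscustomobject]@{ Id = 139; TimeCreated = $t.AddMinutes(-10) }  # newer stop, no newer resume
Get-StopResumeStatus -Events $sample -Now $t                         # Status Critical

Get-StopResumeStatus -Events $sample -Now $t.AddMinutes(-8)          # stop only 2 min old: Pending

# --- Live polling loop (the while loop from the question); Ctrl+C to stop ---
# while ($true) {
#     $state = Get-StopResumeStatus -Events (Get-RecentEvents)
#     "$(Get-Date -Format s) $($state.Status): $($state.Reason)"
#     Start-Sleep -Seconds 60
# }
```

Keeping the decision in a function that takes the events as a parameter means the logic can be checked with constructed objects like the ones above, and the loop itself only fetches both IDs in one Get-WinEvent call per iteration, so there is no leftover variable from a previous pass.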

Hey,
I actually didn’t know that Get-WinEvent was the better option as I saw people’s examples using only Get-EventLog.

This seems to work well for the tests I performed.

Thank you very much for the quick and detailed response!