Recently in Tips & Tricks Category
Automatic Windows Updates are a wonderful thing when they are working as expected, and many organizations employ WSUS or patch management software to keep their infrastructure up to date with the latest Microsoft hot fixes and service packs.
While this works for many, not everybody can afford patch management software, and, while free, managing the disk-hungry WSUS can be a daunting task as well. This leaves some sysadmins to use the old-fashioned Windows Updates to install all the regular and out-of-band patches Microsoft releases.
If you don't feel comfortable installing patches automatically however, configuring Windows Update to "download updates for later manual installation" is often safer and more predictable. But, if you're not logging on to the server(s), you won't know whether one or more updates are ready for installation or not. Even if you're just managing one server, checking in on a regular basis can be a waste of time.
This is where EventSentry and its log file monitoring feature comes in. It turns out that Windows, like a diligent ship captain, logs all activity to a log file. And with all, I really do mean ALL. The file I'm talking about is windowsupdate.log, and it tells you just about everything that's going on with Windows Update. In 3-4 steps that don't take longer than 5 minutes, you can setup real-time monitoring of the WindowsUpdate.log file, and be notified when updates are about to be downloaded to a monitored computer.The screenshot below shows what such an email from EventSentry would look like:
From then on, you can either get email notifications when patches are downloaded, or use the web-based reporting to view a report from all of your monitored hosts. On a high level, the configuration works like this:
1. Setup a log file (%systemroot%\windowsupdate.log in this case)
2. Create & assign a new log file package
3. Define a log file filter (this tells EventSentry what to look for in the file, and where to send it)
4. Setup an email action (this is usually already setup)
5. Optionally setup an event log filter to forward alerts to email (the default filter setup should automatically forward warnings)
The WindowsUpdate.log is useful for troubleshooting as well, and you can consolidate the content of this file from all of your servers in the central EventSentry database. This makes searching for text and/or comparing the log from multiple servers a breeze. Having the log file accessible through the web reports is also useful when a patch caused problems and the server is offline. You can view the most recent activity from the log file through the web-based reporting even when the server is unavailable.
So how do you set this up? Assuming you have EventSentry v2.93 installed (any edition will do, including the free "light" version), you can follow the steps outlined below. Note that all steps will need to be performed in the EventSentry management console.
1. Setup a file definition. This tells EventSentry which file you want to monitor, and sets up a logical representation of that file in the EventSentry configuration. In the "Tools" menu, click "Log Files and File Types" and then click the "Add" button.
2. Create a package and add a filter. Right-click the "Log File Packages" container, select "Add Package" and choose a descriptive name. Since new packages are unassigned by default, right-click the newly created package, select "Assign" and assign the package to host(s) on which you want to monitor the Windowsupdate log file.
3. Setup a log file filter. This tells EventSentry which content of the monitored file you are interested in. In every log file filter you can configure a database as well as an event log filter.
Right-click the previously created package and select "Add File". From the list, select the log file definition created in step 1, "WindowsUpdateLog". Select the new log file.
The database tab determines which content goes to the database (in most cases you will write all file contents to the database), while the event log tab determines which log file contents are written to the event log. For this project, we are interested in the following wildcard matches:
*AU*# Approved Updates =*
*DnldMgr*Updates to download =*
The first wildcard match will tell you the total number of updates which have been approved and will be downloaded, whereas the 2nd line will fire for every individual update which will be downloaded. In most cases the first line is sufficient and the 2nd line can be skipped.
That's it! With this setup, you will immediately get notified when patches are ready to be installed. The only thing I didn't mention here is how to setup an email action and corresponding event log filter, since both of these are usually already setup by default. If you need help with this, please check out our documentation and/or tutorials.
Please note that the full and evaluation version of EventSentry can inventory installed software and patches. This enables you to use the web interface for viewing/searching installed patches, and get (email) alerts when a patch has been successfully installed.
As always, happy monitoring!
Windows Server has long provided admins the ability to create a software RAID, enabling redundant disks without a (potentially expensive) hardware RAID controller. If you are already using Windows Server 2008's software RAID capabilities, and think that Windows will somehow notify you when a disk in an array fails, then you can skip to "Just say something!" below.
Background
Creating a RAID can all be done from Disk Management view in the Computer Management console, without any scripting or command-line tools.
Software RAIDs are not as powerful and fast as their hardware counterparts, but are nevertheless a good way to enable disk redundancy. Software RAIDs make sense in a variety of scenarios:
• When you are on a budget and don't want to spend a few hundred $$ on a hardware RAID controller
• When you need to enable redundancy on a server that wasn't originally designed with redundancy in mind (as if that would ever happen!)
• When you need to add redundancy to a server without reinstalling the OS or restoring from backup
Windows Server lets you do all this, and it's included with the OS - so why not take advantage of it? The last point is often overlooked I think - you can literally just add a hard disk to any non-redundant Windows server and create a mirror - with less than dozen clicks!
Since this article is starting to sound like a software raid promotion, and for the sake of completeness, I am listing SOME of the advantages of a hardware RAID here as well:
• Faster performance due to dedicated hardware, including cache
• More RAID levels than most software RAIDs
• Hot-plug replacement of failed disks
• Ability to select a hot spare disk
• Better monitoring capabilities (though this article will alleviate this somewhat)
But despite being far from perfect, software RAIDs do have their time and place.
Just Say Something Please!
Unfortunately, despite all the positive things about software RAID, there is a major pitfall on Windows 2008: The OS will not tell you when the RAID has failed. If the RAID is in a degraded state (usually because a hard disk is dead) then you will not know unless you navigate to the Disk Management view. The event logs are quiet, there are no notifications (e.g. tray), and even WMI is silent as a grave. Nothing. Nada. Nix.
What's peculiar is that this is a step back from Windows 2003, where RAID problems were actually logged to the System event log with the dmboot and dmio event sources. What gives?
Even though a discussion on why that is (or is not) seems justified, I will focus on the solution instead.
The Solution
Fortunately, there is a way to be notified when a RAID is "broken", thanks in part to the diskpart.exe tool (which is part of Windows) and EventSentry. With a few small steps we'll be able to log an event to the event log when a drive in a software RAID fails, and send an alert via email or other notification methods.
Diskpart is pretty much the command-line interface to the Disk Management MMC snap-in, which allows you to everything the MMC snap-in does - and much more! One of the things you can do with the tool is to review the status of all (logical) drives. Since we're interested as to whether a particular RAID-enabled logical drive is "Healthy", we'll be looking at logical drives.
So how can we turn diskpart's output into an email (or other) alert? Simple: We use EventSentry's application scheduler to run diskpart.exe on a regular basis (and since the tool doesn't stress the system it can be run as often as every minute) and generate an alert. The sequence looks like this:
• EventSentry runs our VBScript (which in turn runs diskpart) and captures the output
• When a problem is detected, EventSentry logs an error event 10200 to the application event log, including output from step 1.
• An event log filter looks for a 10200 error event, possibly looking at the event message as well (for custom routing).
Diskpart
Diskpart's output is pretty straightforward. If you just run diskpart and execute the "list volume" command, you will see output similar to this:
Notice the "Status" column, which indicates that our "BOOT" volume is feeling dandy right now. However, when a disk fails, the status is updated and reads "Failed Rd" instead:
Technically, scripting diskpart is a bit cumbersome, as the creators of the tool want you to specify any commands to pass to diskpart in a text file, and in turn specify that text file with the /s parameter. This makes sense, since diskpart can automate partitioning, which can certainly result in a dozen or so commands.
For our purposes however it's overkill, so we can trick diskpart by running a single command:
which will yield the same results as above, without the need of an "instruction" file.
The easy way out
The quickest way (though per usual not the most elegant) to get RAID notifications is to create a batch file (e.g. list_raid.cmd) with the content shown earlier
and execute the script on a regular basis (e.g. every minute) which will result in the output of the diskpart command being logged to the event log as event 10200.
Then, you can create an include filter in an event log package, which will look for the following string:
If your EventSentry configuration is already setup to email you all new errors then you don't even have to setup an event log filter - just creating the script and scheduling it will do the trick.
But surely you will want to know how this can be accomplished in a more elegant fashion? Yes? Excellent, here it is.
A Better Solution
One problem with the "easy way out" is that it will not detect all Non-Ok RAID statuses, such as:
• At Risk
• Rebuild
Furthermore, the output can be rather verbose, and will include any logical drive, include CD-ROMs, removable disks and others.
It is for this reason we have created a VBScript, which will parse the output of the diskpart command with a regular expression, and provide the following:
• A filtered output, showing only drives in a software raid
• Formatted output, showing only relevant drive parameters
• Detecting any Non-Healthy RAID
Alas, an example output of the script is as follows:
Much nicer, isn't it? If a problem is detected, then output will be more verbose:
The VBScript will look at the actual "Status" column and report any status that is not "Healthy", a more accurate way to verify the status of the RAID.
Since the script has a dynamic ERRORLEVEL, it's not necessary to evaluate the script output - simply evaluating the return code is sufficient.
Implementation
Let's leave the theory behind us and implement the solution, which requires only three steps:
1. Create an embedded script (we will include this script with v2.93 by default) through the Tools -> Embedded Scripts option, based on the VBScript below. Select "cscript.exe" as the interpreter. Embedded scripts are elegant because they are automatically included in the EventSentry configuration - no need to manage the scripts outside EventSentry.
2. Create a new System Health package and add the "Application Scheduler" object to it. Alternatively you can also add the Application Scheduler object to an existing system health package. Either way, schedule the script with a recurring schedule.
Note that commands starting with the @ symbol are embedded scripts. The "Log application return code 0 to event log ..." option is not selected here, since the script runs every minute and would generate 1440 entries per day. You may want to enable this option first to ensure that your configuration is working, or if you don't mind having that many entries in your application log. It's mainly a matter of preference.
3. This step is optional if you already have a filter in place which forwards Errors to a notification. Otherwise, create an event log filter which looks for the following properties:
Log: Application
Severity: Error
Source: EventSentry
ID: 10200
Text (optional): "WARNING: One or more redundant drives*"
The VBScript
Background
Creating a RAID can all be done from Disk Management view in the Computer Management console, without any scripting or command-line tools.
Software RAIDs are not as powerful and fast as their hardware counterparts, but are nevertheless a good way to enable disk redundancy. Software RAIDs make sense in a variety of scenarios:
• When you are on a budget and don't want to spend a few hundred $$ on a hardware RAID controller
• When you need to enable redundancy on a server that wasn't originally designed with redundancy in mind (as if that would ever happen!)
• When you need to add redundancy to a server without reinstalling the OS or restoring from backup
Windows Server lets you do all this, and it's included with the OS - so why not take advantage of it? The last point is often overlooked I think - you can literally just add a hard disk to any non-redundant Windows server and create a mirror - with less than dozen clicks!
Since this article is starting to sound like a software raid promotion, and for the sake of completeness, I am listing SOME of the advantages of a hardware RAID here as well:
• Faster performance due to dedicated hardware, including cache
• More RAID levels than most software RAIDs
• Hot-plug replacement of failed disks
• Ability to select a hot spare disk
• Better monitoring capabilities (though this article will alleviate this somewhat)
But despite being far from perfect, software RAIDs do have their time and place.
Just Say Something Please!
Unfortunately, despite all the positive things about software RAID, there is a major pitfall on Windows 2008: The OS will not tell you when the RAID has failed. If the RAID is in a degraded state (usually because a hard disk is dead) then you will not know unless you navigate to the Disk Management view. The event logs are quiet, there are no notifications (e.g. tray), and even WMI is silent as a grave. Nothing. Nada. Nix.
What's peculiar is that this is a step back from Windows 2003, where RAID problems were actually logged to the System event log with the dmboot and dmio event sources. What gives?
Even though a discussion on why that is (or is not) seems justified, I will focus on the solution instead.
The Solution
Fortunately, there is a way to be notified when a RAID is "broken", thanks in part to the diskpart.exe tool (which is part of Windows) and EventSentry. With a few small steps we'll be able to log an event to the event log when a drive in a software RAID fails, and send an alert via email or other notification methods.
Diskpart is pretty much the command-line interface to the Disk Management MMC snap-in, which allows you to everything the MMC snap-in does - and much more! One of the things you can do with the tool is to review the status of all (logical) drives. Since we're interested as to whether a particular RAID-enabled logical drive is "Healthy", we'll be looking at logical drives.
So how can we turn diskpart's output into an email (or other) alert? Simple: We use EventSentry's application scheduler to run diskpart.exe on a regular basis (and since the tool doesn't stress the system it can be run as often as every minute) and generate an alert. The sequence looks like this:
• EventSentry runs our VBScript (which in turn runs diskpart) and captures the output
• When a problem is detected, EventSentry logs an error event 10200 to the application event log, including output from step 1.
• An event log filter looks for a 10200 error event, possibly looking at the event message as well (for custom routing).
Diskpart
Diskpart's output is pretty straightforward. If you just run diskpart and execute the "list volume" command, you will see output similar to this:
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 System Rese NTFS Simple 100 MB Healthy System
Volume 1 C NTFS Mirror 141 GB Healthy Boot
Volume 2 D System Rese NTFS Simple 100 MB Healthy
Notice the "Status" column, which indicates that our "BOOT" volume is feeling dandy right now. However, when a disk fails, the status is updated and reads "Failed Rd" instead:
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 System Rese NTFS Simple 100 MB Healthy System
Volume 1 C NTFS Mirror 141 GB Failed Rd Boot
Volume 2 D System Rese NTFS Simple 100 MB Healthy
Technically, scripting diskpart is a bit cumbersome, as the creators of the tool want you to specify any commands to pass to diskpart in a text file, and in turn specify that text file with the /s parameter. This makes sense, since diskpart can automate partitioning, which can certainly result in a dozen or so commands.
For our purposes however it's overkill, so we can trick diskpart by running a single command:
echo list volume | diskpartwhich will yield the same results as above, without the need of an "instruction" file.
The easy way out
The quickest way (though per usual not the most elegant) to get RAID notifications is to create a batch file (e.g. list_raid.cmd) with the content shown earlier
echo list volume | diskpartand execute the script on a regular basis (e.g. every minute) which will result in the output of the diskpart command being logged to the event log as event 10200.
Then, you can create an include filter in an event log package, which will look for the following string:
*DISKPART*Status*Failed Rd*If your EventSentry configuration is already setup to email you all new errors then you don't even have to setup an event log filter - just creating the script and scheduling it will do the trick.
But surely you will want to know how this can be accomplished in a more elegant fashion? Yes? Excellent, here it is.
A Better Solution
One problem with the "easy way out" is that it will not detect all Non-Ok RAID statuses, such as:
• At Risk
• Rebuild
Furthermore, the output can be rather verbose, and will include any logical drive, include CD-ROMs, removable disks and others.It is for this reason we have created a VBScript, which will parse the output of the diskpart command with a regular expression, and provide the following:
• A filtered output, showing only drives in a software raid
• Formatted output, showing only relevant drive parameters
• Detecting any Non-Healthy RAID
Alas, an example output of the script is as follows:
Status of Mirror C: (Boot) is "Healthy"
Much nicer, isn't it? If a problem is detected, then output will be more verbose:
**WARNING** Status of Mirror C: (Boot) is "Failed Rd"
WARNING: One or more redundant drives are not in a "Healthy" state!
The VBScript will look at the actual "Status" column and report any status that is not "Healthy", a more accurate way to verify the status of the RAID.
Since the script has a dynamic ERRORLEVEL, it's not necessary to evaluate the script output - simply evaluating the return code is sufficient.
Implementation
Let's leave the theory behind us and implement the solution, which requires only three steps:
1. Create an embedded script (we will include this script with v2.93 by default) through the Tools -> Embedded Scripts option, based on the VBScript below. Select "cscript.exe" as the interpreter. Embedded scripts are elegant because they are automatically included in the EventSentry configuration - no need to manage the scripts outside EventSentry.
2. Create a new System Health package and add the "Application Scheduler" object to it. Alternatively you can also add the Application Scheduler object to an existing system health package. Either way, schedule the script with a recurring schedule. Note that commands starting with the @ symbol are embedded scripts. The "Log application return code 0 to event log ..." option is not selected here, since the script runs every minute and would generate 1440 entries per day. You may want to enable this option first to ensure that your configuration is working, or if you don't mind having that many entries in your application log. It's mainly a matter of preference.3. This step is optional if you already have a filter in place which forwards Errors to a notification. Otherwise, create an event log filter which looks for the following properties:
Log: Application
Severity: Error
Source: EventSentry
ID: 10200
Text (optional): "WARNING: One or more redundant drives*"
The VBScript
' Lists all logical drives on the local computer which are configured for
' software RAID. Returns an %ERRORLEVEL% of 1 if any redundant drive is
' not in a "Healthy" state. Returns 0 otherwise.
'
' Supports Windows Vista/7, Windows 2008/R2
Option Explicit
Dim WshShell, oExec
Dim RegexParse
Dim hasError : hasError = 0
Set WshShell = WScript.CreateObject("WScript.Shell")
Set RegexParse = New RegExp
' Execute diskpart
Set oExec = WshShell.Exec("%comspec% /c echo list volume | diskpart.exe")
RegexParse.Pattern = "\s\s(Volume\s\d)\s+([A-Z])\s+(.*)\s\s(NTFS|FAT)\s+(Mirror|RAID-5)\s+(\d+)\s+(..)\s\s([A-Za-z]*\s?[A-Za-z]*)(\s\s)*.*"
While Not oExec.StdOut.AtEndOfStream
Dim regexMatches
Dim Volume, Drive, Description, Redundancy, RaidStatus
Dim CurrentLine : CurrentLine = oExec.StdOut.ReadLine
Set regexMatches = RegexParse.Execute(CurrentLine)
If (regexMatches.Count > 0) Then
Dim match
Set match = regexMatches(0)
If match.SubMatches.Count >= 8 Then
Volume = match.SubMatches(0)
Drive = match.SubMatches(1)
Description = Trim(match.SubMatches(2))
Redundancy = match.SubMatches(4)
RaidStatus = Trim(match.SubMatches(7))
End If
If RaidStatus <> "Healthy" Then
hasError = 1
WScript.StdOut.Write "**WARNING** "
End If
WScript.StdOut.WriteLine "Status of " & Redundancy & " " & Drive & ": (" & Description & ") is """ & RaidStatus & """"
End If
Wend
If (hasError) Then
WScript.StdOut.WriteLine ""
WScript.StdOut.WriteLine "WARNING: One or more redundant drives are not in a ""Healthy"" state!"
End If
WScript.Quit(hasError)
Most of the time I work on a Lenovo laptop running Windows 7, and I'm overall quite happy with the laptop (especially after the mainboard was replaced and it stopped randomly rebooting). However, a minor nuance had been bugging me for a while: If I plugged my computer into a LAN (I have a docking station at work and at home) while a wireless signal was also available (and configured on the laptop), Windows 7 would keep both connections active.
1. The Problem
So I'd have my laptop in the docking station, connected to a 1Gb Ethernet network, and yet the laptop would also be connected to a WiFi network. While not a big deal per se, it does have a few advantages to automatically disable the WiFi connection when already connected to Ethernet:
So how could I disable the WiFi connection automatically when I connected the laptop to an Ethernet, yet automatically re-enable it when there is no Ethernet connection?
2. The Research
After some intense brainstorming, I remembered two things:
3. Evidence Gathering
The first one was easy, a quick look at the system event log revealed the following event:
A similar event is logged when the "network link" has connected. The event shown here is specific to the driver of my laptop's network card (an Intel(R) 82577LM adapter), but most newer drivers will log events when a cable is disconnected or the link is otherwise lost. If you are already running EventSentry with its hardware inventory feature enabled, then you can obtain the name of the network adapter from any monitored host on the network through the hardware inventory page, an example is shown below.
Coming up with a way to enable and disable a particular network connection with netsh.exe was a bit more challenging, but I eventually cracked the cryptic command line parameters of netsh.exe.
Enable a connection
netsh interface set interface "Wireless Network Connection" ENABLED
Disable a connection
netsh interface set interface "Wireless Network Connection" DISABLED
And yes, you do need to specify the word "interface" twice. If you do find yourself wanting to automate network adapter settings with scripts and/or the command line frequently, then you should check out this link.
4. The Solution
So now that we have all the ingredients, let's take a look at the recipe. In order to accomplish the automatic interface toggling, we need to create:
A couple of clarifications: First, you do not need to use embedded scripts, you can create the scripts in the file system too and then point the process action to those files. I prefer embedded scripts since I don't have to worry about maintaining the script, as it gets distributed to remote hosts automatically when needed. Second, the event source and event id will depend on the network card you have installed on your network, the above example will only work with Lenovo T410 laptops.
So what happens is pretty straightforward: When I connect my laptop to a LAN, the Intel NIC driver writes event id 32 with the event source e1kexpress to the system event log. EventSentry intercepts the event and triggers the Wifi Disable action, which in turns runs the netsh.exe process, disabling the WiFi connection.
5. Setting it up in the management console
Embedded Scripts
You can manage embedded scripts via Tools -> Embedded Scripts. Click "New", specify a descriptive name (e.g. wifi_enable.cmd) and paste the command line netsh interface set interface "Wireless Network Connection" ENABLED into the script content window. Then, do the same for the wifi_disable.cmd script, but this time use the netsh interface set interface "Wireless Network Connection" DISABLED command line. You can leave the interpreter empty as long as you give the filename the .cmd extension.
Actions
I recommend enabling both "Event Log Options", as this will help with troubleshooting. Now we just need the event log filters, and we are all set.
Like I mentioned earlier, you can also reference any external process or .cmd file with the process action, if you'd rather not use embedded scripts.
Event Log Filters
Since we'll need two filter, we'll create a new event log package called "Toggle Wifi" by right-clicking the "Event Log Packages" container and selecting "Add Package". Inside the package we can then add the two filters: One to trigger the "Wifi Enable" action when the NIC drivers logs its event indicating that the network cable was unplugged, and one that will trigger the "Wifi Disable" action when the NIC drivers logs that the network cable was plugged in. The filter will look similar to this, but note that the event source as well as event id will depend on the network card and driver.
That's pretty much it. If you enabled the event log options in the process action earlier, then you can see the output from the process action in the event log, as shown below:
Here are some links to the official EventSentry documentation regarding the features used:
1. The Problem
So I'd have my laptop in the docking station, connected to a 1Gb Ethernet network, and yet the laptop would also be connected to a WiFi network. While not a big deal per se, it does have a few advantages to automatically disable the WiFi connection when already connected to Ethernet:
- Avoid potential connectivity issues
- Increase security by not transmitting data via Wifi when not necessary
- Increase battery life when connected to a LAN
- Because you can!
So how could I disable the WiFi connection automatically when I connected the laptop to an Ethernet, yet automatically re-enable it when there is no Ethernet connection?
2. The Research
After some intense brainstorming, I remembered two things:
- Most Ethernet NIC drivers log event to the System event log when a network port is connected/disconnected.
- A while back, I used the netsh command to configure DNS servers from the command line. Maybe one could toggle the state of network adapters with this tool as well?
3. Evidence Gathering
The first one was easy, a quick look at the system event log revealed the following event:
A similar event is logged when the "network link" has connected. The event shown here is specific to the driver of my laptop's network card (an Intel(R) 82577LM adapter), but most newer drivers will log events when a cable is disconnected or the link is otherwise lost. If you are already running EventSentry with its hardware inventory feature enabled, then you can obtain the name of the network adapter from any monitored host on the network through the hardware inventory page, an example is shown below.Coming up with a way to enable and disable a particular network connection with netsh.exe was a bit more challenging, but I eventually cracked the cryptic command line parameters of netsh.exe.Enable a connection
netsh interface set interface "Wireless Network Connection" ENABLED
Disable a connection
netsh interface set interface "Wireless Network Connection" DISABLED
And yes, you do need to specify the word "interface" twice. If you do find yourself wanting to automate network adapter settings with scripts and/or the command line frequently, then you should check out this link.
4. The Solution
So now that we have all the ingredients, let's take a look at the recipe. In order to accomplish the automatic interface toggling, we need to create:
- an embedded script called wifi_enable.cmd, using the command line from above
- an embedded script called wifi_disable.cmd, again using the command line from above
- a process action "Wifi Enable", referencing the above wifi_enable.cmd embedded script
- a process action "Wifi Disable", referencing the above wifi_disable.cmd embedded script
- an event log filter for event source "e1kexpress" and event id 27, triggering the "Wifi Enable" action
- an event log filter for event source "e1kexpress" and event id 32, triggering the "Wifi Disable" action
A couple of clarifications: First, you do not need to use embedded scripts, you can create the scripts in the file system too and then point the process action to those files. I prefer embedded scripts since I don't have to worry about maintaining the script, as it gets distributed to remote hosts automatically when needed. Second, the event source and event id will depend on the network card you have installed on your network, the above example will only work with Lenovo T410 laptops.
So what happens is pretty straightforward: When I connect my laptop to a LAN, the Intel NIC driver writes event id 32 with the event source e1kexpress to the system event log. EventSentry intercepts the event and triggers the Wifi Disable action, which in turns runs the netsh.exe process, disabling the WiFi connection.
5. Setting it up in the management console
Embedded Scripts
You can manage embedded scripts via Tools -> Embedded Scripts. Click "New", specify a descriptive name (e.g. wifi_enable.cmd) and paste the command line netsh interface set interface "Wireless Network Connection" ENABLED into the script content window. Then, do the same for the wifi_disable.cmd script, but this time use the netsh interface set interface "Wireless Network Connection" DISABLED command line. You can leave the interpreter empty as long as you give the filename the .cmd extension.
ActionsCreate two process actions, one pointing to wifi_enable.cmd, and one pointing to wifi_disable.cmd. You can access these embedded scripts by clicking the pull-down - you should see the embedded script(s) you created in step one - each prefixed with the @ symbol. The resulting dialog should look like this:
I recommend enabling both "Event Log Options", as this will help with troubleshooting. Now we just need the event log filters, and we are all set.Like I mentioned earlier, you can also reference any external process or .cmd file with the process action, if you'd rather not use embedded scripts.
Event Log Filters
Since we'll need two filter, we'll create a new event log package called "Toggle Wifi" by right-clicking the "Event Log Packages" container and selecting "Add Package". Inside the package we can then add the two filters: One to trigger the "Wifi Enable" action when the NIC drivers logs its event indicating that the network cable was unplugged, and one that will trigger the "Wifi Disable" action when the NIC drivers logs that the network cable was plugged in. The filter will look similar to this, but note that the event source as well as event id will depend on the network card and driver.
That's pretty much it. If you enabled the event log options in the process action earlier, then you can see the output from the process action in the event log, as shown below:Here are some links to the official EventSentry documentation regarding the features used:
Follow @netikus