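### RUN AS ADMINISTRATOR
# Registers a Scheduled Task that fires on System event 7036 (Service Control Manager:
# "service entered the stopped state") for the SHOUTcast service. The task runs, as the
# SYSTEM account, a small script that is written to the local computer from the $script
# here-string below; that script calls an Azure Function which writes a Log Analytics
# custom-log record and sends SMS via the Telstra API.
#
# Change the variables at the top of the $script here-string. The here-string is
# single-quoted (@' ... '@) on purpose: $env:COMPUTERNAME inside it must stay literal so it
# is expanded on the machine where the task runs, not here.
#
# NOTE(review): the Log Analytics primary key and the Telstra app secret end up in cleartext
# in the generated .ps1 and are sent as URL path segments. Path segments are commonly
# written to web-server, proxy and access logs — confirm the function's logging policy, and
# consider restricting the ACL of the generated file (under the default System32 ACL it is
# readable by non-administrator users).
$script = @'
# Replace with your Workspace ID
$LogAnalyticsCustomerID = "Workspace ID"
# Replace with your Log Analytics workspace Primary Key
$LogAnalyticsPrimaryKey = "workspace Primary Key"
#Specify the name of the record type that we'll be creating.
$LogType = "ServiceStopped" # To be used to search for as a custom log e.g. Type=ServiceStopped_CL
# Telstra DEV API Key - https://dev.telstra.com
$Telstra_app_key = "Telstra DEV API Key"
# Telstra DEV App Secret - https://dev.telstra.com
$Telstra_app_secret = "Telstra DEV App Secret"
# Mobile numbers to send, comma separated (with space), each number enclosed in single quotes
$tel_numbers = "'+61412345678', '+61498765432'"
# Message to send and add to the Log Analytics Custom Log
$Message = "The SHOUTcast service has stopped on $env:COMPUTERNAME"
$FunctionUri = 'https://marcfunction1.azurewebsites.net/api/EventDrivenFunction/{0}/{1}/{2}/{3}/{4}/{5}/{6}' `
  -f $LogAnalyticsCustomerID, $LogAnalyticsPrimaryKey, $LogType, $Telstra_app_key, $Telstra_app_secret, $tel_numbers, $Message
# -UseBasicParsing: this runs under SYSTEM, where the Internet Explorer engine used by the
# default HTML parsing is not initialised and Invoke-WebRequest would otherwise fail.
Invoke-WebRequest -Uri $FunctionUri -UseBasicParsing
'@

# Event Viewer XML filter: SCM event 7036 where param1 (service display name) is 'SHOUTcast'
# and param2 (new state) is 'stopped'. Used verbatim as the event-trigger subscription.
$EventLog_Query = "<QueryList><Query Id='0' Path='System'><Select Path='System'>*[System[Provider[@Name='Service Control Manager'] and (Level=4 or Level=0) and (EventID=7036)]] and *[EventData[Data[@Name='param1'] and (Data='SHOUTcast')]] and *[EventData[Data[@Name='param2'] and (Data='stopped')]]</Select></Query></QueryList>"

# 24-hour clock (HH). The original 12-hour 'hh' made a morning and an afternoon run produce
# the same task name and script file name, so the later one silently overwrote the earlier.
$date = Get-Date -Format yyyyMMddHHmmss
$ScriptFile = "$($env:SystemDrive)\Windows\System32\$date.ps1"

# Write the generated script with leading/trailing CR/LF stripped. WriteAllText adds no
# trailing newline of its own, which is what the former "re-read and trim" round-trip
# through Set-Content + StreamWriter achieved.
[System.IO.File]::WriteAllText($ScriptFile, $script.Trim("`r`n"))

$taskName = "Event Driven Task $date"
$Path = 'PowerShell.exe'
# Path is quoted so the task still launches if the script location ever contains spaces.
$Arguments = "-ExecutionPolicy Unrestricted -File `"$ScriptFile`""

# Task Scheduler 2.0 COM API
$Service = New-Object -ComObject ("Schedule.Service")
$Service.Connect()
$RootFolder = $Service.GetFolder("\")
# TaskDefinition object https://msdn.microsoft.com/en-us/library/windows/desktop/aa382542(v=vs.85).aspx
$TaskDefinition = $Service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = ''
$TaskDefinition.Settings.Enabled = $True
$TaskDefinition.Settings.AllowDemandStart = $True
$TaskDefinition.Settings.DisallowStartIfOnBatteries = $False

# Trigger type 0 is an event trigger https://msdn.microsoft.com/en-us/library/windows/desktop/aa383898(v=vs.85).aspx
$Trigger = $TaskDefinition.Triggers.Create(0)
$Trigger.Enabled = $true
# Expiry time if needed # $TaskEndTime = [datetime]::Now.AddMinutes(30);$Trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$Trigger.Id = '7036' # Trigger label only (Event ID, for readability); the filter is the Subscription below
<#
Advanced XML filtering in the Windows Event Viewer
https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/
#>
$Trigger.Subscription = $EventLog_Query

# Action type 0 = execute a program
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = $Path
$Action.Arguments = $Arguments

# 6 = TASK_CREATE_OR_UPDATE; "System" with logon type 5 (service account) runs the task as
# LocalSystem without a stored password.
$RootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "System", $null, 5) | Out-Null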