marckean/Scheduled Task, event log trigger.ps1

## Scheduled Task, event log trigger.ps1
### RUN AS ADMINISTRATOR
# This script here string, will be copied to the local computer to be run locally

# Change the variables in this script, they are at the top in this here string
$script = @'
# Replace with your Workspace ID
$LogAnalyticsCustomerID = "Workspace ID"

# Replace with your Log Analytics workspace Primary Key
$LogAnalyticsPrimaryKey = "workspace Primary Key"

#Specify the name of the record type that we'll be creating.
$LogType = "ServiceStopped" # To be used to search for as a custom log e.g. Type=ServiceStopped_CL

# Telstra DEV API Key - https://dev.telstra.com
$Telstra_app_key = "Telstra DEV API Key"

# Telstra DEV App Secret - https://dev.telstra.com
$Telstra_app_secret = "Telstra DEV App Secret"

# Mobile numbers to send, comma separated (with space), each number enclosed in single quotes
$tel_numbers = "'+61412345678', '+61498765432'"

# Message to send and add to the Log Analytics Custom Log
$Message = "The SHOUTcast service has stopped on $env:COMPUTERNAME"

$FunctionUri = 'https://marcfunction1.azurewebsites.net/api/EventDrivenFunction/{0}/{1}/{2}/{3}/{4}/{5}/{6}' `
-f $LogAnalyticsCustomerID, $LogAnalyticsPrimaryKey, $LogType, $Telstra_app_key, $Telstra_app_secret, $tel_numbers, $Message

Invoke-WebRequest -Uri $FunctionUri
'@

# Custom Event Log Query
$EventLog_Query = "<QueryList><Query Id='0' Path='System'><Select Path='System'>*[System[Provider[@Name='Service Control Manager'] and (Level=4 or Level=0) and (EventID=7036)]] and *[EventData[Data[@Name='param1'] and (Data='SHOUTcast')]] and *[EventData[Data[@Name='param2'] and (Data='stopped')]]</Select></Query></QueryList>"

$date = $(Get-Date -Format yyyyMMddhhmmss)
$ScriptFile = "$($env:SystemDrive)\Windows\System32\$date.ps1"
Set-Content -Path $ScriptFile -Value $Script

$taskName = "Event Driven Task $date"
$Path = 'PowerShell.exe'
$Arguments = "-ExecutionPolicy Unrestricted -File $ScriptFile"

# This removes empty last line at the end of the text file
$in = [System.IO.File]::OpenText($ScriptFile)
$text = ($in.readtoend()).trim("`r`n")
$in.close()
$stream = [System.IO.StreamWriter]$ScriptFile
$stream.write($text)
$stream.close()

$Service = new-object -ComObject ("Schedule.Service")
$Service.Connect()
$RootFolder = $Service.GetFolder("\")
$TaskDefinition = $Service.NewTask(0) # TaskDefinition object https://msdn.microsoft.com/en-us/library/windows/desktop/aa382542(v=vs.85).aspx
$TaskDefinition.RegistrationInfo.Description = ''
$TaskDefinition.Settings.Enabled = $True
$TaskDefinition.Settings.AllowDemandStart = $True
$TaskDefinition.Settings.DisallowStartIfOnBatteries = $False
$Triggers = $TaskDefinition.Triggers
$Trigger = $Triggers.Create(0) ## 0 is an event trigger https://msdn.microsoft.com/en-us/library/windows/desktop/aa383898(v=vs.85).aspx
$Trigger.Enabled = $true
# Expiry time if needed # $TaskEndTime = [datetime]::Now.AddMinutes(30);$Trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$Trigger.Id = '7036' # Event ID
<#
Advanced XML filtering in the Windows Event Viewer
https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/
#>
$Trigger.Subscription = $EventLog_Query
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = $Path
$action.Arguments = $Arguments
$RootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "System", $null, 5) | Out-Null
	### RUN AS ADMINISTRATOR
	# This script here string, will be copied to the local computer to be run locally

	# Change the variables in this script, they are at the top in this here string
	$script = @'
	# Replace with your Workspace ID
	$LogAnalyticsCustomerID = "Workspace ID"

	# Replace with your Log Analytics workspace Primary Key
	$LogAnalyticsPrimaryKey = "workspace Primary Key"

	#Specify the name of the record type that we'll be creating.
	$LogType = "ServiceStopped" # To be used to search for as a custom log e.g. Type=ServiceStopped_CL

	# Telstra DEV API Key - https://dev.telstra.com
	$Telstra_app_key = "Telstra DEV API Key"

	# Telstra DEV App Secret - https://dev.telstra.com
	$Telstra_app_secret = "Telstra DEV App Secret"

	# Mobile numbers to send, comma separated (with space), each number enclosed in single quotes
	$tel_numbers = "'+61412345678', '+61498765432'"

	# Message to send and add to the Log Analytics Custom Log
	$Message = "The SHOUTcast service has stopped on $env:COMPUTERNAME"

	$FunctionUri = 'https://marcfunction1.azurewebsites.net/api/EventDrivenFunction/{0}/{1}/{2}/{3}/{4}/{5}/{6}' `
	-f $LogAnalyticsCustomerID, $LogAnalyticsPrimaryKey, $LogType, $Telstra_app_key, $Telstra_app_secret, $tel_numbers, $Message

	Invoke-WebRequest -Uri $FunctionUri
	'@

	# Custom Event Log Query
	$EventLog_Query = "<QueryList><Query Id='0' Path='System'><Select Path='System'>[System[Provider[@Name='Service Control Manager'] and (Level=4 or Level=0) and (EventID=7036)]] and [EventData[Data[@Name='param1'] and (Data='SHOUTcast')]] and *[EventData[Data[@Name='param2'] and (Data='stopped')]]</Select></Query></QueryList>"

	$date = $(Get-Date -Format yyyyMMddhhmmss)
	$ScriptFile = "$($env:SystemDrive)\Windows\System32\$date.ps1"
	Set-Content -Path $ScriptFile -Value $Script

	$taskName = "Event Driven Task $date"
	$Path = 'PowerShell.exe'
	$Arguments = "-ExecutionPolicy Unrestricted -File $ScriptFile"

	# This removes empty last line at the end of the text file
	$in = [System.IO.File]::OpenText($ScriptFile)
	$text = ($in.readtoend()).trim("`r`n")
	$in.close()
	$stream = [System.IO.StreamWriter]$ScriptFile
	$stream.write($text)
	$stream.close()

	$Service = new-object -ComObject ("Schedule.Service")
	$Service.Connect()
	$RootFolder = $Service.GetFolder("\")
	$TaskDefinition = $Service.NewTask(0) # TaskDefinition object https://msdn.microsoft.com/en-us/library/windows/desktop/aa382542(v=vs.85).aspx
	$TaskDefinition.RegistrationInfo.Description = ''
	$TaskDefinition.Settings.Enabled = $True
	$TaskDefinition.Settings.AllowDemandStart = $True
	$TaskDefinition.Settings.DisallowStartIfOnBatteries = $False
	$Triggers = $TaskDefinition.Triggers
	$Trigger = $Triggers.Create(0) ## 0 is an event trigger https://msdn.microsoft.com/en-us/library/windows/desktop/aa383898(v=vs.85).aspx
	$Trigger.Enabled = $true
	# Expiry time if needed # $TaskEndTime = [datetime]::Now.AddMinutes(30);$Trigger.EndBoundary = $TaskEndTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
	$Trigger.Id = '7036' # Event ID
	<#
	Advanced XML filtering in the Windows Event Viewer
	https://blogs.technet.microsoft.com/askds/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer/
	#>
	$Trigger.Subscription = $EventLog_Query
	$Action = $TaskDefinition.Actions.Create(0)
	$Action.Path = $Path
	$action.Arguments = $Arguments
	$RootFolder.RegisterTaskDefinition($taskName, $TaskDefinition, 6, "System", $null, 5) \| Out-Null