Total Pageviews

Wednesday, August 20, 2025

SQLEventMonitor – real-time monitoring and email alerting hundreds of SQL Server instances simultaneously

SQLEventMonitor – Real-Time Monitoring and Email Alerting for Hundreds of SQL Server Instances Simultaneously

SQLEventMonitor is a robust, multi-threaded portable (a tiny single file) application built to monitor hundreds of SQL Server instances simultaneously using fully customizable, user-defined T-SQL queries (sample provided). Its strength lies in a simple, text-based configuration system, allowing you to define target servers, set monitoring intervals, and fine-tune a wide range of behaviors.

With SQLEventMonitor, you can:

  • Send real-time email alerts
  • Log events directly into a SQL Server database for dashboards and analytics
  • Easily adjust monitoring parameters on the fly

All of this is presented in a simple and intuitive text-based interface, designed to make your operational tasks effortless while providing deep insights into your SQL Server environment.

Email Alerting: To complement the process eco-system, an intelligent PowerShell automation script is included for real-time alerting. As soon as new events are captured and written to the SQL Server repository, the script can trigger highly configurable email notifications.

figure #1: Sample email alert processed by the PowerShell Script

Administrators can easily control email behavior via a text file - from choosing which servers to monitor, which events to alert on, and even applying suppression windows to prevent repeated alerts for the same issue.

The result: a lightweight, flexible, and scalable SQL Server monitoring solution that puts you in full control.

Download Link:

Download SQLEventMonitor

Quick Start

  1. Download and unzip the package.
  2. Run the executable for the first time – this will automatically create all required supporting files.
  3. Edit configuration settings in "event_config_sql.txt".
  4. Add SQL Server instances to monitor in "event_server_sql.txt".
  5. Create the alert repository table by executing the script in "event_table_script_sql.txt" on your target SQL Server.
  6. Configure monitoring queries in "event_query_sql.txt". You may use the supplied predefined queries, adjust them, or write your own.
  7. Run the executable again – it will begin collecting SQL Server diagnostic data for alerting purposes.
  8. For more details, refer to the comprehensive usage guide provided below.

Permissions and Authentication

  • Authentication
    • SQLEventMonitor supports only Windows Integrated Security.
    • SQL Authentication is not supported.
  • Execution Account
    • The Windows account under which the SQLEventMonitor process runs must have:
      • Read and Write permissions on the target event repository database.
      • VIEW SERVER STATE permission on each monitored SQL Server instance.
      • Any additional permissions required by the specific diagnostic queries defined in "event_query_sql.txt".
  • Notes
    • Permissions may vary depending on the monitoring queries you implement.
    • It is recommended to run SQLEventMonitor under a dedicated service account with only the required permissions for security best practices.

Configuring event_config_sql.txt

The file event_config_sql.txt defines the core settings for how and where collected SQL Server event data will be stored, as well as how often servers are checked.

TARGET_DATABASE_SERVER=<EventWritingSQLServerInstance> TARGET_DATABASE_NAME=dbSQLEvent TARGET_SQLTABLE=tblSQLEvent NEXT_SERVER_CHECK_SEC=120
  • TARGET_DATABASE_SERVER: The SQL Server instance where all collected events will be written.
  • TARGET_DATABASE_NAME: The database name on the target server where events are stored.
  • TARGET_SQLTABLE: The table name within the target database that stores event records.
  • NEXT_SERVER_CHECK_SEC: The default interval (in seconds) between checks of each monitored server.

Configuring event_server_sql.txt

The file event_server_sql.txt defines the list of SQL Server instances to be monitored. Both default and named instances are supported. There is no limit to the number of servers that can be added – monitoring is virtually unlimited.

Format: Duration|SQLServerInstance

Parameter Details

  • Duration (optional)
    • The frequency (in seconds) at which query in "event_query_sql.txt" will be executed against the target server.
    • If omitted, the default value from NEXT_SERVER_CHECK_SEC in "event_config_sql.txt" will be used.
  • SQLServerInstance (mandatory)
    • The SQL Server instance name.
    • Can be a default instance (e.g., SRV001) or a named instance (e.g., SRV001\SQL2017).
    • IP addresses and server names are both supported.

Additional Guidelines for "event_server_sql.txt":

  • One server per line: Each line must represent exactly one SQL Server, with or without a duration value.
  • Separator: Use the pipe character | to separate Duration and SQLServerInstance.
  • Comments: Use # at the beginning of a line to comment out a server.
  • Apply changes: After modifying this file, restart SQLEventMonitor.exe for the changes to take effect.
  • Logging: Check the \logs\ folder for detailed runtime information and error messages.

Example:

  1. 120|WIN251 -> Run query every 120 seconds against this default instance
  2. RDP80\SQL2022 -> Use global default interval for this named instance
  3. 30|WIN252 -> Run query every 30 seconds against this default instance
  4. WIN253 -> Use global default interval for this default instance
  5. 60|192.168.0.230 -> Run query every 60 seconds against this named instance

Figure #2: Running SQLEventMonitor.exe on the command prompt

Notes on Running as Windows Service:

Use NSSM (https://nssm.cc/) to create a Windows Service. Ensure that the service account has the necessary permissions to access both the monitored SQL Server instances and the event repository server.

Configuring "event_query_sql.txt"

The file event_query_sql.txt contains the diagnostic T-SQL queries that SQLEventMonitor will execute against all listed SQL Server instances.

Key Requirements:

  • The file may contain one or more SELECT statements combined using UNION ALL.
  • Each SELECT statement must include the following columns:
    1. SourceName
    2. EventSubject
    3. EventType
    4. MessageText
  • If these columns are missing or misnamed, the query will fail.

Notes

  • Several production-ready queries are provided a separate "event_query_sql.txt" to detect common SQL Server issues so that you can start quickly.
  • These queries are designed with backward compatibility in mind.

Supplied Alerting Events in the diagnostic query:

The provided alerting queries will capture and generate the following events:

  1. Blocking detected
  2. Long-running active session detected
  3. Long-running idle transaction detected
  4. AG replica health issue detected
  5. tempdb space usage
  6. Database log usage alert
  7. tempdb latch contention
  8. Memory utilization
  9. Plan cache usage
  10. Pending I/O requests
  11. AG replica lag

These events cover a broad range of performance, availability, and resource utilization scenarios commonly encountered in SQL Server environments.

You are encouraged to add, update, or adjust queries in event_query_sql.txt to fit your unique operational and monitoring requirements.

Structure Example

SELECT SourceName, EventSubject, EventType, MessageText UNION ALL SELECT SourceName, EventSubject, EventType, MessageText UNION ALL SELECT SourceName, EventSubject, EventType, MessageText

Sample Structured Query Example:

SELECT 'SQLMonitor' AS SourceName, 'Service Broker Issue' AS EventSubject, 'Critical' AS EventType, 'Service broker has poisoned queue' AS MessageText UNION ALL SELECT 'SQLMonitor' AS SourceName, 'Blocking detected' AS EventSubject, 'Warning' AS EventType, 'SPID 55 is blocking 25 other sessions' AS MessageText UNION ALL So on

Quick Start – Email Alerts:

  • The PowerShell script SQLEvent_Monitor_Mail.ps1 sends email notifications based on the criteria defined in "eventAction_EventSubject_sql.txt".
  • Before using the script, update the following parameters:
    • Alert Repository server
    • Table name
    • SMTP server configuration
    • Recipient email addresses
  • The script is designed to prevent duplicate or repetitive alerts. When run for the first time, it creates a file named "eventAction_LastEventID_sql.txt" and records the current MAX(ID) from the alert table.
  • If you skipped running the script for a period and new records have accumulated, you may delete "eventAction_LastEventID_sql.txt" to avoid sending old alerts.
  • Each time the script starts, it:
    • Reads the latest MAX(ID) from the alert table.
    • Updates or recreates "eventAction_LastEventID_sql.txt" with the new value.
    • Processes and sends email alerts only for new records after the MAX(ID).

Customizing Email Alerts for SQLEvent_Monitor_Mail.ps1:

The configuration file eventAction_EventSubject_sql.txt controls how and when email alerts are sent.

File format: Servers | EventName | Duration (in minutes)

Parameter Details

  • Servers (mandatory)
    • Use * to include all servers, or specify one or more server names separated by commas.
  • EventName (mandatory)
    • Must exactly match an event name defined in event_query_sql.txt.
  • Duration (optional)
    • Defines a suppression window (in minutes).
    • This determines how frequently the script can send alerts for the same event.
    • Without a duration (*|EventName), alerts are sent every time the event occurs.

Examples of Customization:

  1. *|Blocking detected:
    • Monitors SQL blocking across all servers and sends alerts whenever blocking is detected.
  2. *|Blocking detected|10:
    • Monitors SQL blocking across all servers, but applies a 10-minute suppression window, preventing duplicate alerts within that time.
  3. SRV2700,SRVFIN\SQL2019|Blocking detected:
    • Excludes blocking alerts for these two servers.
    • Alerts will still be sent for all other servers.
  4. SRV0012,SRV0HR\SQL2022|Blocking detected|15:
    • Monitors blocking for all servers, but applies a 15-minute suppression window only to these two servers.
  5. SQLSRV314|tempdb space usage detected:
    • Suppresses tempdb space alerts permanently for this server.
  6. HR234,FIN450\SQL2017,SQLSRV314|AG replica lag:
    • Suppresses AG replica lag alerts for these three servers only.

Sample eventAction_EventSubject_sql.txt:

# Format: Servers|EventName|Duration # * = All servers # EventName = Exact name of event from event_query_sql.txt # Duration = Suppression window in minutes (optional) *|Blocking detected|5 *|Long running active session detected|10 *|Long running idle transaction detected|10 *|AG replica health issue detected *|tempdb space usage|10 *|Database log usage alert|15 *|tempdb latch contention|10 *|Memory utilization|30 *|Plan cache usage|30 *|Pending I/O requests *|AG replica lag # Alert suppression rules SRV123|tempdb space usage|10 SRV191,SRV380|Long running active session detected SRV191,SRV185,SRV310|Long running idle transaction detected SRV159,SRV348|Blocking detected SRV420|tempdb space usage detected SRV510|Blocking detected|15 SRV555\SQL2017,S081\SQL2016,SRV151|Long running active session detected SRV810,SRT351\FINSQL01|Long running idle transaction detected SRV555|Plan cache usage

Quick rules:

  • * in server field = applies to all servers.
  • No duration = permanent suppression.
  • With duration = rate-limiting (alerts only after N minutes).
  • Multiple servers can be listed with commas.
  • # skip the line to evaluate and to send email alert.
  • Subject match is substring/LIKE, not exact.

Conclusion:

I have worked on the Windows and SQL Server platform for many years, and during that time I have not found a lightweight, easy-to-configure tool that consistently delivers the desired results. While I am familiar with many commercial solutions, I often find them unnecessarily complex, slow to respond, prone to missing critical alerts, and demanding excessive hardware resources due to heavy data processing.

The tools I share here are the result of my personal initiative and hobbyist development. They have been running successfully in live production environments across 300+ servers for many years without a single issue. I hope you will find them equally useful in your own work. Thank you.

Saturday, August 9, 2025

WinEventMonitor - proactive, scalable, and free. Deploy once, monitor forever..

⬇ Download Now

WinEventMonitor – Watch Every Server, Catch Every Event, in Real Time, at Zero Cost

⬇ Download WinEventMonitor

Overview

WinEventMonitor is a real-time, multi-threaded Windows Event Subscription Processing Engine designed to monitor and process any event generated by Windows Server or Desktop systems — remotely and at scale. Built for large enterprise environments, it can seamlessly handle events from hundreds of servers simultaneously.

This out-of-the-box, extremely efficient solution requires no licensing fees and delivers immediate, actionable notifications, helping identify and address potential issues before they escalate.


What is WinEventMonitor?

At its core, WinEventMonitor features a WMI-based event subscription engine combined with powerful Regular Expression (RegEx) support, enabling it to parse everything from simple alerts to complex log entries.

  • Easy Configuration: Managed via a simple text file for quick customization and rapid deployment.
  • Flexible Storage: Supports SQL Server Express as a backend for event storage.
  • Automated Notifications: A PowerShell script can send email alerts automatically when events are written to the database.
  • Visualization: A custom dashboard can be implemented to provide real-time insights into events across critical servers.

No Installation Required

  • Delivered as a single executable file.
  • Can run in Command Prompt or as a Windows service.
  • No dependencies — fully portable across Windows environments.

Download

Download the zipped file from: https://bit.ly/3GFghZv

Update – 11 August 2025

1. New Flag in event_config.txt

Added a new configuration flag to control event processing behavior in the engine:

EVENT_PROCESS_ALL = No / Yes
  • EVENT_PROCESS_ALL = No
    The event engine will only process events listed in the event_filter.txt file.
  • EVENT_PROCESS_ALL = Yes
    The event engine will process all incoming events from the server.
    Note: For this to work, the event_filter.txt file must be empty. If any filters remain, this setting will have no effect.

2. Server Shutdown Event Enhancement

Added an additional check to verify whether a connected server has been triggered to shut down.

3. PowerShell Script Update

The PowerShell script now suppresses email alerts under the following conditions:

  • If the Event Name (Event Subject) contains one or more server names before a pipe (|).
  • If the Event Subject consists only of server names (no additional context).

In these cases, no email notifications will be sent for those server(s).

Note: This update improves event filtering logic and reduces unnecessary email alerts.

Screenshots:

Sample event capture and notification
Sample event notification
Sample email notification
On a Windows Command Prompt

 


Quick Start

  • Download and unzip the file.
  • Run the executable for the first time — it will create all supporting files.
  • Change parameters in event_config.txt.
  • Add servers in event_server.txt.
  • Add event names and Windows event messages in event_filter.txt.
  • Run again — it will start collecting Windows events.
  • Refer to the detailed explanation below for complete system usage.

Permissions

WinEventMonitor has built-in subscriptions to the following Windows Event Logs: Application, System, Setup, and Security.

SQL Server Permissions

  • Read and Write access to the target SQL Server database.

Windows Permissions

  • WMI Access: Remote Enable, Execute Methods, Enable Account, and Read Security permissions for the root\cimv2 namespace.
  • Group Membership: Member of the Event Log Readers group.
  • Firewall: Enable the WMI-In firewall rule.
  • DCOM: Remote Launch and Remote Activation permissions in DCOM configuration.
  • Security Log Access: Grant SeSecurityPrivilege (Manage auditing and security log).
  • Remote Access: Ensure the account can connect via RPC/DCOM to target hosts.

Account Requirements

  • Must be a domain account — username and password authentication method is not supported.

First Run

Assuming you have downloaded the provided ZIP file to a folder named C:\WinEventMonitor, follow these steps:

  1. Open a Command Prompt.
  2. Change the directory to C:\WinEventMonitor.
  3. If the ZIP file has not yet been extracted, extract it now. This will produce the following files and folders:

Core Files and Folders

  • Logs – Stores WinEventMonitor’s log files.
  • event_server.txt – Contains a list of Windows servers from which WinEventMonitor will collect log entries.
  • event_filter.txt – Contains a list of event names and messages to collect from Windows servers.
  • event_config.txt – The main configuration file.
  • event_sql_table_script.txt – A SQL script to create the required table in a SQL Server database.

Email Notification

  • WinEventMonitor.ps1 – PowerShell script for sending email notifications.
  • eventAction_EventSubject.txt – List of event names that will trigger specific email notifications sent by the PowerShell script.
  • eventAction_LastWinEventID.txt – Stores the last processed event ID from the SQL Server table (tblWinEvent).

Details on event_server.txt

This file contains the names or IP addresses of the servers to be monitored.

  • Any server or IP address commented out with a # will be ignored during the next refresh cycle.

Details on event_filter.txt

This file contains event names and Windows messages to be monitored.

  • Structure: CustomEventName|Message1|Message2|Message3|Message4,...
  • The first section before the first pipe (|) is treated as the event name (event subject).
  • Each subsequent Message(x) is treated as a separate message but linked to the same event name.
  • Messages can contain Regular Expressions for advanced parsing. WinEventMonitor supports all standard RegEx syntax.

Configuration File – event_config.txt

ParameterDescription
DUPLICATE_SUPPRESSION_INTERVAL_SEC = 10Suppresses duplicate events for the specified number of seconds. If set to 0, every event is processed. Duplicate detection is based on the first part of each entry in server_filter.txt.
THREAD_RESTART_DELAY_SEC = 60Time (in seconds) to wait before attempting to reconnect to a disconnected server.
THREAD_RESTART_RETRY = 5Number of reconnection attempts before giving up.
THREAD_ACTIVITY_TO_LOG_FILE = NoReserved for future use. Currently has no effect.
SERVER_REFRESH_INTERVAL_MIN = 30Interval (in minutes) to refresh the server list. Changes in event_server.txt take effect at the next refresh.
FILTER_REFRESH_INTERVAL_MIN = 30Interval (in minutes) to reload event filters after changes in event_filter.txt.
SQLSERVER_NAME = localhostSQL Server instance name. For default instances, specify the server name (e.g., FinanceSQL2022). For named instances, use ServerName\Instance (e.g., ServerABC\HRSQL927).
SQLSERVER_DATABASE = dbWinEventName of the SQL Server database (default: dbWinEvent).
SQLSERVER_TABLE = tblWinEventName of the SQL Server table (default: tblWinEvent).
EVENT_PROCESS_ALL = No / YesTo control event processing behavior in the engine, selected or all events (default: No).

Sample Files Provided

  • server_filter.txt – Contains over 150 predefined event names and messages.
  • eventAction_EventSubject.txt – Contains event names used by the PowerShell script to determine which events trigger email notifications.

Running WinEventMonitor

As a Windows Service

Use NSSM to create a Windows service for WinEventMonitor.

  • Run the service under a Windows domain account with the required permissions to access Windows Event Logs and SQL Server.

From the Command Prompt

Ensure event_server.txt and event_filter.txt are configured before starting. Two modes are available:

  1. With “No” clause
    WinEventMonitor.exe No
    Logs all events to the \logs\ folder without writing to SQL Server.
  2. Without “No” clause
    WinEventMonitor.exe
    Runs in non-interactive mode and writes events to SQL Server (if configured).

Log Management

Logs are stored in the \logs\ folder. WinEventMonitor automatically retains only the last 10 log files.


PowerShell Script for Email Notifications

A provided PowerShell script (WinEvent_Monitor_Mail.ps1) runs continuously, monitoring the SQL Server table for new events.

  • When a new event is found (based on the table’s identity column), it sends an email if the event subject matches an entry in eventAction_EventSubject.txt.
  • Subjects can be excluded from notifications by commenting them out with #.
  • The subject must match exactly the first part of the corresponding entry in server_filter.txt (before the pipe |).
  • After processing an event, the script updates eventAction_EventSubject.txt with the last processed event ID.

Note: Adjust the parameters at the top of the PowerShell script as needed.


Built-in Alerts

WinEventMonitor includes built-in alerts to detect Windows shutdown events by default. When triggered, alerts are recorded in both the SQL table and the log file.

  • RPC failed
  • The remote procedure call failed
  • The RPC server is unavailable
  • System shutdown event triggered
  • Windows Server is shutting down
  • Windows Server is unavailable
  • Windows Server shutdown
⬇ Download WinEventMonitor

Wednesday, July 9, 2025

🔍 Introducing WinDigger — Your Go-To Windows & SQL Server Diagnostic Companion

WinDigger is my latest creation—a lightweight, portable tool purpose-built for Windows Server and SQL Server environments. Whether you're a seasoned sysadmin, DBA, administrator, or just curious about system internals, WinDigger empowers you to explore, analyze, and act—remotely and efficiently.


⚙️ What Makes WinDigger Stand Out?

Unlike many bloated commercial tools, WinDigger requires no installation, no external dependencies, and leaves no footprint. Just launch it—locally or remotely—and you’re ready to go.

This utility uncovers deep system insights, surfaces hidden problems, and enables you to take immediate action—all in one place. Designed for educational and charitable use, WinDigger is completely free.

  • No installation
  • No admin agents or services
  • No hidden telemetry or licensing

🔧 Feature Highlights

  • Process Management: View and terminate processes on remote systems.
  • Windows Services Control: Start, stop, disable, or restart any service remotely.
  • Disk & Storage Analysis: Get full visibility into physical drives, partitions, and controllers.
  • Network Diagnostics: Inspect adapters, routing tables, active connections, and configurations.
  • Windows Event Viewer: Access logs, hotfixes, reliability reports, and reboot status.
  • Active Directory Queries: Fetch user and group information via LDAP/ADSI.
  • Failover Cluster Insights: Review cluster health and configuration parameters.
  • Scheduled Tasks: List, disable, delete, or trigger tasks across the network.
  • VMware Awareness: Analyze vCPU/vSocket layout and receive optimization tips.
  • Local Admin Management: Remotely manage members of the local Administrators group.
  • WMI Repair Tools: Rebuild WMI, restore performance counters, and restart COM+ services.
  • Run As Different User: Launch external apps under alternate credentials.
  • ... and more! Regular updates bring new features and enhancements.

🔐 Administrator Privileges Required

WinDigger uses system-level access through WMI, PowerShell, LDAP, and COM interfaces. To ensure full functionality, please run the executable as Administrator. Without elevated privileges, some features may not work as expected.


⚠️ Anti-Virus Notice

WinDigger is distributed in two formats:

  • Compressed (UPX-packed)
  • Uncompressed (Raw EXE)

Some antivirus software may flag the compressed version due to heuristics. This is a common issue with portable system tools. If flagged, use the uncompressed version or add an exclusion.


📥 Download WinDigger

🔗 Download WinDigger

Includes both compressed and uncompressed versions.

Last upload date: 04 August 2025

Changes made: v2025.08.04

  • Added Availability Groups
  • Added SQL Server Permissions
  • Added SQL Server tabs: Databases, Backups, workload per databases
  • SQL Server detection on a remote server
  • SQL Server Connection using Windows and SQL Authentication
  • Various UI improvement

🖼️ Screenshots

Below are some example screenshots of WinDigger in action:

Windows Failover Cluster overview

Disk Drives


🙌 Why I Built This

WinDigger was created to give back to the community—especially those who want to learn more about the systems they manage. Whether you're debugging a complex issue or just exploring, this tool is designed to simplify the journey.

If you find WinDigger useful, please consider sharing the link or leaving feedback below.


💬 Feedback or Suggestions?

I welcome your feedback! Drop a comment on this post or reach out directly for feature requests, ideas, or contributions.