Saturday, August 9, 2025

WinEventMonitor - proactive, scalable, and free. Deploy once, monitor forever.

WinEventMonitor – Watch Every Server, Catch Every Event, in Real Time, at Zero Cost

Overview

WinEventMonitor is a real-time, multi-threaded Windows Event Subscription Processing Engine designed to monitor and process any event generated by Windows Server or Desktop systems — remotely and at scale. Built for large enterprise environments, it can seamlessly handle events from hundreds of servers simultaneously.

This out-of-the-box, extremely efficient solution requires no licensing fees and delivers immediate, actionable notifications, helping identify and address potential issues before they escalate.


What is WinEventMonitor?

At its core, WinEventMonitor features a WMI-based event subscription engine combined with powerful Regular Expression (RegEx) support, enabling it to parse everything from simple alerts to complex log entries.

  • Easy Configuration: Managed via a simple text file for quick customization and rapid deployment.
  • Flexible Storage: Supports SQL Server Express as a backend for event storage.
  • Automated Notifications: A PowerShell script can send email alerts automatically when events are written to the database.
  • Visualization: A custom dashboard can be implemented to provide real-time insights into events across critical servers.

No Installation Required

  • Delivered as a single executable file.
  • Can run in Command Prompt or as a Windows service.
  • No dependencies — fully portable across Windows environments.

Download

Download the zipped file from: https://bit.ly/3GFghZv

Update – 11 August 2025

1. New Flag in event_config.txt

Added a new configuration flag to control event processing behavior in the engine:

EVENT_PROCESS_ALL = No / Yes
  • EVENT_PROCESS_ALL = No
    The event engine will only process events listed in the event_filter.txt file.
  • EVENT_PROCESS_ALL = Yes
    The event engine will process all incoming events from the server.
    Note: For this to work, the event_filter.txt file must be empty. If any filters remain, this setting will have no effect.

2. Server Shutdown Event Enhancement

Added a check that detects when a connected server has been triggered to shut down.

3. PowerShell Script Update

The PowerShell script now suppresses email alerts under the following conditions:

  • If the Event Name (Event Subject) contains one or more server names before a pipe (|).
  • If the Event Subject consists only of server names (no additional context).

In these cases, no email notifications will be sent for those server(s).

Note: This update improves event filtering logic and reduces unnecessary email alerts.

Screenshots: sample event capture and notification; sample event notification; sample email notification; WinEventMonitor running in a Windows Command Prompt.

Quick Start

  • Download and unzip the file.
  • Run the executable for the first time — it will create all supporting files.
  • Change parameters in event_config.txt.
  • Add servers in event_server.txt.
  • Add event names and Windows event messages in event_filter.txt.
  • Run again — it will start collecting Windows events.
  • Refer to the detailed explanation below for complete system usage.

Permissions

WinEventMonitor has built-in subscriptions to the following Windows Event Logs: Application, System, Setup, and Security.

SQL Server Permissions

  • Read and Write access to the target SQL Server database.

Windows Permissions

  • WMI Access: Remote Enable, Execute Methods, Enable Account, and Read Security permissions for the root\cimv2 namespace.
  • Group Membership: Member of the Event Log Readers group.
  • Firewall: Enable the WMI-In firewall rule.
  • DCOM: Remote Launch and Remote Activation permissions in DCOM configuration.
  • Security Log Access: Grant SeSecurityPrivilege (Manage auditing and security log).
  • Remote Access: Ensure the account can connect via RPC/DCOM to target hosts.

Account Requirements

  • Must be a domain account — username and password authentication method is not supported.
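The permission list above is easier to validate than to eyeball. The following script is an added example, not part of WinEventMonitor, that runs on the collector host and checks the two paths the engine depends on: WMI over DCOM/RPC into root\cimv2 and remote reads of the four subscribed event logs. The server name and the account name are placeholders.

```powershell
# Added example, not part of WinEventMonitor. Run on the collector host to confirm the service
# account can reach a monitored server the way the engine does: WMI over DCOM/RPC to root\cimv2
# and remote reads of the four subscribed logs. Server and account names are placeholders.
param(
    [string]$Server  = 'SRV-APP01.corp.example',   # placeholder monitored server
    [string]$Account = 'CORP\svc-wineventmon'       # placeholder domain service account
)
$cred    = Get-Credential -UserName $Account -Message 'Service account password'
$results = [ordered]@{}

# 1. DCOM/RPC path: exercises the WMI-In firewall rule, DCOM Remote Launch/Activation and the
#    Remote Enable / Enable Account rights on root\cimv2. Forcing DCOM instead of the WSMan
#    default matches the DCOM/RPC permissions listed above rather than testing WinRM.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $cim = New-CimSession -ComputerName $Server -Credential $cred -SessionOption $opt -ErrorAction Stop
    $os  = Get-CimInstance -CimSession $cim -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem -ErrorAction Stop
    $results['WMI root\cimv2 over DCOM'] = "OK ($($os.Caption))"
    Remove-CimSession $cim
} catch {
    $results['WMI root\cimv2 over DCOM'] = "FAIL: $($_.Exception.Message)"
}

# 2. Remote event log reads over RPC. Application/System/Setup need Event Log Readers membership
#    on the target; Security additionally needs SeSecurityPrivilege there. An empty log reports
#    "No events were found", which is not a permission failure.
foreach ($log in 'Application', 'System', 'Setup', 'Security') {
    try {
        $null = Get-WinEvent -ComputerName $Server -Credential $cred -LogName $log -MaxEvents 1 -ErrorAction Stop
        $results["Read $log log"] = 'OK'
    } catch {
        $results["Read $log log"] = "FAIL: $($_.Exception.Message)"
    }
}

# One-line verdict per check; any FAIL maps back to an item in the Permissions list.
$results.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
```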

First Run

Assuming you have downloaded the provided ZIP file to a folder named C:\WinEventMonitor, follow these steps:

  1. Open a Command Prompt.
  2. Change the directory to C:\WinEventMonitor.
  3. If the ZIP file has not yet been extracted, extract it now. This will produce the following files and folders:

Core Files and Folders

  • Logs – Stores WinEventMonitor’s log files.
  • event_server.txt – Contains a list of Windows servers from which WinEventMonitor will collect log entries.
  • event_filter.txt – Contains a list of event names and messages to collect from Windows servers.
  • event_config.txt – The main configuration file.
  • event_sql_table_script.txt – A SQL script to create the required table in a SQL Server database.

Email Notification

  • WinEventMonitor.ps1 – PowerShell script for sending email notifications.
  • eventAction_EventSubject.txt – List of event names that will trigger specific email notifications sent by the PowerShell script.
  • eventAction_LastWinEventID.txt – Stores the last processed event ID from the SQL Server table (tblWinEvent).

Details on event_server.txt

This file contains the names or IP addresses of the servers to be monitored.

  • Any server or IP address commented out with a # will be ignored during the next refresh cycle.

Details on event_filter.txt

This file contains event names and Windows messages to be monitored.

  • Structure: CustomEventName|Message1|Message2|Message3|Message4|...
  • The first section before the first pipe (|) is treated as the event name (event subject).
  • Each subsequent Message(x) is treated as a separate message but linked to the same event name.
  • Messages can contain Regular Expressions for advanced parsing. WinEventMonitor supports all standard RegEx syntax.
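To make the filter format, the EVENT_PROCESS_ALL rule from the 11 August update and the DUPLICATE_SUPPRESSION_INTERVAL_SEC behaviour concrete, here is an added example that is not WinEventMonitor's own code: it parses constructed event_filter.txt content, matches constructed log messages against the regexes, and applies the two rules. The function names and the 'Unfiltered event' subject are assumptions made for the example.

```powershell
# Added example, not WinEventMonitor's own code. Constructed event_filter.txt content in the
# documented "Subject|Regex1|Regex2" shape; lines starting with # are treated as comments.
$filterText = @'
# comments are skipped
Unexpected Shutdown|The previous system shutdown at .* was unexpected|Event ID 6008
Service Crash|The (.+) service terminated unexpectedly
'@
# Parse each line into a subject (text before the first pipe) and its list of regexes.
function ConvertFrom-EventFilter {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\|'
        [pscustomobject]@{ Subject  = $parts[0].Trim()
                           Patterns = @($parts | Select-Object -Skip 1 | ForEach-Object { $_.Trim() }) }
    }
}
# Return the first matching subject. With no match, the event passes only when
# EVENT_PROCESS_ALL=Yes and the filter list is empty, as the update note specifies.
function Resolve-EventSubject {
    param([object[]]$Rules, [string]$Message, [bool]$ProcessAll)
    foreach ($rule in $Rules) {
        foreach ($pattern in $rule.Patterns) {
            if ($Message -match $pattern) { return $rule.Subject }
        }
    }
    if ($ProcessAll -and $Rules.Count -eq 0) { return 'Unfiltered event' }
    return $null
}
# DUPLICATE_SUPPRESSION_INTERVAL_SEC: drop a subject already seen within the interval.
$lastSeen = @{}
function Test-Suppressed {
    param([string]$Subject, [datetime]$When, [int]$IntervalSec)
    if ($IntervalSec -le 0) { return $false }    # 0 = every event is processed
    if ($lastSeen.ContainsKey($Subject) -and ($When - $lastSeen[$Subject]).TotalSeconds -lt $IntervalSec) { return $true }
    $lastSeen[$Subject] = $When
    return $false
}
$rules = @(ConvertFrom-EventFilter $filterText)
$now   = Get-Date
# Constructed sample messages in the shape of Windows System log entries.
foreach ($msg in 'The Spooler service terminated unexpectedly.  It has done this 1 time(s).',
                 'The Spooler service terminated unexpectedly.  It has done this 2 time(s).',
                 'The previous system shutdown at 09:12:04 on 8/9/2025 was unexpected.') {
    $subject = Resolve-EventSubject -Rules $rules -Message $msg -ProcessAll $false
    if (-not $subject) { continue }
    if (Test-Suppressed -Subject $subject -When $now -IntervalSec 10) { "SUPPRESSED: $subject" } else { "PROCESS: $subject" }
}
```

The second Spooler message is suppressed because it resolves to the same subject within the 10-second window, which is why the duplicate check is keyed on the subject rather than on the full message text.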

Configuration File – event_config.txt

Each entry below shows the parameter with a sample value, followed by its description.

  • DUPLICATE_SUPPRESSION_INTERVAL_SEC = 10
    Suppresses duplicate events for the specified number of seconds. If set to 0, every event is processed. Duplicate detection is based on the first part of each entry in server_filter.txt.
  • THREAD_RESTART_DELAY_SEC = 60
    Time (in seconds) to wait before attempting to reconnect to a disconnected server.
  • THREAD_RESTART_RETRY = 5
    Number of reconnection attempts before giving up.
  • THREAD_ACTIVITY_TO_LOG_FILE = No
    Reserved for future use. Currently has no effect.
  • SERVER_REFRESH_INTERVAL_MIN = 30
    Interval (in minutes) to refresh the server list. Changes in event_server.txt take effect at the next refresh.
  • FILTER_REFRESH_INTERVAL_MIN = 30
    Interval (in minutes) to reload event filters after changes in event_filter.txt.
  • SQLSERVER_NAME = localhost
    SQL Server instance name. For a default instance, specify the server name (e.g., FinanceSQL2022). For a named instance, use ServerName\Instance (e.g., ServerABC\HRSQL927).
  • SQLSERVER_DATABASE = dbWinEvent
    Name of the SQL Server database (default: dbWinEvent).
  • SQLSERVER_TABLE = tblWinEvent
    Name of the SQL Server table (default: tblWinEvent).
  • EVENT_PROCESS_ALL = No / Yes
    Controls whether the engine processes only the events listed in event_filter.txt (No) or all incoming events (Yes). Default: No.

Sample Files Provided

  • server_filter.txt – Contains over 150 predefined event names and messages.
  • eventAction_EventSubject.txt – Contains event names used by the PowerShell script to determine which events trigger email notifications.

Running WinEventMonitor

As a Windows Service

Use NSSM to create a Windows service for WinEventMonitor.

  • Run the service under a Windows domain account with the required permissions to access Windows Event Logs and SQL Server.

From the Command Prompt

Ensure event_server.txt and event_filter.txt are configured before starting. Two modes are available:

  1. With “No” clause
    WinEventMonitor.exe No
    Logs all events to the \logs\ folder without writing to SQL Server.
  2. Without “No” clause
    WinEventMonitor.exe
    Runs in non-interactive mode and writes events to SQL Server (if configured).

Log Management

Logs are stored in the \logs\ folder. WinEventMonitor automatically retains only the last 10 log files.


PowerShell Script for Email Notifications

A provided PowerShell script (WinEvent_Monitor_Mail.ps1) runs continuously, monitoring the SQL Server table for new events.

  • When a new event is found (based on the table’s identity column), it sends an email if the event subject matches an entry in eventAction_EventSubject.txt.
  • Subjects can be excluded from notifications by commenting them out with #.
  • The subject must match exactly the first part of the corresponding entry in server_filter.txt (before the pipe |).
  • After processing an event, the script updates eventAction_EventSubject.txt with the last processed event ID.

Note: Adjust the parameters at the top of the PowerShell script as needed.


Built-in Alerts

WinEventMonitor includes built-in alerts that detect Windows shutdown events by default, including the RPC failures seen when a monitored server goes down. When triggered, alerts are recorded in both the SQL table and the log file.

  • RPC failed
  • The remote procedure call failed
  • The RPC server is unavailable
  • System shutdown event triggered
  • Windows Server is shutting down
  • Windows Server is unavailable
  • Windows Server shutdown