In this TSNotify Series 13, we will learn how to trigger an email notification based on the Windows Task Scheduler Event ID, and how to prepare the necessary package dependencies, such as the Cobra CLI, with a step-by-step guide in the Go programming language.
#MaharlikansCode
#TSNotifySeries13
#TaskSchedulerEventIDNotify
#Golang
#LifeAsSoftwareDeveloper
#Maharlikans
#FilipinoSoftwareDeveloper
If you want to go the extra mile and buy me a cup of coffee, I appreciate it, guys: https://ko-fi.com/maharlikanscode
Source code:
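// ScanEventsList polls the Windows Task Scheduler "Operational" event log
// once a minute, forever, and queues every newly observed event whose Event
// ID appears in taskEventList. It never returns, so callers normally run it
// in its own goroutine; there is no cancellation hook.
//
// Each pass reads the three newest records with wevtutil, parses them into
// TSEvent values and hands the monitored ones to queueTSEvent, which uses
// EventIDStorage to avoid queuing the same event instance twice.
func ScanEventsList() {
	for {
		scanEventsOnce()
		time.Sleep(1 * time.Minute)
	}
}

// scanEventsOnce runs a single poll: query the log, parse the output and
// queue each monitored event.
func scanEventsOnce() {
	// wevtutil is started directly instead of via "cmd /C <string>", so no
	// shell re-parses the command line. The arguments are constant, so the
	// output is the same as with the previous shell invocation.
	out, err := exec.Command("wevtutil", "qe",
		"Microsoft-Windows-TaskScheduler/Operational",
		"/c:3", "/rd:true", "/uni:false", "/f:text").Output()
	if err != nil {
		// Logged and skipped: parsing whatever partial output came back could
		// queue a truncated record, and the next pass retries in a minute.
		itrlog.Error(err)
		return
	}
	for _, ev := range parseTSEvents(string(out)) {
		if isMonitoredEventID(ev.EventID) {
			queueTSEvent(ev)
		}
	}
}

// isMonitoredEventID reports whether id is one of the configured
// taskEventList entries.
func isMonitoredEventID(id int) bool {
	for _, t := range taskEventList {
		if t.EventID == id {
			return true
		}
	}
	return false
}

// parseTSEvents converts the text output of "wevtutil qe ... /f:text" into
// one TSEvent per record.
//
// The parser assumes the wevtutil text layout: an "Event[n]:" header line,
// then one "Label: value" line per field, then the description text on the
// lines after "Description:". Field values keep their "Label: " prefix
// because that is what the stored payload carried before; only the numeric
// Event ID is extracted. A record is emitted when the next header arrives
// and once more after the last line, so the final record is no longer
// dropped, and the working record is reset at every header so that a
// missing field can no longer inherit the previous record's value.
//
// A multi-line description is reduced to its last non-empty line, as
// before. Values are copied verbatim from the event log; anything that
// renders them (an HTML email body, for instance) must escape them itself.
func parseTSEvents(out string) []TSEvent {
	var (
		events  []TSEvent
		ev      TSEvent
		started bool // an "Event[" header has been seen, so ev is live
	)
	// flush appends the record being built (if any) and starts a new one.
	flush := func() {
		if started {
			events = append(events, ev)
		}
		ev = TSEvent{} // IsSent is false for a freshly parsed record
		started = true
	}
	for _, line := range strings.Split(out, "\n") {
		val := strings.TrimSpace(line) // also drops the "\r" of CRLF output
		if val == "" {
			continue
		}
		if strings.Contains(val, "Event[") {
			flush()
			continue
		}
		if !started {
			continue // text before the first header is not part of a record
		}
		// HasPrefix rather than Contains: a description line that merely
		// mentions "Source:" or "Date:" must not overwrite those fields.
		switch {
		case strings.HasPrefix(val, "Log Name:"):
			ev.LogName = val
		case strings.HasPrefix(val, "Source:"):
			ev.Source = val
		case strings.HasPrefix(val, "Date:"):
			ev.Date = strings.TrimSpace(val + _emailTimeExtraLetter)
		case strings.HasPrefix(val, "Event ID:"):
			id, err := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(val, "Event ID:")))
			if err != nil {
				// Atoi yields 0 on failure, so the record simply never
				// matches a monitored ID.
				color.Red(err.Error())
				itrlog.Error(err)
			}
			ev.EventID = id
		case strings.HasPrefix(val, "Task:"):
			ev.Task = val
		case strings.HasPrefix(val, "Level:"):
			ev.Level = val
		case strings.HasPrefix(val, "Opcode:"):
			ev.OpCode = val
		case strings.HasPrefix(val, "Keyword:"):
			ev.Keyword = val
		case strings.HasPrefix(val, "User Name:"):
			ev.UserName = val
		case strings.HasPrefix(val, "User:"):
			ev.User = val
		case strings.HasPrefix(val, "Computer:"):
			ev.Computer = val
		case strings.HasPrefix(val, "Description:"):
			// Label only; the text follows on the next line(s).
		default:
			ev.Description = val
		}
	}
	flush()
	return events
}

// queueTSEvent stores ev for notification unless this exact event instance
// (same Event ID and timestamp) was already queued.
//
// The bookkeeping is: EventIDStorage maps "<eventID>_<date>" to an expiry
// Unix time 24h ahead (nothing in this block consumes the expiry; presumably
// a sweeper elsewhere does), and TS holds the latest encoded payload per
// Event ID. An instance is queued when no payload is stored yet for its ID,
// or when one is but this instance's key is not in EventIDStorage.
// EventIDStorage is written without a lock here; if any other goroutine
// touches it, that access needs synchronizing (not visible from this block).
func queueTSEvent(ev TSEvent) {
	encBytes, err := EncodePayloadTS(ev)
	if err != nil {
		// Previously the (empty) payload was stored anyway and the instance
		// marked as seen, silently losing the notification. Bailing out
		// lets the next pass retry.
		color.Magenta(err.Error())
		itrlog.Error(err)
		return
	}
	// A decode error leaves data zero-valued, which the checks below treat
	// as "nothing stored yet"; presumably that is the normal first-time
	// case, so it is deliberately not logged.
	data, _ := DecodePayloadTS(ev.EventID)

	// Same key shape as before: eventID_eventDateTime,
	// e.g. 102_2020-06-25T08:49:26.635Z.
	key := fmt.Sprintf("%d_%s", ev.EventID, ev.Date)
	var queue bool
	switch {
	case data.EventID == 0 && !data.IsSent:
		queue = true
	case data.EventID > 0:
		_, seen := EventIDStorage[key]
		queue = !seen
	}
	if !queue {
		return
	}
	EventIDStorage[key] = time.Now().Add(24 * time.Hour).Unix()
	TS.RemoveTS(ev.EventID)
	TS.AddTS(ev.EventID, encBytes)
}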