Event Triggers
Updated: January 21, 2005
Displays and configures event triggers on local or remote machines.
To view the command syntax, click a command:
eventtriggers create
This command creates a new event trigger that monitors and acts
upon the occurrence of log events of given criteria.
Syntax
eventtriggers[.exe] /create [/s
Computer [/u Domain\User [/p
Password]]] /tr TriggerName [/l
[APPLICATION] [SYSTEM] [SECURITY] ["DNS Server"]
[LOG] [DirectoryLogName] [*]] {[/eid
ID] | [/t {ERROR | INFORMATION |
WARNING | SUCCESSAUDIT | FAILUREAUDIT}] | [/so
Source]} [/d Description] /tk
TaskName
Parameters
/sComputer
Specifies the name or IP address of a remote
computer (do not use backslashes). The default is
the local computer.
/u Domain\User
Runs the command with the account permissions of the
user specified by User or Domain\User.
The default is the permissions of the current logged
on user on the computer issuing the command.
/pPassword
Specifies the password of the user account that is
specified in the /u parameter.
/trTriggerName
Specifies a friendly name to associate with the
event trigger.
/l [APPLICATION] [SYSTEM] [SECURITY]
["DNS Server"] [LOG] [DirectoryLogName]
[*]]
Specifies the event log(s) to monitor. Valid types
include: Application, System, Security, DNS server,
Log, and Directory log. The wildcard (*) can be used
and is the default value.
/eidID
Specifies a specific event ID for which the event
trigger should monitor. Valid values are any valid
integer.
/t {ERROR | INFORMATION |
WARNING | SUCCESSAUDIT | FAILUREAUDIT}
Specifies an event type for which the event trigger
should monitor. Valid values include: ERROR,
INFORMATION, WARNING, SUCCESSAUDIT, and
FAILUREAUDIT. Cannot be used in conjunction with the
/id or /so parameters.
/soSource
Specifies an event source for which the event
trigger should monitor. Valid values are any string.
Cannot be used in conjunction with the /id or
/type parameters.
/dDescription
Specifies a detailed description of the event
trigger. Valid values are any string.
/tkTaskName
Specifies the task/command/line to execute when the
event trigger conditions are met.
/?
Displays help at the command prompt.
Remarks
- When using the parameters /eid, /t and /so together, a log event must match the criteria specified by all three parameters for the event trigger to be created.
Examples
The following examples show how you can use the eventtriggers
/create command:
eventtriggers /create /tr "Disk Cleanup" /l system /t error /tk c:\windows\system32\cleanmgr.exe
eventtriggers /create /s srvmain /u maindom\hiropln /p p@ssW23 /tr "Low Disk Space" /eid 4133 /t warning /tk \\server\share\ diskcleanup.cmd
eventtriggers /create /s srvmain /user maindom\hiropln /p p@ssW23 /tr "Disk Backup" /eid 4133 /l system /t error /tk \\server\ share\ntbackup.exe
eventtriggers delete
This command deletes an event trigger from a system by event
trigger ID.
Syntax
eventtriggers[.exe] /delete [/s
Computer [/u Domain\User [/p
Password]]] /tid {ID | *}
Parameters
/sComputer
Specifies the name or IP address of a remote
computer (do not use backslashes). The default is
the local computer.
/uDomain\User
Runs the command with the account permissions of the
user specified by User or Domain\User.
The default is the permissions of the current logged
on user on the computer issuing the command.
/pPassword
Specifies the password of the user account that is
specified in the /u parameter.
/tid {ID | *}
Specifies the event trigger(s) to be deleted by
"Event Trigger ID". The (*) wildcard can be used.
/?
Displays help at the command prompt.
Examples
The following examples show how you can use the eventtriggers
/delete command:
eventtriggers /delete /tid 1 /tid 2 /tid 4 /tid 6
eventtriggers /delete /s srvmain /u maindom\hiropln /p p@ssW23 /tid *
eventtriggers /delete /s srvmain /u maindom\hiropln /p p@ssW23 /tid 1
eventtriggers query
Queries and displays a system's event trigger properties and
settings.
Syntax
eventtriggers[.exe] /query [/s
Computer [/u Domain\User [/p
Password]]] [/fo {TABLE | LIST |
CSV}] [/nh] [/v]
Parameters
/sComputer
Specifies the name or IP address of a remote
computer (do not use backslashes). The default is
the local computer.
/uDomain\User
Runs the command with the account permissions of the
user specified by User or Domain\User.
The default is the permissions of the current logged
on user on the computer issuing the command.
/pPassword
Specifies the password of the user account that is
specified in the /u parameter.
/fo {TABLE | LIST | CSV}
Specifies the format to use for the query output.
Valid values are TABLE, LIST, and
CSV. The default format for output is TABLE.
/nh
Suppresses column header in the output. Valid when
the /fo parameter is set to TABLE or
CSV.
/v
Specifies that detailed information be displayed in
the output.
/?
Displays help at the command prompt.
Examples
The following examples show how you can use the eventtriggers
/query command:
eventtriggers /query
eventtriggers /query /s srvmain
eventtriggers /query /s srvmain /u maindom\hiropln /p p@ssW23 /fo list
Remarks
-
When specified without an operation, eventtriggers returns a list of event triggers. To see a list of event triggers, type:
eventtriggers
Output similar to the following appears:
Trigger ID Event Trigger Name Task ========== ================== =============================== 1 Disk Cleanup c:\windows\system32\cleanmgr.exe - In the case that an event fails to execute, eventtriggers creates a log file called TriggerConsumer.log in the \windows\system32\wbem\logs directory containing a message that the event failed to trigger.
Formatting legend
| Format | Meaning |
| Italic | Information that the user must supply |
| Bold | Elements that the user must type exactly as shown |
| Ellipsis (...) | Parameter that can be repeated several times in a command line |
| Between brackets ([]) | Optional items |
| Between braces ({}); choices separated by pipe (|). Example: {even|odd} | Set of choices from which the user must choose only one |
| Courier font | Code or program output |