This script will help you to monitor a resource failover on a cluster. This script has been successfully tested on a Microsoft cluster running on a Windows Server 2012 operating system.

The following steps are performed :

  • use the following event ID in the event log Microsoft-Windows-FailoverClustering/Operational as scheduled task triggers
    • Event ID 1200 : trying to bring online a cluster resource
    • Event ID 1201 : the cluster resource is online
    • Event ID 1203 : trying to take offline a cluster resource
    • Event ID 1204 : the cluster resource is offline
  • the script is executed and send an email with the informations about the failover

This method can be applied to different kind of situation where you need to track an event ID and launch a task/script. I have used this method to monitor the changes in my Active Directory forest

On each cluster nodes, follow these steps :

  • copy the script below in c:\temp
  • create a scheduled task with this parameters :
    • name : clustermon
    • Trigger type : “On an event”
    • Trigger Settings : “Custom” > click on the button “New Event Filter” : In the Event Logs dropdown, select “FailoverClustering>Operational”.
      In the “Event ID” field, put : 1200,1201,1203,1204
      (keep the comma between the eventid)
    • click on the ok button to close the “New Event Filter” window
    • Action tab : Click “New” > Program/script = powershell.exe
      Argument = .\cluster_email.ps1 -eventRecordID $(eventRecordID)
      Start in = c:\temp
  • Close the windows to validate the creation of the scheduled task
  • Right click the scheduled task > Export
  • open the exported file with a text editor
  • add the following lines :
    <ValueQueries>
            <Value name="eventChannel">Event/System/Channel</Value>
            <Value name="eventRecordID">Event/System/EventRecordID</Value>
            <Value name="eventSeverity">Event/System/Level</Value>
    </ValueQueries>
  • Sched_task_xml

  • save and close the file
  • delete the scheduled task you have created previously
  • right click and then import the modified xml file as a new scheduled task

The script :

param($eventRecordID)

Function send_mail([string]$message,[string]$subject) { 
    $emailFrom = "from@mail.example" 
    $emailTo = "to@mail.example" 
    $emailCC = "cc@mail.example" 
    $smtpServer = "mailserver.mail.example" 
    Send-MailMessage -SmtpServer $smtpServer -To $emailTo -Cc $emailCC -From $emailFrom -Subject $subject -Body $message -BodyAsHtml
} 

$html_head = "<style type='text/css'>body {font-family:verdana,arial,sans-serif;font-size:14px;}</style>"
$xml_filter = "<QueryList><Query Id='0' Path='Microsoft-Windows-FailoverClustering/Operational'><Select Path='Microsoft-Windows-FailoverClustering/Operational'>*[System[(EventRecordID=$eventRecordID)]]</Select></Query></QueryList>"
$event = Get-WinEvent -FilterXml $xml_filter
$event_date = $event.TimeCreated
$clusternode_name = $event.MachineName
$eventID = $event.Id
$eventXML = [xml]$event.ToXml()

$resource_type = $eventXML.Event.EventData.Data.name
$resource_name = $eventXML.Event.EventData.Data.'#text'

$message = "[FAILOVER EVENT]<br /><br />"

switch -Regex ( $eventID ) { 
    "1200" {
		$message += "Cluster node : <i><b>$clusternode_name</b></i><br />Failover event : Trying to bring online a cluster resource<br />Resource Type :  $resource_type<br />Resource Name : <i><b>$resource_name</b></i>"
	} 
    "1201" {
		$message += "Cluster node : <i><b>$clusternode_name</b></i><br />Failover event : Cluster resource is now <font color='green'>online</font><br />Resource Type :  $resource_type<br />Resource Name : <i><b>$resource_name</b></i>"
	} 
    "1203" {
		$message += "Cluster node : <i><b>$clusternode_name</b></i><br />Failover event : Trying to take offline a cluster resource<br />Resource Type :  $resource_type<br />Resource Name : <i><b>$resource_name</b></i>"
	} 
    "1204" {
		$message += "Cluster node : <i><b>$clusternode_name</b></i><br />Failover event : Cluster resource is now <font color='red'>offline</font><br />Resource Type :  $resource_type<br />Resource Name : <i><b>$resource_name</b></i>"
	} 
	default {
		$message += "Event ID not detected"
	}
}

$subject = "[CLUSTER EVENT] $event_date - $clusternode_name / $resource_type->$resource_name"

$message_html = $html_head + "<body>" + $message + "</body>"
send_mail $message_html $subject
Monitor a resource failover on a cluster

Leave a Reply

Your email address will not be published.