How to setup pushover alert on logon event in Windows

In this post I’ll show you how to configure Pushover with Windows server. In this specific case it will notify you when someone logs onto your machine.

This screenshot shows what you can accomplish:

Pushover screenshot on iOS device.

An attachment with all the scripts is in the footer of this post.

Configure Pushover

(You can skip this section if you are a Pushover cowboy)

First you’ll need a Pushover account and client (unfortunately it’s not free). Once you’ve logged in to your account, go to Apps & Plugins. Now you need to create an app for your server monitoring purposes. Call it whatever fits your task, for example “Server monitor”. Select an icon; since we will be using PowerShell for this task, I’ve selected this one.

Creating new app on Pushover website.

After creating your application you’ll get an API key. It looks like this:

API Token/Key

Copy it to Notepad. This is the first key that we’ll need.

The other key is on the main page (simply click the Pushover logo). Copy this second key to Notepad as well.

User key.

You’ll also need to configure a client for your notifications, but that’s not the topic of this post. There is good documentation here.

Windows Server part

You need to have at least PowerShell 3 installed. If you don’t have it, please obtain it from here. If you don’t know which version is installed on your machine, simply start PowerShell and type echo $PSVersionTable. You’ll get output like this:

PowerShell 2.0, which is not sufficient (look at PSVersion)

Log on to your server machine and create a file called pushover.ps1 (of course you can name it whatever you want) somewhere on your system (I’ve used C:\Batch in this case). Open it in your favorite text editor and put the following contents into it:

param (
	# Values substituted by Task Scheduler from the triggering event
	[string]$username = "none",
	[string]$logontype = "not defined",
	[string]$ip = "address not defined"
)

# Pushover message API endpoint
$uri = "https://api.pushover.net/1/messages.json"
$parameters = @{
  token = "put your API token here"   # application API token/key
  user = "put your user token"        # your user key
  message = "$username has logged to $env:computername (logon type $logontype) from $ip."
}
# Send the fields as the body of the POST request
$parameters | Invoke-RestMethod -Uri $uri -Method Post


Now go into Task Scheduler and create a new task called “Login monitoring” or something like that. Select Run whether user is logged on or not.


Go to Triggers and click New. Select Begin the task: On an event and choose Custom in the settings, like this:


When you’re ready, click the New Event Filter … button. In the next window select the XML tab and tick the Edit query manually option below.


Put the following into the text field:

<QueryList>
 <Query Id="0" Path="Security">
 <Select Path="Security">
 *[
 System[(EventID='4624')]
 and
 EventData[(Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3')]
 ]
 </Select>
 </Query>
</QueryList>

Quick explanation:

  1. EventID='4624' stands for the Windows log on event.
  2. Data[@Name='LogonType']='10' and '3' stand for specific types of log on (check this).

After clicking OK two times, go to the Actions tab. Click New and configure it like this:

  1. Program/script: powershell
  2. Add arguments (optional): -ExecutionPolicy Bypass -file "C:\Batch\pushover.ps1" -username "$(TargetUserName)" -logontype "$(LogonType)" -ip "$(IpAddress)"

Click OK two times and type your credentials.

Almost there mate…

There is still one trick to fulfill our dreams of detailed notification! Export your task to an XML file.


Open this file in your favorite text editor and find the closing tag </Subscription>. Just after it, paste the following:

 <ValueQueries>
 <Value name="TargetUserName">Event/EventData/Data[@Name='TargetUserName']</Value>
 <Value name="LogonType">Event/EventData/Data[@Name='LogonType']</Value>
 <Value name="IpAddress">Event/EventData/Data[@Name='IpAddress']</Value>
 </ValueQueries>


Save it. Now go back into Task Scheduler, delete the task that you created 5 minutes ago (yes, do this!) and import the task from the file that you’ve just edited.

All set! Log onto your machine and check if everything is working.

Leave a comment in case of a problem.

Further tweaks

There are some things that could work better. For example, log on and log off are the same numbers in the Windows event log, so you’ll also be notified about these events. Also, every Samba access will trigger a notification (type 3 of Windows log on).
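
One way to cut this noise before a notification is sent. This is an added example, not part of the original post or its attachment: it reads the same three fields from an event's XML and decides whether the event deserves an alert. The function names, the skip rules and the sample events are assumptions constructed for illustration.

```powershell
# Added example, not part of the original post. Function names, the skip rules
# and the sample events are assumptions; tune the rules to your environment.
$ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }

function New-SampleEvent([int]$Id, [string]$User, [string]$Type, [string]$Ip) {
    # Constructed, minimal stand-in for the XML of a Security log event.
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>$Id</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$Type</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

function Get-EventValue([xml]$EventXml, [string]$XPath) {
    # Namespace-qualified form of the paths used in the task's ValueQueries.
    $hit = Select-Xml -Xml $EventXml -Namespace $ns -XPath $XPath
    if ($hit) { $hit.Node.InnerText } else { '' }
}

function Test-LogonAlert([xml]$EventXml) {
    $id   = Get-EventValue $EventXml '/e:Event/e:System/e:EventID'
    $user = Get-EventValue $EventXml "/e:Event/e:EventData/e:Data[@Name='TargetUserName']"
    $type = Get-EventValue $EventXml "/e:Event/e:EventData/e:Data[@Name='LogonType']"
    $ip   = Get-EventValue $EventXml "/e:Event/e:EventData/e:Data[@Name='IpAddress']"

    if ($id -ne '4624') { return $false }                      # e.g. 4634 logoff
    if (@('3', '10') -notcontains $type) { return $false }     # network / RDP only
    if ($user.EndsWith('$')) { return $false }                 # computer accounts
    if ($user -eq 'ANONYMOUS LOGON') { return $false }
    if (@('', '-', '::1', '127.0.0.1') -contains $ip) { return $false }  # no remote source
    return $true
}

$samples = @(
    (New-SampleEvent 4624 'alice'    '10' '203.0.113.7'),   # RDP logon
    (New-SampleEvent 4624 'FILESRV$' '3'  '-'),             # SMB, computer account
    (New-SampleEvent 4634 'alice'    '3'  '')               # logoff
)
foreach ($s in $samples) {
    '{0,-9} notify={1}' -f (Get-EventValue $s "//e:Data[@Name='TargetUserName']"), (Test-LogonAlert $s)
}
```

To preview the rules against real data, pass `[xml]$_.ToXml()` for records returned by `Get-WinEvent -LogName Security` in an elevated session.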




Comments

0 responses to “How to setup pushover alert on logon event in Windows”

  1. Björn

    Thanks for your guide.
    I have a question. Can I get the public IP address instead of the internal?
    This works fine in PowerShell
    (Invoke-WebRequest ifconfig.me/ip).Content
    but I don’t know how to add it in your script.
    Grateful for your help

    1. Konrad Fedorczyk

      Hi,
      I’m getting an external IP address using this script. Generally you can pass that way everything that you can find in your Windows event. I believe using “(Invoke-WebRequest ifconfig.me/ip).Content” will return the IP of the computer that triggers the event, not of the user that logged on to the system.