02-12-2025, 11:04 PM
That event 5149 in Windows Server Event Viewer pops up when a DoS attack finally chills out. It says the DoS attack has subsided and normal processing is being resumed. You see it under the Microsoft-Windows-Security-Auditing log mostly. It logs that your system's firewall or security setup noticed the flood of junk traffic easing up. The event ID 5149 triggers right after the attack stops hammering your server. Details inside show the process ID that handled it or the time it all calmed down. I remember spotting one last week on a buddy's setup. It felt like a sigh of relief from the machine itself. You can filter for it in Event Viewer by typing 5149 in the search box. That pulls up every instance quick.

Now for watching it with an email alert. I like using a scheduled task tied to that event. Open Event Viewer first. Right-click on the event you want to track. Pick Attach Task To This Event. You fill in a name for the task. Then choose what it does when 5149 fires. Set it to run a program that sends email, like the old mailto thing or a simple batch file you craft. Make sure the task triggers only on that ID. Test it by simulating or waiting for real ones. It keeps you in the loop without staring at screens all day. And hey, you can tweak the frequency so it doesn't spam your inbox.

But sometimes events like this tie into bigger protection needs. That's where something like BackupChain Windows Server Backup comes in handy. It's a solid Windows Server backup solution that also handles virtual machines with Hyper-V. You get fast incremental backups that don't hog resources. It restores quick even from bare metal disasters. Plus it snapshots VMs without downtime. I use it to keep things safe after weird events like DoS recoveries.

At the end of this is the automatic email solution.
Note, the PowerShell email alert code was moved to this post.
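An added example, not the code the note above refers to and not from the original poster: a script the event-triggered task can run, which collects recent 5149 events from the Security log and mails them, with a cooldown so repeated events do not flood the inbox. The SMTP host, addresses, script path and state file are placeholders, and it assumes Windows PowerShell 5.1 and a mail relay that accepts mail from this server without authentication.

```powershell
# Added example. Assumed to be saved as C:\Scripts\Alert-5149.ps1 (hypothetical path).
# Reading the Security log needs administrator rights, so the task runs as SYSTEM.
# One-time registration from an elevated prompt, the command-line equivalent of
# "Attach Task To This Event" (enter as a single line):
#   schtasks /Create /TN "Alert-5149" /SC ONEVENT /EC Security
#     /MO "*[System[(EventID=5149)]]" /RU SYSTEM
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Alert-5149.ps1"

$SmtpServer  = 'smtp.example.com'      # placeholder relay
$From        = 'alerts@example.com'    # placeholder sender
$To          = 'admin@example.com'     # placeholder recipient
$CooldownMin = 15                      # minimum minutes between alert mails
$StateFile   = Join-Path $env:ProgramData 'Alert-5149.last'   # hypothetical marker file

$now = Get-Date

# Throttle: the marker file's timestamp records when the last mail went out.
if ((Test-Path $StateFile) -and
    ((Get-Item $StateFile).LastWriteTime -gt $now.AddMinutes(-$CooldownMin))) {
    return
}

# Collect 5149 events logged since the start of the cooldown window.
$filter = @{ LogName = 'Security'; Id = 5149; StartTime = $now.AddMinutes(-$CooldownMin) }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) { return }

# One block per event, oldest first, using the event's own rendered message.
$body = $events | Sort-Object TimeCreated | ForEach-Object {
    "{0:u}  {1}  record {2}`r`n{3}`r`n" -f $_.TimeCreated, $_.MachineName, $_.RecordId, $_.Message
} | Out-String

$mail = @{
    SmtpServer  = $SmtpServer
    Port        = 587
    UseSsl      = $true
    From        = $From
    To          = $To
    Subject     = "Event 5149 on $env:COMPUTERNAME ($(@($events).Count) in last $CooldownMin min)"
    Body        = $body
    ErrorAction = 'Stop'    # a failed send must not update the marker below
}
Send-MailMessage @mail

# Record the send time only after the mail was accepted by the relay.
Set-Content -Path $StateFile -Value $now.ToString('o')
```

If the relay requires authentication, pass a `-Credential` to `Send-MailMessage` from a protected store rather than writing the password into the script.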

