Access event viewer on a non-domain joined computer

Entaille · December 23, 2015, 10:55pm

Hello - is there a way to utilize BigFix in some manner to access the event viewer on a computer not joined to the domain? The computers in question have the BigFix agent installed, and can communicate with the BigFix server on our domain.

strawgate · December 24, 2015, 3:21am

If you know specifically what events you are looking for you can use the event inspector: https://support.bigfix.com/inspectors/System%20Objects_Any.html#event%20log

Entaille · December 28, 2015, 5:47pm

thanks - I am not entirely clear on which events I’m after, this was more for general troubleshooting on a remote machine without disrupting them and taking control of it (being able to browse system/app logs specifically)

strawgate · December 28, 2015, 5:55pm

You definitely won’t want to pull the entire event log with BigFix. You should be able to use the event viewer to remotely connect to the machine and use a local account on the system for authentication.

if you know roughly what you’re looking for (warnings/errors in the application event log) you can start with that

Entaille · December 28, 2015, 6:06pm

thanks - I was thinking that was the case, but was hopeful that there was a tool/process I wasn’t aware of. It’s an odd scenario where most things are blocked but the agent and console have open communication, I was trying to avoid poking any new holes open.

jgstew · December 28, 2015, 7:15pm

If you know what you are looking for, then you can write relevance to detect it with BigFix.

The idea would be to find a computer with an issue and examine it’s logs to narrow down the issue and figure out how to write relevance to look for it specifically. Then once you have that, you can put it into an analysis and get back the data for all computers to see if they have the same problem.

One issue is you have to be very careful with the log inspector, it can be very slow in some cases, particularly as the event logs get very large. You should have any properties dealing with event logs report once every 6 hours or less often. It is also a good idea to limit the search to the last 30 or 60 days of events in the log.

It should be possible to export the event logs from a particular computer and upload them to the root sever using BigFix. Then get them, put them on another machine, and then dig through them to find what you are looking for.