BigFix relevance based on disabled Event Log in Windows

flayofish · July 8, 2021, 4:46pm

Good afternoon!
I’m wanting to create a BigFix relevance based on the disabled Windows event log “Microsoft-Windows-PrintService/Operational” (this log is disabled by default in Windows devices). I can then leverage PowerShell to turn it on for targeted devices.
I’d also like to create a separate relevance based on Event ID 307 inside “Microsoft-Windows-PrintService/Operational” event log.
The goal here is to target specific devices to enable printing service logging, then turn around and create a column in computers that reports the presence of Event ID 307 inside of that Event Log. Any help on this is greatly appreciated, thanks!

flayofish · July 8, 2021, 6:57pm

I’m doing some work arounds at the moment. Does anyone have info on how to target relevance based on specific Event ID? This ID would not be in the basic locations, it’s nested “Microsoft-Windows-PrintService/Operational” and the ID is 307. Found some posts on this subject, but the links with the answers go to 505 errors on the website.

SLB · July 8, 2021, 8:02pm

To check if any records exist

Q: exists records whose (event id of it = 307) of event log "Microsoft-Windows-PrintService/Operational"
A: False
T: 0.812 ms
I: singular boolean

Or to count them

Q: number of records whose (event id of it = 307) of event log "Microsoft-Windows-PrintService/Operational"
A: 0
T: 0.802 ms
I: singular integer

flayofish · July 8, 2021, 8:08pm

well that turned out WAAAAAY easier than I thought it would, thanks!!!

brolly33 · July 8, 2021, 8:09pm

Nice thinking. re you going to use this to help identify servers that never print, to help targeting on disabling the spooler?

flayofish · July 8, 2021, 8:11pm

exactly what I plan to do But you have to enable the print service operational event log first as it is disabled by default. Here’s the one-liner Action i used to enable it through BigFix:
waithidden powershell -ExecutionPolicy Bypass -command “$logName = ‘Microsoft-Windows-PrintService/Operational’ ; $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName ; $log.IsEnabled=$true ; $log.SaveChanges()”

flayofish · July 8, 2021, 8:14pm

Just be aware it only starts logging printing events after Event log is enabled.

flayofish · July 9, 2021, 1:28pm

After studying a few servers I expanded the relevance statement:
(exists records whose (event id of it = 307) of event log “Microsoft-Windows-PrintService/Operational”) OR (exists records whose (event id of it = 800) of event log “Microsoft-Windows-PrintService/Operational”) OR (exists records whose (event id of it = 801) of event log “Microsoft-Windows-PrintService/Operational”) OR (exists records whose (event id of it = 805) of event log “Microsoft-Windows-PrintService/Operational”) OR (exists records whose (event id of it = 842) of event log “Microsoft-Windows-PrintService/Operational”)

JasonWalker · July 9, 2021, 1:50pm

Looks good, but I’d point out that this causes a full scan of the event log 5 times, which may be inefficient as the log grows. This alternative scans the event log once and may improve the performance

(exists records whose (
 event id of it = 307 
 or event id of it = 800 
 or event id of it = 801 
 or event id of it = 805 
 or event id of it = 842
) of event log "Microsoft-Windows-PrintService/Operational")

flayofish · July 9, 2021, 2:02pm

Thank you for pointing that out, I didn’t realize it’d do that!

brolly33 · July 9, 2021, 2:46pm

nice enhancement, @JasonWalker
We could go one further with a set

(exists records whose ( event id of it is contained by set of (307; 800; 801; 805 ;842)) of event log "Microsoft-Windows-PrintService/Operational")