(imported topic written by jeremytoo)
I am using the following relevance to get the location of the security event log on MS Windows machines.
value “File” of key “HKLM\System\CurrentControlSet\Services\EventLog\Security” of native registry as string
This returns a value such as:
%SystemRoot%\System32\config\SecEvent.Evt
I then strip out the unparseable characters with this relevance:
Preceding text of first “%00” of (following text of last “%25” of (value “File” of key “HKLM\System\CurrentControlSet\Services\EventLog\Security” of native registry as string))
Using that, I try to see if the file exists, using this relevance:
exists ( file (Preceding text of first “%00” of (following text of last “%25” of (value “File” of key “HKLM\System\CurrentControlSet\Services\EventLog\Security” of native registry as string)) ) of windows folder)
It seems to me like this should work, but it doesn’t, so I must be doing something wrong.
I note that the fixlet debugger generally cannot see the parent directory of the security event file, but that the bigfix client can see it. The client reports that this file does not exist – even though I can see the file via windows explorer.
Also, the following relevance DOES evaluate to true:
exists security event log
I want to be able to pass the location of the Security Event Log through to a batch file which will parse the log for events. We are trying to launch the batch file via actionscript, so the approach I have above isn’t the only way I’d be willing to approach this. If there were something like:
pathname of security event log
I’d be MORE than happy to use that instead.
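As an added illustration (not from the original post and not BigFix code), the string handling that the relevance above performs, written out in Python so the intermediate values are visible. It assumes the raw registry value, as the relevance sees it, carries "%25" for a literal percent sign and a trailing "%00" terminator; that is inferred from the stripping expression in the post, not confirmed by it. The Windows folder path is a constructed sample.

```python
import ntpath

# Constructed sample of the REG_EXPAND_SZ value in the percent-escaped form the
# post's relevance appears to work on ("%" -> "%25", trailing NUL -> "%00").
# ASSUMPTION: the real client may present the value differently.
RAW_VALUE = r"%25SystemRoot%25\System32\config\SecEvent.Evt%00"


def strip_relevance_style(raw: str) -> str:
    """Mirror the post's expression: 'following text of last "%25"',
    then 'preceding text of first "%00"' of that."""
    after_last = raw[raw.rfind("%25") + len("%25"):]
    if "%00" in after_last:
        after_last = after_last[:after_last.index("%00")]
    return after_last


def decode_value(raw: str) -> str:
    """Alternative: undo the percent escapes and drop the NUL terminator,
    keeping the %SystemRoot% token intact for later expansion."""
    return raw.replace("%25", "%").split("%00", 1)[0]


def resolve_under_windows_folder(raw: str, windows_folder: str) -> str:
    """Build the path that 'file ... of windows folder' is meant to check.
    The stripped tail starts with a backslash, so it is removed before the
    join to avoid a doubled separator."""
    tail = strip_relevance_style(raw).lstrip("\\")
    return ntpath.join(windows_folder, tail)


def expand_system_root(raw: str, system_root: str) -> str:
    """Alternative: expand %SystemRoot% explicitly from the decoded value."""
    return decode_value(raw).replace("%SystemRoot%", system_root)


if __name__ == "__main__":
    print(strip_relevance_style(RAW_VALUE))
    print(resolve_under_windows_folder(RAW_VALUE, r"C:\Windows"))
    print(expand_system_root(RAW_VALUE, r"C:\Windows"))
```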