Cannot see if security event log exists

(imported topic written by jeremytoo)

I am using the following relevance to get the location of the security event log on MS Windows machines.

value "File" of key "HKLM\System\CurrentControlSet\Services\EventLog\Security" of native registry as string

This returns a value such as:

%SystemRoot%\System32\config\SecEvent.Evt

I then strip out the unparseable characters with this relevance:

preceding text of first "%00" of (following text of last "%25" of (value "File" of key "HKLM\System\CurrentControlSet\Services\EventLog\Security" of native registry as string))

Using that, I try to see if the file exists, using this relevance:

exists (file (preceding text of first "%00" of (following text of last "%25" of (value "File" of key "HKLM\System\CurrentControlSet\Services\EventLog\Security" of native registry as string))) of windows folder)

It seems to me like this should work, but it doesn’t, so I must be doing something wrong.

I note that the fixlet debugger generally cannot see the parent directory of the security event file, but that the BigFix client can see it. The client reports that this file does not exist – even though I can see the file via Windows Explorer.

Also, the following relevance DOES evaluate to true:

exists security event log

I want to be able to pass the location of the Security Event Log through to a batch file which will parse the log for events. We are trying to launch the batch file via action script, so the approach I have above isn't the only way I'd be willing to approach this. If there were something like:

pathname of security event log

I’d be MORE than happy to use that instead.

(imported comment written by NoahSalzman)

Does this help?

Q: (value "File" of key "HKLM\System\CurrentControlSet\Services\EventLog\Security" of native registry as string)

A: %25SystemRoot%25\System32\winevt\Logs\Security.evtx%00

Q: expand environment string of (value "File" of key "HKLM\System\CurrentControlSet\Services\EventLog\Security" of native registry as string)

A: C:\Windows\System32\winevt\Logs\Security.evtx

(imported comment written by jeremytoo)

That's a lot cleaner than what I had before!

So, should this also work:

exists file (expand environment string of (value "File" of key "HKLM\System\CurrentControlSet\Services\EventLog\Security" of native registry as string))

On my 64-bit Server 2003 and Server 2008 machines, it's reporting false to that – even though I can see the files in Windows Explorer.

(imported comment written by NoahSalzman)

Maybe try “exists x64 file …” ?

(imported comment written by jeremytoo)

Noah: That worked, so then I have to use different relevance between 32-bit and 64-bit Windows?

Is there a doc explaining all this?
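The two things this thread turns on, as an added illustration that is not code from the thread or from BigFix: the raw registry value comes back percent-encoded (`%25` is a literal `%`, `%00` the terminating NUL of the REG_EXPAND_SZ value) and still needs its `%SystemRoot%` reference expanded, and on 64-bit Windows a 32-bit process has `<SystemRoot>\System32` silently redirected to `SysWOW64` by WOW64 unless redirection is bypassed, which is why plain `exists file` reported false while `x64 file` worked. The function names below are hypothetical, the sample value is the one Noah posted, and the environment mapping and OS/process bitness are supplied as parameters so the model runs offline on any platform.

```python
import re

# Sample value copied from the thread (the "as string" cast of the REG_EXPAND_SZ value).
SAMPLE_RAW = r"%25SystemRoot%25\System32\winevt\Logs\Security.evtx%00"


def decode_registry_string(raw):
    """Undo the %XX encoding applied by the 'as string' cast and drop the trailing NUL.

    A single regex pass means the '%' produced from '%25' is never decoded twice.
    """
    decoded = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return decoded.rstrip("\x00")


def expand_windows_env(path, env):
    """Expand %NAME% references case-insensitively, like ExpandEnvironmentStrings.

    Names that are not defined are left untouched rather than blanked, so a
    missing variable is visible in the result instead of producing a bogus path.
    """
    lookup = {name.upper(): value for name, value in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)


def wow64_view(path, system_root, is_32bit_process, is_64bit_os,
               redirection_disabled=False):
    """Return the path a process actually opens.

    WOW64 redirects <SystemRoot>\\System32 to <SystemRoot>\\SysWOW64 for 32-bit
    processes on 64-bit Windows. The SysWOW64 tree has no winevt\\Logs, so an
    existence check through the redirected view fails even though the file is
    there. Bypassing redirection (what the 'x64 file' inspector does) restores
    the real path.
    """
    root = system_root.rstrip("\\")
    system32 = root + "\\System32\\"
    redirected = is_32bit_process and is_64bit_os and not redirection_disabled
    if redirected and path.lower().startswith(system32.lower()):
        return root + "\\SysWOW64\\" + path[len(system32):]
    return path


def security_log_path(raw, env, is_32bit_process, is_64bit_os,
                      redirection_disabled=False):
    """Full pipeline: decode, expand, then apply the WOW64 view the caller runs under."""
    expanded = expand_windows_env(decode_registry_string(raw), env)
    return wow64_view(expanded, env["SystemRoot"], is_32bit_process, is_64bit_os,
                      redirection_disabled)


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\Windows"}  # constructed environment
    # 32-bit client on 64-bit Windows: what "exists file" actually tested.
    print(security_log_path(SAMPLE_RAW, env, True, True))
    # Same client with redirection bypassed, as "exists x64 file" does.
    print(security_log_path(SAMPLE_RAW, env, True, True, redirection_disabled=True))
```

The practical takeaway for the relevance itself: decode and expand once, then choose the inspector (`file` versus `x64 file`) based on whether the client is a 32-bit process on a 64-bit OS, rather than hard-coding separate paths for each architecture.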