I’ve got two fixlets that I would like to combine in to one. They are as follows:
(1) not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000))))
(2) not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer > 250000))))
I’ve tried a few different methods:
not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000)) OR (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer > 250000))))
or
not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000)))) OR not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000))))
Anyway… the combinations I’ve tried haven’t yielded the results I’m looking for. And yes, both of the fixlet syntaxes are correct - there is supposed to be negation (I am looking for users who don’t have their application logs configured as per the system configuration policy).
You were very close. The only thing I would recommend is that you enclose the two OR'd conditions.
EX. (condition 1) OR (condition 2)
q:() OR ()
E: This expression could not be parsed.
q: (not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000))))) OR (not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer > 250000)))))
If you are trying to find any computer which has one or both configured incorrectly, then you want the logic in the form of “not (() AND ())” or “(not ()) OR (not ())”. These are logically equivalent.
The first example you tried was in the form "not (() OR ())", which would only become relevant if BOTH registry locations were < 250000.
@jgstew - yes, that’s exactly what I am attempting to do. The policy for that particular setting (log file size) can be defined in either of those two registry keys - it all depends on what the sys admin decides to do (use gpedit or secpol). So, in order to make sure that the log file size is correctly configured, I need to check both registry keys. It doesn’t matter if one is configured and the other isn’t, it just matters that one is configured correctly.
Anyway, I hadn’t thought of working it out that way, so I’ll have to give it a try. Thanks!
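To make the difference between the candidate fixlet shapes concrete, here is an added Python model (not code from the thread or from BigFix) that mirrors the relevance test "exists (values "MaxSize" ... as string) whose (it as integer >= 250000)" for each key and evaluates the three forms discussed above over every combination of key states; the registry readings are constructed sample values, not real machine data.

```python
# Added example: models the relevance logic so the candidate fixlet forms can be
# compared over every combination of registry key states. Not BigFix code.
from itertools import product

THRESHOLD = 250000  # the MaxSize floor used throughout the thread

# Constructed sample readings. None models a key/value that does not exist,
# which is what 'exists (values "MaxSize" of keys ...)' tests in relevance.
SAMPLE_SERVICE_KEY = "16384"    # ...\System\CurrentControlSet\Services\EventLog\Application
SAMPLE_POLICY_KEY = "262144"    # ...\Software\Policies\Microsoft\Windows\EventLog\Application


def value_ok(raw):
    """Mirror of: exists (values "MaxSize" ... as string) whose (it as integer >= 250000)."""
    if raw is None:
        return False  # value absent: 'exists' is false
    try:
        return int(raw) >= THRESHOLD
    except ValueError:
        return False  # non-numeric data: 'it as integer' would fail, treat as not ok


def compliant(service_raw, policy_raw):
    """Compliance as the thread settles on it: either key carries a large enough MaxSize."""
    return value_ok(service_raw) or value_ok(policy_raw)


def fixlet_forms(service_raw, policy_raw):
    """Evaluate the candidate relevance shapes from the thread for one machine."""
    a, b = value_ok(service_raw), value_ok(policy_raw)
    return {
        "not (A or B)": not (a or b),              # flags only when NEITHER key is ok
        "not (A and B)": not (a and b),            # flags when EITHER key is missing/low
        "(not A) or (not B)": (not a) or (not b),  # identical to the previous (De Morgan)
    }


def truth_table():
    """All four combinations of key states as (A, B, results of each form)."""
    rows = []
    for a_raw, b_raw in product([None, "262144"], repeat=2):
        rows.append((value_ok(a_raw), value_ok(b_raw), fixlet_forms(a_raw, b_raw)))
    return rows


if __name__ == "__main__":
    print("compliant:", compliant(SAMPLE_SERVICE_KEY, SAMPLE_POLICY_KEY))
    for a, b, forms in truth_table():
        print(f"A={a!s:5} B={b!s:5}", forms)
```

The table shows why "not (A and B)" over-reports for this requirement: it flags any machine where only one of the two keys is set, whereas "not (A or B)" flags only machines where neither key meets the threshold.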
((not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000))))) AND (not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer > 250000)))))) OR ((not (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventLog\Application" of registries as string) whose (it as integer > 250000))))) OR (((exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer < 250000)))))
So far, it's returning 0 violations (i.e. 0 instances in which the statement is true)… which I suppose is a good thing. I'm almost scared that I've gotten the logic wrong, and that there are some false negatives.
What I'll often do to double check my logic is create an analysis that will return the actual value of the registry keys. Then, to triple check, look at the value of the registry key on one of the machines and make sure the Fixlet evaluates to true.
Alright, I must be screwing up the logic somewhere… The statements and logic mentioned in the posts above haven’t really led me to a solution… A progress update follows…
I have set up the following analysis:
-There are 2 analysis properties:
((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application" of registries as string) whose (it as integer >= 250000))))
((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer >= 250000))))
Property 1 returns 24 results as false and 673 results as true - which is pretty spot on (and the results I am looking for). Property 2 also returns the proper results (I am attempting to determine if one of the registry values - it doesn’t matter which - exists, and has the proper value).
So, the problem I am wrestling with is how to set up the Fixlet in order to report machines that aren’t in compliance with the analysis statement…
If I understand your question, you want to find out if either of these keys has a value set at 250000 or above, and have the Fixlet report true. The only thing you should have to do is put "OR" in between them. I just tested this on my machine and changed the value to above and below the 250k limit, and it changed evaluation from true to false for me.
((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application" of registries as string) whose (it as integer >= 250000)))) OR ((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer >= 250000))))
One additional thought is that my system is 64-bit, so I added it to:
You might also put the last 2 items in your analysis to pull the actual value:
q: ((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application" of registries as string) whose (it as integer >= 250000))))
A: False
T: 0.073 ms
I: singular boolean
q: ((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer >= 250000))))
A: True
T: 0.103 ms
I: singular boolean
q: ((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application" of registries as string) whose (it as integer >= 250000)))) OR ((( exists (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string) whose (it as integer >= 250000))))
A: True
T: 0.122 ms
I: singular boolean
q: (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application" of registries as string)
A: 16384
T: 0.136 ms
I: plural string
q: (values "MaxSize" of keys "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application" of registries as string)