Displaying certain eventlog message

(imported topic written by JesseR91)

I am writing an analysis to grab a certain eventlog message. The Windows 2000 DST fix runs a VBScript and logs an event in the eventlog stating "DST 2007 Registry Update and Refresh was a success"; the SourceName is WSH. Using this code:

string values of selects ("Message from Win32_NTLogEvent where SourceName = 'WSH'") of wmi

It will return all WSH entries. I want it to ONLY return the DST information. I am struggling to figure this out. Anybody have any ideas? Thanks!

(imported comment written by BenKus)

Hey JesseR,

Are you using BES 6.0? If so, you can do something like this:

descriptions of records whose (event id of it = 4 AND source of it = "WSH" AND description of it contains "") of application event log

See here http://forum.bigfix.com/viewtopic.php?id=630 for more details about this…

Ben

(imported comment written by JesseR91)

thanks Ben! Is there a way I can just type some of the description instead of the entire thing?

(imported comment written by BenKus)

Sure… because we are using the “contains” inspector, you can specify a subset of the description…

So for instance, if the description was:

“There was an error in device001.”

Any of these relevance expressions should work:

descriptions of records whose (event id of it = 4 AND source of it = "WSH" AND description of it contains "error") of application event log
descriptions of records whose (event id of it = 4 AND source of it = "WSH" AND description of it contains "was an error") of application event log

Note that this is a case-sensitive comparison. Add “as lowercase” after “description of it” to make it case insensitive.

Ben

(imported comment written by SystemAdmin)

I can get source and description to work, but can't seem to get event id to trigger properly. Is that the right syntax, "event id"?

(imported comment written by BenKus)

Hey Nicky,

There is some trickiness here… The event log inspectors will usually return a number that is different from what the event viewer shows…

To illustrate this, if you run this query to get all events in the last day (I get something like this):

q: (event id of it, source of it, time generated of it) of records whose (now - time generated of it < 1*day) of application event log
A: 1073743631, SecurityCenter, ( Wed, 21 Feb 2007 22:30:51 -0800 )
A: 0, iPod Service, ( Wed, 21 Feb 2007 22:30:56 -0800 )
A: 1073741850, Outlook, ( Thu, 22 Feb 2007 04:34:21 -0800 )
A: 1073741850, Outlook, ( Thu, 22 Feb 2007 04:34:30 -0800 )
A: 3221225487, AutoEnrollment, ( Thu, 22 Feb 2007 06:31:57 -0800 )
A: 1073743528, SceCli, ( Thu, 22 Feb 2007 11:29:27 -0800 )

Now if I compare this to my application event log, the event IDs just look wrong. Instead of 1073743528 for the last event, I have 1704… A quick trip to the calculator shows that:
1073743528 - 2^30 = 1704

So basically the event viewer in Windows throws away the “high bits” of the event, but the event ID inspector doesn’t do this. According to the Microsoft technical documentation, the bits of the “EventID” looks like this: http://msdn2.microsoft.com/en-us/library/aa363651.aspx . As far as we can tell, you aren’t technically supposed to throw away the high bits of the event id so we are having a hard time calling this a full bug, but it seems to me that we should allow you to get the Event Viewer’s concept of the ID that doesn’t include the high-bits.

While we figure that out, you can use the mathematical “mod” operator to “knock off” the top bits to get the event viewer’s concept of eventid. For instance, I can rewrite my above expression as:

q: (event id of it mod 2147483648 mod 1073741824, source of it, time generated of it) of records whose (now - time generated of it < 1*day) of application event log
A: 1807, SecurityCenter, ( Wed, 21 Feb 2007 20:27:34 -0800 )
A: 1807, SecurityCenter, ( Wed, 21 Feb 2007 22:30:51 -0800 )
A: 0, iPod Service, ( Wed, 21 Feb 2007 22:30:56 -0800 )
A: 26, Outlook, ( Thu, 22 Feb 2007 04:34:21 -0800 )
A: 26, Outlook, ( Thu, 22 Feb 2007 04:34:30 -0800 )
A: 15, AutoEnrollment, ( Thu, 22 Feb 2007 06:31:57 -0800 )
A: 1704, SceCli, ( Thu, 22 Feb 2007 11:29:27 -0800 )

Which looks just like my event viewer…

Hope that helps,

Ben
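Added example (not code from the thread or from BigFix): a small Python decoder that splits the raw 32-bit value returned by WMI / the "event id" inspector into the fields of the MSDN "Event Identifiers" layout that Ben links, and compares the "mod" trick above with the low-16-bit value Event Viewer displays. It goes one step beyond the post: the mod expression strips only the two severity bits, so for an ID with a non-zero facility field it still differs from Event Viewer. Sample values are the ones quoted in the thread plus one constructed ID.

```python
# Added example: decode a raw 32-bit event identifier into its bit fields
# (Sev 2 bits | C 1 bit | R 1 bit | Facility 12 bits | Code 16 bits, MSB first)
# and recover the number Event Viewer shows.
from typing import Dict

SEVERITY_NAMES = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}


def decode_event_id(raw: int) -> Dict[str, int]:
    """Split a raw 32-bit event identifier into its bit fields."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"event id out of 32-bit range: {raw}")
    return {
        "severity": (raw >> 30) & 0x3,   # bits 31-30
        "customer": (raw >> 29) & 0x1,   # bit 29
        "reserved": (raw >> 28) & 0x1,   # bit 28
        "facility": (raw >> 16) & 0xFFF, # bits 27-16
        "code": raw & 0xFFFF,            # bits 15-0
    }


def viewer_event_id(raw: int) -> int:
    """The ID Event Viewer displays: the low 16 bits (the Code field)."""
    return raw & 0xFFFF


def forum_mod_trick(raw: int) -> int:
    """The 'mod 2147483648 mod 1073741824' expression from the thread.

    It strips only the two severity bits; when the facility field is
    non-zero the result still differs from what Event Viewer shows.
    """
    return raw % 2147483648 % 1073741824


# Constructed sample: raw IDs quoted in the thread, plus one hypothetical
# ID (0x40010001) with facility = 1 to show where the mod trick diverges.
SAMPLE_RAW_IDS = {
    "SecurityCenter": 1073743631,
    "Outlook": 1073741850,
    "AutoEnrollment": 3221225487,
    "SceCli": 1073743528,
    "HypotheticalFacility1": 0x40010001,
}

if __name__ == "__main__":
    for source, raw in SAMPLE_RAW_IDS.items():
        f = decode_event_id(raw)
        print(f"{source:22} raw={raw:<10} viewer={viewer_event_id(raw):<5} "
              f"mod_trick={forum_mod_trick(raw):<6} "
              f"severity={SEVERITY_NAMES[f['severity']]} facility={f['facility']}")
```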

(imported comment written by amitspradhan)

HI,

I tried the above for security logs, it works great. But I have an issue here…

For audit purposes, we are planning to keep track of/record all the security logs on our critical servers for the last 30 days. The security log on our Exchange server alone goes to approx. 300 MB.

Can anyone help me with this?

Also, is it possible to generate the log file and then transfer it onto a different share so that all the last 30 log files can be maintained separately?

Was just wondering how much database will it eat up…

Regards,

Amit

(imported comment written by amitspradhan)

Hi,

Was also wondering if I run the above Analysis, will it affect my database size…?

Especially as per my query above, the security logs are too big…

Regards,

Amit

(imported comment written by Shawn_Jefferson)

amitspradhan

For audit purposes, we are planning to keep track of/record all the security logs on our critical servers for the last 30 days. The security log on our Exchange server alone goes to approx. 300 MB.
Can anyone help me with this?

I don’t know how well Bigfix will work for this, but we use another product to archive the event logs from all our servers, which saves them in a file for each month to a share on our network which we then backup. We can go back to the event logs of pretty much all our servers since we started doing it.

The product we use is called EventSave, but there are several products like this.

Shawn

(imported comment written by jpeppers91)

I’m trying to get the clause below to work with a time generated statement.

descriptions of records whose (event id of it = 0 AND description of it contains "Error sending file to server. This may be due to misconfigured server settings. Please contact your server administrator.") of application event log

(time generated of it) of records whose (now - time generated of it < 1*day)

How do I mix the 2?

(imported comment written by jessewk)

(time generated of it, description of it) of records whose (event id of it = 0 AND now - time generated of it < 1*day AND description of it contains "Error sending file to server. This may be due to misconfigured server settings. Please contact your server administrator.") of application event log

(imported comment written by jpeppers91)

Thanks