How can bigfix read .evtx files of Vista/Win7?

(imported topic written by upinya91)

In win\sys32\winevt\logs there is a mess of logs I’d love to see in BigFix. Where would I start?

(imported comment written by BenKus)

So what kind of specific things were you interested in gathering from this data? # of files? Last file updated?

Ben

(imported comment written by upinya91)

Well, they are event viewer format just like application/security/system, and I’d love to run queries against the data in them. It just seems like the syntax used against these “new” format logs isn't working like the old XP-based stuff.

(imported comment written by BenKus)

You can query these in relevance… here is an example:

q: number of records of event log "Microsoft-Windows-Backup"

Ben

(imported comment written by upinya91)

q: number of records of event log "Microsoft-Windows-Backup"
A: 1013

My “Microsoft-Windows-Backup” is empty. What gives?

(imported comment written by BenKus)

Try this and see what it says:

(time generated of it, event id of it, category of it) of records of event log "Microsoft-Windows-Backup"

Ben

(imported comment written by upinya91)

q: (time generated of it, event id of it, category of it) of records of event log "Microsoft-Windows-Backup"
A: ( Sat, 19 Dec 2009 22:19:39 -0500 ), 1073750833, 0
A: ( Sat, 19 Dec 2009 22:19:39 -0500 ), 1530, 0
A: ( Sat, 19 Dec 2009 22:19:41 -0500 ), 1532, 0
A: ( Sat, 19 Dec 2009 22:20:23 -0500 ), 1073746449, 0
A: ( Sat, 19 Dec 2009 22:20:23 -0500 ), 1531, 0
A: ( Sat, 19 Dec 2009 22:20:28 -0500 ), 3221231087, 0
A: ( Sat, 19 Dec 2009 22:20:32 -0500 ), 3221231089, 0
A: ( Sat, 19 Dec 2009 22:20:33 -0500 ), 42, 0
A: ( Sat, 19 Dec 2009 22:20:33 -0500 ), 42, 0
A: ( Sat, 19 Dec 2009 22:21:04 -0500 ), 1073745925, 0
A: ( Sat, 19 Dec 2009 22:21:04 -0500 ), 1073750827, 0
A: ( Tue, 05 Jan 2010 21:21:01 -0500 ), 8224, 0
A: ( Wed, 06 Jan 2010 00:03:00 -0500 ), 8224, 0
A: ( Wed, 06 Jan 2010 02:14:52 -0500 ), 258, 0
A: ( Wed, 06 Jan 2010 02:14:52 -0500 ), 258, 0
A: ( Wed, 06 Jan 2010 02:21:07 -0500 ), 258, 0
A: ( Wed, 06 Jan 2010 03:59:20 -0500 ), 1073742724, 0
A: ( Wed, 06 Jan 2010 03:59:22 -0500 ), 1073742890, 0
A: ( Wed, 06 Jan 2010 03:59:22 -0500 ), 1073742827, 0
A: ( Wed, 06 Jan 2010 03:59:22 -0500 ), 1073742726, 0
A: ( Wed, 06 Jan 2010 03:59:24 -0500 ), 1073743528, 0
A: ( Wed, 06 Jan 2010 04:04:23 -0500 ), 1073758208, 0
A: ( Wed, 06 Jan 2010 04:04:23 -0500 ), 1073742727, 0
A: ( Wed, 06 Jan 2010 07:50:35 -0500 ), 1073741856, 0
A: ( Wed, 06 Jan 2010 09:09:01 -0500 ), 1073742081, 0
A: ( Wed, 06 Jan 2010 09:10:54 -0500 ), 1073742081, 0

Point of fact, these are entries from my Application event log.

(imported comment written by BenKus)

Interesting… it appears that the “Microsoft-Windows-Backup” log is not accessible… And when the log is not accessible, it defaults to the application log (by design of the Microsoft APIs… See http://forum.bigfix.com/viewtopic.php?id=2519 for more info)…

q: record count of event log "Key Management Service"
A: 0

q: record count of event log "DFS Replication"
A: 6

q: record count of application event log
A: 8146

q: record count of event log "Microsoft-Windows-Backup"
A: 8146

Ben

(imported comment written by upinya91)

It is actually the Group Policy event viewer I’m interested in. Does BigFix plan on making the client able to parse these logs?

Thanks!

(imported comment written by BenKus)

Try this:

q: record count of event log "Microsoft-Windows-GroupPolicy"
A: 49262

Ben

(imported comment written by upinya91)

OK cool.

I want to find the time date stamp of the last event with the text “Starting periodic policy processing for computer”.

(imported comment written by upinya91)

This isn't promising…

q: record count of application event log
A: 1264

q: record count of system event log
A: 8042

q: record count of event log "Microsoft-Windows-GroupPolicy"
A: 8042

q: source of record (oldest record number of it) of system event log
A: Microsoft-Windows-Eventlog

q: source of record (oldest record number of it) of event log "Microsoft-Windows-GroupPolicy"
A: Microsoft-Windows-Eventlog

(imported comment written by BenKus)

Interesting technique… It is interesting that the “name” of the event log is different from the event log file name… see this:

q: source of record (oldest record number of it) of application event log
A: profsvc

q: source of record (oldest record number of it) of system event log
A: Microsoft-Windows-Servicing

q: source of record (oldest record number of it) of security event log
A: Microsoft-Windows-Security-Auditing

q: source of record (oldest record number of it) of event log "blah"
A: profsvc

q: source of record (oldest record number of it) of event log "Microsoft-Windows-Security-Auditing"
A: Microsoft-Windows-Security-Auditing

q: source of record (oldest record number of it) of event log "DFSR"
A: DFSR

q: source of record (oldest record number of it) of event log "DFS Replication"
A: DFSR

So we should try to figure out the “real name” of “Microsoft-Windows-GroupPolicy”

I would say we are making progress (just very slowly)…

Ben

(imported comment written by BenKus)

OK… I might have figured it out… It looks like the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog lists the event logs… I built relevance to list the event logs:

q: (it, record count of event logs (it) , (if (record count of it > 0) then sources of records (oldest record number of it) of it else "no records") of event logs (it)) of (names of keys of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog" of registry )
A: Application, 8180, profsvc
A: DFS Replication, 6, DFSR
A: HardwareEvents, 0, no records
A: Internet Explorer, 0, no records
A: Key Management Service, 0, no records
A: Media Center, 0, no records
A: ODiag, 80, Microsoft Office 12 Diagnostics
A: OSession, 507, Microsoft Office 12 Sessions
A: Security, 41873, Microsoft-Windows-Security-Auditing
A: System, 49206, Microsoft-Windows-Servicing
A: Windows PowerShell, 0, no records

Not sure if this is the complete list though…

Ben

(imported comment written by upinya91)

The actual filename is %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx. I wonder does that help…
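The two questions above (listing every log on the box, and finding the newest "Starting periodic policy processing for computer" record) can be answered directly with PowerShell's Get-WinEvent, which talks to the Vista-era event API and addresses the new-style logs by their full channel name. This is an added example, not code from the thread or from BigFix; the channel name and the search text are the real ones, the seven-day window is an assumption:

```powershell
# Added example (not from the thread or BigFix): enumerate the event logs and
# query the Group Policy operational channel with Get-WinEvent (Vista/Win7, PS 2.0+).

# 1. HKLM\SYSTEM\CurrentControlSet\Services\EventLog only lists the classic logs.
#    The new-style channels are registered under
#    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels; the simplest
#    complete list (with record counts and backing .evtx path) comes from the API.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object LogName, RecordCount, LogFilePath

# 2. Channel name and file name differ only by '/' -> '%4':
#    Microsoft-Windows-GroupPolicy/Operational  <->  Microsoft-Windows-GroupPolicy%4Operational.evtx
$channels | Where-Object { $_.LogName -like 'Microsoft-Windows-GroupPolicy*' } | Format-Table -AutoSize

# 3. Newest record in the channel whose message carries the text from the thread.
#    Filtering on log and time server-side with -FilterHashtable is far cheaper
#    than pulling every record and filtering in the pipeline.
$last = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
            StartTime = (Get-Date).AddDays(-7)     # assumption: a week is wide enough
        } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Starting periodic policy processing for computer*' } |
    Select-Object -First 1                         # Get-WinEvent returns newest first

if ($last) {
    '{0}  id={1}  provider={2}' -f $last.TimeCreated, $last.Id, $last.ProviderName
} else {
    'no matching record in the window'
}
```

Get-WinEvent raises a non-terminating "No events were found" error when a filter matches nothing, which is why the calls carry -ErrorAction SilentlyContinue; drop it while experimenting so that a mistyped channel name is reported instead of silently returning nothing.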

(imported comment written by whoseit91)

This does not work in Win7, any ideas?

q: descriptions whose (it as string contains "username") of records whose ((event id of it = 528 AND time written of it > now - (1*day))) of security event log

T: 3193.122 ms

(imported comment written by NoahSalzman)

Are there any events that actually have ID 528?

number of records whose (event id of it = 528) of security event log

If yes, are there any in the time frame?

(imported comment written by jessewk)

Also, event ids can be weird. See here:

http://forum.bigfix.com/viewtopic.php?pid=2700
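Two things make event ids "weird" on this page. The large values returned earlier (1073750833, 3221231087, ...) are the full 32-bit EventID the classic ReadEventLog API hands back: the top two bits are severity, bit 29 the customer bit, bits 27-16 the facility, and only the low 16 bits are the number Event Viewer displays. Separately, Vista renumbered the security auditing events, so the XP-era successful logon 528 is 4624 on Vista/Win7 (528 + 4096). The block below is an added example, not code from the thread; it decodes the values seen above and redoes the logon search with the Win7 id. The account name in $user is a placeholder:

```powershell
# Added example (not from the thread): decode classic 32-bit event ids and
# search Win7's Security log for successful logons (4624, formerly 528).

# Layout of a classic EventID (same as Win32 message ids):
#   bits 31-30 severity: 0 Success, 1 Informational, 2 Warning, 3 Error
#   bit  29    customer bit, bit 28 reserved
#   bits 27-16 facility
#   bits 15-0  the event code Event Viewer shows
function ConvertFrom-LegacyEventId {
    param([Parameter(Mandatory = $true)][uint32]$Id)
    $bits = [Convert]::ToString([int64]$Id, 2).PadLeft(32, '0')
    $severityNames = 'Success', 'Informational', 'Warning', 'Error'
    New-Object PSObject -Property @{
        Raw      = $Id
        Severity = $severityNames[[Convert]::ToInt32($bits.Substring(0, 2), 2)]
        Customer = ($bits[2] -eq '1')
        Facility = [Convert]::ToInt32($bits.Substring(4, 12), 2)
        Code     = [Convert]::ToInt32($bits.Substring(16, 16), 2)
    }
}

# Values that came back from the "Microsoft-Windows-Backup" query above.
1073750833, 1530, 3221231087, 42, 8224 |
    ForEach-Object { ConvertFrom-LegacyEventId $_ } |
    Format-Table Raw, Severity, Facility, Code -AutoSize
# 1073750833 (0x40002331) -> Informational, code 9009
# 3221231087 (0xC00015EF) -> Error, code 5615
# 1530, 42 and 8224 have no high bits set and decode to themselves.

# Successful logon on Vista/Win7 is 4624, not 528. Same one-day window as the
# relevance in the thread; filter log, id and time server-side, then match the
# account. Properties[5] of a 4624 record is TargetUserName.
$user = 'username'        # placeholder: the account name to look for
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($user) } |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }
```

Reading the Security log needs an elevated prompt (or membership in Event Log Readers). If a legacy-API reader is all you have, masking the id with 0xFFFF before comparing is enough to line it up with what Event Viewer and Get-WinEvent report.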