How to pull Event Description from Application Event Log

(imported topic written by shinobi)

Hi,

I’m looking for some assistance in pulling a description from a certain Event ID in the Application Event Log in Windows.

Currently we have a GPO in place that blocks certain directories or certain files from running. The events generated come up as Event ID 866.

Built a query assuming that ‘descriptions’ would pull the detail I desired, but to no avail. Verified with the following:

exists descriptions of records whose (event id of it = 866) of application event log

False

Evaluation time: 1642.140 ms

So far the query I have built is incomplete in terms of data required; here’s what I have so far:

(computer of it, time generated of it) of (records of application event log) whose (event id of it = 866 AND (time generated of it > (now - 7*day)))

Can anybody shed light on this? Many thanks in advance.

(imported comment written by jgstew)

Are you sure that 866 is the correct event id as returned by the inspector, not just what it says when you look at the event log in windows? I’ve seen cases where the ID returned by the inspector is longer or different than how it appears in the Event Log viewer. I have also seen cases where the same Event ID is shared by multiple events, further confusing the issue.

Check the event log ids with this:

unique values of event ids of records of application event log

Also try this:

descriptions of records whose (event id of it = 866 AND exists descriptions of it) of application event log

Also the event log inspector tends to be very slow, so it only works well in Analyses and should not be used in applicability relevance in most cases.

(imported comment written by shinobi)

I’m quite certain this is the appropriate Event ID (http://technet.microsoft.com/en-us/library/cc734084(v=ws.10).aspx), as I’ve been able to pull Computer Name and Time Generated without issue.

This query you provided “works” in the sense that it does not return errors - however the content returned is null. That has been my problem for some time.

Here’s an example in QnA for you:

q: descriptions of records whose (event id of it = 866 AND exists descriptions of it) of application event log

T: 1620.680 ms

Using psloglist, I’m able to retrieve the full event logs (for demonstration purposes, this is not ideal however). Notice how it says “Message text not available. Insertion strings”. I have a feeling this is why I’m not getting the descriptions of x event. Any ideas how to pull this string in BigFix?

c:\>psloglist \\Computer -h 72 -i 866 application

Application log on \\Computer:

[14831] Microsoft-Windows-SoftwareRestrictionPolicies

Type: WARNING

Computer: computer.domain.com

Time: 14-04-07 9:06:11 AM ID: 866

User: DOMAIN\user

Message text not available. Insertion strings:

    C:\Users\UserName\AppData\Local\test-application.exe {888465EA-8BDD-45B3-9F9E-1F2899182E78} C:\Users\UserName\AppData\Local\*.exe

I should note, this is specifically used in Analyses, run once daily for log harvesting across the org.
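As an added illustration (not from this thread or from BigFix), the same harvesting can be done in PowerShell, which exposes the insertion strings even when the provider's message text is unavailable. It assumes Windows PowerShell 3.0 or later, the provider name Microsoft-Windows-SoftwareRestrictionPolicies shown in the psloglist output above, and that the three insertion strings are ordered as in that output (blocked path, rule GUID, rule path pattern).

```powershell
# Added example (not from the thread): collect SRP event 866 from the Application log
# and recover the insertion strings that psloglist reported as "Message text not available".
# Assumptions: Windows PowerShell 3.0+ (Get-WinEvent -FilterHashtable); provider name and
# insertion-string order taken from the psloglist output posted in the thread.
function Get-SrpBlockEvents {
    param(
        [int]$Days = 7,
        [int]$EventId = 866
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = $EventId
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches the filter; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # .Properties carries the raw insertion strings even when the message DLL is
        # missing and .Message comes back empty (the "Message text not available" case).
        $strings = @($_.Properties | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Computer    = $_.MachineName
            TimeCreated = $_.TimeCreated
            UserSid     = $_.UserId        # SID object, or $null when not recorded
            # Field order assumed from the thread's psloglist output:
            # blocked path, rule GUID, rule path pattern.
            BlockedPath = $strings[0]
            RuleGuid    = $strings[1]
            RulePath    = $strings[2]
            RawStrings  = ($strings -join ' | ')
            Message     = $_.Message       # $null when the message text is unavailable
        }
    }
}

# Usage: last 7 days, grouped per blocked path so repeat hits on one binary stand out.
Get-SrpBlockEvents -Days 7 |
    Group-Object BlockedPath |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it once daily on the harvested machines and forward the objects to whatever analysis store you use; the RawStrings field keeps the untouched insertion strings in case the assumed field order does not hold on a given host.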