Read Event Viewer Logs

Hi,

I am working on one of the client requirements where I need to read the Event Viewer logs on a Windows machine using a BigFix Analysis. The absolute path of the event log is Event Viewer → Applications and Services Logs → Microsoft → Windows → BitLocker-Management → Management. I want to search for the keyword "TPM"; if that keyword is found, it should provide me the Level, Date & Time, Source and Event ID, and it should provide the information shown inside the GENERAL tab. Kindly help me to achieve this task.

Consider starting with the relevance in this post and build out the specific details from there.

Word of caution. This is the heaviest inspector that exists, as far as I am concerned! Depending on how big your event logs are and how many findings there are, I would tread very, very carefully! I have seen a query to find a specific event ID in the System event log evaluate for 10+ mins and spike one core at 100% for the duration (and the agent does nothing else for the duration). Granted, the machine had 150mb event logs and that same freeze was observed with any other event log query tool, but still I would never put a query like that in a property.

A while back I even compared the event log inspectors vs. a WMI query against Win32_NTLogEvent, and the former came off worse (it was faster to apply the same exact query via WMI).

3 Likes

Agreed on the heavy inspector, so we use this as an On Demand Analysis.

We set a registry key (it could be a client setting if you want) to a value of True, which will make the analysis applicable to the system.

Gather the information you need, then set the value to False so the system is no longer applicable.


1 Like

I used the relevance:

descriptions of it of records whose (event id of it = 840 and description of it as lowercase contains "a trusted wim file has been added ") of event log "Microsoft-Windows-BitLocker-API/Management"

But it says: The expression could not be evaluated: Windows Error 0x3a9f: The specified channel could not be found.

I can confirm the path, keyword and event ID are absolutely correct as mentioned in the above relevance, and I can see the same error from other machines too.

Try using the event log name "Microsoft-Windows-BitLocker/BitLocker Management".

Looking at the properties, its full name is not the same as it appears in the Event Viewer tree.

2 Likes

Here is a snippet of the analysis we use when we need it. But as was stated above, the event log inspectors are the most impactful from a performance aspect, so be cautious when using them.

We have also parsed through event logs with PowerShell, then reported on the exported event logs via a property in Web Reports, so that might be an option for you too.

(time generated of it, description of it) of records whose (time generated of it > now - day * 7) of event log "Microsoft-Windows-BitLocker/BitLocker Management"
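Along the lines of the PowerShell option mentioned above, here is an added example (not from this thread, BigFix or Microsoft) that pulls the same BitLocker channel and returns the fields the original question asked for. The channel name is the one given in the thread; the keyword, day window and CSV output path are assumed parameters.

```powershell
# Added example: PowerShell equivalent of the relevance above, for export and later reporting.
# The channel name comes from the thread; $Keyword, $Days and $OutCsv are assumed parameters.
param(
    [string]$LogName = 'Microsoft-Windows-BitLocker/BitLocker Management',
    [string]$Keyword = 'TPM',
    [int]$Days = 7,
    [string]$OutCsv = "$env:ProgramData\BitLockerTpmEvents.csv"   # constructed output path
)

# The label in the Event Viewer tree and the channel's real name differ. Check the channel
# first and list the similar ones, rather than failing with the 0x3a9f "channel could not be found".
$log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $log) {
    $similar = (Get-WinEvent -ListLog '*BitLocker*' -ErrorAction SilentlyContinue).LogName -join ', '
    throw "Channel '$LogName' not found. Channels matching *BitLocker*: $similar"
}

# FilterHashtable pushes the time window into the event log service instead of pulling every
# record and filtering afterwards (same intent as the 'whose (time generated ...)' clause above).
# Get-WinEvent writes an error when nothing matches, so treat that as an empty result.
$filter = @{ LogName = $LogName; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Keyword match on the rendered message, then the fields from the original question:
# Level, Date & Time, Source, Event ID and the General-tab text.
$hits = $events |
    Where-Object { $_.Message -match [regex]::Escape($Keyword) } |
    Select-Object @{n='Level';    e={$_.LevelDisplayName}},
                  @{n='DateTime'; e={$_.TimeCreated}},
                  @{n='Source';   e={$_.ProviderName}},
                  @{n='EventID';  e={$_.Id}},
                  @{n='General';  e={$_.Message}}

$hits | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
Write-Output ("{0} event(s) containing '{1}' written to {2}" -f @($hits).Count, $Keyword, $OutCsv)
```

The exported CSV can then be read by a lightweight file-based property instead of evaluating the event log inspector in an analysis.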

Great reminder, Angel! This post from Strawgate describes a powerful technique to reduce the overhead of the relevance: Speeding Up Event Log Queries

4 Likes