Relevance on specific Event ID number

(imported topic written by ErinC91)

I’m trying to identify PCs on our domain that have Event IDs 1000, 1202, 412 and 454 in the Application Event Log.

(Group Policy database file is corrupt, as described by MSKB http://support.microsoft.com/kb/278316/en-us)

I’ve been reading pages 243 onwards from the WinInspectors-2006-08-10.pdf but I’m not getting anywhere.

The first problem is that the event IDs reported by Q&A show a long number, as follows:

Q: event id of record (oldest record number of it) of application event log

A: 3221226502

But the main problem is that I just can’t get my head around the relevance language properly.

I have already written and tested a bigfix task to fix the corrupt database, so now I want to create a relevance keyed on the existence of the above Event IDs in the application log. So if any of the four event IDs are detected, the relevance will return TRUE and the fix will be automatically applied to the problem client. Sounds nifty if I can get this working.

Any suggestions gratefully received.

(imported comment written by jessewk)

Erin,

There is some info here:

http://forum.bigfix.com/viewtopic.php?id=200

It sounds like you want an action with relevance like this:

exists record whose ((event id of it = 1202 AND event type of it = warning event log event type) OR ((event id of it = 1000 OR event id of it = 412 OR event id of it = 454) AND event type of it = error event log event type)) of application event log

You might want to add relevance to restrict it further to specific sources. It currently returns true on my machine and I’m not sure if it should.

Please test carefully, but hopefully this will get you on the way.

-Jesse

(imported comment written by ErinC91)

Thanks for that jessewk, unfortunately though the relevance comes back as False on my test pc (and it should come back as true).

Playing around with different relevancies to examine the test PC’s application event log I’ve verified that event id 1202 actually reports as 2147484850.

And when I change your relevancy to the following, it comes out as True:

Q: exists record whose ((event id of it = 2147484850 AND event type of it = warning event log event type) OR ((event id of it = 1000 OR event id of it = 412 OR event id of it = 454) AND event type of it = error event log event type)) of application event log

A: True

I don’t understand why these event id numbers are being represented like this but now I need to identify the proper numbers for the other IDs 1000, 412 and 454.
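Added example (Python, not code from the thread or from BigFix) showing why 1202 shows up as 2147484850 and what 3221226502 really is: Windows stores the full 32-bit event identifier, with severity bits at the top and the familiar Event Viewer number in the low 16 bits. The sample records below are constructed; the assumption that masking with `mod 65536` in relevance gives the same low 16 bits is mine, not something the thread states.

```python
# Added example, not from the thread: decode the raw 32-bit event ids that a
# raw event log record reports, so the large values map back to the familiar
# Event Viewer numbers.
#
# Layout (same as an NTSTATUS/HRESULT code):
#   bits 31-30 severity, bit 29 customer flag, bits 28-16 facility,
#   bits 15-0 the event code Event Viewer displays.

SEVERITY_NAMES = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_event_id(raw: int) -> dict:
    """Split a raw 32-bit event id into its fields."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit event id: {raw}")
    return {
        "code": raw & 0xFFFF,               # what Event Viewer shows
        "facility": (raw >> 16) & 0x1FFF,
        "customer": bool(raw & 0x20000000),
        "severity": SEVERITY_NAMES[raw >> 30],
    }


def event_code(raw: int) -> int:
    """Low 16 bits only; the same value as `raw mod 65536`."""
    return raw & 0xFFFF


# Constructed sample of application-log records (raw id, label), including the
# two raw values quoted in the thread.
SAMPLE_RECORDS = [
    (2147484850, "constructed: how event 1202 was reported"),
    (3221226502, "constructed: the 'oldest record' value"),
    (1000, "constructed: plain 16-bit id"),
    (412, "constructed: plain 16-bit id"),
    (454, "constructed: plain 16-bit id"),
    (3221225472 + 7, "constructed: id 7 with error severity bits"),
]

WANTED = {1000, 1202, 412, 454}


def matching_records(records, wanted=WANTED):
    """Records whose 16-bit code is a wanted id, whatever the upper bits say."""
    return [(raw, label) for raw, label in records if event_code(raw) in wanted]


if __name__ == "__main__":
    for raw, label in SAMPLE_RECORDS:
        print(raw, decode_event_id(raw), label)
    print(matching_records(SAMPLE_RECORDS))
```

Note that 2147484850 decodes to code 1202 with warning severity, which is consistent with the `warning event log event type` test in the relevance above, while 3221226502 decodes to code 1030 with error severity.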

(imported comment written by ErinC91)

I’ve performed more testing and examination of the problem PCs and have my detection working ok on the event id 1202 alone.

I also have a task that recreates the security database, which works well.

Now my problem is that once I’ve fixed the security database, the PCs still show up as having the event id 1202 in their application event log.

Is there some way that I can use BigFix to clear the application event logs on the problem PCs after my database fix task has been applied?

I’ve been trying to achieve this with a VB script called with the Microsoft Windows Script Host (cscript.exe) but am having problems getting it to work on all PCs reliably.