Retrieved Property/Analyses on Events

(imported topic written by wnolan91)

Wondering if there is a way to look in the Event logs and pull events, or create a Fixlet that goes against an event?

Thanks

Bill

(imported comment written by jessewk)

Look in your inspector guide and you’ll find details on 3 event log inspectors, or run this query in your relevance debugger:

Q: properties whose (it as string contains "event log")

A: event log : event log

A: application event log: event log

A: security event log: event log

A: system event log: event log

A: record count of : integer

A: oldest record number of : integer

A: record of : event log record

A: records of : event log record

A: error event log event type: event log event type

A: warning event log event type: event log event type

A: information event log event type: event log event type

A: audit success event log event type: event log event type

A: audit failure event log event type: event log event type

A: event log event type : event log event type

A: length of : integer

A: record number of : integer

A: time generated of : time

A: time written of : time

A: event id of : integer

A: event type of : event log event type

A: category of : integer

A: source of : string

A: computer of : string

A: user sid of : security identifier

A: description of : string

T: 1.428 ms

I: plural property

(imported comment written by brolly3391)

So you can do nifty things like:

q: descriptions of records whose (event type of it = audit failure event log event type) of security event log

to get the description of all security audit failures.

Or get fancy and pull the time written and descriptions of the last 3 days' failures:

q: ((time written of it) as string & " – "& (description of it) as string ) of records whose (event type of it = audit failure event log event type and time written of it >(now-3*day)) of security event log

Check out page 243 in the Windows Inspector Library:

http://support.bigfix.com/fixlet/documents/WinInspectors-2006-08-10.pdf
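As an added example (not written by any poster in this thread, and not from the BigFix inspector guide), the same pattern extended with the other record inspectors listed above: the first query returns time written, event id, source and description for each security audit failure in the last three days; the second only counts them. Both use inspectors named in the thread plus the standard `number of` counting operator.

```relevance
q: ((time written of it) as string & " - " & (event id of it) as string & " - " & source of it & " - " & description of it) of records whose (event type of it = audit failure event log event type and time written of it > (now - 3*day)) of security event log

q: number of records whose (event type of it = audit failure event log event type and time written of it > (now - 3*day)) of security event log
```

In the QnA tool each `q:` line is one query; in an analysis property you paste only the expression after `q:`. The count-only form returns a single integer rather than one string per matching record, so it is the lighter check when all you need to know is whether any audit failures occurred.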

(imported comment written by BenKus)

Don’t forget that Event Log inspectors can be used in BES Clients 6.0+ only.

See http://support.bigfix.com/bes/changes/relevancechanges.html for inspector changes/additions.

Ben

(imported comment written by mauricem)

I’ve been trying the queries quoted and a couple from the WinInspectors guide and I keep getting errors that objects are not defined.

Q: descriptions of records whose (event type of it = audit failure event log event type) of security event log
E: The operator “security event log” is not defined.

Q: properties whose (it as string contains "event log")
E: The operator “properties” is not defined.

Q: event log event type 1
E: The operator “event log event type” is not defined.

Q: description of record (oldest record number of it) of application event log
E: The operator “application event log” is not defined.

Q: descriptions of records whose (event type of it = audit failure event log event type) of security event log
E: The operator “security event log” is not defined.

What am I doing wrong?

(imported comment written by jessewk)

It sounds like your QnA / Relevance debugger installation is messed up. I’d grab a new copy from http://support.bigfix.com/fixlet

-Jesse

(imported comment written by mauricem)

Right you are. It turns out I was using version qna-5.0.3.0. Now that I have the current version it works like a charm. Thanks

(imported comment written by jcsUTSW)

Would an analysis with this

((time written of it) as string & " – "& (description of it) as string ) of records whose (event type of it = audit failure event log event type and time written of it >(now-3*day)) of security event log

be too much on my clients?

Or do you recommend a fixlet that runs every 12 hours or so?