Total count and single description of event id

(imported topic written by kasadis91)

Can someone give me an example of how I might create a property/report that shows the following:

  1. Count of a particular security/application/system event id for the past day/week/month

  2. Single Unique Event Description for each of the above

Examples for a security event:

Event ID 577, Count: 1320, Description: This is the description…etc.

The idea being that the property/report above would gather stats per day on each of our Windows systems out there showing what sort of serious events exist and how much of each of those types of events exist, without having to just grab every instance of the event and create huge reports.

Thanks for your time,

(imported comment written by MattBoyd)

I’ll show you some examples that I think will help you, but PLEASE test it in the fixlet debugger and look at the evaluation times. You’ll see that event log query performance is very poor, and could impact the performance/responsiveness of the client if overused or used incorrectly. I would only recommend using event log queries in an analysis with properties that are set to evaluate once per day. I don’t want to give you the gun that you use to shoot yourself in the foot…

Here’s one that attempts to return Symantec Security Risk Events

(time generated of it, concatenation of substrings separated by "%0d%0a" of description of it) of records whose (source of it = "Symantec AntiVirus" and description of it contains "Security Risk Found!") of (application event log)

Here’s an example that retrieves the last virus scan event (I think this is the “unique” query that you’re looking for)

(concatenation of substrings separated by "%0d%0a" of descriptions of it) of items 1 of it whose (time generated of items 1 of it = item 0 of it) of ((maximum of times generated of it) of records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it, records whose (source of it = "Symantec AntiVirus" and description of it contains "Scan Complete") of it) of application event log

This retrieves the number of Bugchecks (BSoDs):

number of records whose (source of it as lowercase = "bugcheck") of system event log

This last example uses WMI to query the event log because the BigFix event log inspectors didn’t have the descriptions for some reason. The WMI queries are EVEN SLOWER than the BigFix event log inspectors. This retrieves the number of BugChecks (BSoDs) that have occurred on the workstation

(time values of properties "TimeGenerated" of it, string values of properties "Message" of it) of select objects "TimeGenerated, Message from Win32_NTLogEvent where Logfile='System' AND EventCode = 1001 AND SourceName = 'Microsoft-Windows-WER-SystemErrorReporting'" of wmi

Windows has some new APIs that seem to improve event log query performance dramatically:

http://msdn.microsoft.com/en-us/library/aa385466(v=vs.85).aspx

Managed code example: http://msdn.microsoft.com/en-us/library/bb671200(v=vs.90).aspx

The event log has some incredibly valuable information in it, so I would love to use event log queries more often to identify issues on clients, but the performance issues are a deterrent. I did request that this be implemented in TEM somehow (if possible), but I’m not sure that will happen any time soon (if ever). High performance event log querying would be a GREAT feature to brag about :slight_smile:

(imported comment written by kasadis91)

Thanks! The second one does look like what I’m looking for. I’ll give them all a try.

(imported comment written by kasadis91)

I tried the second query which you mentioned might return unique values but it gave me multiple values. I just substituted “Symantec Antivirus” and description of it contains “Scan Complete” with relevant events contained within my test machine. It returned three separate answers to the query. All the same.

Here’s a, hopefully, better example of what I’m looking for:

If I query for all events that match “(event type of it = error event log event type)” the query would return multiple answers like this:

A: Source: VSS , Count: 23, Description: “VSS service error…”

A: Source: Folder Redirection, Count: 109, Description: “Folder redirection error…”

A: Source: Application Error, Count: 241, Description: “Faulting application name: winword.exe…”

I would probably tweak this to return more specific event source related data and probably just search through/return the last day or week of events. Thanks again for your help!

(imported comment written by kasadis91)

Ok, I tried this again with different event source/description info and it only returned the first found entry. That’s a little closer but what I want is one query that will return the first of multiple unique descriptions.

So if there are 30 repeating descriptions of “Backup failed” and 20 repeating descriptions of “Backup succeeded”, a single query would return two answers: Backup failed 30 times and Backup Succeeded 20 times.

Ideally I would be able to parse the entire System, Application, or Security log with one query for each log and return a single description for each group of errors/successes/events found:

Application Log: A: Backups Failed 30 times, A: Backups Succeeded 20 times

Security Log: A: 30 Login Failures A: 40 Login Successes

System Log: A: 10 reports of Disk Degraded, A: 40 Group Policy Errors

The idea being to return valuable and summarized information without having to write specific queries targeted to each event log source.

(imported comment written by kasadis91)

Ok, I think I’ve almost got it…

Q: unique values of (concatenation of substrings separated by "%0d%0a" of descriptions of it) of (records of application event log) whose (source of it = "VSS")

A: The VSS service is shutting down due to idle timeout.

This returned just the one description instance (even though there are many with the same value).

It still returns unique but quite similar values if the description is slightly different (hashes, time stamps, etc). I’ll try it with the EventID instead.

(imported comment written by kasadis91)

Still having trouble getting this. If someone could point me in the right direction I’d be eternally grateful!

(imported comment written by MattBoyd)

Hmm… I think I understand a little better. What if you did something like this:

Q:(it, multiplicity of it) of unique values of (concatenation of substrings separated by "%0d%0a" of descriptions of it as trimmed string) of (records of application event log) whose (source of it = "VSS")

A: The VSS service is shutting down due to idle timeout., 140

I: plural ( string with multiplicity, integer )

(imported comment written by kasadis91)

That’s much closer. I’d tried Multiplicity but hadn’t figured out how to combine the event id, description, and record count to the results. I’ve added the event ID to your query, changed the filter to all error events within the last day, and here’s what I have now:

Q:(multiplicity of it, it) of unique values of ((concatenation of substrings separated by "%0d%0a" of description of it, (event id of it mod 2147483648 mod 1073741824)) as string) of (records of application event log) whose ((event type of it = error event log event type) and (time generated of it > (now - 1*day)))

A: 1, ( The HDX MediaStream for Flash Service is not available. Server-side Flash rendering will be used if available. , 45 )

A: 3, ( An unexpected error has occured in “QuickBooks”:Returning NULL QBWinInstance Handle, 4 )

That should do it. Thanks for your help and I hope this helps someone else.
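The grouping that the final query performs, shown as an added Python example that is not part of this thread (BigFix relevance is the tool under discussion; Python is used here only to make the filter, the event-id reduction and the count-per-unique-description explicit). The sample records, source names and helper names are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

ERROR, WARNING, INFORMATION = "error", "warning", "information"

# Constructed sample records, not real log data:
# (time generated, event type, source, raw 32-bit event id, description)
NOW = datetime(2024, 1, 2, 12, 0, 0)
QB_DESC = 'An unexpected error has occured in "QuickBooks":Returning NULL QBWinInstance Handle'
SAMPLE_RECORDS = [
    (NOW - timedelta(hours=1), ERROR, "Citrix HDX", 0xC000002D,
     "The HDX MediaStream for Flash Service is not available. \r\n"
     "Server-side Flash rendering will be used if available. "),
    (NOW - timedelta(hours=2), ERROR, "QuickBooks", 0xC0000004, QB_DESC),
    (NOW - timedelta(hours=5), ERROR, "QuickBooks", 0xC0000004, QB_DESC),
    (NOW - timedelta(hours=9), ERROR, "QuickBooks", 0xC0000004, QB_DESC),
    # Not an error: excluded by the event type filter
    (NOW - timedelta(hours=3), INFORMATION, "VSS", 0x40002001,
     "The VSS service is shutting down due to idle timeout."),
    # Older than one day: excluded by the time filter
    (NOW - timedelta(days=2), ERROR, "QuickBooks", 0xC0000004, QB_DESC),
]

def event_code(raw_event_id):
    """Drop the two top bits of the 32-bit event id, as the thread's final query
    does with 'event id of it mod 2147483648 mod 1073741824'."""
    return raw_event_id % 2147483648 % 1073741824

def normalize_description(description):
    """Mirror 'concatenation of substrings separated by "%0d%0a" ... as trimmed
    string': remove CRLF line breaks and surrounding whitespace."""
    return description.replace("\r\n", "").strip()

def summarize_errors(records, now=NOW, window=timedelta(days=1)):
    """Count error records newer than now - window, keyed by (event code, description)."""
    counts = Counter()
    for time_generated, event_type, _source, raw_id, description in records:
        if event_type != ERROR or time_generated <= now - window:
            continue
        counts[(event_code(raw_id), normalize_description(description))] += 1
    return dict(counts)

def summary_lines(records, now=NOW):
    """Render like the thread's 'A: <count>, ( <description>, <event id> )' answers."""
    return ["%d, ( %s, %d )" % (count, desc, code)
            for (code, desc), count in sorted(summarize_errors(records, now).items())]

if __name__ == "__main__":
    for line in summary_lines(SAMPLE_RECORDS):
        print("A:", line)
```

Descriptions that differ only by an embedded hash or timestamp still form separate groups, which is why the thread's final query keys on the event id as well as the description.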