WMI - Event Log

At beginning of this document I would like to ask you to prevent to use this type of WQL data query for active polling of MS Windows Event Log data for monitoring purposes.

There are another more efficient ways for implementation and integration of MS Windows Event Logs based monitoring. One of them is to configure your MS Windows server to send SNMP Trap only for the interesting events (as well it is possible to configure basic correlation of this events directly on MS Windows server to prevent overloading of the SNMP trap destination).

On another hand if you are looking for central reporting solution for all your MS Windows servers and you’ll need to collect Event Logs from your MS Windows servers. It is really pointless to send each record from Event Log like SNMP trap to central SNMP Trap receiver (it will create really high overhead on your infrastructure). According to this probably it is enough to dump your Event Log data from all MS Windows servers once a time. In case like this it is possible to use WQL to get mentioned data on your central reporting server.

Official documentation:http://msdn.microsoft.com/en-us/library/aa390413

The Event Log service writes events to one of several log files. The Event Log provider uses the Win32_NTEventLogFile class to map data from the event logs to WMI objects. The Event Log provider also uses the Win32_NTLogEvent class to represent events.

Official documentation: http://msdn.microsoft.com/en-us/library/aa394225

With help of this class it is possible to get list of files where are all Event Logs stored.

Structure:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTEventlogFile" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTEventlogFile
AccessMask
Archive
Caption
Compressed
CompressionMethod
CreationClassName
CreationDate
CSCreationClassName
CSName
Description
Drive
EightDotThreeFileName
Encrypted
EncryptionMethod
Extension
FileName
FileSize
FileType
FSCreationClassName
FSName
Hidden
InstallDate
InUseCount
LastAccessed
LastModified
LogfileName
Manufacturer
MaxFileSize
Name
NumberOfRecords
OverwriteOutDated
OverWritePolicy
Path
Readable
Sources
Status
System
Version
Writeable

Example, list of files:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT LogfileName,FileName,FileSize,FileType FROM Win32_NTEventlogFile "
CLASS: Win32_NTEventlogFile
FileName|FileSize|FileType|LogfileName|Name
Application|1118208|evtx File|Application|C:\Windows\System32\Winevt\Logs\Application.evtx
DNS Server|69632|evtx File|DNS Server|C:\Windows\System32\Winevt\Logs\DNS Server.evtx
HardwareEvents|69632|evtx File|HardwareEvents|C:\Windows\System32\Winevt\Logs\HardwareEvents.evtx
Internet Explorer|69632|evtx File|Internet Explorer|C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx
Key Management Service|69632|evtx File|Key Management Service|C:\Windows\System32\Winevt\Logs\Key Management Service.evtx
Security|2166784|evtx File|Security|C:\Windows\System32\Winevt\Logs\Security.evtx
System|1118208|evtx File|System|C:\Windows\System32\Winevt\Logs\System.evtx
Windows PowerShell|1118208|evtx File|Windows PowerShell|C:\Windows\System32\Winevt\Logs\Windows PowerShell.evtx

Official documentation: http://msdn.microsoft.com/en-us/library/aa390413

The Win32_NTLogEvent WMI class is used to provide events from the Windows Event Viewer Log.

Structure:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEvent" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEvent
Category
CategoryString
ComputerName
Data
EventCode
EventIdentifier
EventType
InsertionStrings
Logfile
Message
RecordNumber
SourceName
TimeGenerated
TimeWritten
Type
User

Example of gretting logged data:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT TimeGenerated,EventCode,EventIdentifier,EventType,Type FROM Win32_NTLogEvent" | head -5
CLASS: Win32_NTLogEvent
EventCode|EventIdentifier|EventType|Logfile|RecordNumber|TimeGenerated|Type
8196|1073750020|3|Application|420|20140501163249.000000-000|Information
8196|1073750020|3|Application|419|20140501143249.000000-000|Information
8196|1073750020|3|Application|418|20140501123248.000000-000|Information

Official documentation: msdn.microsoft.com/en-us/library/aa394228

The Win32_NTLogEventLog association WMI class relates a Windows event with a Windows event log file.

To be honest I’m not sure if you will use this class really often. Any way it is providing count of logged events in particular event log according to this it is handy in case that you would like to cross check the data from Event Log.

Structure:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventLog" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEventLog
Log
Record

Example:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventLog" | head -5
CLASS: Win32_NTLogEventLog
Log|Record
Win32_NTEventlogFile.Name="C:\\Windows\\System32\\Winevt\\Logs\\Application.evtx"|Win32_NTLogEvent.Logfile="Application",RecordNumber=420
Win32_NTEventlogFile.Name="C:\\Windows\\System32\\Winevt\\Logs\\Application.evtx"|Win32_NTLogEvent.Logfile="Application",RecordNumber=419
Win32_NTEventlogFile.Name="C:\\Windows\\System32\\Winevt\\Logs\\Application.evtx"|Win32_NTLogEvent.Logfile="Application",RecordNumber=418

Official documentation: http://msdn.microsoft.com/en-us/library/aa394229

The Win32_NTLogEventUserassociation WMI class relates a Windows event with the currently logged-on user.

To be honest I’m not sure if you will use this class really often. Any way it is providing user name of user that has logged the event in to Event Log according to this it is handy in case that you would like to cross check the data from Event Log.

Structure:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventUser" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEventUser
Record
User

Example:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventUser" | head -5
CLASS: Win32_NTLogEventUser
Record|User
Win32_NTLogEvent.Logfile="Application",RecordNumber=331|Win32_UserAccount.Domain="WIN-7VRT6O322S5",Name="Administrator"
Win32_NTLogEvent.Logfile="Application",RecordNumber=330|Win32_UserAccount.Domain="WIN-7VRT6O322S5",Name="Administrator"
Win32_NTLogEvent.Logfile="Application",RecordNumber=329|Win32_UserAccount.Domain="WIN-7VRT6O322S5",Name="Administrator"

Official documentation: http://msdn.microsoft.com/en-us/library/aa394227

The Win32_NTLogEventComputerassociation WMI class relates a computer and an event.

To be honest I’m not sure if you will use this class really often. Any way it is providing server source information that has logged the event in to Event Log according to this it is handy in case that you would like to cross check the data from Event Log.

Structure:

[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventComputer" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEventComputer
Computer
Record

Example:

[root@Linux-WMI-Client ~]# wmic -U Administrator%R00troot //10.0.12.120 "SELECT * FROM Win32_NTLogEventComputer" | head -5
CLASS: Win32_NTLogEventComputer
Computer|Record
Win32_ComputerSystem.Name="WIN-7VRT6O322S5"|Win32_NTLogEvent.Logfile="Application",RecordNumber=420
Win32_ComputerSystem.Name="WIN-7VRT6O322S5"|Win32_NTLogEvent.Logfile="Application",RecordNumber=419
Win32_ComputerSystem.Name="WIN-7VRT6O322S5"|Win32_NTLogEvent.Logfile="Application",RecordNumber=418

WMI Providers: http://msdn.microsoft.com/en-us/library/aa394570
Event Log Provider: http://msdn.microsoft.com/en-us/library/aa390413
Win32_NTEventlogFile class: http://msdn.microsoft.com/en-us/library/aa394225
Win32_NTLogEvent class: http://msdn.microsoft.com/en-us/library/aa390413
Win32_NTLogEventLog class: http://msdn.microsoft.com/en-us/library/aa394228
Win32_NTLogEventUser class: http://msdn.microsoft.com/en-us/library/aa394229
Win32_NTLogEventComputer class: http://msdn.microsoft.com/en-us/library/aa394227