WMI - Event Log
Preface
At the beginning of this document I would like to ask you not to use this type of WQL data query for active polling of MS Windows Event Log data for monitoring purposes.
There are other, more efficient ways to implement and integrate MS Windows Event Log based monitoring. One of them is to configure your MS Windows server to send an SNMP trap only for the interesting events (it is also possible to configure basic correlation of these events directly on the MS Windows server, to prevent overloading the SNMP trap destination).
On the other hand, if you are looking for a central reporting solution for all your MS Windows servers, you will need to collect the Event Logs from all of them. It is really pointless to send each Event Log record as an SNMP trap to a central SNMP trap receiver (it creates really high overhead on your infrastructure). In that case it is probably enough to dump the Event Log data from all MS Windows servers periodically, and WQL can be used to fetch that data from your central reporting server.
Event Log Provider
Official documentation: http://msdn.microsoft.com/en-us/library/aa390413
The Event Log service writes events to one of several log files. The Event Log provider uses the Win32_NTEventLogFile class to map data from the event logs to WMI objects. The Event Log provider also uses the Win32_NTLogEvent class to represent events.
Win32_NTEventlogFile
Official documentation: http://msdn.microsoft.com/en-us/library/aa394225
This class lists the files in which the Event Logs are stored.
Structure:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTEventlogFile" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTEventlogFile
AccessMask
Archive
Caption
Compressed
CompressionMethod
CreationClassName
CreationDate
CSCreationClassName
CSName
Description
Drive
EightDotThreeFileName
Encrypted
EncryptionMethod
Extension
FileName
FileSize
FileType
FSCreationClassName
FSName
Hidden
InstallDate
InUseCount
LastAccessed
LastModified
LogfileName
Manufacturer
MaxFileSize
Name
NumberOfRecords
OverwriteOutDated
OverWritePolicy
Path
Readable
Sources
Status
System
Version
Writeable
Example, list of files:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT LogfileName,FileName,FileSize,FileType FROM Win32_NTEventlogFile "
CLASS: Win32_NTEventlogFile
FileName|FileSize|FileType|LogfileName|Name
Application|1118208|evtx File|Application|C:\Windows\System32\Winevt\Logs\Application.evtx
DNS Server|69632|evtx File|DNS Server|C:\Windows\System32\Winevt\Logs\DNS Server.evtx
HardwareEvents|69632|evtx File|HardwareEvents|C:\Windows\System32\Winevt\Logs\HardwareEvents.evtx
Internet Explorer|69632|evtx File|Internet Explorer|C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx
Key Management Service|69632|evtx File|Key Management Service|C:\Windows\System32\Winevt\Logs\Key Management Service.evtx
Security|2166784|evtx File|Security|C:\Windows\System32\Winevt\Logs\Security.evtx
System|1118208|evtx File|System|C:\Windows\System32\Winevt\Logs\System.evtx
Windows PowerShell|1118208|evtx File|Windows PowerShell|C:\Windows\System32\Winevt\Logs\Windows PowerShell.evtx
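The file list above also carries MaxFileSize and OverWritePolicy, which together tell you how close each log is to overwriting its oldest records. The following script is an added example, not part of the original page: it post-processes wmic output for Win32_NTEventlogFile and flags logs that are nearly full. The sample output embedded in it is constructed (the MaxFileSize and OverWritePolicy values are assumed), and it parses columns by header name because wmic returns them sorted alphabetically and adds the key property Name even when it was not selected.

```shell
#!/bin/sh
# Added example (not from the original page): check Event Log file capacity from
# Win32_NTEventlogFile output produced by the Samba wmic client. The sample below is
# constructed; MaxFileSize and OverWritePolicy values are assumed, not taken from the page.
# Live use:
#   wmic -U wmiuser%wmipasswd //wmi-server.localnet \
#     "SELECT LogfileName,FileSize,MaxFileSize,OverWritePolicy FROM Win32_NTEventlogFile" | logfile_usage

SAMPLE_FILES='CLASS: Win32_NTEventlogFile
FileSize|LogfileName|MaxFileSize|Name|OverWritePolicy
1118208|Application|20971520|C:\Windows\System32\Winevt\Logs\Application.evtx|OutDated
20709376|Security|20971520|C:\Windows\System32\Winevt\Logs\Security.evtx|WhenNeeded
1118208|System|20971520|C:\Windows\System32\Winevt\Logs\System.evtx|OutDated'

# Print "LogfileName|percent_used|OverWritePolicy" for every log in the wmic output on stdin.
# Columns are located by header name: wmic returns them sorted alphabetically and adds the
# key property Name even when it was not part of the SELECT.
logfile_usage() {
    awk -F'|' '
        /^CLASS:/ { next }
        !hdr { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
        {
            max = $col["MaxFileSize"] + 0
            pct = (max > 0) ? int($col["FileSize"] * 100 / max) : 0
            print $col["LogfileName"] "|" pct "|" $col["OverWritePolicy"]
        }'
}

# Print the names of logs whose usage is at or above the given percentage (default 90).
# A full log with OverWritePolicy WhenNeeded silently drops its oldest records, so a log
# listed here (the Security log above all) should be exported before it reaches that point.
logs_over_threshold() {
    threshold="${1:-90}"
    logfile_usage | awk -F'|' -v t="$threshold" '$2 + 0 >= t { print $1 }'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_FILES" | logfile_usage
printf '%s\n' "$SAMPLE_FILES" | logs_over_threshold 90
```

Pipe the real wmic output into logfile_usage instead of the sample to get the live figures; the percentage is truncated to an integer, so a log reported at 98% may already be at the overwrite boundary.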
Win32_NTLogEvent
Official documentation: http://msdn.microsoft.com/en-us/library/aa390413
The Win32_NTLogEvent WMI class is used to provide events from the Windows Event Viewer Log.
Structure:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEvent" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEvent
Category
CategoryString
ComputerName
Data
EventCode
EventIdentifier
EventType
InsertionStrings
Logfile
Message
RecordNumber
SourceName
TimeGenerated
TimeWritten
Type
User
Example of getting logged data:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT TimeGenerated,EventCode,EventIdentifier,EventType,Type FROM Win32_NTLogEvent" | head -5
CLASS: Win32_NTLogEvent
EventCode|EventIdentifier|EventType|Logfile|RecordNumber|TimeGenerated|Type
8196|1073750020|3|Application|420|20140501163249.000000-000|Information
8196|1073750020|3|Application|419|20140501143249.000000-000|Information
8196|1073750020|3|Application|418|20140501123248.000000-000|Information
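Two things stand out in the output above: wmic adds the key properties Logfile and RecordNumber even though they were not selected, and TimeGenerated comes back as a CIM_DATETIME string rather than a readable timestamp. The script below is an added example, not code from the original page. It ties the preface's "dump periodically" approach to this class: it converts CIM_DATETIME to ISO 8601, parses wmic columns by header name, extracts the highest RecordNumber already collected for a log, and builds the WQL for the next incremental dump so each run fetches only new records. The sample output is constructed (the Security row and its event code are assumed for illustration, not taken from the page).

```shell
#!/bin/sh
# Added example (not from the original page): incremental collection of Win32_NTLogEvent
# records with the Samba wmic client. The sample output is constructed; the Security row
# and its event code are assumed for illustration.
# Live use, fetching only records newer than the last one already stored:
#   last=$(printf '%s\n' "$stored_output" | max_record Security)
#   wmic -U wmiuser%wmipasswd //wmi-server.localnet "$(build_query Security "$last")" | events_to_tsv

SAMPLE_EVENTS='CLASS: Win32_NTLogEvent
EventCode|EventIdentifier|EventType|Logfile|RecordNumber|TimeGenerated|Type
8196|1073750020|3|Application|420|20140501163249.000000-000|Information
4625|4625|5|Security|1502|20140501140102.000000+120|Audit Failure
8196|1073750020|3|Application|419|20140501143249.000000-000|Information'

# Convert a CIM_DATETIME value (yyyymmddHHMMSS.ffffff followed by a signed UTC offset in
# minutes, e.g. 20140501163249.000000-000) to ISO 8601 with an hh:mm offset.
cim_to_iso() {
    printf '%s\n' "$1" | awk '{
        sign = substr($0, 22, 1); mins = substr($0, 23, 3) + 0
        if (mins == 0) sign = "+"
        printf "%s-%s-%sT%s:%s:%s%s%02d:%02d\n",
            substr($0, 1, 4), substr($0, 5, 2), substr($0, 7, 2),
            substr($0, 9, 2), substr($0, 11, 2), substr($0, 13, 2),
            sign, int(mins / 60), mins % 60
    }'
}

# Reorder the wmic columns by header name (wmic returns them alphabetically and adds the
# key properties Logfile and RecordNumber) and emit one tab-separated line per event:
# ISO time, Logfile, RecordNumber, EventCode, Type
events_to_tsv() {
    awk -F'|' '
        /^CLASS:/ { next }
        !hdr { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
        { print $col["TimeGenerated"] "|" $col["Logfile"] "|" $col["RecordNumber"] "|" $col["EventCode"] "|" $col["Type"] }' |
    while IFS='|' read -r cim logfile rec code type; do
        printf '%s\t%s\t%s\t%s\t%s\n' "$(cim_to_iso "$cim")" "$logfile" "$rec" "$code" "$type"
    done
}

# Highest RecordNumber already seen for one log (0 if none). RecordNumber grows per log,
# so it is the natural watermark for the next incremental query.
max_record() {
    awk -F'|' -v lf="$1" '
        BEGIN { max = 0 }
        /^CLASS:/ { next }
        !hdr { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
        $col["Logfile"] == lf && $col["RecordNumber"] + 0 > max { max = $col["RecordNumber"] + 0 }
        END { print max }'
}

# Build the WQL for the next dump: one log, only records after the watermark.
# Single quotes around the log name also cover names with spaces ("Windows PowerShell").
build_query() {
    printf "SELECT TimeGenerated,EventCode,EventIdentifier,EventType,Type,Message FROM Win32_NTLogEvent WHERE Logfile='%s' AND RecordNumber > %d\n" "$1" "$2"
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_EVENTS" | events_to_tsv
last=$(printf '%s\n' "$SAMPLE_EVENTS" | max_record Security)
build_query Security "$last"
```

Store the last RecordNumber per server and per log between runs; a server with no stored watermark gets 0 and therefore a full dump, which is the expensive case the preface warns about, so schedule the first run accordingly.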
Win32_NTLogEventLog
Official documentation: http://msdn.microsoft.com/en-us/library/aa394228
The Win32_NTLogEventLog association WMI class relates a Windows event with a Windows event log file.
To be honest, I'm not sure if you will use this class really often. Anyway, it provides the count of logged events in a particular event log, so it is handy if you would like to cross-check the data from the Event Log.
Structure:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventLog" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEventLog
Log
Record
Example:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventLog" | head -5
CLASS: Win32_NTLogEventLog
Log|Record
Win32_NTEventlogFile.Name="C:\\Windows\\System32\\Winevt\\Logs\\Application.evtx"|Win32_NTLogEvent.Logfile="Application",RecordNumber=420
Win32_NTEventlogFile.Name="C:\\Windows\\System32\\Winevt\\Logs\\Application.evtx"|Win32_NTLogEvent.Logfile="Application",RecordNumber=419
Win32_NTEventlogFile.Name="C:\\Windows\\System32\\Winevt\\Logs\\Application.evtx"|Win32_NTLogEvent.Logfile="Application",RecordNumber=418
Win32_NTLogEventUser
Official documentation: http://msdn.microsoft.com/en-us/library/aa394229
The Win32_NTLogEventUser association WMI class relates a Windows event with the currently logged-on user.
To be honest, I'm not sure if you will use this class really often. Anyway, it provides the user name of the user that logged the event into the Event Log, so it is handy if you would like to cross-check the data from the Event Log.
Structure:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventUser" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEventUser
Record
User
Example:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventUser" | head -5
CLASS: Win32_NTLogEventUser
Record|User
Win32_NTLogEvent.Logfile="Application",RecordNumber=331|Win32_UserAccount.Domain="WIN-7VRT6O322S5",Name="Administrator"
Win32_NTLogEvent.Logfile="Application",RecordNumber=330|Win32_UserAccount.Domain="WIN-7VRT6O322S5",Name="Administrator"
Win32_NTLogEvent.Logfile="Application",RecordNumber=329|Win32_UserAccount.Domain="WIN-7VRT6O322S5",Name="Administrator"
Win32_NTLogEventComputer
Official documentation: http://msdn.microsoft.com/en-us/library/aa394227
The Win32_NTLogEventComputer association WMI class relates a computer and an event.
To be honest, I'm not sure if you will use this class really often. Anyway, it provides the source server that logged the event into the Event Log, so it is handy if you would like to cross-check the data from the Event Log.
Structure:
[root@Linux-WMI-Client ~]# wmic -U wmiuser%wmipasswd //wmi-server.localnet "SELECT * FROM Win32_NTLogEventComputer" | head -2 | awk -F"|" '{ for (i=1;i<=NF;i++) print $i}'
CLASS: Win32_NTLogEventComputer
Computer
Record
Example:
[root@Linux-WMI-Client ~]# wmic -U Administrator%R00troot //10.0.12.120 "SELECT * FROM Win32_NTLogEventComputer" | head -5
CLASS: Win32_NTLogEventComputer
Computer|Record
Win32_ComputerSystem.Name="WIN-7VRT6O322S5"|Win32_NTLogEvent.Logfile="Application",RecordNumber=420
Win32_ComputerSystem.Name="WIN-7VRT6O322S5"|Win32_NTLogEvent.Logfile="Application",RecordNumber=419
Win32_ComputerSystem.Name="WIN-7VRT6O322S5"|Win32_NTLogEvent.Logfile="Application",RecordNumber=418
URLs
WMI Providers: http://msdn.microsoft.com/en-us/library/aa394570
Event Log Provider: http://msdn.microsoft.com/en-us/library/aa390413
Win32_NTEventlogFile class: http://msdn.microsoft.com/en-us/library/aa394225
Win32_NTLogEvent class: http://msdn.microsoft.com/en-us/library/aa390413
Win32_NTLogEventLog class: http://msdn.microsoft.com/en-us/library/aa394228
Win32_NTLogEventUser class: http://msdn.microsoft.com/en-us/library/aa394229
Win32_NTLogEventComputer class: http://msdn.microsoft.com/en-us/library/aa394227