Using WMI to query Windows Event Collector logs

windows-event-logwmi

Using WMI to query the eventlog is quite simple, using Win32_NTLogEvent, for example:

Get-WmiObject -query "SELECT *FROM Win32_NTLogEvent WHERE (logfile='Application' and SourceName='Something')

However, if i want to query a log that contains events collected with Windows Event Collector, they don't show up in the results, even tho events from other sources in the same log does.

I can use the cmdlet Get-Eventlog to retrieve WEC events, but that does not solve my problem.

What i am trying to do, is to use the __InstanceCreationEvent and do something (forward it to a kafka instance) when a new event is inserted in the log. See example from Scripting Guy and Logstash Eventlog input module for example usage.

$query = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent' And (TargetInstance.LogFile = 'HardwareEvents')"
$Eventwatcher = New-Object management.managementEventWatcher $Query
$Event = $Eventwatcher.waitForNextEvent()

This works perfectly for normal logs, but not with forwarded events from Windows Event Collector.

Any suggestions?

Best Answer

On your Event Subscription, if you set the "Destination Log" to "System", AND if you do NOT specify logfile in your WHERE condition, then the forwarded events will show up in the results. This is totally weird.

Related Solutions

Fix SELECT * from Win32_Process Query Hanging Indefinitely

WMI might have gotten corrupt on that machine. Try reinstalling it.

COPY ALL LINES BELOW INTO A BATCH FILE AND RUN IT:

net stop winmgmt

pause

c:

cd c:\windows\system32\wbem

rd /S /Q repository

regsvr32 /s %systemroot%\system32\scecli.dll

regsvr32 /s %systemroot%\system32\userenv.dll

mofcomp cimwin32.mof

mofcomp cimwin32.mfl

mofcomp rsop.mof

mofcomp rsop.mfl

for /f %%s in ('dir /b /s *.dll') do regsvr32 /s %%s

for /f %%s in ('dir /b *.mof') do mofcomp %%s

for /f %%s in ('dir /b *.mfl') do mofcomp %%s

mofcomp exwmi.mof

mofcomp -n:root\cimv2\applications\exchange wbemcons.mof

mofcomp -n:root\cimv2\applications\exchange smtpcons.mof

mofcomp exmgmt.mof

WMI query of Win32_Product creates events in the W2K8+ Application Event Log

Greg,

I would strongly recommend NOT using Win32_Product if you can avoid it. First, it is really, really slow. Second, and more significant is that you can screw up your system:

The Win32_Product class works by enumerating every MSI package that is installed on the system. When a package is touched, it performs a reconfiguration where the application is validated (and repaired if found to be inconsistent with the original MSI).

This can be a huge problem if you have applications that were configured after install (i.e. previously disabled services can be re-enabled, etc.)

As an alternative, you can do a search on a particular file and check its version to see if an application is installed. Here is a link to a blog post I did describing the technique (and also has a link to an article by Darren Mar-Elia discussing Win32_Product):

http://windowshell.wordpress.com/2010/07/08/wmi-query-for-an-installed-application/

Related Topic