How to add event log files to the `Win32_NTLogEvent` WMI class

Not all event logs are exposed through the Win32_NTLogEvent WMI class. Since the Event Viewer integration can only pick up events from this class, you will need to modify the Windows Registry to add event logs that fall outside its scope.

The first step is to confirm whether the log file can be accessed through Win32_NTLogEvent by running the following WMI query in PowerShell (this is the same query the Agent runs to collect these events):

```powershell
Get-WmiObject -Query "Select EventCode,SourceName,TimeGenerated,Type,InsertionStrings,Message,Logfile from Win32_NTLogEvent WHERE ( LogFile = '<LogFileName>' )" | Select-Object -First 1
```

If there are no results, the log file cannot be accessed and you will need to add it through the Windows Registry.

Locate the event log you want to monitor in Event Viewer, then click "Properties" under the "Actions" pane to find its Log path and Full Name. For example, here is how to set up monitoring for the "Operational" event log located in the Microsoft/Windows/TaskScheduler folder.

Open the Windows Registry editor (search for regedit.exe, the default name of the registry editor). Inside the registry editor, locate the EventLog key at the following path:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
```

Create a new key named after the event log you want to monitor, using the syntax path-to-folder/LogFileName (i.e. the Full Name found in Event Viewer).

Next, you'll need to add three values to this key. First, add the path to the log file as a String Value (REG_SZ) named "File".

Next, add the Full Name of the log file as a String Value (REG_SZ) named "Primary Module".

Finally, add the path to the Windows Event Log API DLL (wevtapi.dll), which should be %SystemRoot%\system32\wevtapi.dll, as an Expandable String Value (REG_EXPAND_SZ) named "DisplayNameFile".

The changes take effect immediately. To confirm that the event log is accessible through the Win32_NTLogEvent WMI class, run the query above again. You can then resume adding events to the Event Viewer integration config file.

Note: if the query still returns no events, check Event Viewer to confirm that the log file actually contains events. Also make sure that the event log isn't disabled and that recent events are available.
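As an added example that is not part of the original article, the following PowerShell script performs the access check and the three registry edits described above in one step, then re-runs the check and distinguishes a log that is not registered from one that is registered but empty or disabled. The function names, parameter names and the sample .evtx path are assumptions; the key name, value names and the wevtapi.dll path come from the article. It uses the .NET registry API rather than the HKLM: drive because the key name contains a forward slash, which must be kept literal. Creating keys under HKLM\SYSTEM requires an elevated session.

```powershell
# Added example: register an event log so Win32_NTLogEvent can see it.
# Function and parameter names are assumptions; run from an elevated session.

function Test-NTLogEventAccess {
    param([Parameter(Mandatory)][string]$LogFile)
    # Same query the article says the Agent runs, limited to the first hit.
    $query = "Select EventCode,SourceName,TimeGenerated,Type,InsertionStrings,Message,Logfile " +
             "from Win32_NTLogEvent WHERE ( LogFile = '$LogFile' )"
    $first = Get-WmiObject -Query $query | Select-Object -First 1
    return ($null -ne $first)
}

function Register-EventLogForWmi {
    param(
        # Full Name from Event Viewer, e.g. Microsoft-Windows-TaskScheduler/Operational
        [Parameter(Mandatory)][string]$FullName,
        # Log path from the log's Properties dialog in Event Viewer (the .evtx file)
        [Parameter(Mandatory)][string]$LogPath
    )
    # The .NET registry API is used instead of the HKLM: provider because the key
    # name contains a forward slash; .NET treats only backslash as a separator.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Services\EventLog', $true)
    if ($null -eq $base) { throw 'EventLog service key not found (are you elevated?).' }
    try {
        $key = $base.CreateSubKey($FullName)
        try {
            # The three values the article describes, with the same types.
            $key.SetValue('File', $LogPath, [Microsoft.Win32.RegistryValueKind]::String)
            $key.SetValue('Primary Module', $FullName, [Microsoft.Win32.RegistryValueKind]::String)
            $key.SetValue('DisplayNameFile', '%SystemRoot%\system32\wevtapi.dll',
                          [Microsoft.Win32.RegistryValueKind]::ExpandString)
        } finally { $key.Close() }
    } finally { $base.Close() }
}

# Usage with the article's TaskScheduler example. The .evtx path is an assumed
# value; take the real one from the log's Properties dialog in Event Viewer.
$name = 'Microsoft-Windows-TaskScheduler/Operational'
$path = "$env:SystemRoot\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx"

if (Test-NTLogEventAccess -LogFile $name) {
    "Already visible to Win32_NTLogEvent: $name"
} else {
    Register-EventLogForWmi -FullName $name -LogPath $path
    if (Test-NTLogEventAccess -LogFile $name) {
        "Registered and now returning events: $name"
    } else {
        # Matches the article's note: an empty result after registration usually
        # means the log is disabled or has no events yet, so check Event Viewer.
        "Registered, but no events returned yet; confirm the log is enabled and has events."
    }
}
```

The script only writes the three values the article lists and leaves any existing values under the key untouched, so re-running it against an already registered log is harmless.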
