Example: Reporting all machines with specific Event Log entries

This tutorial explains how you can use a scope action to generate a report of specific event log entries for a set of machines.

Goal

In this example, we create a scope action which reports all Application Event Log entries related to the source: Goverlan, on a set of machines.
Note: Reporting all event entries with a specific Event ID or other criteria are very similar.

Solution

The Goverlan Scope Action feature doesn't include a native attribute set for event log entries. Therefore, we need to use WMI technology to accomplish our goal. WMI is very powerful and includes an class for every machine object that is reportable remotely.

Researching WMI to find a solution

First, we need to find out which WMI class could assist us for this report. WMI contains a lot of classes. We need to find which one provides information on a single event entry of the event logs. Once we find the WMI class which encapsulates an Event Log Entry, we will need to build a WMI Query which targets only specific events.

This seems complicated, however, it can easily be done using the WMIX feature.

1. Open WMIX and open the WMI repository on the local machine (connect to 127.0.0.1).

2. Select the Query WMI tab. This tab allows you to create and test WMI Queries.

3. Click on Use Query Wizard.

4. Under Query Wizard : Select WMI Class. Click on the down arrow of the selection control and select: Other Class at the bottom of the list.

5. In the Search for WMI window, enter Event in the search field.
   > Confirm that the Search In option is set to CIMV2 (default namespace).
   > Under Search Options, only enable Search object names.
   > Click onSearch...
   
   The search results in tree entries: NT Eventlog File, NT EventLog Provider Config and NT Log Event. The last entry is the one we need so double click on it.
   
   Click on Next.

6. Under Query Wizard : Select the Properties to return > select All Properties and click on Next.
7. Under Query Wizard : WMI Query Filter > select Configure a WMI query filter and click on Next.
8. This is where we define our event search criteria. We need to specify that we only want event entries from the Goverlan source.
   
   > Click on Add a new condition to this group.
   > Set the condition Property to Source Name, the condition to = (equal) and the value to Goverlan. Click on OK.
   
   
   
   Since multiple event logs exist on a machine, to reduce the amount of processing time for this query, we add another filter which only targets the Application log.
   > Click on Add a new condition to this group.
   > Set the condition Property to Log File, the condition to = (equal) and the value to Application. Click on OK.
   
   If you need to add other filters, repeat step 8. For instance, you can search the events by event ID or severity.
   
   Click on Finish.
9. The WMI Query Wizard has now generated the appropriate WQL query for our needs. Let's test it on the local machine to make sure it returns the expected results.
   
   Click on the Transfer to Query Field button and click on Run Query. The query is run against your machine and the result event entries are returned in the Instances Query Result pane. You can double click on any of the resulting objects to view its properties and to confirm that the information is correct.

Configuring Scope Action with our WQL Query

Now that we have created the WMI Query, we need to configure it into the Scope Action feature. Do not close WMIX yet as we may need it again.

• Open Goverlan and select the Scope Action feature.

• Create a new scope action, define its name and click on Next.

• Under Scope, select the Computers object type and define the list of machines to process (see: Defining the Scope). Click on Next.

• Under Actions, double click on Add New to start the Action Module property window.

• Under Execute the following Action(s), click on Add/Remove > Report Computer Property > WMI Objects > Manage WMI Objects...

• The list of WMI Objects accessible from a scope action can be configured using WMIX or by using a dedicated data set (see: Working with WMI and Scope Actions)

• • If you selected to use WMIX to define the list of WMI objects, go back to where we left off in WMIX.
    > Click on the Add Query to Browser View... button
    > Enter the query display name, for instance, Goverlan Events.
    > Select 'No' when prompted to set the focus on this new object.
    > Close WMIX.
     

  • If you have selected to use a separate list,
    > Click on Manage Custom List.
    > Click on the button.
    > Select Add a new query object from the menu.
    > Enter the query object's display name, for instance, Goverlan Events.
    > Copy the WQL Query string we generated in the previous section from WMIX to the Query fields.
    > Click on OK.

• Now we can select the WMI query as a report attribute set.
  Under Execute the following Action(s), click on Add/Remove > Report Computer Property > WMI Objects > [Query] Goverlan Events > All [Query] Goverlan Events Information.

• Complete your scope action and run it.

Viewing the Report

To view the report of the scope action, right-click on it and select View Last Run's Report. From the Select Report Format window, select the HTML format - Report Model and click on OK.

Note: The HTML report includes an Export to CSV button. Click on it to save the data displayed into a comma separated value file or to view the data in Microsoft Excel.