monitoring Windows EventLog Events using wmic

[thanks_st_ignucius]

I'm trying to use wmic to query WMI on a host using WQL. I can verify that some information on general queries is returned, like this:

command:
wmic -U user%password --namespace root/cimv2 //hostname "Select * From Win32_NTEventlogFile"

output:
CLASS: Win32_NTEventlogFile
AccessMask|Archive|Caption|Compressed|CompressionMethod|CreationClassName|CreationDate|CSCreationClassName|CSName|Description|Drive|EightDotThreeFileName|Encrypted|EncryptionMethod|Extension|FileName|FileSize|FileType|FSCreationClassName|FSName|Hidden|InstallDate|InUseCount|LastAccessed|LastModified|LogfileName|Manufacturer|MaxFileSize|Name|NumberOfRecords|OverwriteOutDated|OverWritePolicy|Path|Readable|Sources|Status|System|Version|Writeable
0|True|c:\windows\system32\winevt\logs\internet explorer.evtx|False|(null)|Win32_NTEventlogFile|20131011011959.476859-420|Win32_ComputerSystem|CSUPP01|c:\windows\system32\winevt\logs\internet explorer.evtx|c:|c:\windows\system32\winevt\logs\intern~1.evt|False|(null)|evtx|Internet Explorer|69632|evtx File|Win32_FileSystem|NTFS|False|20131011011959.476859-420|0|20131011011959.476859-420|20131011012106.978178-420|Internet Explorer|(null)|1052672|C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx|0|0|WhenNeeded|\windows\system32\winevt\logs\|True|(Internet Explorer)|OK|False|(null)|True

and information on objects that the connecting account is forbidden to access return code indicating as such.

The problem I experience is that when I try to query a very specific result, wmic doesn't return any output. Here is the command I'm currently testing with:

wmic -U user%password --namespace root/cimv2 //hostname "Select * From Win32_NTLogEvent where RecordNumber = 18166"

Can anyone explain what is causing the absolute lack of output here? Is it related to the WMI class I'm querying? I tested the query in wbemtest on the Windows host and it returns a value just fine.

Does anyone here have any experience using wmic to monitor Windows Event Log Events?

[rkennedy]

Do you have any special characters in your user or password? You may need to add quotes around the variables.

[hsmith]

Can you perhaps check out this plugin and see if it works? https://exchange.nagios.org/directory/P ... MI/details

WMIC troubleshooting is close to being out of the scope of our support on the forum, but there may be something in that plugin that helps you with your question. Let me know what else you may need help with. Thanks!

[hsmith]

It also may be worth checking out the WMI configuration wizard built into Nagios XI.

[thanks_st_ignucius]

Do you have any special characters in your user or password? You may need to add quotes around the variables.

thank you for your prompt reply!

nope no special characters in the password - just letters and numbers. it seems like any query against that class (no matter how specific or general) produces literally no output when executed from the command line.

[thanks_st_ignucius]

Can you perhaps check out this plugin and see if it works? https://exchange.nagios.org/directory/P ... MI/details

WMIC troubleshooting is close to being out of the scope of our support on the forum, but there may be something in that plugin that helps you with your question. Let me know what else you may need help with. Thanks!

Thank you for the reply; but unfortunately that plugin is really poorly written. I journey down this rabbit hole actually began with that shell script. The getopts statement is mangled and so is the query it assembles. That's how I started testing execution of wmic from the command line. Can you point me to some quality documentation of wmic? I haven't been able to find much.

[thanks_st_ignucius]

It also may be worth checking out the WMI configuration wizard built into Nagios XI.

Thank you, but although that wizard is very well written, as far as i know it is only configured to monitor event log events by status - i.e., Information, Warning etc.

I'd like to monitor for specific EventCodes, such as 1024 (rebooted)

[hsmith]

http://sourcecodebrowser.com/samba4/4.0 ... ic_8c.html I may have found the source code here, but finding great documentation is proving to be difficult.

Thank you, but although that wizard is very well written, as far as i know it is only configured to monitor event log events by status - i.e., Information, Warning etc.

I'd like to monitor for specific EventCodes, such as 1024 (rebooted)

I can reach out to the developer and see if this is possible using that binary, and if it is, enhancing the wizard with it.

[thanks_st_ignucius]

Thank you for all your help with this! I would greatly appreciate an update (whenever available) about anything you hear from the developer.

[tgriep]

Did you verify that the security settings for the root/cimv2 are setup with full administrator access?