monitoring Windows EventLog Events using wmic
monitoring Windows EventLog Events using wmic
I'm trying to use wmic to query WMI on a host using WQL. I can verify that some information on general queries is returned, like this:
command:
wmic -U user%password --namespace root/cimv2 //hostname "Select * From Win32_NTEventlogFile"
output:
CLASS: Win32_NTEventlogFile
AccessMask|Archive|Caption|Compressed|CompressionMethod|CreationClassName|CreationDate|CSCreationClassName|CSName|Description|Drive|EightDotThreeFileName|Encrypted|EncryptionMethod|Extension|FileName|FileSize|FileType|FSCreationClassName|FSName|Hidden|InstallDate|InUseCount|LastAccessed|LastModified|LogfileName|Manufacturer|MaxFileSize|Name|NumberOfRecords|OverwriteOutDated|OverWritePolicy|Path|Readable|Sources|Status|System|Version|Writeable
0|True|c:\windows\system32\winevt\logs\internet explorer.evtx|False|(null)|Win32_NTEventlogFile|20131011011959.476859-420|Win32_ComputerSystem|CSUPP01|c:\windows\system32\winevt\logs\internet explorer.evtx|c:|c:\windows\system32\winevt\logs\intern~1.evt|False|(null)|evtx|Internet Explorer|69632|evtx File|Win32_FileSystem|NTFS|False|20131011011959.476859-420|0|20131011011959.476859-420|20131011012106.978178-420|Internet Explorer|(null)|1052672|C:\Windows\System32\Winevt\Logs\Internet Explorer.evtx|0|0|WhenNeeded|\windows\system32\winevt\logs\|True|(Internet Explorer)|OK|False|(null)|True
and queries for objects that the connecting account is forbidden to access return a code indicating as such.
The problem I experience is that when I try to query a very specific result, wmic doesn't return any output. Here is the command I'm currently testing with:
wmic -U user%password --namespace root/cimv2 //hostname "Select * From Win32_NTLogEvent where RecordNumber = 18166"
Can anyone explain what is causing the absolute lack of output here? Is it related to the WMI class I'm querying? I tested the query in wbemtest on the Windows host and it returns a value just fine.
Does anyone here have any experience using wmic to monitor Windows Event Log Events?
Re: monitoring Windows EventLog Events using wmic
Do you have any special characters in your user or password? You may need to add quotes around the variables.
Former Nagios Employee
Re: monitoring Windows EventLog Events using wmic
Can you perhaps check out this plugin and see if it works? https://exchange.nagios.org/directory/P ... MI/details
WMIC troubleshooting is close to being out of the scope of our support on the forum, but there may be something in that plugin that helps you with your question. Let me know what else you may need help with. Thanks!
Former Nagios Employee.
Re: monitoring Windows EventLog Events using wmic
It also may be worth checking out the WMI configuration wizard built into Nagios XI.
Former Nagios Employee.
Re: monitoring Windows EventLog Events using wmic
rkennedy wrote: Do you have any special characters in your user or password? You may need to add quotes around the variables.
Thank you for your prompt reply!
Nope, no special characters in the password - just letters and numbers. It seems like any query against that class (no matter how specific or general) produces literally no output when executed from the command line.
Re: monitoring Windows EventLog Events using wmic
hsmith wrote:Can you perhaps check out this plugin and see if it works? https://exchange.nagios.org/directory/P ... MI/details
WMIC troubleshooting is close to being out of the scope of our support on the forum, but there may be something in that plugin that helps you with your question. Let me know what else you may need help with. Thanks!
Thank you for the reply; but unfortunately that plugin is really poorly written. My journey down this rabbit hole actually began with that shell script. The getopts statement is mangled and so is the query it assembles. That's how I started testing execution of wmic from the command line. Can you point me to some quality documentation of wmic? I haven't been able to find much.
Re: monitoring Windows EventLog Events using wmic
hsmith wrote: It also may be worth checking out the WMI configuration wizard built into Nagios XI.
Thank you, but although that wizard is very well written, as far as I know it is only configured to monitor event log events by status - i.e., Information, Warning etc.
I'd like to monitor for specific EventCodes, such as 1024 (rebooted).
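Putting the thread's two requirements together (the wmic invocation shape from the opening post and alerting on one specific EventCode), here is an added shell wrapper; it is not code from this thread, from Nagios or from the Exchange plugin. The host, user, password-file path and the sample wmic output are constructed, and it assumes a wmic build that accepts the -U, --namespace and //host arguments exactly as the opening post shows.

```shell
#!/bin/sh
# Added example (not code from this thread, Nagios or the Exchange plugin):
# wrap Samba's wmic to count Win32_NTLogEvent records for one EventCode in one
# log and map the count onto Nagios exit codes. Host, user, password file and
# SAMPLE_OUTPUT are constructed; the wmic arguments follow the opening post.

# Build the WQL query. EventCode must be numeric and the log name may not
# contain a single quote, so caller input cannot alter the query structure.
build_query() {
    logfile=$1; code=$2
    case $code in ''|*[!0-9]*) echo "EventCode must be numeric" >&2; return 3;; esac
    case $logfile in ''|*\'*) echo "bad Logfile name" >&2; return 3;; esac
    printf "SELECT RecordNumber,TimeGenerated,SourceName,Message FROM Win32_NTLogEvent WHERE Logfile = '%s' AND EventCode = %s" "$logfile" "$code"
}

# Count instance rows on stdin. wmic prints a "CLASS:" line, then a header
# row, then one pipe-delimited row per instance; an empty result prints nothing.
count_rows() {
    awk '/^CLASS: / { next }
         !NF { next }
         !hdr { hdr = 1; next }
         { n++ }
         END { print n + 0 }'
}

# Nagios convention: 0 OK below warn, 1 WARNING at/above warn, 2 CRITICAL at/above crit.
nagios_state() {
    count=$1; warn=$2; crit=$3
    if [ "$count" -ge "$crit" ]; then return 2; fi
    if [ "$count" -ge "$warn" ]; then return 1; fi
    return 0
}

# Live check (not run here). The password is read from a mode-0600 file, but
# "user%password" is still visible in the process list while wmic runs.
check_host() {
    host=$1; user=$2; passfile=$3; logfile=$4; code=$5
    q=$(build_query "$logfile" "$code") || return 3
    out=$(wmic -U "$user%$(cat "$passfile")" --namespace root/cimv2 "//$host" "$q") || return 3
    n=$(printf '%s\n' "$out" | count_rows)
    echo "EventCode $code in $logfile: $n record(s)"
    nagios_state "$n" 1 5
}

# Constructed sample of what wmic prints for two matching records.
SAMPLE_OUTPUT='CLASS: Win32_NTLogEvent
RecordNumber|TimeGenerated|SourceName|Message
18166|20151001120000.000000-420|EventLog|constructed message one
18170|20151002093000.000000-420|EventLog|constructed message two'
```

Running check_host against a real host and getting an exit code of 3 with no rows is the case the thread describes; the empty-output case counts as 0 records rather than being mistaken for a connection failure, so check the exit status of wmic separately from the row count.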
Re: monitoring Windows EventLog Events using wmic
thanks_st_ignucius wrote: Thank you, but although that wizard is very well written, as far as i know it is only configured to monitor event log events by status - i.e., Information, Warning etc.
I'd like to monitor for specific EventCodes, such as 1024 (rebooted)
http://sourcecodebrowser.com/samba4/4.0 ... ic_8c.html I may have found the source code here, but finding great documentation is proving to be difficult.
I can reach out to the developer and see if this is possible using that binary, and if it is, enhancing the wizard with it.
Former Nagios Employee.
Re: monitoring Windows EventLog Events using wmic
Thank you for all your help with this! I would greatly appreciate an update (whenever available) about anything you hear from the developer.
Re: monitoring Windows EventLog Events using wmic
Did you verify that the security settings for root/cimv2 are set up with full administrator access?
Be sure to check out our Knowledgebase for helpful articles and solutions!