[Xymon] [External] XymonPS error log handling

Beck, Zak zak.beck at accenture.com
Fri Mar 1 11:16:05 CET 2019 

Hi

My 2 issues: "-Path" parameter should be the actual path to log file per Help, but the QueryList appears to be using LogName format with name of log not path, is that correct?

Get-WinEvent -Path is for reading saved event logs e.g. that you have saved from Event Viewer by right-clicking and using Save All Events As.

You can play with FilterXML in Event Viewer – click Filter Current Log and then switch to the XML tab. The Path we’re using is part of that query XML syntax. If the XML works in event viewer, it should work in Powershell.

eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows Defender/Operational:7500:Warning,Critical,Error

The problem is in function XymonEventLogs – that runs Get-EventLog -List and that only retrieves the list shown under [EventLogSummary]. That list is then used as the basis for the main loop in function XymonMsgs.

If we change two lines - this line in function XymonEventLogs:

    $script:EventLogs = Get-EventLog -List
To
    $script:EventLogs = Get-WinEvent -ListLogs *

And this line in function XymonMsgs:
    foreach ($l in ($script:EventLogs | select -ExpandProperty Log))
to
    foreach ($l in ($script:EventLogs | select -ExpandProperty LogName))

Then it works 🙂, but the summary is much longer.

I don’t actually know what purpose the summary serves, it pre-dates my involvement. I think we only need one of those summaries. I guess it’s useful for checking the configuration (e.g. max size) of a log is.

I can release a new version with the above changes in next week.

Max payload value ($maxpayloadlength) and how it is handled. Is that for the total of all the log files together, or per each log?

Right now, this is the total for all logs, the maximum the client can return. The problem is it’s easy to bust the server max payload length with all this event log data. The idea is that you use the filtering (ignore / include) to restrict the entries to just the ones that are critical for you.

Zak

From: Xymon <xymon-bounces at xymon.com> On Behalf Of Timothy Williams
Sent: Thursday, 28 February 2019 17:32
To: xymon at xymon.com
Subject: [External] [Xymon] XymonPS error log handling

This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
________________________________

Zak, I know you just worked on the Windows Event log handling. I have a few issues that may need some documentation guidance, or an enhancement. Basically, I'm trying to get Windows Defender log entries. We will be migrating from a commercial anti-virus platform to using the Defender and need to have alerting.

Most important to me is that it appears that only the top-level logs listed in EventLogSummary can be parsed (example at end). As a test, I included the Windows PowerShell log in the clientconfig.cfg file.

eventlogswanted:Windows PowerShell,system:7500:Warning,Critical,Error

It took some experimentation with/without quotes as the code calls "Get-WinEvent -FilterXML $logFilterXML" and the QueryList uses -Path which states in Help file examples to use quotes if log file name has spaces. I found that the query creates double quotes as illustrated in excerpt below.

<start Help file>
    -------------------------- EXAMPLE 11 --------------------------
    PS C:\>Get-WinEvent -Path 'c:\ps-test\Windows PowerShell.evtx'

    This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.
<end help file>

2019-02-28 11:28:56  Processing event log Windows PowerShell
2019-02-28 11:28:56  Log filter     <QueryList>
      <Query Id="0" Path="Windows PowerShell">
        <Select Path="Windows PowerShell">*[System[TimeCreated[timediff(@SystemTime) <= 3600000] and (Level=3 or Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>

My 2 issues: "-Path" parameter should be the actual path to log file per Help, but the QueryList appears to be using LogName format with name of log not path, is that correct?
And actually, I am trying to get the entries in the Windows Defender log file which is at "%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx" by -Path or "Microsoft-Windows-Windows Defender/Operational" by -LogName.

eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows Defender/Operational:7500:Warning,Critical,Error

I don't think the QueryList can handle the /Operational slash. The entry is ignored and no QueryList appears in log. Xymon can read the log; if I manually edit the $logenries I get the Defender entries in the client file.
                    $logentries = @(get-winevent -logname "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 50)

I also have a question about the Max payload value ($maxpayloadlength) and how it is handled. Is that for the total of all the log files together, or per each log? If total, then a chatty log would prevent any entries in the other logs from being reported on? I would rather have most recent from each, and the value be 'per log'.

Lastly as an aside, in the client data file there are two Event Log Summary sections that appear to be redundant. Is there a purpose for one vs. the other? We do have the Summary show under msgs column data.

[EventlogSummary]

Max(K) Retain OverflowAction    Entries Log
------ ------ --------------    ------- ---
16,384      0 OverwriteAsNeeded  10,046 Application
20,480      0 OverwriteAsNeeded       0 HardwareEvents
   512      7 OverwriteOlder          0 Internet Explorer
20,480      0 OverwriteAsNeeded       0 Key Management Service
15,168      7 OverwriteOlder          2 Microsoft-ServerManagementExperience
16,384      0 OverwriteAsNeeded  10,183 Security
16,384      0 OverwriteAsNeeded  45,885 System
15,360      0 OverwriteAsNeeded   3,421 Windows PowerShell


[msgs:EventlogSummary]

Max(K) Retain OverflowAction    Entries Log
------ ------ --------------    ------- ---
16,384      0 OverwriteAsNeeded  10,046 Application
20,480      0 OverwriteAsNeeded       0 HardwareEvents
   512      7 OverwriteOlder          0 Internet Explorer
20,480      0 OverwriteAsNeeded       0 Key Management Service
15,168      7 OverwriteOlder          2 Microsoft-ServerManagementExperience
16,384      0 OverwriteAsNeeded  10,183 Security
16,384      0 OverwriteAsNeeded  45,885 System
15,360      0 OverwriteAsNeeded   3,421 Windows PowerShell

Thanks for your continuing support of a valuable tool! I'll keep playing with it, and post an update if I get a version working.

Tim Williams
VCU Computer Center


________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20190301/aa5fabb5/attachment.html>

More information about the Xymon mailing list