[Xymon] [External] XymonPS error log handling

Timothy Williams tlwilliams4 at vcu.edu
Mon Mar 4 16:01:39 CET 2019


Thanks for the explanations. As it is possible to pass in the desired log file
names in clientconfig using 'eventlogswanted:', couldn't that be passed to
Get-WinEvent -ListLogs? Something like:

    $script:EventLogs = Get-WinEvent -Listlog $script:wantedlogs

*Timothy L. Williams*

*Operating Systems Analyst*
Virginia Commonwealth University Computer Center
900 East Main St. STE 1141 Richmond VA 23219
*804-828-0556*





On Fri, Mar 1, 2019 at 5:16 AM Beck, Zak <zak.beck at accenture.com> wrote:

> Hi
>
>
>
> My 2 issues: "-Path" parameter should be the actual path to log file per
> Help, but the QueryList appears to be using LogName format with name of log
> not path, is that correct?
>
>
>
> Get-WinEvent -Path is for reading saved event logs e.g. that you have
> saved from Event Viewer by right-clicking and using Save All Events As.
>
>
>
> You can play with FilterXML in Event Viewer – click Filter Current Log and
> then switch to the XML tab. The Path we’re using is part of that query XML
> syntax. If the XML works in event viewer, it should work in Powershell.
>
>
>
> eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows
> Defender/Operational:7500:Warning,Critical,Error
>
>
>
> The problem is in function XymonEventLogs – that runs Get-EventLog -List
> and that only retrieves the list shown under [EventLogSummary]. That list
> is then used as the basis for the main loop in function XymonMsgs.
>
>
>
> If we change two lines - this line in function XymonEventLogs:
>
>
>
>     $script:EventLogs = Get-EventLog -List
>
> To
>
>     $script:EventLogs = Get-WinEvent -ListLogs *
>
>
>
> And this line in function XymonMsgs:
>
>     foreach ($l in ($script:EventLogs | select -ExpandProperty Log))
>
> to
>
>     foreach ($l in ($script:EventLogs | select -ExpandProperty LogName))
>
>
>
> Then it works 🙂, but the summary is much longer.
>
>
>
> I don’t actually know what purpose the summary serves, it pre-dates my
> involvement. I think we only need one of those summaries. I guess it’s
> useful for checking what the configuration (e.g. max size) of a log is.
>
>
>
> I can release a new version with the above changes next week.
>
>
>
> Max payload value ($maxpayloadlength) and how it is handled. Is that for
> the total of all the log files together, or per each log?
>
>
>
> Right now, this is the total for all logs, the maximum the client can
> return. The problem is it’s easy to bust the server max payload length with
> all this event log data. The idea is that you use the filtering (ignore /
> include) to restrict the entries to just the ones that are critical for you.
>
>
>
> Zak
>
>
>
> *From:* Xymon <xymon-bounces at xymon.com> *On Behalf Of *Timothy Williams
> *Sent:* Thursday, 28 February 2019 17:32
> *To:* xymon at xymon.com
> *Subject:* [External] [Xymon] XymonPS error log handling
>
>
>
>
>
>
> Zak, I know you just worked on the Windows Event log handling. I have a
> few issues that may need some documentation guidance, or an enhancement.
> Basically, I'm trying to get Windows Defender log entries. We will be
> migrating from a commercial anti-virus platform to using the Defender and
> need to have alerting.
>
>
>
> Most important to me is that it appears that only the top-level logs
> listed in EventLogSummary can be parsed (example at end). As a test, I
> included the Windows PowerShell log in the clientconfig.cfg file.
>
>
>
> eventlogswanted:Windows PowerShell,system:7500:Warning,Critical,Error
>
>
>
> It took some experimentation with/without quotes as the code calls
> "Get-WinEvent -FilterXML $logFilterXML" and the QueryList uses -Path which
> states in Help file examples to use quotes if log file name has spaces. I
> found that the query creates double quotes as illustrated in excerpt below.
>
>
>
> <start Help file>
>
>     -------------------------- EXAMPLE 11 --------------------------
>
>     PS C:\>Get-WinEvent -Path 'c:\ps-test\Windows PowerShell.evtx'
>
>     This command gets events from a copy of the Windows PowerShell event
>     log file in a test directory. The path is enclosed in quotation marks
>     because the log name includes a space.
>
> <end help file>
>
>
>
> 2019-02-28 11:28:56  Processing event log Windows PowerShell
> 2019-02-28 11:28:56  Log filter     <QueryList>
>       <Query Id="0" Path="Windows PowerShell">
>         <Select Path="Windows PowerShell">*[System[TimeCreated[timediff(@SystemTime) <= 3600000] and (Level=3 or Level=1 or Level=2)]]</Select>
>       </Query>
>     </QueryList>
>
>
>
> My 2 issues: "-Path" parameter should be the actual path to log file per
> Help, but the QueryList appears to be using LogName format with name of log
> not path, is that correct?
>
> And actually, I am trying to get the entries in the Windows Defender log
> file which is at
> "%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows
> Defender%4Operational.evtx" by -Path or "Microsoft-Windows-Windows
> Defender/Operational" by -LogName.
>
>
> eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows
> Defender/Operational:7500:Warning,Critical,Error
>
>
>
> I don't think the QueryList can handle the /Operational slash. The entry
> is ignored and no QueryList appears in log. Xymon can read the log; if I
> manually edit the $logentries I get the Defender entries in the client file.
>
>     $logentries = @(get-winevent -logname "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 50)
>
>
>
> I also have a question about the Max payload value ($maxpayloadlength) and
> how it is handled. Is that for the total of all the log files together, or
> per each log? If total, then a chatty log would prevent any entries in the
> other logs from being reported on? I would rather have most recent from
> each, and the value be 'per log'.
>
>
>
> Lastly as an aside, in the client data file there are two Event Log
> Summary sections that appear to be redundant. Is there a purpose for one
> vs. the other? We do have the Summary show under msgs column data.
>
>
>
> [EventlogSummary]
>
> Max(K) Retain OverflowAction    Entries Log
> ------ ------ --------------    ------- ---
> 16,384      0 OverwriteAsNeeded  10,046 Application
> 20,480      0 OverwriteAsNeeded       0 HardwareEvents
>    512      7 OverwriteOlder          0 Internet Explorer
> 20,480      0 OverwriteAsNeeded       0 Key Management Service
> 15,168      7 OverwriteOlder          2 Microsoft-ServerManagementExperience
> 16,384      0 OverwriteAsNeeded  10,183 Security
> 16,384      0 OverwriteAsNeeded  45,885 System
> 15,360      0 OverwriteAsNeeded   3,421 Windows PowerShell
>
> [msgs:EventlogSummary]
>
> Max(K) Retain OverflowAction    Entries Log
> ------ ------ --------------    ------- ---
> 16,384      0 OverwriteAsNeeded  10,046 Application
> 20,480      0 OverwriteAsNeeded       0 HardwareEvents
>    512      7 OverwriteOlder          0 Internet Explorer
> 20,480      0 OverwriteAsNeeded       0 Key Management Service
> 15,168      7 OverwriteOlder          2 Microsoft-ServerManagementExperience
> 16,384      0 OverwriteAsNeeded  10,183 Security
> 16,384      0 OverwriteAsNeeded  45,885 System
> 15,360      0 OverwriteAsNeeded   3,421 Windows PowerShell
>
> Thanks for your continuing support of a valuable tool! I'll keep playing
> with it, and post an update if I get a version working.
>
>
>
> Tim Williams
>
> VCU Computer Center
>
>
>
>
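A worked version of what the thread converges on, added here as an example and not XymonPS's own code: parse the eventlogswanted line quoted above, resolve the names with Get-WinEvent -ListLog (which takes a name array and accepts channel names containing '/'), build one FilterXml QueryList per log with the log name XML-escaped, and split the payload limit per log rather than treating it as one total. The variable names and the per-log accounting are my own assumptions, not the client's behaviour.

```powershell
# Added example, not XymonPS code: one FilterXml query per wanted log (including
# names with '/'), with the payload limit shared out per log. Config line copied
# from the thread; $wantedLine, $levelMap, $perLogBytes are my own names.
$wantedLine = 'eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows Defender/Operational:7500:Warning,Critical,Error'

# Level names as written in clientconfig -> numeric Level values used in the XPath filter
$levelMap = @{ Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }

# Fields are ':'-separated; log names cannot contain ':' so a plain split is safe
$parts      = ($wantedLine -replace '^eventlogswanted:', '') -split ':'
$wantedLogs = $parts[0] -split ',' | ForEach-Object { $_.Trim() }
$maxPayload = [int]$parts[1]
$levels     = $parts[2] -split ',' | ForEach-Object { $levelMap[$_.Trim()] }

# -ListLog matches case-insensitively ('system' -> 'System') and returns the
# canonical LogName, slash included, so only logs present on the host are queried
$present = @(Get-WinEvent -ListLog $wantedLogs -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LogName)
if ($present.Count -eq 0) { return }

$levelClause = ($levels | ForEach-Object { "Level=$_" }) -join ' or '
$windowMs    = 3600000                                          # last hour, as in the thread
$perLogBytes = [int][math]::Floor($maxPayload / $present.Count)  # per-log share of the payload

foreach ($log in $present) {
    # Escape the name for use in XML attributes; the '<' in the XPath must be '&lt;'
    $xmlName  = [System.Security.SecurityElement]::Escape($log)
    $queryXml = @"
<QueryList>
  <Query Id="0" Path="$xmlName">
    <Select Path="$xmlName">*[System[TimeCreated[timediff(@SystemTime) &lt;= $windowMs] and ($levelClause)]]</Select>
  </Query>
</QueryList>
"@
    # Newest first; -MaxEvents bounds the read for this log only, not across all logs
    $entries = @(Get-WinEvent -FilterXml $queryXml -MaxEvents 50 -ErrorAction SilentlyContinue)
    $lines   = $entries | ForEach-Object {
        '{0:yyyy-MM-dd HH:mm:ss} {1} {2} {3}' -f $_.TimeCreated, $_.LevelDisplayName, $_.Id,
            (($_.Message -replace '\r?\n', ' ') -replace '\s{2,}', ' ')
    }
    $text = $lines -join "`n"
    # Truncate on the per-log share so one chatty log cannot crowd out the others
    if ($text.Length -gt $perLogBytes) { $text = $text.Substring(0, $perLogBytes) }
    "[msgs:$log]"
    $text
}
```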

