[Xymon] XymonPS error log handling

Timothy Williams tlwilliams4 at vcu.edu
Thu Feb 28 18:32:01 CET 2019


Zak, I know you just worked on the Windows Event log handling. I have a few
issues that may need some documentation guidance, or an enhancement.
Basically, I'm trying to get Windows Defender log entries. We will be
migrating from a commercial anti-virus platform to using the Defender and
need to have alerting.

Most important to me is that it appears that only the top-level logs listed
in EventLogSummary can be parsed (example at end). As a test, I included
the Windows PowerShell log in the clientconfig.cfg file.

eventlogswanted:Windows PowerShell,system:7500:Warning,Critical,Error

It took some experimentation with/without quotes, as the code calls
"Get-WinEvent -FilterXML $logFilterXML" and the QueryList uses -Path, whose
Help file examples say to use quotes if the log file name has spaces. I
found that the query creates double quotes, as illustrated in the excerpt below.

<start Help file>
    -------------------------- EXAMPLE 11 --------------------------
    PS C:\>Get-WinEvent -Path 'c:\ps-test\Windows PowerShell.evtx'

    This command gets events from a copy of the Windows PowerShell event
log file in a test directory. The path is enclosed in quotation marks
because the log name includes a space.
<end help file>

2019-02-28 11:28:56  Processing event log Windows PowerShell
2019-02-28 11:28:56  Log filter     <QueryList>
      <Query Id="0" Path="Windows PowerShell">
        <Select Path="Windows PowerShell">*[System[TimeCreated[timediff(@SystemTime) <= 3600000] and (Level=3 or Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>

My 2 issues: "-Path" parameter should be the actual path to log file per
Help, but the QueryList appears to be using LogName format with name of log
not path, is that correct?
And actually, I am trying to get the entries in the Windows Defender log
file which is at
"%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows
Defender%4Operational.evtx" by -Path or "Microsoft-Windows-Windows
Defender/Operational" by -LogName.

eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows Defender/Operational:7500:Warning,Critical,Error

I don't think the QueryList can handle the /Operational slash. The entry is
ignored and no QueryList appears in the log. Xymon can read the log; if I
manually edit the $logentries I get the Defender entries in the client file.

    $logentries = @(Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 50)

I also have a question about the Max payload value ($maxpayloadlength) and
how it is handled. Is that for the total of all the log files together, or
per each log? If total, then a chatty log would prevent any entries in the
other logs from being reported on? I would rather have most recent from
each, and the value be 'per log'.

Lastly as an aside, in the client data file there are two Event Log Summary
sections that appear to be redundant. Is there a purpose for one vs. the
other? We do have the Summary show under msgs column data.

[EventlogSummary]

Max(K) Retain OverflowAction    Entries Log
------ ------ --------------    ------- ---
16,384      0 OverwriteAsNeeded  10,046 Application
20,480      0 OverwriteAsNeeded       0 HardwareEvents
   512      7 OverwriteOlder          0 Internet Explorer
20,480      0 OverwriteAsNeeded       0 Key Management Service
15,168      7 OverwriteOlder          2 Microsoft-ServerManagementExperience
16,384      0 OverwriteAsNeeded  10,183 Security
16,384      0 OverwriteAsNeeded  45,885 System
15,360      0 OverwriteAsNeeded   3,421 Windows PowerShell


[msgs:EventlogSummary]

Max(K) Retain OverflowAction    Entries Log
------ ------ --------------    ------- ---
16,384      0 OverwriteAsNeeded  10,046 Application
20,480      0 OverwriteAsNeeded       0 HardwareEvents
   512      7 OverwriteOlder          0 Internet Explorer
20,480      0 OverwriteAsNeeded       0 Key Management Service
15,168      7 OverwriteOlder          2 Microsoft-ServerManagementExperience
16,384      0 OverwriteAsNeeded  10,183 Security
16,384      0 OverwriteAsNeeded  45,885 System
15,360      0 OverwriteAsNeeded   3,421 Windows PowerShell

Thanks for your continuing support of a valuable tool! I'll keep playing
with it, and post an update if I get a version working.

Tim Williams
VCU Computer Center
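As an added example (not the Xymon client's code and not from the post above), the following PowerShell builds one QueryList per channel and passes it to Get-WinEvent -FilterXml, so a channel name with spaces or the /Operational slash goes into the QueryList's Path attribute, which names a channel (as -LogName does), not a log file (as -Path does); it also caps the number of events fetched per log rather than in total. The function name Get-XymonStyleEvents, the per-log cap, and the "skip channels that return nothing" handling are assumptions of this example, not Xymon behaviour.

```powershell
# Added example (not Xymon's own code): one QueryList per channel, each
# capped separately, so a chatty log cannot crowd the others out of the
# report. The Path attribute takes the channel name exactly as -LogName
# would, including "Windows PowerShell" and
# "Microsoft-Windows-Windows Defender/Operational".
function Get-XymonStyleEvents {
    param(
        [string[]]$Channels,              # e.g. 'System','Windows PowerShell'
        [int[]]$Levels = @(1, 2, 3),      # Critical, Error, Warning
        [int]$WindowMs = 3600000,         # timediff() works in milliseconds
        [int]$MaxPerLog = 50              # per-log cap (assumption of this example)
    )
    $levelExpr = ($Levels | ForEach-Object { "Level=$_" }) -join ' or '
    foreach ($channel in $Channels) {
        # XML-escape the channel name so '&', '<' or '"' cannot break the query
        $path = [System.Security.SecurityElement]::Escape($channel)
        # '<=' must be written as '&lt;=' inside XML element content
        $xml = @"
<QueryList>
  <Query Id="0" Path="$path">
    <Select Path="$path">*[System[TimeCreated[timediff(@SystemTime) &lt;= $WindowMs] and ($levelExpr)]]</Select>
  </Query>
</QueryList>
"@
        # Get-WinEvent raises a non-terminating error when nothing matches or the
        # channel does not exist; treat both as "no events from this log".
        $events = @(Get-WinEvent -FilterXml $xml -MaxEvents $MaxPerLog -ErrorAction SilentlyContinue)
        foreach ($e in $events) {
            [pscustomobject]@{
                Log     = $channel
                Time    = $e.TimeCreated
                Level   = $e.LevelDisplayName
                Id      = $e.Id
                Source  = $e.ProviderName
                Message = ($e.Message -split "`n")[0]   # first line only
            }
        }
    }
}

Get-XymonStyleEvents -Channels 'System', 'Windows PowerShell', 'Microsoft-Windows-Windows Defender/Operational' |
    Format-Table -AutoSize
```

Run as a user with read access to the Defender channel; a channel that does not exist on the host simply contributes no rows.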