Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Possible to report on particular Event Viewer errors?

Bromsgrove School

December 05, 2019 13:40

Basically I'd like to get a report/collection that shows computers that have failing hard disks. I can determine this on an individual machine by checking the Event Viewer and the Windows Logs - System area for an 'Level: Error' entry from 'Source: disk'.

I've made a Scan Profile in PDQ Inventory and set the trigger to scan age is 7 days old -

(taken from https://help.pdq.com/hc/en-us/articles/115003468752-Inventory-WMI-Scanner-Usage-Examples#evtx)

Scanner Name: EventViewer - disk

Namespace: ROOT\CIMV2

WQL Query: SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'disk'

Now how do I setup the report/collection? I think this is where I'm missing the obvious bit!

Filter:

All - WMI (EventViewer - disk)

Column? Comparison? Value?

PS. Aware that there is already a Disk Drive - SMART status filter (which I am using) but that isn't conclusive enough.

Comments

5 comments

lnichols
December 05, 2019 22:03

Hello,

The column, comparison, and value will differ depending on what exactly you're querying through WMI. Could you provide a screenshot of the WMI page on an example computer with the "EventViewer - Disk" WMI scanner selected? Basically I want to see this page, but in your environment:

1
Bromsgrove School
December 06, 2019 13:31

Fantastic, thanks Luke. That was all I needed, knowing where to look!

I've now got this correctly working. For the benefit of others:

2
Emily Dullum
February 17, 2021 22:04 (Edited February 17, 2021 22:05)

I am also looking to do this with the Dell Trusted Device Agent within Event Viewer. I can run a command from PDQ to give me instant results on a BIOS verification. But I also want to be notified when the BIOS has been tampered with. Once the WMI scanner is set I'd like to create a report and have it emailed to me. I would need notification of three different types of events from a similar source. Here are examples of the events:

1) Error - Partial Indicator of Attack has escalated

Level: Error
Source: Trusted Device | BIOS Events and loA
Event ID: 12

2) Warning - Partial Indicator of Attack was detected

Level: Warning
Source: Trusted Device | BIOS Events and loA
Event ID: 11

3) Information - BIOS Verification Success

Level: Information
Source: Trusted Device | BIOS Verification
Event ID: 9

0
Colby Bouma
February 17, 2021 22:12

While it is possible to do this in Inventory, I personally recommend using a log management product like Graylog, Splunk, or ELK.

0
Emily Dullum
February 17, 2021 22:21 (Edited February 17, 2021 22:22)

I know this is possible in PDQ, I just don't know how to do it. I work for the government, so funds are tight. I have to use what I have been given to work with. Thank you for the suggestions.

0