Possible to report on particular Event Viewer errors?

Basically I'd like to get a report/collection that shows computers that have failing hard disks. I can determine this on an individual machine by checking the Event Viewer and the Windows Logs - System area for an 'Level: Error' entry from 'Source: disk'.

I've made a Scan Profile in PDQ Inventory and set the trigger to scan age is 7 days old -

(taken from https://help.pdq.com/hc/en-us/articles/115003468752-Inventory-WMI-Scanner-Usage-Examples#evtx)

Scanner Name: EventViewer - disk

Namespace: ROOT\CIMV2

WQL Query: SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'disk'

Now how do I setup the report/collection? I think this is where I'm missing the obvious bit!

Filter:

All - WMI (EventViewer - disk)

Column? Comparison? Value?

 

PS. Aware that there is already a Disk Drive - SMART status filter (which I am using) but that isn't conclusive enough.

1

Comments

5 comments
Date Votes
  • Hello,

    The column, comparison, and value will differ depending on what exactly you're querying through WMI. Could you provide a screenshot of the WMI page on an example computer with the "EventViewer - Disk" WMI scanner selected? Basically I want to see this page, but in your environment:

    1
  • Fantastic, thanks Luke. That was all I needed, knowing where to look!

    I've now got this correctly working. For the benefit of others:

    2
  • I am also looking to do this with the Dell Trusted Device Agent within Event Viewer.  I can run a command from PDQ to give me instant results on a BIOS verification.  But I also want to be notified when the BIOS has been tampered with. Once the WMI scanner is set I'd like to create a report and have it emailed to me.  I would need notification of three different types of events from a similar source.  Here are examples of the events:

    1) Error - Partial Indicator of Attack has escalated

    Level: Error
    Source: Trusted Device | BIOS Events and loA
    Event ID: 12

    2) Warning - Partial Indicator of Attack was detected

    Level: Warning
    Source: Trusted Device | BIOS Events and loA
    Event ID: 11

    3) Information - BIOS Verification Success

    Level: Information
    Source: Trusted Device | BIOS Verification
    Event ID: 9

     

    0
  • While it is possible to do this in Inventory, I personally recommend using a log management product like Graylog, Splunk, or ELK.

    0
  • I know this is possible in PDQ, I just don't know how to do it.  I work for the government, so funds are tight.  I have to use what I have been given to work with. Thank you for the suggestions.

    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post