Possible to report on particular Event Viewer errors?
Basically I'd like to get a report/collection that shows computers that have failing hard disks. I can determine this on an individual machine by checking the Event Viewer and the Windows Logs - System area for a 'Level: Error' entry from 'Source: disk'.
I've made a Scan Profile in PDQ Inventory and set the trigger to 'scan age is 7 days old' -
(taken from https://help.pdq.com/hc/en-us/articles/115003468752-Inventory-WMI-Scanner-Usage-Examples#evtx)
Scanner Name: EventViewer - disk
Namespace: ROOT\CIMV2
WQL Query: SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'disk'
Now how do I set up the report/collection? I think this is where I'm missing the obvious bit!
Filter:
All - WMI (EventViewer - disk)
Column? Comparison? Value?
PS. Aware that there is already a Disk Drive - SMART status filter (which I am using) but that isn't conclusive enough.
Comments
Fantastic, thanks Luke. That was all I needed, knowing where to look!
I've now got this correctly working. For the benefit of others:
Hello,
The column, comparison, and value will differ depending on what exactly you're querying through WMI. Could you provide a screenshot of the WMI page on an example computer with the "EventViewer - Disk" WMI scanner selected? Basically I want to see this page, but in your environment:
I am also looking to do this with the Dell Trusted Device Agent within Event Viewer. I can run a command from PDQ to give me instant results on a BIOS verification. But I also want to be notified when the BIOS has been tampered with. Once the WMI scanner is set I'd like to create a report and have it emailed to me. I would need notification of three different types of events from a similar source. Here are examples of the events:
1) Error - Partial Indicator of Attack has escalated
Level: Error
Source: Trusted Device | BIOS Events and IoA
Event ID: 12
2) Warning - Partial Indicator of Attack was detected
Level: Warning
Source: Trusted Device | BIOS Events and IoA
Event ID: 11
3) Information - BIOS Verification Success
Level: Information
Source: Trusted Device | BIOS Verification
Event ID: 9
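An added example, not from the original post, from PDQ, or from Dell, that serves both the disk question at the top of the thread and the Trusted Device question above: a PowerShell script that runs the scanner's WQL locally and lists the Win32_NTLogEvent properties it returns, since those property names (Type for the Level, EventCode for the Event ID, SourceName for the Source) are what a column/comparison/value filter has to name. The script filename and the log name used for the Dell sources are assumptions.

```powershell
# Added example (not from the original post or PDQ): run the scanner's WQL
# locally and list the Win32_NTLogEvent properties it returns. The property
# names are what a PDQ filter's Column has to name; Type and EventCode hold
# the Level and Event ID shown in Event Viewer.
param(
    [string[]]$Sources  = @('disk'),             # SourceName values to match
    [string[]]$Levels   = @('Error', 'Warning'), # Type values: Error, Warning,
                                                 # Information, Audit Success/Failure
    [int[]]$EventIds    = @(),                   # optional EventCode filter
    [string]$Logfile    = 'System'
)

# WQL has no IN operator, so build OR chains for each list.
$levelClause  = ($Levels  | ForEach-Object { "Type = '$_'" })       -join ' OR '
$sourceClause = ($Sources | ForEach-Object { "SourceName = '$_'" }) -join ' OR '
$where = "Logfile = '$Logfile' AND ($levelClause) AND ($sourceClause)"
if ($EventIds.Count -gt 0) {
    $idClause = ($EventIds | ForEach-Object { "EventCode = $_" }) -join ' OR '
    $where += " AND ($idClause)"
}
$wql = "SELECT * FROM Win32_NTLogEvent WHERE $where"
Write-Host "WQL: $wql"

# Win32_NTLogEvent only enumerates the classic logs (System, Application,
# Security and logs registered under the EventLog service key). If a source
# writes to an Applications and Services Logs channel instead, Get-WinEvent
# will show the events but this class returns nothing, so check that first.
Get-CimInstance -Namespace 'ROOT\CIMV2' -Query $wql |
    Sort-Object TimeGenerated -Descending |
    Select-Object ComputerName, Logfile, SourceName, Type, EventCode, TimeGenerated, Message |
    Format-Table -AutoSize -Wrap

# Dell Trusted Device events from the comment above (source names as listed
# there; the log name is a guess and the script name is assumed):
#   .\Query-NTLogEvent.ps1 -Logfile 'Application' -Levels Error,Warning,Information `
#       -Sources 'Trusted Device | BIOS Events and IoA','Trusted Device | BIOS Verification' `
#       -EventIds 9,11,12
```

If the query returns rows on a machine you know has the event, the values in the SourceName, Type and EventCode columns are the ones to put in the filter; if it returns nothing while Event Viewer shows the entry, the source is not in a log that Win32_NTLogEvent can read.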
While it is possible to do this in Inventory, I personally recommend using a log management product like Graylog, Splunk, or ELK.
I know this is possible in PDQ, I just don't know how to do it. I work for the government, so funds are tight. I have to use what I have been given to work with. Thank you for the suggestions.