
Possible to report on particular Event Viewer errors?

Basically I'd like to get a report/collection that shows computers that have failing hard disks. I can determine this on an individual machine by checking the Event Viewer and the Windows Logs - System area for a 'Level: Error' entry from 'Source: disk'.

I've made a Scan Profile in PDQ Inventory and set the trigger to 'scan age is 7 days old':

(taken from https://help.pdq.com/hc/en-us/articles/115003468752-Inventory-WMI-Scanner-Usage-Examples#evtx)

Scanner Name: EventViewer - disk

Namespace: ROOT\CIMV2

WQL Query: SELECT * FROM Win32_NTLogEvent WHERE Type != 'Information' AND SourceName LIKE 'disk'

Now how do I set up the report/collection? I think this is where I'm missing the obvious bit!

Filter:

All - WMI (EventViewer - disk)

Column? Comparison? Value?


PS. Aware that there is already a Disk Drive - SMART status filter (which I am using) but that isn't conclusive enough.

1

5 comments
  • Fantastic, thanks Luke. That was all I needed, knowing where to look!

    I've now got this correctly working. For the benefit of others:

    2
  • Hello,

    The column, comparison, and value will differ depending on what exactly you're querying through WMI. Could you provide a screenshot of the WMI page on an example computer with the "EventViewer - Disk" WMI scanner selected? Basically I want to see this page, but in your environment:

    1
  • I am also looking to do this with the Dell Trusted Device Agent within Event Viewer. I can run a command from PDQ to give me instant results on a BIOS verification. But I also want to be notified when the BIOS has been tampered with. Once the WMI scanner is set I'd like to create a report and have it emailed to me. I would need notification of three different types of events from a similar source. Here are examples of the events:

    1) Error - Partial Indicator of Attack has escalated

    Level: Error
    Source: Trusted Device | BIOS Events and IoA
    Event ID: 12

    2) Warning - Partial Indicator of Attack was detected

    Level: Warning
    Source: Trusted Device | BIOS Events and IoA
    Event ID: 11

    3) Information - BIOS Verification Success

    Level: Information
    Source: Trusted Device | BIOS Verification
    Event ID: 9


    0
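As an added example (not code from the thread or from PDQ), the Win32_NTLogEvent queries behind both the disk scanner in the question and the three Dell Trusted Device events above, run with Get-CimInstance so the columns a collection would filter on (Type, EventCode, SourceName) can be inspected on one machine before the scanner and report are built. Computer names are placeholders; the Dell source string and event IDs are the ones given in the comment, and the Logfile = 'System' restriction is an addition matching where the question looks.

```powershell
# Added example, not from the thread or PDQ: run the scanner's WQL directly
# and shape the result the way a per-computer report/collection needs it.

function Get-DiskErrorEvents {
    param([string]$ComputerName = 'localhost', [int]$Days = 7)
    # Same WQL as the scanner in the question, plus Logfile = 'System' (added here).
    # WQL LIKE with no % wildcard is an exact match, so SourceName LIKE 'disk'
    # returns only the 'disk' source. Type is a string ('Error', 'Warning', ...).
    $wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'System' " +
           "AND Type != 'Information' AND SourceName LIKE 'disk'"
    Get-CimInstance -ComputerName $ComputerName -Namespace 'ROOT\CIMV2' -Query $wql |
        Where-Object { $_.TimeGenerated -ge (Get-Date).AddDays(-$Days) } |
        Select-Object ComputerName, TimeGenerated, Type, EventCode, Message
}

function Get-BiosTamperEvents {
    param([string]$ComputerName = 'localhost', [int]$Days = 7)
    # Event ID 11 (Warning, IoA detected) and 12 (Error, IoA escalated) from the
    # Dell source named in the comment. The pipe and spaces are part of the source
    # name, so it must be quoted exactly; EventCode is Event Viewer's "Event ID".
    # No Logfile filter: the comment does not say which log these land in.
    $wql = "SELECT * FROM Win32_NTLogEvent " +
           "WHERE SourceName = 'Trusted Device | BIOS Events and IoA' " +
           "AND (EventCode = 11 OR EventCode = 12)"
    Get-CimInstance -ComputerName $ComputerName -Namespace 'ROOT\CIMV2' -Query $wql |
        Where-Object { $_.TimeGenerated -ge (Get-Date).AddDays(-$Days) } |
        Select-Object ComputerName, TimeGenerated, Type, EventCode, Message
}

# One row per computer: disk error count plus whether BIOS tampering was flagged,
# i.e. the computer-in / yes-no-out shape a collection or emailed report needs.
function Get-HealthReport {
    param([string[]]$Computers = @('PC01', 'PC02'))   # placeholder names
    foreach ($c in $Computers) {
        $disk = @(Get-DiskErrorEvents -ComputerName $c)
        $bios = @(Get-BiosTamperEvents -ComputerName $c)
        [PSCustomObject]@{
            Computer      = $c
            DiskErrors    = $disk.Count
            LastDiskError = ($disk | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated
            BiosTampered  = ($bios | Where-Object EventCode -eq 12).Count -gt 0
            BiosWarnings  = ($bios | Where-Object EventCode -eq 11).Count
        }
    }
}

Get-HealthReport | Where-Object { $_.DiskErrors -gt 0 -or $_.BiosTampered } | Format-Table -AutoSize
```

Get-CimInstance against a remote name needs WinRM on that machine; run it locally (or through a CimSession) where WinRM is not enabled.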
  • While it is possible to do this in Inventory, I personally recommend using a log management product like Graylog, Splunk, or ELK.

    0
  • I know this is possible in PDQ, I just don't know how to do it. I work for the government, so funds are tight. I have to use what I have been given to work with. Thank you for the suggestions.

    0