Zak, I know you just worked on the Windows Event log handling. I have a few issues that may need some documentation guidance, or an enhancement. Basically, I'm trying to get Windows Defender log entries. We will be migrating from a commercial anti-virus platform to using Defender and need to have alerting.
Most important to me is that it appears that only the top-level logs listed in EventLogSummary can be parsed (example at end). As a test, I included the Windows PowerShell log in the clientconfig.cfg file.
eventlogswanted:Windows PowerShell,system:7500:Warning,Critical,Error
It took some experimentation with and without quotes, as the code calls "Get-WinEvent -FilterXML $logFilterXML" and the QueryList uses -Path, for which the Help file examples say to use quotes if the log file name has spaces. I found that the query creates double quotes, as illustrated in the excerpt below.
<start Help file>
-------------------------- EXAMPLE 11 --------------------------
PS C:\>Get-WinEvent -Path 'c:\ps-test\Windows PowerShell.evtx'

This command gets events from a copy of the Windows PowerShell event log file in a test directory. The path is enclosed in quotation marks because the log name includes a space.
<end Help file>
2019-02-28 11:28:56 Processing event log Windows PowerShell
2019-02-28 11:28:56 Log filter <QueryList>
  <Query Id="0" Path="Windows PowerShell">
    <Select Path="Windows PowerShell">*[System[TimeCreated[timediff(@SystemTime) <= 3600000] and (Level=3 or Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
My 2 issues: the "-Path" parameter should be the actual path to the log file per Help, but the QueryList appears to be using the LogName format with the name of the log, not a path; is that correct? And actually, I am trying to get the entries in the Windows Defender log file, which is at "%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx" by -Path or "Microsoft-Windows-Windows Defender/Operational" by -LogName.
eventlogswanted:Windows PowerShell,system,Microsoft-Windows-Windows Defender/Operational:7500:Warning,Critical,Error
I don't think the QueryList can handle the /Operational slash. The entry is ignored and no QueryList appears in the log. Xymon can read the log; if I manually edit $logentries I get the Defender entries in the client file.
$logentries = @(get-winevent -logname "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 50)
I also have a question about the Max payload value ($maxpayloadlength) and how it is handled. Is that for the total of all the log files together, or per log? If it is the total, then would a chatty log prevent any entries in the other logs from being reported? I would rather have the most recent from each, and the value be 'per log'.
Lastly, as an aside, in the client data file there are two Event Log Summary sections that appear to be redundant. Is there a purpose for one vs. the other? We do have the Summary show under the msgs column data.
[EventlogSummary]
Max(K)  Retain  OverflowAction     Entries  Log
16,384  0       OverwriteAsNeeded  10,046   Application
20,480  0       OverwriteAsNeeded  0        HardwareEvents
512     7       OverwriteOlder     0        Internet Explorer
20,480  0       OverwriteAsNeeded  0        Key Management Service
15,168  7       OverwriteOlder     2        Microsoft-ServerManagementExperience
16,384  0       OverwriteAsNeeded  10,183   Security
16,384  0       OverwriteAsNeeded  45,885   System
15,360  0       OverwriteAsNeeded  3,421    Windows PowerShell

[msgs:EventlogSummary]
Max(K)  Retain  OverflowAction     Entries  Log
16,384  0       OverwriteAsNeeded  10,046   Application
20,480  0       OverwriteAsNeeded  0        HardwareEvents
512     7       OverwriteOlder     0        Internet Explorer
20,480  0       OverwriteAsNeeded  0        Key Management Service
15,168  7       OverwriteOlder     2        Microsoft-ServerManagementExperience
16,384  0       OverwriteAsNeeded  10,183   Security
16,384  0       OverwriteAsNeeded  45,885   System
15,360  0       OverwriteAsNeeded  3,421    Windows PowerShell
Thanks for your continuing support of a valuable tool! I'll keep playing with it, and post an update if I get a version working.
Tim Williams VCU Computer Center
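Added example, not part of Tim's message and not Xymon's own client code: a PowerShell script that shows how a Get-WinEvent -FilterXml QueryList is built for each requested log, including a log name with a space ("Windows PowerShell") and one with a channel slash ("Microsoft-Windows-Windows Defender/Operational"). The Path="..." attribute in a QueryList is the channel name, the same string Get-WinEvent -LogName accepts, not an .evtx file path, so neither the space nor the slash needs special treatment beyond normal XML attribute escaping. The script also applies the event cap and payload budget per log rather than in total, which is the behaviour asked for above; the function names, the per-log budget and the output section label are assumptions for illustration, not Xymon's actual configuration keys or section names.

```powershell
# Added example, not Xymon client code. Builds a Get-WinEvent -FilterXml QueryList per
# requested event log, including names with spaces ("Windows PowerShell") and a channel
# slash ("Microsoft-Windows-Windows Defender/Operational"), and caps output per log.
# In a QueryList the Path="..." attribute is the channel (log) name, the same string
# Get-WinEvent -LogName accepts; it is not a .evtx file path.
param(
    [string[]]$LogNames = @('System', 'Windows PowerShell', 'Microsoft-Windows-Windows Defender/Operational'),
    [int]$HoursBack = 1,
    [int[]]$Levels = @(1, 2, 3),          # 1=Critical, 2=Error, 3=Warning
    [int]$MaxEventsPerLog = 50,           # assumption: cap applied per log, not in total
    [int]$MaxPayloadPerLog = 7500         # assumption: byte budget per log, so one chatty log cannot starve the rest
)

function New-LogQueryList {
    param([string]$LogName, [int]$HoursBack, [int[]]$Levels)
    $windowMs  = $HoursBack * 3600 * 1000                      # 1 hour -> 3600000, as in the log excerpt
    $levelExpr = ($Levels | ForEach-Object { "Level=$_" }) -join ' or '
    # Escape the name for use inside an XML attribute. A space or slash needs no escaping,
    # but & < > " ' would, and the XPath's <= must be written as &lt;= in XML.
    $escaped = [System.Security.SecurityElement]::Escape($LogName)
    return @"
<QueryList>
  <Query Id="0" Path="$escaped">
    <Select Path="$escaped">*[System[TimeCreated[timediff(@SystemTime) &lt;= $windowMs] and ($levelExpr)]]</Select>
  </Query>
</QueryList>
"@
}

function Test-EventLogExists {
    # -ListLog resolves channel names such as "Microsoft-Windows-Windows Defender/Operational"
    # directly; a missing channel throws, which we turn into $false.
    param([string]$LogName)
    try {
        $null = Get-WinEvent -ListLog $LogName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-RecentEventsPerLog {
    param([string[]]$LogNames, [int]$HoursBack, [int[]]$Levels, [int]$MaxEventsPerLog, [int]$MaxPayloadPerLog)
    foreach ($log in $LogNames) {
        if (-not (Test-EventLogExists -LogName $log)) {
            Write-Warning "Event log '$log' not found on this host; skipping"
            continue
        }
        $filterXml = New-LogQueryList -LogName $log -HoursBack $HoursBack -Levels $Levels
        # Without -Oldest, Get-WinEvent returns newest events first, so -MaxEvents keeps the most recent ones.
        # "No events were found" is a non-terminating error, silenced here so an empty log yields an empty array.
        $events = @(Get-WinEvent -FilterXml $filterXml -MaxEvents $MaxEventsPerLog -ErrorAction SilentlyContinue)

        $payload = New-Object System.Text.StringBuilder
        foreach ($e in $events) {
            $msg  = (($e.Message -replace '\s+', ' ')).Trim()
            $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2} {3} {4}' -f $e.TimeCreated, $e.LevelDisplayName, $e.ProviderName, $e.Id, $msg
            # Stop at this log's own budget instead of letting it consume a shared global one.
            if ($payload.Length + $line.Length + 2 -gt $MaxPayloadPerLog) { break }
            [void]$payload.AppendLine($line)
        }
        [pscustomobject]@{
            Log     = $log
            Matched = $events.Count
            Emitted = @($payload.ToString() -split "`r?`n" | Where-Object { $_ }).Count
            Payload = $payload.ToString()
        }
    }
}

Get-RecentEventsPerLog -LogNames $LogNames -HoursBack $HoursBack -Levels $Levels `
    -MaxEventsPerLog $MaxEventsPerLog -MaxPayloadPerLog $MaxPayloadPerLog |
    ForEach-Object {
        # Section label is illustrative only, not a real Xymon client section name.
        "[EventLog:$($_.Log)] matched=$($_.Matched) emitted=$($_.Emitted)"
        $_.Payload
    }
```

Run it in an elevated PowerShell session on a host where Defender is enabled; reading the Defender Operational channel and the Security log needs administrative rights. If a channel is absent (for example on a server where Defender is not installed), the script warns and moves on to the next log instead of producing no QueryList at all, which is the failure mode described for the slash-containing entry above.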