HI,

 

Im trying to do a query to find a particular Event ID number in Event viewer on all machines. how would i go about achieving this. My environment is SCCM R3.

 

thankyou

This won't be in realtime because it will only find the event ID when hardware inventory runs. If that's okay with you then you can use SCCM. If you need realtime you should use SCOM.

You will have to extend hardware inventory to include that event ID. This should get you started.

http://sms2003-sccm2007.blogspot.com/2008/11/mof-file-for-lowdisk-space-event-id.html

 

 

Hey John, 

I'm attempting to use this solution to find an event ID on all of my systems. Just one additional question. How do you go about viewing the results?

Thanks in advance.. :-)

The data will show up with your hardware inventory and therefore you can query it using either WQL or SQL, just like any other Hardware Inventory item.

Okay good. Thanks Garth. I'll give it a shot.

Garth, et all, 

I'm not having any luck creating a query without syntax error. Would it be possible to get an example of the location and format as to how to create the search for results please?

Also, just as a sanity check, attached is an example of the verbiage I used for my end of my configuration.mof edit.


};

#pragma namespace ("\\\\.\\root\\cimv2")

//========================
// Win32_NTLogEvent
//========================
#pragma namespace("\\\\.\\root\\cimv2")

[Union,ViewSources{"Select * FROM Win32_NTLogEvent WHERE LogFile = 'Application' AND EventCode = 4377"},
ViewSpaces{"\\\\.\\root\\cimv2"},
dynamic,provider("MS_VIEW_INSTANCE_PROVIDER")]

Class NTLogEvent
{
     [PropertySources("LogFile"), Key] string LogFile;
     [PropertySources("RecordNumber"), Key] UINT32 Recordnumber;
     [PropertySources("Message")] String Message;
     [PropertySources("TimeGenerated")] DateTime TimeGenerated;
};

//-------------------------- Reporting Class-----------------------------------
//The following line is not needed for Configuration Manager hardware inventory modifcations
#pragma namespace("\\\\.\\root\\CIMV2\\SMS")

[SMS_Report(TRUE), 
SMS_Group_Name("Installed Updates"),
SMS_Class_ID("MICROSOFT|Win32_NTLogEvent|1.0") ]

Class NTLogEvent: SMS_Class_Template
{
     [SMS_Report(TRUE), Key] String LogFile;
     [SMS_Report(TRUE), Key] UINT32 RecordNumber;
     [SMS_Report(True)] String Message;
     [SMS_Report(True)] DateTime TimeGenerated;
}; 

//========================
// Added extensions end
//========================

Any suggestions or recommendations would be greatly appreciated.

Thanks!

What exactly does you query look like?

I'm not really well versed in creating these queries. I've tried using the select statement that came from the web instruction, but that doesn't work at all. I'm also trying to use the Simple Value attribute in Query Criterion Properties selector and am unable to find any corresponding values in the Attribute Class that correspond to the NTLogEvent or Event ID values. 

I know it something staring me right in the face, but I cant see it.