Kaseya Community

How to parse an event viewer log file


Hi guys,

I've written a little script that, when certain conditions are met, uses eventcreate to write an entry in the event log. So far so good. Then I was gonna write a log parser to just pull out the appropriate info and create an alert if what it finds isn't to my liking. I thought this would be pretty easy, but when I actually took a look at the raw log file (i.e. opened it in Notepad instead of through the Event Viewer), I can't really make head nor tail of it. Everything's just kind of jumbled together on one line, and although I can find the general area where the entry I want is located, I can't really tell where it begins and the previous entry ends. Here's a sample, copy/pasted directly from the log:

       \       \   ¨   Ì   V S S   A D V A N T A G E S S V R   { 5 f c 8 4 5 e b - f 2 9 9 - 4 0 f 0 - 9 7 2 5 - 3 4 0 4 5 f 7 e a 8 b a }   H W P R V   0 x 8 0 0 4 0 1 5 4   - Code: CORHWPWC00000298- Call: CORHWPWC00000242- PID:  00009544- TID:  00010860- CMD:  C:\WINDOWS\System32\vssvc.exe   - User: NT AUTHORITY\SYSTEM     - Sid:  S-1-5-18    |  p  LfLeâJ 0i´L0i´L0            \       \   ¨   À   V S S   A D V A N T A G E S S V R   { 5 f c 8 4 5 e b - f 2 9 9 - 4 0 f 0 - 9 7 2 5 - 3 4 0 4 5 f 7 e a 8 b a }   0 x 8 0 0 4 0 1 5 4   - Code: CORHWPWC00000306- Call: CORHWPWC00000242- PID:  00009544- TID:  00010860- CMD:  C:\WINDOWS\System32\vssvc.exe   - User: NT AUTHORITY\SYSTEM     - Sid:  S-1-5-18    p  ü   LfLeãJ ;i´L;i´L|             n      b       ô   K a s e y a   A D V A N T A G E S S V R           E x c h a n g e   b a c k u p   t h a t   s h o u l d   h a v e   b e e n   c r e a t e d   t o d a y   i s   1   d a y s   o l d .       ü   |  LfLeäJ li´Lli´L             \       \   ¨   Ì   V S S   A D V A N T A G E S S V R   { 5 f c 8 4 5 e b - f 2 9 9 - 4 0 f 0 - 9 7 2 5 - 3 4 0 4 5 f 7 e a 8 b a }   H W P R V   0 x 8 0 0 4 0 1 5 4   - Code: CORHWPWC00000298- Call: CORHWPWC00000242- PID:  00009544- TID:  00004592- CMD:  C:\WINDOWS\System32\vssvc.exe   - User: NT AUTHORITY\SYSTEM     - Sid:  S-1-5-18    |  p  LfLeåJ li´Lli´L0            \       \   ¨   À   V S S   A D V A N T A G E S S V R   { 5 f c 8 4 5 e b - f 2 9 9 - 4 0 f 0 - 9 7 2 5 - 3 4 0 4 5 f 7 e a 8 b a }   0 x 8 0 0 4 0 1 5 4   - Code: CORHWPWC00000306- Call: CORHWPWC00000242- PID:  00009544- TID:  00004592- CMD:  C:\WINDOWS\System32\vssvc.exe   - User: NT AUTHORITY\SYSTEM     - Sid:  S-1-5-18    p  |  LfLeæJ li´Lli´L             \       \   ¨   Ì   V S S   A D V A N T A G E S S V R   { 5 f c 8 4 5 e b - f 2 9 9 - 4 0 f 0 - 9 7 2 5 - 3 4 0 4 5 f 7 e a 8 b a }   H W P R V   0 x 8 0 0 4 0 1 5 4   - Code: CORHWPWC00000298- Call: CORHWPWC00000242- PID:  00009544- TID:  00004916- CMD:  
C:\WINDOWS\System32\vssvc.exe   - User: NT AUTHORITY\SYSTEM     - Sid:  S-1-5-18    |  p  LfLeçJ li´Lli´L0            \       \   ¨   À   V S S   A D V A N T A G E S S V R   { 5 f c 8 4 5 e b - f 2 9 9 - 4 0 f 0 - 9 7 2 5 - 3 4 0 4 5 f 7 e a 8 b a }   0 x 8 0 0 4 0 1 5 4

I've highlighted the bit I believe to be my entry, but I can't really be sure. I'm sure I'm not the first person in the world who ever wanted to monitor the event log, so I'm wondering if there's any/a better way to do this, or if I'm just going about this completely wrong.
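The dump above is readable once you know the on-disk layout. A legacy .evt file is a chain of EVENTLOGRECORD structures (the layout documented in winnt.h): a fixed little-endian binary header whose signature DWORD shows up in Notepad as the bytes "LfLe" (the "LfLeâJ" fragments in the paste), followed by the source name, the computer name, an optional SID and the message's insertion strings as NUL-terminated UTF-16LE text, which is why every character appears spaced out and why "Kaseya" and "ADVANTAGESSVR" sit right after the signature. The following parser is an added example written for this page; it is not code from the thread, from Kaseya or from Microsoft. It scans a file for that signature, validates each record, decodes the fields, and filters out one source's entries the way an alerting script would. The sample log it runs on is constructed inline and only mimics the entries in the paste; the event IDs, event types and timestamps in it are assumptions, as is the source name "Kaseya" for the eventcreate entry.

```python
"""Parse legacy Windows (.evt) event log records and pull out one source's entries.
Added example, not code from the thread or from Kaseya. Layout: EVENTLOGRECORD from winnt.h."""
import struct
from datetime import datetime, timezone

SIGNATURE = 0x654C664C                    # EVENTLOGRECORD.Reserved; the bytes b"LfLe" on disk
SIGNATURE_BYTES = struct.pack("<I", SIGNATURE)
HEADER_FMT = "<IIIIIIHHHHIIIIII"          # Length .. DataOffset: the fixed 56-byte header
HEADER_SIZE = struct.calcsize(HEADER_FMT)
EVENT_TYPES = {1: "ERROR", 2: "WARNING", 4: "INFORMATION", 8: "AUDIT_SUCCESS", 16: "AUDIT_FAILURE"}

def _wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string at buf[off]; return (text, offset past the NUL)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2

def _sid_to_str(sid):
    """Render a binary SID (revision, sub-authority count, 48-bit authority, DWORD subs)."""
    if len(sid) < 8 or len(sid) < 8 + 4 * sid[1]:
        return ""
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)
    return "S-%d-%d" % (sid[0], int.from_bytes(sid[2:8], "big")) + "".join("-%d" % s for s in subs)

def parse_record(buf, off):
    """Parse the EVENTLOGRECORD at buf[off]; return a dict, or None if no valid record is there."""
    if off < 0 or off + HEADER_SIZE > len(buf):
        return None
    (length, sig, recnum, t_gen, _t_wr, event_id, ev_type, nstrings, category, _flags,
     _closing, str_off, sid_len, sid_off, data_len, data_off) = struct.unpack_from(HEADER_FMT, buf, off)
    # A record ends with a second copy of Length; checking it rejects the 48-byte file header
    # (which carries the same signature) as well as truncated or half-written records.
    if sig != SIGNATURE or length < HEADER_SIZE + 4 or off + length > len(buf):
        return None
    if struct.unpack_from("<I", buf, off + length - 4)[0] != length:
        return None
    rec = buf[off:off + length]
    source, p = _wstr(rec, HEADER_SIZE)          # SourceName, then Computername, follow the header
    computer, _ = _wstr(rec, p)
    strings, p = [], str_off
    for _ in range(nstrings):
        s, p = _wstr(rec, p)
        strings.append(s)
    return {"length": length, "record": recnum, "category": category,
            "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
            "event_id": event_id & 0xFFFF,        # low word is the ID that eventcreate /ID sets
            "type": EVENT_TYPES.get(ev_type, str(ev_type)),
            "source": source, "computer": computer, "strings": strings,
            "sid": _sid_to_str(rec[sid_off:sid_off + sid_len]) if sid_len else "",
            "data": rec[data_off:data_off + data_len]}

def iter_records(buf):
    """Yield every valid record; scanning for the signature copes with a wrapped or partial file."""
    pos = buf.find(SIGNATURE_BYTES, 4)
    while pos != -1:
        rec = parse_record(buf, pos - 4)
        if rec:
            yield rec
            pos = buf.find(SIGNATURE_BYTES, pos - 4 + rec["length"])
        else:
            pos = buf.find(SIGNATURE_BYTES, pos + 4)

def find_entries(buf, source, types=("ERROR", "WARNING")):
    """Return the records written by `source` (case-insensitive) whose type is in `types`."""
    return [r for r in iter_records(buf) if r["source"].lower() == source.lower() and r["type"] in types]

def build_record(recnum, event_id, ev_type, source, computer, strings, sid=b"", when=0):
    """Serialise one EVENTLOGRECORD; used here only to construct sample input."""
    body = (source + "\0").encode("utf-16-le") + (computer + "\0").encode("utf-16-le")
    sid_off = HEADER_SIZE + len(body)
    body += sid
    str_off = HEADER_SIZE + len(body)
    for s in strings:
        body += (s + "\0").encode("utf-16-le")
    data_off = HEADER_SIZE + len(body)            # no binary data in these samples
    body += b"\0" * (-len(body) % 4)              # keep the trailing Length DWORD-aligned
    length = HEADER_SIZE + len(body) + 4
    header = struct.pack(HEADER_FMT, length, SIGNATURE, recnum, when, when, event_id,
                         ev_type, len(strings), 0, 0, 0, str_off, len(sid), sid_off, 0, data_off)
    return header + body + struct.pack("<I", length)

# Constructed sample (not the poster's file): file header, a VSS error either side of a Kaseya
# warning like the thread's eventcreate entry, then the end-of-file record. IDs/types are assumed.
SYSTEM_SID = b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"   # S-1-5-18
T0 = 1262304000                                                    # 2010-01-01 00:00:00 UTC
VSS = ("VSS", "ADVANTAGESSVR", ["{5fc845eb-f299-40f0-9725-34045f7ea8ba}", "0x80040154"], SYSTEM_SID)
SAMPLE_LOG = (struct.pack("<II", 0x30, SIGNATURE) + b"\0" * 40
              + build_record(1, 0xC0000000 | 8193, 1, *VSS, T0)
              + build_record(2, 1000, 2, "Kaseya", "ADVANTAGESSVR",
                             ["Exchange backup that should have been created today is 1 days old."], b"", T0 + 1)
              + build_record(3, 0xC0000000 | 8193, 1, *VSS, T0 + 2)
              + struct.pack("<IIIII", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444)
              + b"\0" * 16 + struct.pack("<I", 0x28))

if __name__ == "__main__":
    for r in find_entries(SAMPLE_LOG, "Kaseya"):
        print(r["time_generated"], r["computer"], r["type"], r["event_id"], r["strings"][0])
```

Two practical points. First, run this against a saved copy of the log: the live AppEvent.Evt under %SystemRoot%\System32\config is held open by the Event Log service, and for anything on a running machine the supported route is the event log API rather than the file, e.g. PowerShell's Get-EventLog -LogName Application -Source Kaseya (the source name is whatever the script passed to eventcreate /SO). Second, the trailing-Length check is the defensive detail worth keeping: a file copied while the service is mid-write can contain a half-written record, and trusting the leading Length alone would let that record's offsets point anywhere; rejecting it and resuming the signature scan is what keeps one bad record from taking the whole parse down.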

Verified Answer
  • "Monitor" was the clue there. Go to the Monitor module - Agent Monitoring - Alerts, then in the main panel set Select Alert Function to Event Logs, pick which one you want to monitor and define yourself an Event Set to look for what you're interested in. Select actions as appropriate, apply to the necessary machines and there you are, job done. That gives you enough to be getting along with?

    Regards,

    Graham.

All Replies

  • Good Lord, how silly of me. I always make these things far more complicated than they need be. Thank you so much!