I'm trying to use the "Matching Regular Expression Below" feature for "Include Events" in the Windows Event Log Monitor and it is not working how I expect it to. Does someone have a working example for this feature?
The text that I want to match on is in the message of a standard, run-of-the-mill Windows Application event log entry. The match works if I omit the "Include events" filter, but this is too generic for my use case.
This is a snippet of my text that I want to match.
One version of a regex:
I tried multiple iterations with both WMI and RPC:
(The request was aborted: Could not create SSL.TLS secure channel)
"(The request was aborted: Could not create SSL.TLS secure channel)"
(?ms)The request was aborted: Could not create SSL.TLS secure channel
"(?ms)The request was aborted: Could not create SSL.TLS secure channel"
Also, since it can be a pain to wait for testing, here is a way to inject a log entry into the event log via PowerShell... just change logname/source...
The most common logname is "Application" for the "Windows" => "Application" logs in Event Viewer.
Injecting Windows events into the event log
#EventLog work:
get-eventlog -list

#CREATE:
new-eventlog -logname TestLog -source MyTest

#LOCAL:
write-eventlog -logname TestLog -source MyTest -eventID 3001 -entrytype Information -message "MyApp added a user-requested feature to the display." -category 1 -rawdata 10,20
write-eventlog -logname System -source "Service Control Manager" -eventID 5719 -entrytype Error -message "TESTING NETLOGON ERROR EVENT." -category 1 -rawdata 10,20

#REMOTE:
write-eventlog -computername Server01 -logname TestLog -source MyTest -eventID 3001 -message "MyApp added a user-requested feature to the display."

#REMOVE:
remove-eventlog -source #<name>
remove-eventlog -logname #<name>
Thank you, I have been creating my own test events, but thank you for the suggestion and example.
That regex did not work - I believe that this monitor does not look deep into the message body of the Microsoft Event Logs - just looks at the header values.
Who can confirm the feature/function of this monitor?
What is the Event Viewer "structure" for the logs you want to evaluate? Only the top level is visible to SolarWinds / presented to WMI.
I've had my rear handed to me by a log not being in that top-tier structure. Here is a workaround if yours is not...
Event logs generally available to queries are the root levels under "Windows Logs" and "Applications and Services Logs".
Sub-folders below that are not visible, so you need to put a "pointer" in for your logs. This is done by the procedure below.
Save as a *.reg file and double-click to insert into the registry. "EXE and DLL" should match what you need it to show up as under Applications and Services Logs (below img). File is the location of the actual event log file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\EXE and DLL]
"File"="%SystemRoot%\\System32\\Winevt\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx"
"Flags"=dword:00000001
This is slightly tweaked [based on much testing/head banging] from this article: https://docs.datadoghq.com/integrations/faq/how-to-add-event-log-files-to-the-win32-ntlogevent-wmi-c...
See the img as well.
@njoylif Thank you for all of the detail.
My example is an event in the Windows Application Event Log. I'd like the monitor to search for all or part of the string "The request was aborted: Could not create SSL/TLS secure channel." for Windows Application Log, Event ID "1309"; Level "Application"
How would this be configured? See the attachments.
I'd go ahead and open a case with support if you don't have one already.
You can also test from generic to specific to see how far you get...
i.e., App -> ASP -> all Warning/Error, to ensure you are getting that source and the alert works at that level.
Then start adding specifics... try by event ID and verify it triggers.
I couldn't get the test [injected] event to alert properly, but the message format is different than native and I don't have time to figure it out currently.
Below is a portion of the message that I want to find in the exceptions block....
Event time: 2/29/2020 2:00:02 PM
Event time (UTC): 2/29/2020 7:00:02 PM
Event ID: 4524fef3522d41cfa59b8091a22a0663
Event sequence: 4
Event occurrence: 1
Event detail code: 0
Application domain: /LM/W3SVC/1/ROOT-1-132274764021126849
Trust level: Full
Application Virtual Path: /
Application Path: E:\websites\www.XXXXXXXXXXXX.com\
Machine name: XXXXXXXXXXXXX
Process ID: 4424
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception type: TypeInitializationException
Exception message: The type initializer for 'XXX.Entities.Common.Utils' threw an exception.
at PoS.Entities.XXXXXX.Utils.RetrieveXXXXCache(String XXXPropertyName) in e:\tfbld1\_work\79\s\POSCore\Entities\XXX.Entities\Common\Utils.cs:line 1088
at PoS.Entities.XXXXXX.Utils.GetXXXProperty(String XXXPropertyName) in e:\tfbld1\_work\79\s\POSCore\Entities\PoS.Entities\Common\Utils.cs:line 1083
at ASP.homelogin_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in E:\websites\www.lXXXXXXXXXXXXXXXXX.com\HomeLogin.aspx:line 30
at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
at System.Web.UI.Page.Render(HtmlTextWriter writer)
at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
The request was aborted: Could not create SSL/TLS secure channel.
at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
at System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
at System.Threading.CompressedStack.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)
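To check, before configuring the monitor, whether the regex from the first post actually matches the rendered message of Event ID 1309 in the Application log, and whether that message body is exposed through WMI at all (the doubt raised above about header-only matching), here is an added PowerShell check that is not from the thread or from SolarWinds. It also lists which logs WMI can see, which is the question the registry-pointer workaround addresses; the pattern and event ID are taken from the posts above, and the 200-event window is an assumption.

```powershell
# Added example (not from the thread or SolarWinds): test the thread's regex
# against real events through both views a monitor can poll, and list which
# logs the WMI view can see at all (sub-logs need the registry pointer above).
$pattern = '(?ms)The request was aborted: Could not create SSL.TLS secure channel'
$logName = 'Application'
$eventId = 1309                      # ASP.NET event ID named in the thread

# 1. Which logs does WMI expose? Only these can be matched by a WMI poll.
$visible = Get-CimInstance -ClassName Win32_NTEventlogFile | Select-Object -ExpandProperty LogfileName
"WMI-visible logs: $($visible -join ', ')"
if ($visible -notcontains $logName) { "'$logName' is not visible to WMI"; return }

# 2. Native event API (what an agent/RPC poll sees): filter on log + ID,
#    then apply the regex to the rendered message body.
$native = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventId } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

# 3. WMI view (Win32_NTLogEvent): EventCode is the short ID, Message the body.
$wql = "SELECT TimeGenerated, SourceName, EventCode, Message FROM Win32_NTLogEvent WHERE Logfile='$logName' AND EventCode=$eventId"
$wmi = Get-CimInstance -Query $wql | Where-Object { $_.Message -match $pattern }

"Native API matches: $(@($native).Count)   WMI matches: $(@($wmi).Count)"

# 4. Show where the match sits: it is deep in the body, not in a header field,
#    so an anchored (^...$) header-style regex would miss it. The (?ms) flags
#    only matter if the pattern itself spans lines; this one does not.
$first = @($native) | Select-Object -First 1
if ($first) {
    $m = [regex]::Match($first.Message, $pattern)
    "Match at offset $($m.Index) of $($first.Message.Length) chars: '$($m.Value)'"
}
```

If the native count is non-zero but the WMI count is zero, the message body is not reaching the WMI view and a WMI-based monitor cannot match it regardless of the regex.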