Windows Event Log Monitor Regex filter not working as expected

I'm trying to use the "Matching Regular Expression Below" feature for "Include Events" in the Windows Event Log Monitor, and it is not working the way I expect it to. Does someone have a working example for this feature?

The text that I want to match on is in the message of a standard, run-of-the-mill Windows Application event log entry. The match works if I omit the "Include events" filter, but that is too generic for my use case.

This is a snippet of my text that I want to match.

One version of a regex:

I tried multiple iterations with both WMI and RPC:

(The request was aborted: Could not create SSL.TLS secure channel)

"(The request was aborted: Could not create SSL.TLS secure channel)"

(?ms)The request was aborted: Could not create SSL.TLS secure channel

"(?ms)The request was aborted: Could not create SSL.TLS secure channel"

Please Help!

@njoylif @designerfx @aLTeReGo


Whitespace and special characters can break things easily.

Try:

"The request was aborted.*Could not create SSL.*TLS secure channel"

Also, since it can be a pain to wait for testing, here is a way to inject an entry into the event log via PowerShell... just change the log name/source...
The most common log name is "Application" for the "Windows" => "Application" logs in Event Viewer.

Injecting Windows events into the event log

# EventLog work: list the logs registered on this machine
Get-EventLog -List

# CREATE: register a dedicated test log and source (needs an elevated session);
# a separate log keeps the test entries out of Application/System
New-EventLog -LogName TestLog -Source MyTest

# LOCAL: write a test entry to the new log
Write-EventLog -LogName TestLog -Source MyTest -EventID 3001 -EntryType Information -Message "MyApp added a user-requested feature to the display." -Category 1 -RawData 10,20
# ...or write a real-looking error into the System log under an existing source
Write-EventLog -LogName System -Source "Service Control Manager" -EventID 5719 -EntryType Error -Message "TESTING NETLOGON ERROR EVENT." -Category 1 -RawData 10,20

# REMOTE: write to the same test log on another host (the source must already be registered there)
Write-EventLog -ComputerName Server01 -LogName TestLog -Source MyTest -EventID 3001 -Message "MyApp added a user-requested feature to the display."

# REMOVE: clean up the test source and log when done
Remove-EventLog -Source MyTest
Remove-EventLog -LogName TestLog


Thank you. I have been creating my test events, but thanks for the suggestion and example.

That regex did not work - I believe that this monitor does not look deep into the message body of the Microsoft event logs; it just looks at the header values.

Who can confirm the feature/function of this monitor?

@njoylif 


It does look through the details of the message.

I've successfully included/excluded as needed based on the details of messages.


What is the Event Viewer "structure" for the logs you want to evaluate? Only the top level is visible to SW / presented to WMI.

I've had my rear handed to me by a log not being in that top-tier structure. Here is a workaround if yours is not...

The event logs generally available to queries are the root levels under "Windows Logs" and "Applications and Services Logs".
Subfolders below that are not visible, so you need to put a "pointer" in for your logs. This is done by the procedure below.

Save this as a *.reg file and double-click it to import it into the registry. "EXE and DLL" should match what you need the log to show up as under Applications and Services Logs (below img); File is the location of the actual event log file.

Windows Registry Editor Version 5.00

; Key name = the log name as it will appear to WMI and under "Applications and Services Logs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\EXE and DLL]
; File = the actual .evtx on disk (a "/" in the channel name is stored as "%4" in the file name)
"File"="%SystemRoot%\\System32\\Winevt\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx"
"Flags"=dword:00000001

This is slightly tweaked [based on much testing/head banging] from this article: https://docs.datadoghq.com/integrations/faq/how-to-add-event-log-files-to-the-win32-ntlogevent-wmi-c...


see img as well.

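The same registry "pointer" created and verified from PowerShell instead of a .reg file, as an added example that is not part of the post above. It assumes the post's AppLocker channel name and .evtx path; those two values are the only things to change for another channel, and the session must be elevated because the key lives under HKLM\SYSTEM.

```powershell
# Added example (not from the thread): create the Services\EventLog pointer for a
# sub-folder channel, then confirm WMI now lists it. Run in an elevated session.
# Channel name and file path are taken from the post's AppLocker example (assumed).
$LogName = 'EXE and DLL'
$Evtx    = '%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx'
$Key     = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Sanity check before touching the registry: the .evtx must exist, otherwise the
# pointer is just a dangling key. A "/" in the channel name is "%4" on disk.
$resolved = [Environment]::ExpandEnvironmentVariables($Evtx)
if (-not (Test-Path -LiteralPath $resolved)) {
    throw "Event log file not found: $resolved"
}

if (-not (Test-Path -LiteralPath $Key)) {
    New-Item -Path $Key -Force | Out-Null
}

# Same two values the .reg file writes: REG_SZ "File" and DWORD "Flags"=1.
New-ItemProperty -LiteralPath $Key -Name 'File'  -Value $Evtx -PropertyType String -Force | Out-Null
New-ItemProperty -LiteralPath $Key -Name 'Flags' -Value 1     -PropertyType DWord  -Force | Out-Null

# Verify through the WMI class that event log collectors enumerate. Note that any
# principal with remote WMI/event log access can now read this channel as well.
# If nothing comes back, restart the Windows Event Log service
# (Restart-Service EventLog -Force) and re-run the query before assuming the key is wrong.
Get-CimInstance -ClassName Win32_NTEventlogFile |
    Where-Object { $_.LogfileName -eq $LogName } |
    Select-Object LogfileName, Name, NumberOfRecords
```

The pre-flight `Test-Path` is the part most worth keeping: a typo in the channel name creates a key that looks right in the registry but points at nothing, which shows up later as a silent gap in collection rather than an error.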

@njoylif Thank you for all of the detail. 

My example is an event in the Windows Application Event Log. I'd like the monitor to search for all or part of the string "The request was aborted: Could not create SSL/TLS secure channel." for the Windows Application Log, Event ID "1309"; Level "Application".

How would this be configured?  See the attachments.


I'd go ahead and open a case with support if you don't have one already.

You can also test from generic to specific to see how far you get...

i.e., App -> ASP -> all Warning/Error, to ensure you are getting that source and the alert works at that level.

Then start adding specifics... try by event ID and verify it triggers.

etc...

I couldn't get a test (injected) event to alert properly, but the message format is different from native and I don't have time to figure it out currently.


Below is a portion of the message that I want to find in the exceptions block...

Event time: 2/29/2020 2:00:02 PM
Event time (UTC): 2/29/2020 7:00:02 PM
Event ID: 4524fef3522d41cfa59b8091a22a0663
Event sequence: 4
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT-1-132274764021126849
Trust level: Full
Application Virtual Path: /
Application Path: E:\websites\www.XXXXXXXXXXXX.com\
Machine name: XXXXXXXXXXXXX

Process information:
Process ID: 4424
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: TypeInitializationException
Exception message: The type initializer for 'XXX.Entities.Common.Utils' threw an exception.
at PoS.Entities.XXXXXX.Utils.get_XXXXCache()
at PoS.Entities.XXXXXX.Utils.RetrieveXXXXCache(String XXXPropertyName) in e:\tfbld1\_work\79\s\POSCore\Entities\XXX.Entities\Common\Utils.cs:line 1088
at PoS.Entities.XXXXXX.Utils.GetXXXProperty(String XXXPropertyName) in e:\tfbld1\_work\79\s\POSCore\Entities\PoS.Entities\Common\Utils.cs:line 1083
at ASP.homelogin_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in E:\websites\www.lXXXXXXXXXXXXXXXXX.com\HomeLogin.aspx:line 30
at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
at System.Web.UI.Page.Render(HtmlTextWriter writer)
at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at System.Xml.XmlDownloadManager.GetNonFileStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy, RequestCachePolicy cachePolicy)
at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
at System.Xml.XmlTextReaderImpl.OpenUrlDelegate(Object xmlResolver)
at System.Threading.CompressedStack.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.CompressedStack.Run(CompressedStack compressedStack, ContextCallback callback, Object state)

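To settle whether the patterns themselves match this message body (as opposed to how the monitor applies them), here is an added PowerShell example, not code from the thread, that uses the same Write-EventLog approach suggested earlier in the thread with a constructed, trimmed copy of the event body above, reads the entry back from the log, and tests the original post's regexes and the suggested `.*` variant against it under .NET regex semantics. The log name, source, event ID and the trimmed message are lab-box assumptions, and whether the SolarWinds monitor uses the same regex engine is not something this thread confirms.

```powershell
# Added example, not code from the thread. Round-trips a constructed copy of the
# ASP.NET-style message through a dedicated test log, then tests each regex
# candidate against the message body exactly as the event log returns it.
# Log name, source and event ID are assumptions; run in an elevated session.
$LogName = 'RegexTestLog'
$Source  = 'RegexTestSource'
$EventId = 1309

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# Constructed message: a trimmed copy of the posted event body that keeps the
# layout that matters - the target string sits on its own line, deep in the body,
# after a stack trace, with a "/" in "SSL/TLS" and a trailing period.
$Message = @"
Event time: 2/29/2020 2:00:02 PM
Event time (UTC): 2/29/2020 7:00:02 PM
Event sequence: 4

Exception information:
Exception type: TypeInitializationException
Exception message: The type initializer for 'XXX.Entities.Common.Utils' threw an exception.
at PoS.Entities.XXXXXX.Utils.get_XXXXCache()

The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
"@

Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Error -Message $Message

# Read it back the way a collector would, not from $Message, so whatever the
# event log did to line endings or rendering is part of the test.
$entry = Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = $EventId } -MaxEvents 1
$body  = $entry.Message

$Patterns = [ordered]@{
    'OP literal, "." standing in for "/"'                         = 'The request was aborted: Could not create SSL.TLS secure channel'
    'OP literal with (?ms) prefix'                                = '(?ms)The request was aborted: Could not create SSL.TLS secure channel'
    'OP literal wrapped in quotes (quotes are literal characters)' = '"The request was aborted: Could not create SSL.TLS secure channel"'
    'reply: fragments joined with .*'                             = 'The request was aborted.*Could not create SSL.*TLS secure channel'
    'whole-line match; \r? because event text is CRLF-delimited'  = '(?m)^The request was aborted: Could not create SSL/TLS secure channel\.\r?$'
    'from the header to the target with .* but no (?s)'           = '^Event time:.*secure channel'
    'same, with (?s) so "." crosses line breaks'                  = '(?s)^Event time:.*secure channel'
}

foreach ($name in $Patterns.Keys) {
    # [regex]::IsMatch is case-sensitive, unlike PowerShell's -match operator.
    $hit = [regex]::IsMatch($body, $Patterns[$name])
    '{0,-5} {1}' -f $(if ($hit) { 'MATCH' } else { 'no' }), $name
}

# Clean up the lab log when done:
# Remove-EventLog -LogName $LogName
```

Three .NET regex facts decide the outcomes: `.` matches any character except a newline, so `SSL.TLS` matches `SSL/TLS` but `.*` only spans lines under `(?s)`; `(?m)` changes only what `^` and `$` anchor to, and `$` matches before `\n`, which in Windows event text usually follows a `\r`, hence the `\r?`; and a quotation mark is an ordinary character, so a pattern pasted with surrounding quotes only matches text that itself contains them. If a candidate matches here but not in the monitor, the difference is in how the monitor applies the filter, not in the pattern.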