1 Reply Latest reply on Oct 23, 2013 1:15 PM by rbonn

    Monitoring for event IDs. Windows Logs vs. Applications and Service Logs


      Everybody's favorite thing, CHANGE MANAGEMENT


      While attempting to monitor my Windows DHCP server for changes, I decided to use the Windows Event Log Monitor. However, I was unable to get the results I was looking for. Can anyone tell me why the Windows Event Log Monitor can find a log in the Windows Logs but not the Application and Service Logs?


      After digging in, I came across the issue and I am hoping someone can offer an alternative or just tell me what I am overlooking.


      Windows Logs are assigned a variable called EventSourceName.

      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
          <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" />
          <EventID Qualifiers="0">1020</EventID>


      Application and Service Logs are missing this variable.

      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
          <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" />

        • Re: Monitoring for event IDs. Windows Logs vs. Applications and Service Logs

          More information: The APM template is clearly matching ID and sourcename.


          Set lst_args = WScript.Arguments

          If lst_args.Count > 0 Then
             WScript.Echo "Message: Usage: wscript.exe WinEventLog.vbs ComputerName " & vbCRLF _
             & "-computer The computer name " & vbCRLF _
             & "-area Name of Windows NT event log file. Together with RecordNumber, this is used to uniquely identify an instance of this class: Application, Security, System and etc." & vbCRLF _
             & "-type The Event Type: Error, Warning, Information, Success, Failure." & vbCRLF _
             & "-id Identifier of the event. This is specific to the source that generated the event log entry and is used, together with SourceName, to uniquely identify a Windows NT event type." & vbCRLF _
             & "-source Name of the source (application, service, driver, or subsystem) that generated the entry. It is used, together with EventIdentifier to uniquely identify a Windows NT event type" & vbCRLF _
             & "-exclusion Exclusions by Event Text" & vbCRLF _
             & "-match Content Matching Event Text" & vbCRLF _
             & "-timespan How many minutes old can the event be" & vbCRLF
             WScript.Echo "Statistic: 0"
             WScript.Quit( FAIL )
          End If
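
The difference discussed in this thread, as an added example that is not part of the original posts or of the monitoring product's own code: it parses two event XML samples and shows why a filter on event ID plus legacy source name misses an event whose Provider element has no EventSourceName attribute. The sample events (closing tags, the second event's EventID) and all function names are constructed assumptions; the strict matcher only models the behaviour the reply describes.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
_HEAD = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
_TAIL = '<EventID Qualifiers="0">1020</EventID></System></Event>'
_GUID = 'Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}"'

# Constructed samples modelled on the two excerpts in the question.
# CLASSIC carries EventSourceName (Windows Logs); OPERATIONAL does not
# (Applications and Services Logs). The EventID in OPERATIONAL is made up.
CLASSIC = (_HEAD + '<Provider Name="Microsoft-Windows-DHCP-Server" ' + _GUID
           + ' EventSourceName="DhcpServer" />' + _TAIL)
OPERATIONAL = (_HEAD + '<Provider Name="Microsoft-Windows-DHCP-Server" ' + _GUID
               + ' />' + _TAIL)


def identify(event_xml):
    """Return (event_id, provider_name, legacy_source) for one event XML string."""
    system = ET.fromstring(event_xml).find("e:System", NS)
    provider = system.find("e:Provider", NS)
    event_id = int(system.find("e:EventID", NS).text)
    # legacy_source is None when the attribute is absent.
    return event_id, provider.get("Name"), provider.get("EventSourceName")


def matches_strict(event_xml, want_id, want_source):
    """Assumed model of an 'ID + source name' filter: legacy source name only."""
    event_id, _, legacy = identify(event_xml)
    return event_id == want_id and legacy == want_source


def matches_either_name(event_xml, want_id, want_source):
    """Accept the filter if it equals the legacy source name or the Provider Name."""
    event_id, name, legacy = identify(event_xml)
    return event_id == want_id and want_source in {n for n in (legacy, name) if n}


if __name__ == "__main__":
    for label, xml_text in (("classic", CLASSIC), ("operational", OPERATIONAL)):
        print(label, identify(xml_text),
              "strict:", matches_strict(xml_text, 1020, "DhcpServer"),
              "either:", matches_either_name(xml_text, 1020,
                                             "Microsoft-Windows-DHCP-Server"))
```
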