5 Replies Latest reply on Jul 23, 2015 4:11 PM by nicole pauls

    Application Log Event

    rbmadison

      We monitor logon events and produce a report of which admins logged on where for auditing purposes. I wrote a quick PowerShell prompt that asks them to input the reason why they are logging into the server each time. This information is written to the "Application event log" under the "User Profile Service" source. Is there any way to get this information out of LEM? I can't seem to find any of the events showing up in LEM. Is there a better Event log or source I should write to that LEM can pick up? I cannot write to the security log because it's owned by the system account on the server.

      Thanks for the help in advance!

        • Re: Application Log Event
          nicole pauls

          If you write with "Critical", "Warning", or "Error" severity, LEM will automatically pick it up, otherwise we'd have to tweak the Application Log connector.

            • Re: Application Log Event
              rbmadison

              Hi Nicole,

              I am writing the event as a warning but it's not showing up. Below are the details of the event I am writing. Maybe I'm not filtering in nDepth correctly. How would you filter for this event in nDepth? Thanks for the help on this!

              -----------------------------------------------------------------------

              Log Name:      Application
              Source:        Microsoft-Windows-User Profiles Service
              Date:          7/23/2015 11:28:03 AM
              Event ID:      30001
              Task Category: (1)
              Level:         Information
              Keywords:      Classic
              User:          N/A
              Computer:      abcserver.mydomain.com
              Description:
              The description for Event ID 30001 from source Microsoft-Windows-User Profiles Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

              If the event originated on another computer, the display information had to be saved with the event.

              The following information was included with the event:

              7/23/2015 11:28:03 AM_UserInfo:
              @{LOGONSERVER=\\abcserver; USERDNSDOMAIN=mydomain.com; USERDOMAIN=mydomain; USERNAME=adminabc; USERPROFILE=C:\Users\adminabc; HOMEPATH=\Users\adminabc; HOMEDRIVE=C:; APPDATA=C:\Users\adminabc\AppData\Roaming; LOCALAPPDATA=C:\Users\adminabc\AppData\Local}
              SessionInfo:
              r@{SESSIONNAME=RDP-Tcp#0; CLIENTNAME=adminabc-VM2; TEMP=C:\Users\adminabc\AppData\Local\Temp\1; TMP=C:\Users\adminabc\AppData\Local\Temp\1}
              Reason:
              checking disk space usage

              the message resource is present but the message is not found in the string/message table

              Event Xml:
              <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
                <System>
                  <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{12345}" EventSourceName="Microsoft-Windows-User Profiles Service" />
                  <EventID Qualifiers="0">30001</EventID>
                  <Version>0</Version>
                  <Level>4</Level>
                  <Task>1</Task>
                  <Opcode>0</Opcode>
                  <Keywords>0x80000000000000</Keywords>
                  <TimeCreated SystemTime="2015-07-23T16:28:03.000000000Z" />
                  <EventRecordID>38145</EventRecordID>
                  <Correlation />
                  <Execution ProcessID="0" ThreadID="0" />
                  <Channel>Application</Channel>
                  <Computer>DataServ3.mydomain.com</Computer>
                  <Security />
                </System>
                <EventData>
                  <Data>7/23/2015 11:28:03 AM_UserInfo:
              @{LOGONSERVER=\\abcserver; USERDNSDOMAIN=mydomain.com; USERDOMAIN=mydomain; USERNAME=adminabc; USERPROFILE=C:\Users\adminabc; HOMEPATH=\Users\adminabc; HOMEDRIVE=C:; APPDATA=C:\Users\adminabc\AppData\Roaming; LOCALAPPDATA=C:\Users\adminabc\AppData\Local}
              SessionInfo:
              r@{SESSIONNAME=RDP-Tcp#0; CLIENTNAME=adminabc-VM2; TEMP=C:\Users\adminabc\AppData\Local\Temp\1; TMP=C:\Users\adminabc\AppData\Local\Temp\1}
              Reason:
              checking disk space usage</Data>
                </EventData>
              </Event>
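
Added example, not part of the thread or of any poster's script: since nicole pauls ties LEM pickup to the event's severity, this sketch writes the logon reason at Warning severity and then reads the record back to check the level that was actually stored (the dump above shows `<Level>4</Level>`, i.e. Information). The source name `AdminLogonReason` and both function names are hypothetical; it assumes Windows PowerShell 5.1, where `New-EventLog` and `Write-EventLog` are available, and an elevated session for the one-time source registration.

```powershell
# Added example. Names marked "hypothetical" do not come from the thread.
$LogName = 'Application'
$Source  = 'AdminLogonReason'   # hypothetical dedicated source name
$EventId = 30001                # event ID shown in the thread

# One-time setup per server; needs an elevated session.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function Write-LogonReason {    # hypothetical helper
    param([Parameter(Mandatory)][string]$Reason)

    # Same kind of fields the thread's event carries, one per line.
    $message = @(
        "User: $env:USERDOMAIN\$env:USERNAME"
        "Session: $env:SESSIONNAME  Client: $env:CLIENTNAME"
        "Reason: $Reason"
    ) -join [Environment]::NewLine

    # -EntryType sets the severity stored with the record.
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
        -EntryType Warning -Message $message
}

function Test-LogonReasonLevel { # hypothetical helper
    # Read back the newest matching record and report its stored level.
    # Level values: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information.
    $evt = Get-WinEvent -MaxEvents 1 -FilterHashtable @{
        LogName      = $LogName
        ProviderName = $Source
        Id           = $EventId
    }
    [pscustomobject]@{
        TimeCreated      = $evt.TimeCreated
        Level            = $evt.Level
        LevelDisplayName = $evt.LevelDisplayName
        WarningOrWorse   = ($evt.Level -ge 1 -and $evt.Level -le 3)
    }
}

Write-LogonReason -Reason 'checking disk space usage'
Test-LogonReasonLevel
```

If `WarningOrWorse` comes back `False`, the record was stored at a lower severity than the ones named in the reply above, whatever the writing script intended.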