Mining Windows Event Log

Mining Ore from the Windows Event Log and finding a way to make it portable


Use Get-WinEvent with the XML filters Event Viewer builds to mine an event, with examples for a specific string, from a specific event ID, in a specific event log.



Hopefully this post will help with a few tips to simplify monitoring for events, whether in AzMon, SCOM, or via PowerShell.



Let’s start with the Dr Scripto blog post from quite a while ago –


Not sure how many people use Get-WinEvent, but it is the PowerShell tool that lets an admin query and parse the XML side of an event.


Example 1

Query the Application event log for severity Error (Level=2), Event ID 1002 from the Application Hang provider, where one of the event's EventData values equals lync.exe

$query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Application Hang'] and (Level=2) and (EventID=1002)]] and *[EventData[Data='lync.exe']]</Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $query


[Screenshot: PowerShell output of the lync.exe event query]




Use Get-WinEvent to use XML and filters from event viewer

The Tip or Trick part of this – leverage your Event Viewer Filter as a query to use with get-WinEvent

Credit for this tip comes from Andrew Blumhardt!

See below for examples to ‘use Get-WinEvent to use XML and filters from event viewer’


Navigating via Event Viewer:

Hop onto your favorite server, or connect to another server via Event Viewer

Go to the Event Log > Click Filter Current Log

Build out your filter (i.e. choose specific Event Sources, exclude events, include severities, timeframe (start/end), etc.)

[Screenshot: Event Viewer filter on the Application log for SCVMM Event ID 25933]

Switch to the XML tab (and note you can edit your query further!)

[Screenshot: Event Viewer filter XML tab showing the SCVMM query]

You can copy the query from the Event Viewer into your Get-WinEvent syntax

$query = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Microsoft.SystemCenter.VirtualMachineManager.2012.Monitor.UserRoleQuotaUsageMonitor' or @Name='Microsoft.SystemCenter.VirtualMachineManager.2012.Report.ServiceUsageCollection' or @Name='Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection' or @Name='Microsoft.SystemCenter.VirtualMachineManager.2016.EnableCredSSPClient' or @Name='Microsoft.SystemCenter.VirtualMachineManager.2016.Monitor.UserRoleQuotaUsageMonitor' or @Name='Microsoft.SystemCenter.VirtualMachineManager.2016.Report.ServiceUsageCollection' or @Name='Microsoft.SystemCenter.VirtualMachineManager.2016.Report.VMUsageCollection'] and (Level=2 or Level=3) and (EventID=25933)]]</Select>
  </Query>
</QueryList>
"@

Get-WinEvent -FilterXml $query


[Screenshot: PowerShell output of the SCVMM Event ID 25933 query]





Example 3

Grab the System event log, Event ID 5827 (Netlogon denied a vulnerable Netlogon secure channel connection from a machine account)

Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 5827 }


[Screenshot: Get-WinEvent output filtered by LogName and Event ID]
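The three examples above each hand Get-WinEvent a hand-written filter and stop at the raw event. The helper below is an added example (not code from the original post or from the Dr Scripto article): it builds the same Event Viewer style XPath from parameters, runs it, and flattens each event's EventData fields into a PowerShell object so the result can go straight to Export-Csv or a SIEM upload. Only exact-match predicates are placed in the XPath, because the event log's XPath 1.0 subset does not implement contains() or starts-with(); substring matching is done client-side with the -DataMatch regex. The function name and parameter names are my own.

```powershell
function Get-MinedEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$LogName,   # e.g. 'Application', 'System'
        [int[]]$EventId,                            # one or more Event IDs (OR-ed together)
        [string]$ProviderName,                      # e.g. 'Application Hang'
        [int[]]$Level,                              # 1=Critical 2=Error 3=Warning 4=Information
        [string]$DataEquals,                        # exact value of any EventData <Data> element (XPath side)
        [string]$DataMatch,                         # regex applied client-side across all EventData values
        [int]$MaxEvents = 100,
        [string]$ComputerName                       # omit for the local machine
    )

    # XPath 1.0 string literals have no escape sequence, so a single quote cannot be placed in one safely.
    foreach ($v in @($ProviderName, $DataEquals)) {
        if ($v -and $v.Contains("'")) { throw "Value '$v' contains a single quote and cannot be used in an XPath literal" }
    }
    # XML-escape & < > " so the value survives inside the <Select> element text.
    function ConvertTo-XmlText([string]$s) { [System.Security.SecurityElement]::Escape($s) }

    $sys = @()
    if ($ProviderName) { $sys += "Provider[@Name='$(ConvertTo-XmlText $ProviderName)']" }
    if ($EventId)      { $sys += '(' + (($EventId | ForEach-Object { "EventID=$_" }) -join ' or ') + ')' }
    if ($Level)        { $sys += '(' + (($Level   | ForEach-Object { "Level=$_"   }) -join ' or ') + ')' }

    $parts = @()
    if ($sys)        { $parts += "*[System[$($sys -join ' and ')]]" }
    if ($DataEquals) { $parts += "*[EventData[Data='$(ConvertTo-XmlText $DataEquals)']]" }
    $select = if ($parts) { $parts -join ' and ' } else { '*' }

    # Same shape as the XML tab in Event Viewer's "Filter Current Log" dialog.
    $xml = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">$select</Select>
  </Query>
</QueryList>
"@

    $splat = @{ FilterXml = $xml; MaxEvents = $MaxEvents; ErrorAction = 'Stop' }
    if ($ComputerName) { $splat.ComputerName = $ComputerName }

    try { $events = Get-WinEvent @splat }
    catch {
        # An empty result is a normal outcome for a monitoring query; anything else is a real error.
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }

    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $row = [ordered]@{
            TimeCreated = $ev.TimeCreated
            Computer    = $ev.MachineName
            Log         = $ev.LogName
            Provider    = $ev.ProviderName
            Id          = $ev.Id
            Level       = $ev.LevelDisplayName
        }
        # Manifest-based providers emit <Data Name="...">; classic providers emit unnamed, positional <Data>.
        # The XML adapter returns a plain string for a <Data> that has no attributes, so handle both shapes.
        $dataValues = @()
        $i = 0
        foreach ($d in @($x.Event.EventData.Data)) {
            if ($null -eq $d) { continue }
            $isText = $d -is [string]
            $name   = if (-not $isText -and $d.GetAttribute('Name')) { $d.GetAttribute('Name') } else { "Data$i" }
            $value  = if ($isText) { $d } else { $d.InnerText }
            $row[$name] = $value
            $dataValues += $value
            $i++
        }
        if ($DataMatch -and -not ($dataValues -match $DataMatch)) { continue }
        [pscustomobject]$row
    }
}

# Example 1 from the post, through the helper:
Get-MinedEvent -LogName Application -ProviderName 'Application Hang' -EventId 1002 -Level 2 -DataEquals 'lync.exe'

# Example 3, exported for a ticket or SIEM upload:
Get-MinedEvent -LogName System -EventId 5827 -MaxEvents 500 | Export-Csv .\netlogon-5827.csv -NoTypeInformation
```

Because the output carries the EventData fields as named properties, the same call works unchanged against a remote server with -ComputerName, and the -DataMatch regex gives the "contains a string" filter the original question asked for without relying on XPath functions the event log does not support.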





MSFT DevBlogs

Gather Log Analytics/MMA agent version

Had some questions come up from the community to check the Log Analytics agent version.

Depending on how you are set up, the SCOM integration makes this easy with Holman's agent version management pack (see his blog).

If you are a SCOM administrator, you can check directly from a management server (MS):

$ServerName = ""   # FQDN of the agent-managed server
(Get-SCOMAgent -Name $ServerName).Version

Alternatively, from the server's registry:

(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup")

# Just the AgentVersion value
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup").AgentVersion

Log Analytics

Kusto query (the agent reports its version in the Heartbeat table, which is what the queries below read)

// Servers and Versions
Heartbeat
| distinct Computer, Version

// Specific version
Heartbeat
| where Version == "8.0.10918.0"
| distinct Computer, Version

// Summarize by Version
Heartbeat
| summarize Computers = dcount(Computer) by Version

If you’re visual

From the Portal > Log Analytics > workspace > Workspace Summary > Agent Health

Scroll right to agent version


Monitor > Overview > Agent Health Assessment

Scroll right to agent version

Azure Log Analytics for Windows Telemetry data



I blogged about this last year here



As best practice, the Upgrade Analytics script checks for far more than just injecting the workspace key and telemetry value.



FYI – This could also be managed in an SCCM Compliance setting.

Paul Fitzgerald – Platform PFE blogged about a non SCCM method here



Assess requirements for environment:


Barebones configuration requires a Commercial ID, AllowTelemetry enabled, and the level of telemetry data to send

Optional – Create key for IEDataOptIn

Send data to Application Insights

Customer proxy setup



Script has 11 parameters specified, not all are needed (excerpt below from script)

# run mode (Deployment or Pilot)
[Parameter(Mandatory=$true, Position=1)]

# File share to store logs
[Parameter(Mandatory=$true, Position=2)]

# Commercial ID provided to you
[Parameter(Mandatory=$true, Position=3)]

# logMode == 0 log to console only
# logMode == 1 log to file and console
# logMode == 2 log to file only
[Parameter(Mandatory=$true, Position=4)]

#To enable IE data, set AllowIEData=IEDataOptIn and set IEOptInLevel

#IEOptInLevel = 0 Internet Explorer data collection is disabled
#IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones
#IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones
#IEOptInLevel = 3 Data collection is enabled for all sites


[string]$NoOfAppraiserRetries = 30,

[string]$ClientProxy = "Direct",






Simple method to update machines to send Windows telemetry data:



PowerShell script

From PowerShell as Administrator:

# All three values live under the DataCollection policy key
$dataCollectionPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection"

$CommercialID   = "00000000-0000-0000-0000-000000000000"  # replace with the Commercial ID from your workspace
$AllowTelemetry = 2   # 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full
$IEOptInLevel   = 2   # 0-3, see the IEOptInLevel comments above

if (Test-Path $dataCollectionPath) {
    Write-Host -ForegroundColor Green "Registry key already exists: $dataCollectionPath"
} else {
    New-Item -Path $dataCollectionPath -Force | Out-Null
}

# -Force overwrites an existing value, so the script is safe to re-run (e.g. as an SCCM compliance remediation)
New-ItemProperty -Path $dataCollectionPath -Name CommercialId   -Value $CommercialID   -PropertyType String -Force | Out-Null
New-ItemProperty -Path $dataCollectionPath -Name AllowTelemetry -Value $AllowTelemetry -PropertyType DWord  -Force | Out-Null
New-ItemProperty -Path $dataCollectionPath -Name IEDataOptIn    -Value $IEOptInLevel   -PropertyType DWord  -Force | Out-Null

Write-Host -ForegroundColor Green "Registry values set for Telemetry"







Configure telemetry

Get Started link

Win 7,8 Opt in link

Adding Management Solutions in Azure

Decoder ring applies: OMS, Log Analytics and Azure Management Solutions are the same thing under different names.




Do you want to add solutions to your Azure subscription?

Pre-packaged visuals and insights on your data, whether azure or hybrid.




Adding Management Solutions

Login to the Azure Portal

Click on All Services

Type ‘solutions’, hit enter

Click star icon to favorite Solutions



Drag Solutions higher in your preferences (wasn’t in above screenshot)



Click Solutions





Click + to Add

Click on Security and Compliance



Click Create



Don’t forget solutions require MMA agents connected to a workspace to render any data/insights!
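The click-through above works for one workspace; for several, or for a repeatable build, the same thing can be done with the Az PowerShell module. This is an added example, not code from the original post or from Microsoft's docs. It assumes Az.OperationalInsights is installed and you are signed in; the resource group and workspace names are placeholders, and the intelligence pack names 'Security' and 'AntiMalware' are my assumption for what the portal's "Security and Compliance" tile installs, which is why the script lists what the workspace actually offers before enabling anything. It also checks for heartbeating agents first, since a solution with no agents renders nothing.

```powershell
param(
    [string]$ResourceGroupName = 'rg-monitoring',      # placeholder
    [string]$WorkspaceName     = 'law-prod',           # placeholder
    # Solutions (the cmdlets call them "intelligence packs") to enable; names assumed, see the listing step
    [string[]]$Solutions = @('Security', 'AntiMalware')
)
$ErrorActionPreference = 'Stop'

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName

# 1. Solutions show nothing without agents: count hosts that heartbeated in the last hour.
$q = 'Heartbeat | where TimeGenerated > ago(1h) | summarize Agents = dcount(Computer)'
$r = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $q
$agents = [int]($r.Results | Select-Object -First 1 -ExpandProperty Agents)
if ($agents -eq 0) {
    Write-Warning "No agents have heartbeated to $WorkspaceName in the last hour; solutions will render no data."
}

# 2. Show what is offered and what is already enabled, so the names used below can be checked.
$packs = Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName
$packs | Sort-Object Name | Format-Table Name, Enabled -AutoSize

# 3. Enable the requested solutions; unknown names are reported rather than silently skipped.
foreach ($name in $Solutions) {
    $pack = $packs | Where-Object Name -eq $name
    if (-not $pack)    { Write-Warning "Solution '$name' is not offered in this workspace"; continue }
    if ($pack.Enabled) { "$name is already enabled"; continue }
    Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
        -IntelligencePackName $name -Enabled $true | Out-Null
    "$name enabled"
}
```

Run it once with the defaults to see the Name/Enabled listing, then pass -Solutions with the exact names the workspace reports.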






The Docs article lists how to use the management solutions


MMA Agent and SCOM Agent version numbers


FYI – Updated 24 June 2022


What are the MMA Agent and SCOM Agent version numbers?

This idea sprung from a discussion with Sr. PFE Brian Barrington, and it got me wondering. See below for more details on OMS/MMA and SCOM agent versions, as well as how to verify the agent from PowerShell.



FYI – If you’re running a SCOM agent, 2016 or above, various Log Analytics solutions may have pre-reqs.

The Content Dev team under Brian Wren added this to the site

SCOM 2022

SCOM 2019

SCOM 2016



Azure Monitor Agent

The AMA (Azure Monitor Agent), ALA, OMS and MMA agents run on Windows and Linux operating systems. The name has changed over the years; AMA (Azure Monitor Agent) is the name going forward for the cloud-based offer. See the docs article here.

This also has been updated on the Docs site

Download installer files here

Review what operating systems are covered here

Previously known as Windows OMS/ALA/MMA agent

Unfortunately, there’s no github repo that I’ve found.


As of 6 Sep 2018, MMA agent = 8.0.11103.0

As of 17 Oct 2018, MMA agent = 8.0.11136.0

Skipping forward to 2020, the MMA agent is 10.20.18040.0

[!WARNING] The Log Analytics agents are on a deprecation path and will no longer be supported after August 31, 2024.



OMS Gateway

Older product published in 2016 – Download link here

OMS Gateway requires Microsoft Monitoring Agent (MMA)

(agent version – 8.0.10900.0 or later)

Simple English, that means SCOM2016 RTM agent or above




OMSAgent for xPlat (Linux/Universal Linux)

Sep 16, 2021    OMSAgent_v1.13.40-0
Mar 08, 2021    OMSAgent_v1.13.35-0
Nov 16, 2020    OMSAgent_v1.13.33-0   (adds support for Red Hat Enterprise Linux 8, CentOS 8, Oracle 8, Ubuntu 20.04, SLES…)
Nov 14, 2019    OMSAgent_v1.12.15-0
Jun 17, 2019    OMSAgent_v1.11.0-9
Apr 23, 2019    OMSAgent_v1.10.0-1
Feb 12, 2019    OMSAgent_v1.9.0-0
Nov 05, 2018    OMSAgent_v1.8.1.256
Oct 30, 2018    OMSAgent_1.8.0-256
Sep 03, 2018    OMSAgent_v1.6.1.3



Windows SCOM Agent Version numbers

SCOM 2016

Build Number   KB          Release Date   Description
8.0.10918.0    Evaluate    Oct 2016       SCOM 2016 RTM
8.0.10931.0    KB3190029   Feb 2017       SCOM 2016 Update Rollup 1
8.0.10949.0    KB3209591   March 2017     SCOM 2016 Update Rollup 2
8.0.10970.0    KB4016126   May 2017       SCOM 2016 Update Rollup 3
8.0.10977.0    KB4024941   Oct 2017       SCOM 2016 Update Rollup 4
8.0.10990.0    KB4090987   April 2018     SCOM 2016 Update Rollup 5
8.0.11004.0    KB4459897   Oct 2018       SCOM 2016 Update Rollup 6
8.0.11025.0    KB4492182   April 2019     SCOM 2016 Update Rollup 7
8.0.11037.0    KB4514877   Sept 2019      SCOM 2016 Update Rollup 8
8.0.11049.0    KB4546986   April 2020     SCOM 2016 Update Rollup 9
8.0.11000.0    KB4580254   Dec 2020       SCOM 2016 Update Rollup 10
7.2.12335.0    KB5006871   Oct 2021       SCOM 2016 Update Rollup 10 Hotfix

8.0.13053.0    RTM
8.0.13067.0    General Availability release

SCOM 2019

Build Number    KB          Release Date   Description
10.19.10050.0   Evaluate    March 2019     SCOM 2019 RTM
10.19.10311.0   KB4533415   Feb 2020       SCOM 2019 Update Rollup 1
10.19.10407.0   KB4558752   Sept 2020      SCOM 2019 Update Rollup 2
10.19.10505.0   KB4594078   March 2021     SCOM 2019 UR3
10.19.10550.0   KB5006871   Oct 2021       SCOM 2019 UR3 Hotfix



  • @Larry LeBlanc – thank you for the SCOM Agent version updates!


Verify what version is installed

Via SCOM – use Holman’s Agent Version Addendum management pack


If you don’t have SCOM

From PowerShell

$Agent = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup"
$Agent.AgentVersion









SCOM Agent Version Addendum pack

SCOM Agent build numbers

Linux Agent can be downloaded from GitHub –

Installing and configuring the MMA agent via Command line

Command prompt


GUI install option, see blog

PowerShell Agent configuration, see blog

Updated 1 Feb 2023

Pre-reqs to build out an install script/package

MMA agent executable

ALA Workspace ID

ALA Workspace Primary Key



Download MMA agent

Click on Windows Servers from Connected Sources to download Windows Agent

Click on Linux Servers from Connected Sources to download Linux Agent





Obtain WorkspaceID

From the Azure Portal:

Click on Log Analytics, then your workspace

Click on Advanced Settings

My view defaulted to Connected Sources > Windows Servers


Save the workspace ID for later. The workspace key is a shared secret that lets any host enroll into your workspace, so keep it in a password safe or secret store rather than notepad/OneNote, and regenerate it from the same blade if it leaks.






Build out command line for setup file

(optionally to include in Application Deployment package)


Grab pre-reqs above: (saved from above to build the command line)

Exe/msi file

Workspace ID

Workspace key


Craft your command line (MECM super installer code updated by Neal Smith)

SCOM MECM Agent Package Installer Command Line

The setup.exe or MSI command line parameters to pass are:

  NOAPM=1                                Optional. Installs the agent without .NET Application Performance Monitoring.
  ADD_OPINSIGHTS_WORKSPACE=1             Configure the agent to report to a workspace.
  OPINSIGHTS_WORKSPACE_ID                Workspace ID (GUID) of the workspace to add.
  OPINSIGHTS_WORKSPACE_KEY               Workspace key used to initially authenticate with the workspace.
  OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE  Cloud environment where the workspace is located: 0 = Azure commercial cloud (default), 1 = Azure Government.
  OPINSIGHTS_PROXY_URL                   URI of the proxy to use.
  OPINSIGHTS_PROXY_USERNAME              Username for an authenticated proxy.
  OPINSIGHTS_PROXY_PASSWORD              Password for an authenticated proxy.
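Putting the pre-reqs and the parameter list together, the script below is an added example (not the MECM installer or any code from the original post) of the full silent install: extract the bundle, run setup.exe with the OPINSIGHTS_* parameters, then verify the onboarding through the agent's AgentConfigManager.MgmtSvcCfg COM object and the registry AgentVersion used earlier on this page. The installer path, extract directory and proxy URL are assumptions. Note that the workspace key and any proxy password are visible on the setup.exe command line while it runs and in MECM's execution logs, so feed them from a protected source and run this from a deployment context rather than a shared interactive session.

```powershell
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$WorkspaceId,
    [Parameter(Mandatory)] [string]$WorkspaceKey,    # shared secret: pass in from a protected source, never hardcode
    [string]$Installer  = "$PSScriptRoot\MMASetup-AMD64.exe",   # assumed location of the downloaded bundle
    [string]$ExtractDir = "$env:ProgramData\MMASetup",          # assumed scratch directory
    [ValidateSet(0, 1)] [int]$AzureCloudType = 0,    # 0 = Azure commercial, 1 = Azure Government
    [string]$ProxyUrl,                               # e.g. 'http://proxy.contoso.local:8080' (assumed)
    [pscredential]$ProxyCredential                   # only for an authenticated proxy
)
$ErrorActionPreference = 'Stop'

# 1. Unpack the self-extracting bundle (/c = extract only, /t: = target directory).
Start-Process -FilePath $Installer -ArgumentList '/c', "/t:`"$ExtractDir`"" -Wait -NoNewWindow
$setup = Join-Path $ExtractDir 'setup.exe'
if (-not (Test-Path $setup)) { throw "setup.exe not found under $ExtractDir after extraction" }

# 2. Build the silent install line from the OPINSIGHTS_* parameters listed above.
$setupArgs = @(
    '/qn'
    'NOAPM=1'
    'ADD_OPINSIGHTS_WORKSPACE=1'
    "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=$AzureCloudType"
    "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`""
    "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`""
    'AcceptEndUserLicenseAgreement=1'
)
if ($ProxyUrl) {
    $setupArgs += "OPINSIGHTS_PROXY_URL=`"$ProxyUrl`""
    if ($ProxyCredential) {
        $setupArgs += "OPINSIGHTS_PROXY_USERNAME=`"$($ProxyCredential.UserName)`""
        $setupArgs += "OPINSIGHTS_PROXY_PASSWORD=`"$($ProxyCredential.GetNetworkCredential().Password)`""
    }
}

$p = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow
if ($p.ExitCode -notin 0, 3010) { throw "MMA setup failed, exit code $($p.ExitCode)" }   # 3010 = installed, reboot required

# 3. Verify: the agent must list the workspace it was given, and the installed version is in the registry.
$cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws  = @($cfg.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }
if (-not $ws) { throw "Agent installed but workspace $WorkspaceId is not in its configuration" }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    AgentVersion    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup').AgentVersion
    WorkspaceId     = $ws.workspaceId
    ConnectionState = $ws.ConnectionStatusText   # human-readable form of ConnectionStatus
    ExitCode        = $p.ExitCode
}
```

The verification step is the part the one-line installer command leaves out: a zero exit code from setup.exe only proves the MSI ran, while GetCloudWorkspaces() proves the workspace binding was actually written, and the returned object is what you would log per host in a deployment package.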






Other helpful links

Docs site

Daniel Orneling Blog

TechNet gallery

Service Map SCOM pack configuration errors

Look for Event ID 6400 in the Operations Manager log on the management server if the workspace information you supplied is not correct


Event ID 6400 in Operations Manager log helps show what’s missing with Azure AD error events


Follow steps outlined in the ‘Set up Azure Service Principal’ blog here



Sample 6400 event

Message: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS90002: Tenant XXXXXXXXX not found.
This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.
Trace ID: 89abf27f-4884-4191-b577-de2fce100600
Correlation ID: c8a2470e-2383-4325-b91f-86b5e20ade57
Timestamp: 2018-08-06 20:34:49Z ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()
--- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)
   at Microsoft.SystemCenter.ServiceMap.REST.Credentials.AdCredentials.GetToken()
   at Microsoft.SystemCenter.ServiceMap.UI.SubscriptionData.TestConnection()
ErrorCode: invalid_request
StatusCode: 400

Inner Exception
Message: The remote server returned an error: (400) Bad Request.
Response URI:
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
client-request-id: c8a2470e-2383-4325-b91f-86b5e20ade57
x-ms-request-id: 89abf27f-4884-4191-b577-de2fce100600
x-ms-clitelem: 1,90002,0,,
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Expires: -1
Set-Cookie: esctx=AQABAAAAAADXzZ3ifr-GRbDT45zNSEFEzFrPhp_xcoXIlYw2iOqAFXkz7NO-Hm1hJdVAn6298A0ylDD5VvX2VosFiRVxTDzmRz24sbVUbhiTuyHJsmeIkR47y1MU3SafDlFp6xPo91BwZhRqoDPtP6YTBi5D6mHGqy2lkSAEVQtg9D4lsWTmKipm9iLaB2twBZcYR0VkDhIgAA;; path=/; secure; HttpOnly,x-ms-gateway-slice=004; path=/; secure; HttpOnly,stsservicecookie=ests; path=/; secure; HttpOnly
Server: Microsoft-IIS/10.0
Date: Mon, 06 Aug 2018 20:34:48 GMT
Content-Length: 508

MMA Agent, cross platform, and Azure

Things that make you go hmmm….



Ran across a scenario where we were trying to connect Azure cross-platform (Linux) VMs and MMA/SCOM agents to a SCOM management group.


The management group was 2012 R2; the discovery wizard from the SCOM console failed to install the agent with certificate errors.


Researching, found this article first

Windows Azure VM monitoring blog

There’s a version history for the Azure Monitor VM extension here


SCOM2012R2 after UR12 or SCOM 2016 UR2+ deprecated the SHA1 certificate


Deprecating SHA1 certificates
Tech Community blog


Product team nicely published a TechNet gallery script to help!

Gallery download – Script to update SHA1 certificates to SHA256 on cross-platform agents – SCOM

TechNet Gallery Download



Set up Azure Service Principal


Azure Service principal is like a Mech ID that does work for you behind the scenes

Stack Overflow states it plainly

An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources.
Docs site defines it as a Security identity object
We will need the AAD Tenant ID, Application ID (service principal), and Password (key)

AAD Tenant ID


For Service Map, the Tenant ID is the Azure Active Directory, Directory ID


From Azure Portal

Select Azure Active Directory > Properties > Directory ID in the Azure portal

See Docs site link

Save this to notepad, somewhere for safe keeping – password safe

Tenant ID

This is where you set up the Service Principal for an application.
Azure Active Directory is NOT required

From Azure Portal:
  Click on Azure Active Directory
  Click on Properties
  Copy the Directory ID

From OMS:
  Click on Overview, Settings
  Click on Accounts, Manage Users
  Copy the Tenant ID

Once you have the Directory ID copied, you need to set up an App registration.

App Registration ID

From Azure Portal
Click Azure Active Directory
Click App Registrations
Click + New application registration
Create name and URL
My example is ‘ServiceMap-App’ with my domain
Click Create
Click Settings
Click Keys
Recommend setting 2 keys with staggered expiry, so one can be rotated while the other stays valid, and saving them in a password safe (they are credentials, not notes)
I did 1 year and 2 year keys
Enter a name for Description, pick the Duration, and click Save
Value will be displayed once
Copy the value


Don't leave the blade without grabbing the key! The value is only shown at creation; if you miss it, delete that key and create a new one (the App Registration itself does not need to be recreated)
After creation, you have the Tenant ID, Application ID, and keys that SCOM will ask for
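The same registration can be created without the portal, and, more usefully, tested before the values go anywhere near SCOM. The script below is an added example, not code from the original post or from the Service Map docs: it creates the app registration and service principal with the Az PowerShell module, issues the two staggered client secrets recommended above, then logs on as the service principal to prove the tenant/app/key triple works (a wrong tenant ID is exactly what produces the AADSTS90002 "Tenant not found" seen in the Event ID 6400 sample). It assumes Az.Accounts plus the Microsoft Graph based Az.Resources (5.x or later, where New-AzADAppCredential returns SecretText and EndDateTime) and an account allowed to create app registrations; the display name is a placeholder.

```powershell
param(
    [string]$DisplayName = 'ServiceMap-App',   # placeholder, matches the post's example name
    [int[]]$KeyLifetimeYears = @(1, 2)         # staggered expiry so one key can be rotated while the other stays valid
)
$ErrorActionPreference = 'Stop'

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
$tenantId = (Get-AzContext).Tenant.Id     # the "Directory ID" from Azure Active Directory > Properties

# Idempotent: reuse an existing registration of the same name instead of creating duplicates.
$app = Get-AzADApplication -DisplayName $DisplayName | Select-Object -First 1
if (-not $app) {
    $app = New-AzADApplication -DisplayName $DisplayName
    New-AzADServicePrincipal -ApplicationId $app.AppId | Out-Null
}

# Issue the client secrets. SecretText is only ever returned by this call, which is the
# "don't leave the blade" problem from the portal, expressed in code.
$secrets = foreach ($years in $KeyLifetimeYears) {
    $cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears($years)
    [pscustomobject]@{ Expires = $cred.EndDateTime; Secret = $cred.SecretText }
}

# Prove the triple authenticates. A brand-new principal can take a short while to replicate,
# so retry a few times rather than failing on the first attempt.
$spCred = [pscredential]::new($app.AppId, (ConvertTo-SecureString $secrets[0].Secret -AsPlainText -Force))
$ok = $false
for ($try = 1; $try -le 6 -and -not $ok; $try++) {
    try {
        Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $spCred | Out-Null
        Disconnect-AzAccount | Out-Null        # drop the service principal context again
        $ok = $true
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $ok) { throw "Service principal logon failed for $($app.AppId) in tenant $tenantId" }

# Exactly what the SCOM "Add workspace" wizard asks for. Store the Keys in a password safe.
[pscustomobject]@{
    TenantId      = $tenantId
    ApplicationId = $app.AppId
    Keys          = $secrets
}
```

If the logon test fails here, fix the registration before touching SCOM; the wizard's "Verify Workspace Information" step will fail with the same token error, only with less detail than the exception you get in the shell.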


Service Map – Setting up SCOM management group


It’s time to get my SCOM MG running Service Map

Nothing like seeing what an application actually does, mapping ports a server is using, and who the server talks to!

From the docs site –


Download Management Pack

Let’s start with the pack download

Download Management Pack



Install Management pack

Choose your preference

PowerShell (as admin)

Import-SCOMManagementPack -FullName "S:\monadmin\backup\$date"

In case you need help – TechNet article


Lab Example

Import-SCOMManagementPack -FullName "S:\MonAdmin\SCOM\Management packs\Service Map - Blue Stripe for SCOM - OMS\v1.0.0.6\Microsoft.SystemCenter.ServiceMap.mpb"



Import via SCOM Console




Configure the Service Map integration

In SCOM Console, click on Administration Tab

Navigate to the Operations Management Suite, and expand for the Service Map selection


Click ‘Add workspace’

Paste in your Tenant ID, Application ID, and Service Principal Key that you set up prior

Click Next



Verify Workspace Information
Click Next



Two options – if you don’t have any Windows Computer based groups in your MG, skip down to Server Selection


If there are Machine Groups to add, click ‘Add/Remove’



Click Next to select individual servers

Click Add

Click OK to close window



Click Next to move to next window



  • How quickly information is fetched is governed by a rule; see the docs site
  • In the Server Selection window, you configure the Service Map Servers Group with the servers that you want to sync between Operations Manager and Service Map. Click Add/Remove Servers.

For the integration to build a distributed application diagram for a server, the server must be:

  • Managed by Operations Manager
  • Managed by Service Map
  • Listed in the Service Map Servers Group





Setup proxy if needed

Click Add Workspace






Use Service Map

Time to Use the tool –




Verifying Servers specified in Service Map

Verify group

SCOM Console > Authoring Tab > Groups

Look for > Service Map

View Group members or look at Explicit tab





On Management Server (MS), Operations Manager Event log


Get-EventLog -LogName "Operations Manager" -Newest 25


# This command will help if you get stuck on the workspace: filter on Event ID 6400 first, then take the newest 25
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ID = 6400 } -MaxEvents 25 | Format-List TimeCreated, Message



Filter by Error,Warning