Mining Windows Event Log

Mining Ore from the Windows Event Log and finding a way to make it portable


Use Get-WinEvent to use XML and filters from event viewer, to mine an event, including examples for a specific string, from a specific event, in a specific event log?



Hopefully this post will help with a few tips to simplify monitoring for events, whether in AzMon, SCOM, or via PowerShell.



Let’s start with the Dr Scripto blog post from quite a while ago –


Not sure how many people use get-WinEvent, but this is one tool in PowerShell that can help an admin parse the XML side of an event.


Example 1

Query Application Event Log for Severity, Event, and Event Data contains lync.exe

$query = @”


  <Query Id=”0″ Path=”Application”>

    <Select Path=”Application”>*[System[Provider[@Name=’Application Hang’]

    and (Level=2) and (EventID=1002)]]

    and *[EventData[Data=’lync.exe’]]</Select>




Get-WinEvent -FilterXml $query


PowerShell output

Use Get-WinEvent to use XML and filters from event viewer
Lync.exe event example output




Use Get-WinEvent to use XML and filters from event viewer

The Tip or Trick part of this – leverage your Event Viewer Filter as a query to use with get-WinEvent

Credit for this tip comes from Andrew Blumhardt!

See below for examples to ‘use Get-WinEvent to use XML and filters from event viewer’


Navigating via Event Viewer:

Hop onto your favorite server, or connect to another server via Event Viewer

Go to the Event Log > Click Filter Current Log

Build out your filter (i.e. choose specific Event Sources, exclude events, include severities, timeframe (start/end), etc.)

Use Get-WinEvent to use XML and filters from event viewer
SCVMM Application Log Event ID 25933

Switch to the XML tab (and note you can edit your query further!)

SCVMM query example screenshot
Event Viewer filter XML tab

You can copy the query from the Event Viewer into your Get-WinEvent syntax

$query = @”

<Query Id=”0″ Path=”Application”>
<Select Path=”Application”>*[System[Provider[@Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2012.Report.VMUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.EnableCredSSPClient’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Monitor.UserRoleQuotaUsageMonitor’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.ServiceUsageCollection’ or @Name=’Microsoft.SystemCenter.VirtualMachineManager.2016.Report.VMUsageCollection’] and (Level=2 or Level=3) and (EventID=25933)]]</Select>


Get-WinEvent -FilterXml $query


PowerShell output

Use Get-WinEvent to use XML and filters from event viewer
SCVMM query example screenshot





Example 3

Grab System Event Log, Event ID 5827  (NetLogon denied events)

get-WinEvent -FilterHashtable @{LogName=’System’; ID=’5827′;}


PowerShell output

Use Get-WinEvent to use XML and filters from event viewer
get-WinEvent filter by logname and event ID





MSFT DevBlogs

ADCS – Active Directory Certificate Services Addendum pack

Time to talk Certificates!
Certificate of Achievement


Hello again, it’s time to talk about ADCS – Active Directory Certificate Services Addendum!


First, I’d like to call out Bob Williams and Vance Cozier for their help and expertise!

SCOM-ADCS-Addendum download




ADCS is Active Directory Certificate Services, or what we would know as a Certificate Authority.  The goal was to improve the pack, because the focus is on how important certificates are to a modern enterprise.  Let’s begin the Active Directory Certificate Services Addendum pack review.


In this paragraph, let’s talk through the Certificate Services packs for 2016+, and how we as Microsoft consultants, and field engineers, recommend changes to the pack.  First, for some background, the collaboration process gets a better result improving Microsoft products.   Second, the collaboration result can vary.  Third, collaboration input can be based on customer input, or field engineer experience.  Most importantly, this is how we ‘would have liked’ the pack to work.


AD Certificate Services Monitoring

The Certificate services pack alerts on events/services.  Therefore, the pack does NOT monitor the SCEP URL.  For instance, a transaction web monitor was added.   The collaboration effort was focused on improving the ADCS pack, resulting in the creation of the Active Directory Certificate Services Addendum and customizations packs.


Download File

Let’s delve into the download file

SCOM-ADCS-Addendum download


Review file contents

  • Download.txt (in case you need to find it later!)
  • Version.Info.txt (MP version history, what was added & when)
  • XLS MP export of rules/monitors
  • ADCS Addendum & Customizations packs



Configuring Certificate Services docs site

ADCS download

Management Pack wiki

Setting up OMS Capacity and Performance


Do you know what your HyperV hosts are doing?

Not a HyperV fan, there’s a VMWare solution also here



Capacity dashboard





Troubleshooting dashboard

Windows Agents


Verify in Operations Manager if you have any error events

Event ID 4506 in this case is the Capacity and Performance Solution



Verify no proxy is set up (unless your network requires this)


Setting up OMS Service Map solution


Ever wonder what happened to BlueStripe?

Anyone else have experience using it with SCOM?

If you weren’t aware, Microsoft bought Blue Stripe back in 2015 link


Looks like BlueStripe FactFinder is now Service Map in Azure

Documentation here


Service Map is very easy to add and get value from right away with OMS

Download agent

You have two choices:

  1. Choose from documentation above, or from your OMS environmentdocsagentdownload
  2. From your OMS workspace, add the Service Map solution

Click on Home icon in top left hand corner


Click on Service Map pane

Click on Download Agent link as appropriate for Windows or Linux

Save file and install on your server(s)



Windows Server Installation

Execute the MSI file downloaded from OMS (NOTE may prompt with UAC prompt)

Click ‘I Agree’


Watch the Install


Click Finish


Now go back to OMS and look for updates (mine was that fast!)


Click on the Service Map pane to see more detail


To add additional machines is basically the same, just choose add machines



In case you caught that I have two (2) of the same named machines, it’s because I have that server set up for OMS separately.  Yes, it’s my lab, so I’m not following the best practice.



Basic Admin ‘How-to’ Series


This is a series of blog posts to help with SCOM best practices, and things that make SCOM easier to administer.


Associate MPX files in Notepad++ blog

Backup management packs via PowerShell blog

Get to know your monitor blog

Load Test MP with Report blog

Load Test MP Fragments blog

Maintenance Mode PowerShell blog

Manage DB storage with DWdataRP blog

Managing Subscriptions blog

PowerShell Rule/Monitor/PerfCounter MP and Fragments blog

Registry Key discovery MP Fragment clarification blog

Run As PowerShell monitor fragment blog

Sealing Management packs with 2012R2 and 2016 blog

Subscriptions blog

Subscription Set up Guide blog

Uncommon MP Fragments blog

Verifying Overrides blog


Best Practices

Agent Management pack KH Blog

Enable proxy as a default KH blog

How to be heard blog

Manage alerts/events/performance KH Blog

Office Analytics (find where all the time goes) blog

Optimize SQL blog

Recommended Registry tweaks KH blog

SCOM Agent Version Addendum KH blog

Set SCOM Agent to remotely managed KH Blog

SQL Engineering Blog

SYSTEM CENTER 2016 Operations Manager – Anti-Virus Exclusions blog

Update VMM MP’s for SCOM when SCVMM patched blog



MP Viewer blog

Download Notepad++ here

Kevin Holman blog on extracting scripts from MP’s using Transform tool from codeplex

Test fire events using EventLog Explorer here

Alternate tool to fire any events here