How to collect Applications and Services Logs from Windows event logs

Site24x7 AppLogs uses a Windows Management Instrumentation (WMI) query, run by the Site24x7 Server Monitoring agent, to fetch event logs. For logs in the Applications and Services Logs group, the WMI module can only read a channel that has the registry entry described below.

Running the WMI query

First, confirm whether the log file can be accessed through the Win32_NTLogEvent class by running the following WMI query in PowerShell. This is the same query that the Site24x7 Server Monitoring agent runs to collect the events.

Query: Get-WmiObject -Query "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile from Win32_NTLogEvent WHERE ( LogFile = '<LogFileName>' )" | select -First 1

Here, LogFileName is the name of the channel (the category of events) that you wish to collect.
In the examples considered here, LogFileName is Microsoft-Windows-PrintService/Admin or Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.
If the query returns no results, the log file cannot be accessed through WMI, and you need to register it through the Windows Registry. Note that a channel with no events in it also returns nothing, so make sure the log contains at least one event before concluding that it is inaccessible.

A registry entry is not mandatory for every category in the Applications and Services Logs group. Check first whether your channel is already visible in WMI, and add the entry only if it is not.

Adding through the Windows Registry

You can make an event log file readable by WMI by adding it to the Windows Registry. To do this, open the Registry Editor on the Windows machine and navigate to the following location.

Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

For example, if you want to collect logs from the Microsoft-Windows-PrintService/Admin category, add the following key under that location in the Windows Registry.
Registry key: Microsoft-Windows-PrintService/Admin

The name of the registry key must be the channel's complete Channel value, exactly as Event Viewer shows it. To find it, follow these steps:
  1. Navigate to Event Viewer > Applications and Services Logs.
  2. Select the required category under your applications.
  3. Click the Details tab.
  4. Expand the System section.
  5. Copy the Channel value as shown in the screenshot below.
  6. Use this Channel value as a Registry key when adding to the Windows Registry, as shown in the screenshot above.


After adding the key to the Windows Registry, re-run the WMI query from the section "Running the WMI query," substituting the registry key you just created for <LogFileName>, and confirm that it now returns an event.
You then have to enter this registry key when adding or editing a Log Profile for Windows event logs. To do this:
  1. Log in to Site24x7, go to Admin > AppLogs > Log Profile, and click Windows Event Logs.
  2. In the Edit Log Profile window that opens, paste the registry key in the field next to Windows Event Types.
  3. Click Save.
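The check-then-register-then-recheck procedure above can be scripted on the monitored host. The following is an added example, not Site24x7's own code or the agent's implementation; the function names are hypothetical, and it assumes an elevated PowerShell session because writing under HKLM requires administrator rights.

```powershell
# Added example (not Site24x7 code): make an Applications and Services Logs
# channel readable by the WMI query the agent runs. Run from an elevated session.

$EventLogKeyPath = 'SYSTEM\CurrentControlSet\Services\EventLog'

function Test-WmiEventLogChannel {
    param([Parameter(Mandatory)][string]$Channel)
    # Same query the agent runs; any result means WMI can read the channel.
    # Caveat: a channel that contains no events also returns nothing.
    $query = "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile " +
             "from Win32_NTLogEvent WHERE ( LogFile = '$Channel' )"
    $event = Get-WmiObject -Query $query | Select-Object -First 1
    return ($null -ne $event)
}

function Register-WmiEventLogChannel {
    param([Parameter(Mandatory)][string]$Channel)
    # Refuse to create a key for a channel Event Viewer does not know; the key
    # name must match the Channel value exactly, including the '/'.
    $null = Get-WinEvent -ListLog $Channel -ErrorAction Stop

    # Use the .NET registry API instead of the HKLM: provider, because the
    # provider can treat '/' in a path as a separator and create nested keys.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogKeyPath, $true)
    if ($null -eq $parent) { throw "Cannot open HKLM\$EventLogKeyPath for writing (not elevated?)" }
    try {
        $existing = $parent.OpenSubKey($Channel)
        if ($null -ne $existing) {
            $existing.Close()
            Write-Verbose "Key already exists: HKLM\$EventLogKeyPath\$Channel"
            return
        }
        $parent.CreateSubKey($Channel).Close()
        Write-Verbose "Created HKLM\$EventLogKeyPath\$Channel"
    } finally {
        $parent.Close()
    }
}

# Usage: check first, register only when WMI cannot see the channel, then re-check.
$channel = 'Microsoft-Windows-PrintService/Admin'
if (-not (Test-WmiEventLogChannel -Channel $channel)) {
    Register-WmiEventLogChannel -Channel $channel -Verbose
    if (Test-WmiEventLogChannel -Channel $channel) { "WMI can now read $channel" }
    else { "Still no events via WMI for $channel (is the log empty?)" }
}
```

The value of `$channel` is the same string you paste into the Windows Event Types field of the Log Profile.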


As another example, if you want to collect logs from the RemoteConnectionManager/Operational category, add the following key.
Registry key: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

In this case, paste the above key in the field next to Windows Event Types to collect Remote Connection Manager logs.


Similarly, you can paste the required keys into the Windows Event Types field in the Log Profile to collect other Applications and Services Logs from Windows event logs.
