Site24x7 AppLogs uses a Windows Management Instrumentation (WMI) query, run by the Site24x7 Server Monitoring agent, to fetch event logs. To read event logs from the Applications and Services Log group, the WMI module requires the registry entry described below.
Running the WMI query
First, confirm whether the log file can be accessed through Win32_NTLogEvent by running the following WMI query in PowerShell. This is the same query that the Site24x7 Server Monitoring agent runs to collect the events.
Query: Get-WmiObject -Query "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile from Win32_NTLogEvent WHERE ( LogFile = '<LogFileName>' )" | select -First 1
Here, LogFileName is the name of the category of events that you wish to collect.
In the examples considered here, LogFileName can be Microsoft-Windows-PrintService/Admin or Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.
If there are no results for this query, the log file cannot be accessed, and you need to add it through the Windows Registry.
A registry entry is not mandatory for every event type category in the Applications and Services Log group. Check whether your log file is already available through WMI, and add the entry only if it is not.
Adding through the Windows Registry
You can add event log files through the Windows Registry. To do this, open the Windows Registry on your Windows machine and go to the following registry location.
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
For example, if you want to collect logs from the Microsoft-Windows-PrintService/Admin category, add the key below in the Windows Registry.
Registry key: Microsoft-Windows-PrintService/Admin
- Log in to Site24x7 and go to Admin > AppLogs > Log Profile and click Windows Event Logs.
- In the Edit Log Profile window that opens, paste the registry key in the field next to Windows Event Types.
- Click Save.
As another example, if you want to collect logs from the RemoteConnectionManager/Operational category, enter the key below.
Registry key: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
In this case, paste the above key in the field next to Windows Event Types to collect Remote Connection Manager logs.
Similarly, you can paste the required keys next to the Windows Event Types field in the Log Profile to collect other Applications and Services Logs from Windows event logs.
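The check-then-add procedure above can be scripted for several log files at once. The following is an added example, not Site24x7 code: it runs the page's WMI query for each name and creates the key under the registry location only when the query returns nothing and the key is absent. The function name Test-WmiLogAccess and the name-validation pattern are assumptions of this example; save it as a .ps1 file and run it in an elevated Windows PowerShell session, with -WhatIf to preview changes.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # The two categories used as examples on this page; replace as needed.
    [string[]]$LogFileName = @(
        'Microsoft-Windows-PrintService/Admin',
        'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    )
)

$eventLogRoot = 'SYSTEM\CurrentControlSet\Services\EventLog'

# Hypothetical helper: runs the same query the page shows for one log file.
function Test-WmiLogAccess {
    param([string]$Name)
    # Refuse names that could break out of the quoted WQL string.
    if ($Name -notmatch '^[\w\-/ .]+$') { throw "Unexpected characters in log name: $Name" }
    $wql = "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile " +
           "from Win32_NTLogEvent WHERE ( LogFile = '$Name' )"
    $hit = Get-WmiObject -Query $wql -ErrorAction Stop | Select-Object -First 1
    return [bool]$hit
}

foreach ($name in $LogFileName) {
    if (Test-WmiLogAccess -Name $name) {
        Write-Output "[ok]      $name is readable through Win32_NTLogEvent"
        continue
    }
    # No rows returned: per the page, the key may be missing from the registry.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventLogRoot, $true)
    try {
        if ($name -in $root.GetSubKeyNames()) {
            Write-Output "[present] $name key already exists, but the query returned no rows"
        }
        elseif ($PSCmdlet.ShouldProcess("HKLM\$eventLogRoot", "Create key '$name'")) {
            # Use the .NET API here: the PowerShell registry provider (New-Item)
            # treats '/' as a path separator and would create nested keys instead.
            $root.CreateSubKey($name).Close()
            Write-Output "[added]   $name"
        }
    }
    finally { $root.Close() }
}
```

Names reported as [ok], [present], or [added] are the values to paste next to Windows Event Types in the Log Profile.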