Applications Manager AppLogs collects Windows event logs through the Applications Manager FSO agent, which runs a Windows Management Instrumentation (WMI) query against the Win32_NTLogEvent class. For some channels in the Applications and Services Logs group, WMI can read the log only after the registry entry described below has been added.
Running the WMI query
First, confirm whether the log file can be read through Win32_NTLogEvent by running the following WMI query in PowerShell. This is the same query the Applications Manager FSO agent runs to collect events.
Query:
PowerShell
- Get-WmiObject -Query "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile from Win32_NTLogEvent WHERE ( LogFile = '<LogFileName>' )" | select -First 1
- Here, <LogFileName> is the name of the event log category (the channel) you want to collect.
For example, <LogFileName> could be Microsoft-Windows-PrintService/Admin or Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.
If the query returns nothing, WMI cannot access the log file and you need to register it through the Windows Registry. Note that a channel that exists but has not recorded any events yet also returns nothing; check its record count in Event Viewer before concluding that it is inaccessible.
Note: A registry entry is not required for every category in the Applications and Services Logs group. Check first whether the log is already visible to WMI, and add the entry only if it is not.
Adding through the Windows Registry
You can make an event log file visible to WMI by adding a key for it in the Windows Registry. Open the Registry Editor on the monitored Windows machine (this requires administrator rights) and go to the following location.
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
For example, to collect logs from the Microsoft-Windows-PrintService/Admin category, add the following key under that location.
Registry key: Microsoft-Windows-PrintService/Admin
The key name must be the channel name exactly as Event Viewer shows it, including the forward slash. The key only registers the channel with the classic event log interface that Win32_NTLogEvent reads from; it does not grant any permissions, so the account the FSO agent runs as still needs read access to the channel.
Finding the correct Channel value:
The registry key must be the channel's full name, exactly as Event Viewer reports it (for example Microsoft-Windows-PrintService/Admin, not just PrintService or Admin). To find it:
- Navigate to Event Viewer → Applications and Services Logs.
- Select the required log under your application.
- Select an event and click the Details tab.
- Expand the System section.
- Copy the Channel value.
- Use this Channel value as the registry key name when adding it to the Windows Registry.
- Once you have added the key, run the WMI query from the section "Running the WMI query" again, using the registry key you just created as <LogFileName>, and confirm that it now returns an event.
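The check-then-register procedure described in "Running the WMI query" and in this section, as an added PowerShell example (not Applications Manager or FSO agent code). It assumes an elevated Windows PowerShell 5.1 session on the monitored host, because it writes under HKLM and uses Get-WmiObject, the same cmdlet as the page's query (Get-WmiObject is not available in PowerShell 7, where Get-CimInstance replaces it). The function names and the two sample channel names fed in at the end are the example's own.

```powershell
# Added example: check whether a channel in the Applications and Services Logs group
# is visible through Win32_NTLogEvent and, if not, register it under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog, then re-run the check.

$EventLogRoot = 'SYSTEM\CurrentControlSet\Services\EventLog'

function Test-WmiLogAccess {
    # $true when the same query the FSO agent runs returns at least one event.
    param([Parameter(Mandatory)][string]$LogFileName)
    $query = "Select EventCode,SourceName,TimeGenerated,Type,Message,Logfile " +
             "from Win32_NTLogEvent WHERE ( LogFile = '$LogFileName' )"
    $event = Get-WmiObject -Query $query -ErrorAction SilentlyContinue | Select-Object -First 1
    return ($null -ne $event)
}

function Get-ChannelInfo {
    # Event Viewer's view of the channel; $null if no channel of that name exists.
    param([Parameter(Mandatory)][string]$Channel)
    return (Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue)
}

function Test-ChannelRegistryKey {
    # $true when HKLM\...\EventLog\<Channel> already exists.
    param([Parameter(Mandatory)][string]$Channel)
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogRoot)
    try {
        $sub = $root.OpenSubKey($Channel)
        if ($null -eq $sub) { return $false }
        $sub.Close()
        return $true
    } finally { $root.Close() }
}

function Add-ChannelRegistryKey {
    # Creates HKLM\...\EventLog\<Channel>. The .NET registry API is used on purpose:
    # the key name contains '/', which the HKLM: drive provider treats as a path
    # separator, so New-Item would create a nested key (...\Microsoft-Windows-PrintService\Admin)
    # instead of one key named 'Microsoft-Windows-PrintService/Admin'.
    param([Parameter(Mandatory)][string]$Channel)
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($EventLogRoot, $true)
    try {
        $key = $root.CreateSubKey($Channel)
        $key.Close()
    } finally { $root.Close() }
}

function Enable-WmiEventLogChannel {
    # Whole procedure: channel exists -> visible to WMI? -> add key if needed -> re-check.
    param([Parameter(Mandatory)][string]$Channel)

    $info = Get-ChannelInfo -Channel $Channel
    if ($null -eq $info) {
        Write-Warning "Channel '$Channel' does not exist on this host; copy the Channel value from Event Viewer."
        return
    }
    if (Test-WmiLogAccess -LogFileName $Channel) {
        Write-Host "OK: '$Channel' is already readable through Win32_NTLogEvent; no registry key needed."
        return
    }
    if ($info.RecordCount -eq 0) {
        # An empty channel also yields an empty WMI result, so this is not proof of inaccessibility.
        Write-Warning "'$Channel' has no events yet; an empty WMI result does not prove it is inaccessible."
    }
    if (-not (Test-ChannelRegistryKey -Channel $Channel)) {
        Add-ChannelRegistryKey -Channel $Channel
        Write-Host "Added HKLM\$EventLogRoot\$Channel"
    }
    if (Test-WmiLogAccess -LogFileName $Channel) {
        Write-Host "OK: '$Channel' is now readable; use this exact string in the Log Profile."
    } else {
        Write-Warning "'$Channel' still returns no events through WMI; check that the channel has events and that the agent account can read it."
    }
}

# Constructed sample input: the two channels named on this page.
'Microsoft-Windows-PrintService/Admin',
'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' |
    ForEach-Object { Enable-WmiEventLogChannel -Channel $_ }
```

Run it as an administrator on the host where the FSO agent is installed. The registry write and the WMI query are both done as the interactive user; the final check therefore confirms that the channel is registered, but if the FSO agent runs under a less privileged service account you should also confirm that that account can read the channel.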
Configuring the Log Profile:
You then enter this registry key when adding or editing a Log Profile for Windows event logs. For this:
- Navigate to Settings → AppLogs Configuration → Log Profiles and click on the edit icon of the Windows Event Log profile you've configured.
- In the Edit Log Profile window that opens, paste the registry key in the field next to Windows Event Types.
- Click Save.
As another example, to collect logs from the RemoteConnectionManager/Operational category, enter the following key.
Registry key: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
In this case, paste the above key in the field next to Windows Event Types to collect Remote Connection Manager logs.
Similarly, you can paste the required keys into the List of files to search for logs field in the Log Profile to collect other Applications and Services Logs from Windows event logs.