Querying Windows event logs using ConfigMgr hardware inventory

Written by Jeff Gilbert

The View Provider can be used to perform simple WQL queries during client hardware inventory. I created the MOF edit below to demonstrate this for my inventory lab at MMS 2007, and I figured it would be a handy example for others modifying their inventory to collect specific information.

Any valid WQL query that uses a simple SELECT statement can be used in the ViewSources line, but test these MOF additions in a lab first to make sure the performance hit on clients during hardware inventory is acceptable.

The following example will query the client System event log looking for installed update events (4377 events) during hardware inventory:

//---------------------------- Data Class ----------------------------
// View Provider class: exposes the Win32_NTLogEvent instances matched by the ViewSources query

#pragma namespace("\\\\.\\root\\cimv2")
[Union, ViewSources{"Select * FROM Win32_NTLogEvent WHERE LogFile = 'System' AND EventCode = 4377"},
ViewSpaces{"\\\\.\\root\\cimv2"}, Dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
Class NTLogEvent
{
    [PropertySources("LogFile"), Key] String LogFile;
    [PropertySources("RecordNumber"), Key] UINT32 RecordNumber;
    [PropertySources("Message")] String Message;
    [PropertySources("TimeGenerated")] DateTime TimeGenerated;
};

//-------------------------- Reporting Class --------------------------
// Tells hardware inventory which properties of the view class to report
#pragma namespace("\\\\.\\root\\CIMV2\\SMS")
[SMS_Report(TRUE),
SMS_Group_Name("Installed Updates"),
SMS_Class_ID("MICROSOFT|Win32_NTLogEvent|1.0")]
Class NTLogEvent : SMS_Class_Template
{
    [SMS_Report(TRUE), Key] String LogFile;
    [SMS_Report(TRUE), Key] UINT32 RecordNumber;
    [SMS_Report(TRUE)] String Message;
    [SMS_Report(TRUE)] DateTime TimeGenerated;
};
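
One way to do the lab test recommended above, as an added example that is not part of the original post: time the ViewSources query on a lab client, then confirm that the view class returns the same instances. The helper name Measure-InventoryQuery is hypothetical, and the script assumes PowerShell 3.0 or later on the client.

```powershell
# Added lab check, not part of the original MOF edit.
# Measure-InventoryQuery is a hypothetical helper name.
function Measure-InventoryQuery {
    param(
        [Parameter(Mandatory)] [string]$Query,
        [string]$Namespace = 'root\cimv2',
        [int]$Runs = 3
    )
    $seconds = @()
    $rows = @()
    for ($i = 0; $i -lt $Runs; $i++) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        $timer.Stop()
        $seconds += $timer.Elapsed.TotalSeconds
    }
    # Message is the only free-text property reported; its total length gives
    # a rough idea of how much data the inventory report gains per client.
    $messageChars = 0
    foreach ($row in $rows) {
        if ($row.Message) { $messageChars += $row.Message.Length }
    }
    $stats = $seconds | Measure-Object -Minimum -Maximum
    [pscustomobject]@{
        Query          = $Query
        Instances      = $rows.Count
        MessageChars   = $messageChars
        FastestSeconds = [math]::Round($stats.Minimum, 2)
        SlowestSeconds = [math]::Round($stats.Maximum, 2)
    }
}

# 1. Cost of the source query exactly as written in ViewSources.
$source = Measure-InventoryQuery -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'System' AND EventCode = 4377"
$source | Format-List

# 2. If the data class is already compiled on this client, the view class
#    should return the same number of instances as the source query.
try {
    $view = Measure-InventoryQuery -Query 'SELECT * FROM NTLogEvent'
    $view | Format-List
    if ($view.Instances -ne $source.Instances) {
        Write-Warning "View returned $($view.Instances) instances, source returned $($source.Instances)."
    }
} catch {
    Write-Warning "View class NTLogEvent not available in root\cimv2: $($_.Exception.Message)"
}
```

Run it on a client with a large System log as well as a small one; the slowest timing on the large log is the figure to weigh against your inventory schedule.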

You can get this MOF edit (as a .txt file) by right clicking HERE and selecting Save As…

Hope this helps,
