Windows Event Logs

This article covers how to record and analyze Windows events with Edge DX.

Event Collection and Recording

The Edge DX agent collects events and sends them to your tenant every minute. This means that there might be up to a one-minute delay between the event occurring on a device and the event appearing in Edge DX.

Events are recorded only if the agent is running at the time of the event. Events that occur when a device is starting might not be recorded because the agent is not yet running on the device.

Select Which Events to Record

The following events are always recorded:

• System log 1074 (shutdown)
• Application log 1000 (application crash)
• Application log 1002 (application hang)
• Application log 1033 (MSI install)
• Application log 1034 (MSI uninstall)

You can configure the agent to record additional events. To choose which additional events are recorded:

1. Go to Configuration > Settings > Agent.

   

2. Scroll down to Windows Event Log Collection. The agent records the events listed in the table. Some events are included in the table by default.

   

3. Click Add Row.

4. In the Event Log column, enter the full name of the event log in which the event is stored. You can select from the dropdown list or type in the event log name (for example, Microsoft-Windows-WLAN-AutoConfig/Operational)
   

5. In the Event IDs column, enter a comma-separated list of event IDs that you want to record from the event log.

6. Optionally, enter a source for the events in the Source column. The agent records the event only if it comes from the source you enter. If you don't enter a source, then the agent records the event for all sources.

7. In the Description column, add a description to help you remember what the events mean. The description you enter doesn't appear anywhere else in Edge DX.

8. Click Save Windows Event Log Settings to save your changes.

After adding Windows events to the Windows Event Log Collection table, the agent will record future events meeting the conditions you specified. Changes to event log collection settings do not update historical data that was previously collected.

View Recorded Events

The Windows Event Log report shows all of the recorded events in your environment.

The report is built from the win_event_log data index. To view the raw data in the data index, go to Configuration > Data > win_event_log.

Set up Alerts and Automation Based on Events

You can use the win_event_log data index to create an automatic alert that triggers when a device has a specific Windows event. Learn how to create an alert from a data index.

Get Windows Events by Remote Controlling a Device

Another method to view events is to remote control into a device and view the events locally from the device. Learn more about remote control.

Get Windows Events by Running a Script on a Device

You can run a script on a device to scrape for events matching the conditions specified in the script.

The following script returns all events with ID 1030, 1031, or 1032 in the Application log in the last 96 hours. Edit the script to adjust the search criteria. Note that the output has a character limit, so you might need to change the -MaxEvents argument to a lower number if the output is greater than the character limit.

Add the script to Edge DX and run it as Custom Action - System on the target device. Learn how to add a custom script to Edge DX.

$EventList = Get-WinEvent -MaxEvents 20 -ErrorAction SilentlyContinue -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-96); Id = 1030,1031,1032 }

Write-Output "### SIP EVENT BEGINS ###"
Write-Output ($EventList.Length)
Write-Output ($EventList  | Format-List)
Write-Output "### SIP EVENT ENDS ###"