- 28 May 2025
Windows Event Logs
- Updated on 28 May 2025
This article covers how to record and analyze Windows events with ControlUp.
Event Collection and Recording
The ControlUp for Desktops Agent collects events and sends them to your tenant every minute. This means that there might be up to a one-minute delay between the event occurring on a device and the event appearing in ControlUp.
Events are recorded only if the agent is running at the time of the event. Events that occur when a device is starting might not be recorded because the agent is not yet running on the device.
Select Which Events to Record
The following events are always recorded:
- System log 1074 (shutdown)
- Application log 1000 (application crash)
- Application log 1002 (application hang)
- Application log 1033 (MSI install)
- Application log 1034 (MSI uninstall)
You can configure the agent to record additional events. To choose which additional events are recorded:
Go to ControlUp for Desktops > Configuration > Settings > Agent > Windows Event Log Collection. The Agent records the events listed in the table. Some events are included in the table by default.
Click Add Row.
In the Event Log column, enter the full name of the event log in which the event is stored. You can select from the dropdown list or type in the event log name (for example, Microsoft-Windows-WLAN-AutoConfig/Operational).
In the Event IDs column, enter a comma-separated list of event IDs that you want to record from the event log.
Optionally, if you want to collect events only from a specific source, use the Source column. Note that you must enter the Provider Name of the event, which is sometimes different from the source listed in Windows Event Viewer. To view the Provider Name of an event, open the properties for the event. If you don't enter a source, then all sources are recorded.
In the Description column, add a description to help you remember what the events mean. The description you enter doesn't appear anywhere else in ControlUp.
Click Save Windows Event Log Settings to save your changes.
After adding Windows events to the Windows Event Log Collection table, the agent will record future events meeting the conditions you specified. Changes to event log collection settings do not update historical data that was previously collected.
View Recorded Events
The Windows Event Log report shows all of the recorded events in your environment. To access the report, go to ControlUp for Desktops > Reports > Windows Event Log.
The report is built from the win_event_log data index. To view the raw data in the data index, go to Configuration > Data > win_event_log.
Set up Alerts and Automation Based on Events
You can use the win_event_log data index to create an automatic alert that triggers when a device has a specific Windows event. Learn how to create an alert from a data index.
Get Windows Events by Remote Controlling a Device
Another method to view events is to remote control into a device and view the events locally from the device. Learn more about remote control.
Get Windows Events by Running a Script on a Device
You can run a script on a device to scrape for events matching the conditions specified in the script.
The following script returns events with ID 1030, 1031, or 1032 in the Application log in the last 96 hours. Edit the script to adjust the search criteria. Uploading data to the System Events log using SIP EVENT BEGINS has a limit of 4000 characters, so you might need to change MaxEvents in the script to a number lower than 20 if the output is greater than 4000 characters.
Add the script to ControlUp and run it as Custom Action - System on the target device. Learn how to add a custom script.
# Return up to 20 Application-log events with ID 1030, 1031, or 1032 from the last 96 hours.
# @() keeps the result an array when zero or one event matches.
$EventList = @(Get-WinEvent -MaxEvents 20 -ErrorAction SilentlyContinue -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-96); Id = 1030,1031,1032 })
Write-Output "### SIP EVENT BEGINS ###"
Write-Output ($EventList.Length)
Write-Output ($EventList | Format-List)
Write-Output "### SIP EVENT ENDS ###"
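A variant of the script above, as an added example that is not ControlUp's own code: instead of lowering MaxEvents by hand, it writes one compact line per event and stops before the 4000-character limit is reached. It assumes the limit applies to the text between the two markers; $Reserve, $MaxMsgChars and the line layout are illustrative choices.

```powershell
# Added example, not ControlUp's own script.
# Assumption: the 4000-character limit applies to the text between the markers.
$MaxChars    = 4000   # limit stated in the article
$Reserve     = 64     # illustrative headroom for the summary line
$MaxMsgChars = 160    # illustrative cap on each event's message text
$Budget      = $MaxChars - $Reserve

$Filter = @{
    LogName   = 'Application'
    StartTime = (Get-Date).AddHours(-96)
    Id        = 1030, 1031, 1032
}

# @() keeps the result an array when zero or one event matches.
# Get-WinEvent returns newest events first, so the cut drops the oldest ones.
$Events = @(Get-WinEvent -FilterHashtable $Filter -MaxEvents 20 -ErrorAction SilentlyContinue)

$Lines = New-Object 'System.Collections.Generic.List[string]'
$Used  = 0
foreach ($Evt in $Events) {
    # Message is empty when the provider's message resources are not available.
    $Msg = if ($Evt.Message) { ($Evt.Message -split '\r?\n')[0] } else { '(no message)' }
    if ($Msg.Length -gt $MaxMsgChars) { $Msg = $Msg.Substring(0, $MaxMsgChars) + '...' }

    # ProviderName is the value the Source column of the collection table expects.
    $Line = '{0:s} | {1} | {2} | {3}' -f $Evt.TimeCreated, $Evt.Id, $Evt.ProviderName, $Msg
    $Cost = $Line.Length + [Environment]::NewLine.Length
    if ($Used + $Cost -gt $Budget) { break }   # stop before exceeding the limit
    $Lines.Add($Line)
    $Used += $Cost
}

Write-Output "### SIP EVENT BEGINS ###"
Write-Output ("returned={0} included={1}" -f $Events.Count, $Lines.Count)
Write-Output $Lines
Write-Output "### SIP EVENT ENDS ###"
```

When included is lower than returned, the oldest events were dropped to stay within the limit; narrow StartTime or the Id list to see them.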