Tutorial: Scope Action
Reporting all machines with specific Event Log entries
This tutorial explains how you can use a scope action to generate a report of specific event log entries for a set of machines.
Solution
In this example, we create a scope action which reports all Application Event Log entries related to the source Goverlan on a set of machines.
Note: Reporting all event entries with a specific Event ID or other criteria is very similar.
The Goverlan Scope Action feature doesn't include a native attribute set for event log entries. Therefore, we need to use WMI technology to accomplish our goal.
First, we need to find out which WMI class can help us with this report. WMI contains a lot of classes, and we need the one that provides information on a single entry of the event logs. Once we find the WMI class which encapsulates an Event Log Entry, we will need to build a WMI Query which targets only specific events.
This seems complicated, but it can easily be done using the WMIX feature.
Open WMIX and open the WMI repository on the local machine (connect to 127.0.0.1).
Select the Query WMI tab. This tab allows you to create and test WMI Queries.
Click on Use Query Wizard.
Under Query Wizard : Select WMI Class.
Click on the down arrow of the selection control and select: Other Class at the bottom of the list.
In the Search for WMI window, enter Event in the search field.
Confirm that the Search In option is set to CIMV2 (default namespace).
Under Search Options, only enable Search object names.
Click on Search...
The search returns three entries: NT Eventlog File, NT EventLog Provider Config and NT Log Event. The last entry is the one we need, so double click on it.
Click on Next.
Under Query Wizard : Select the Properties to return > select All Properties and click on Next.
Under Query Wizard : WMI Query Filter > select Configure a WMI query filter and click on Next.
This is where we define our event search criteria. We need to specify that we only want event entries from the Goverlan source.
Click on Add a new condition to this group.
Set the condition Property to Source Name, the condition to = (equal) and the value to Goverlan. Click on OK.
Since multiple event logs exist on a machine, to reduce the amount of processing time for this query, we add another filter which only targets the Application log.
Click on Add a new condition to this group.
Set the condition Property to Log File, the condition to = (equal) and the value to Application. Click on OK.
If you need to add other filters, repeat step 8. For instance, you can search the events by event ID or severity.
Click on Finish.
The WMI Query Wizard has now generated the appropriate WQL query for our needs. Let's test it on the local machine to make sure it returns the expected results.
Click on the Transfer to Query Field button and click on Run Query. The query is run against your machine and the resulting event entries are returned in the Instances Query Result pane. You can double click on any of the resulting objects to view its properties and to confirm that the information is correct.
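For reference, the two wizard conditions correspond to a WQL query against the Win32_NTLogEvent class (properties SourceName and Logfile). The following PowerShell is an added example, not output from WMIX or Goverlan code; the exact query text the wizard produces may differ, and the computer list, output file name and the ConvertTo-WqlLiteral helper are assumptions made for illustration.

```powershell
# Added example: run the equivalent WQL outside Goverlan to cross-check a report.
$source  = 'Goverlan'       # Source Name condition from the tutorial
$logFile = 'Application'    # Log File condition from the tutorial

# Hypothetical helper: WQL string literals escape backslash and single
# quote with a backslash, so filter values cannot break out of the literal.
function ConvertTo-WqlLiteral([string]$Value) {
    "'" + ($Value -replace '\\', '\\' -replace "'", "\'") + "'"
}

# Filtering on Logfile keeps the provider from scanning every event log.
$wql = "SELECT * FROM Win32_NTLogEvent " +
       "WHERE SourceName = $(ConvertTo-WqlLiteral $source) " +
       "AND Logfile = $(ConvertTo-WqlLiteral $logFile)"

# Constructed list; replace with the machines in your scope.
# Get-CimInstance -ComputerName connects over WS-Man (WinRM).
$computers = @('127.0.0.1')

$report = foreach ($computer in $computers) {
    try {
        Get-CimInstance -ComputerName $computer -Query $wql -ErrorAction Stop |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          TimeGenerated, EventCode, Type, SourceName, Message
    }
    catch {
        # Keep unreachable machines in the report instead of dropping them,
        # so a missing row is never mistaken for "no matching events".
        [pscustomobject]@{
            Computer      = $computer
            TimeGenerated = $null
            EventCode     = $null
            Type          = 'QueryFailed'
            SourceName    = $null
            Message       = $_.Exception.Message
        }
    }
}

$report | Export-Csv -Path .\GoverlanEvents.csv -NoTypeInformation
```

To filter by event ID or severity as well, append a condition such as `AND EventCode = <id>` to the WHERE clause.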
Now that we have created the WMI Query, we need to configure it into the Scope Action feature. Do not close WMIX yet as we may need it again.
Open Goverlan and select the Scope Action feature.
Create a new scope action, define its name and click on Next.
Under Scope, select the Computers object type and define the list of machines to process (see: Defining the Scope). Click on Next.
Under Actions, double click on Add New to start the Action Module property window.
Under Execute the following Action(s), click on Add/Remove > Report Computer Property > WMI Objects > Manage WMI Objects...
The list of WMI Objects accessible from a scope action can be configured using WMIX or by using a dedicated data set (see: Working with WMI and Scope Actions).
If you chose to use WMIX to define the list of WMI objects, go back to where we left off in WMIX, then:
Click on the Add Query to Browser View... button
Enter the query display name, for instance, Goverlan Events.
Select 'No' when prompted to set the focus on this new object.
Close WMIX.
If you have selected to use a separate list:
Click on Manage Custom List.
Click on the button.
Select Add a new query object from the menu.
Enter the query object's display name, for instance, Goverlan Events.
Copy the WQL Query string we generated in the previous section from WMIX to the Query fields.
Click on OK.
Now we can select the WMI query as a report attribute set.
Under Execute the following Action(s), click on Add/Remove > Report Computer Property > WMI Objects > [Query] Goverlan Events > All [Query] Goverlan Events Information.
Complete your scope action and run it.
To view the report of the scope action, right-click on it and select View Last Run's Report. From the Select Report Format window, select the HTML format - Report Model and click on OK.
Note: The HTML report includes an Export to CSV button. Click on it to save the data displayed into a comma separated value file or to view the data in Microsoft Excel.