Device Details

| Field | Value |
|---|---|
| Device Name | MS Windows Event Logging XML - WMI |
| Vendor | N/A |
| Device Type | N/A |
| Supported Model Name/Number | N/A |
| Supported Software Version | N/A |
| Collection Method | MS Windows Event |
| Configurable Log Output | N/A |
| Log Source Type | MS Windows Event Logging XML - WMI |
| Log Processing Policy | LogRhythm Default V 2.0 |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--event-logs |
Supported Log Messages
(List of LR tags used to parse the log information for each message type)

| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Catch-All | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
| EVID 1 : Event Sequence Start | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <sname>, <login>, <processid> |
| EVID 2 : Events That Make Up Operation | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process> |
| EVID 3 : Event Sequence Ended | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid> |
| EVID 19 : Event Filters Registered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <processid> |
| EVID 20 : Event Consumers Registered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <processid> |
| EVID 21 : Event Subscription Registered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
| EVID 50 : Generic Error Event | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
| EVID 100 : Degradation has been Detected | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <subject>, <object> |
| EVID 101 : Task Scheduler Failed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>, <reason> |
| EVID 5857 : Operation Started | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <responsecode>, <process>, <processid> |
| EVID 5858 : Client Failure | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <sname>, <domainorigin>, <login>, <processid>, <process>, <responsecode>, <reason> |
| EVID 5859 : Ess Started | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainorigin>, <login>, <processid>, <reason> |
| EVID 5860 : Temporary Ess Started | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainorigin>, <login>, <processid>, <sname>, <reason> |
| EVID 5861 : Ess Consumer Binding | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <reason> |
Revision History

| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.XXX.X | Syslog - MS Windows Event Logging XML - WMI | New Device Documentation | N/A |