MS Windows Event Logging XML - WMI
Device Details
| Device Name | MS Windows Event Logging XML - WMI |
| Vendor | N/A |
| Device Type | N/A |
| Supported Model Name/Number | N/A |
| Supported Software Version | N/A |
| Collection Method | MS Windows Event |
| Configurable Log Output | N/A |
| Log Source Type | MS Windows Event Logging XML - WMI |
| Log Processing Policy | LogRhythm Default V 2.0 |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--event-logs |
Supported Log Messages
(List of LR tags used to parse the log information for each message type)
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Catch-All | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
| EVID 1 : Event Sequence Start | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <sname>, <login>, <processid> |
| EVID 2 : Events That Make Up Operation | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process> |
| EVID 3 : Event Sequence Ended | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <processid> |
| EVID 19 : Event Filters Registered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <processid> |
| EVID 20 : Event Consumers Registered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <process>, <processid> |
| EVID 21 : Event Subscription Registered | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
| EVID 50 : Generic Error Event | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname> |
| EVID 100 : Degradation has been Detected | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <subject>, <object> |
| EVID 101 : Task Scheduler Failed | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <object>, <reason> |
| EVID 5857 : Operation Started | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <responsecode>, <process>, <processid> |
| EVID 5858 : Client Failure | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <sname>, <domainorigin>, <login>, <processid>, <process>, <responsecode>, <reason> |
| EVID 5859 : Ess Started | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainorigin>, <login>, <processid>, <reason> |
| EVID 5860 : Temporary Ess Started | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <domainorigin>, <login>, <processid>, <sname>, <reason> |
| EVID 5861 : Ess Consumer Binding | N/A | <vmid>, <severity>, <vendorinfo>, <result>, <dname>, <reason> |
Revision History
| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.XXX.X | Syslog - MS Windows Event Logging XML - WMI | New Device Documentation | N/A |