I am trying to use Task Scheduler to monitor an AD FS 2.0 event log on an AD FS 2.0 proxy which is located in a DMZ on a Windows 2008 R2 server. I am trying to monitor the log for a specific Event ID and data. I know the format works because I am able to trigger a task in the Application log using the following manual query:
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=2) and (EventID=1)]]
    and
    *[EventData[(Data='Testing')]]
    </Select>
  </Query>
</QueryList>
If I use EVENTCREATE, I can create a test event with the following command to test the above scheduled task:
EventCreate /ID 1 /L APPLICATION /T Error /SO Test /D "Testing"
I can also trigger a scheduled task using the AD FS 2.0 log with the following query (and it works):
<QueryList>
  <Query Id="0" Path="AD FS 2.0/Admin">
    <Select Path="AD FS 2.0/Admin">*[System[(Level=2) and (EventID=364)]]</Select>
  </Query>
</QueryList>
However, once I try to also query for specific “data” from the log, the scheduled task is no longer triggered. The following query fails:
<QueryList>
  <Query Id="0" Path="AD FS 2.0/Admin">
    <Select Path="AD FS 2.0/Admin">*[System[(Level=2) and (EventID=364)]]
    and
    *[EventData[(Data='Could not connect')]]
    </Select>
  </Query>
</QueryList>
(I can’t seem to figure out how to use EVENTCREATE with the AD FS 2.0 log, I think the log path doesn’t work properly for EVENTCREATE, so I can’t generate test events)
Anyway, I am using the exact same query format with my AD FS scheduled task query that I used with the Application log test query (and that format worked, so it seems that “EventData” does work). I know that I have the correct path to the log, because the query for AD FS works when I don’t use “EventData”. The only thing that I can think of is that this is a Microsoft bug or something, where EventData queries of a Windows log won’t work when the log is under the “Applications and Services Logs” tree, maybe? Does anyone have any experience creating Scheduled Task event log queries, and if so, how can I query the Windows event log (not the normal Application, System or standard logs, but the additional “Hardware Events”, “Windows PowerShell” type logs) for EventData data?
Thanks
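Added diagnostic for the situation described above (not code from the original post): since EVENTCREATE cannot write to the AD FS 2.0/Admin log, this script runs on the proxy in an elevated PowerShell session, dumps the actual EventData layout of recent EventID 364 records (so you can see whether any Data element holds exactly the text the filter compares against), and then runs the same QueryList XML through Get-WinEvent -FilterXml, which uses the same event-log XPath engine as a Task Scheduler event trigger. The log name, event ID and search text are taken from the post; everything else is an assumption.

```powershell
# Added example, not part of the original post.
$logName = 'AD FS 2.0/Admin'   # from the post
$eventId = 364                 # from the post
$wanted  = 'Could not connect' # from the post

# Step 1: show how EventID 364 actually lays out its EventData.
# In event-log XPath, Data='...' is an exact, whole-value comparison against
# each <Data> element, so it only matches if one element holds exactly $wanted.
$recent = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventId } `
                       -MaxEvents 3 -ErrorAction SilentlyContinue
foreach ($e in $recent) {
    $doc = [xml]$e.ToXml()
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ev', 'http://schemas.microsoft.com/win/2004/08/events/event')
    Write-Host "--- RecordId $($e.RecordId)  $($e.TimeCreated)"
    $dataNodes = $doc.SelectNodes('//ev:EventData/ev:Data', $ns)
    if ($dataNodes.Count -eq 0) {
        # Some providers put their payload under <UserData> instead of <EventData>;
        # an EventData[...] predicate can never match such events.
        Write-Host "  (no <Data> elements; raw payload follows)"
        Write-Host "  $($doc.Event.InnerXml)"
        continue
    }
    foreach ($d in $dataNodes) {
        $name = $d.GetAttribute('Name'); if (-not $name) { $name = '(unnamed)' }
        $exact = if ($d.InnerText -eq $wanted) { '  <== exact match' } else { '' }
        Write-Host ("  Data[{0}] = '{1}'{2}" -f $name, $d.InnerText, $exact)
    }
}

# Step 2: run the post's failing query itself against the live log.
# A result count of 0 here means the Task Scheduler trigger will not fire either.
$query = @"
<QueryList>
  <Query Id="0" Path="$logName">
    <Select Path="$logName">*[System[(Level=2) and (EventID=$eventId)]] and *[EventData[(Data='$wanted')]]</Select>
  </Query>
</QueryList>
"@
$hits = @(Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue)
Write-Host "Query matched $($hits.Count) event(s) in '$logName'"
```

Compare the Data values printed in step 1 with the text used in the filter; if the provider stores a longer message in the Data element, or places its payload outside EventData, the exact-match predicate in step 2 will report 0 hits even though the EventID-only query matches.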