I have a set of performance counters alerts on windows 2008 server, which I configured to write in the Event Viewer once the alert is fired.
It does write in this event viewer "Applications and Services Logs/Microsoft/Windows/Diagnosis-PLA/Operational"
I am trying to write a WMI query, in vbscript file, against this event viewer to read the events there.
Here is my query:
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("select * from Win32_NtLogEvent where Logfile = 'Microsoft-Windows-Bits-Client%4Operational'")
The problem is: when I check colItems.count, it returns zero, however I know that there are events there, I can see them when I navigate to the event viewer.
The same query works fine if I query the 'Application' event viewer:
Set colItems = objWMIService.ExecQuery("select * from Win32_NtLogEvent where Logfile = 'Application'")
It returns the count correctly.
Any idea what the problem is in the first query?
WMI doesn't support Event Tracing for Windows event logs. The Application event log (for which your query is working) is a classic event log that does not use the Windows Eventing technology. The Win32_NtLogEvent exposes events logged in classic event logs, however it does not expose events from the more recent event logs (introduced in Vista). You can however read these logs using the PowerShell cmdlet Get-WinEvent.