Unable to add additional Windows event logs to a WMI datasource
Technical Articles ID:   KB81367
Last Modified:  8/21/2019

Environment

McAfee SIEM Enterprise Security Manager (ESM) 11.x.x, 10.x.x
McAfee SIEM Enterprise Event Receiver (Receiver) 11.x.x, 10.x.x

Problem

When you click Get Logs during the creation of a WMI datasource, you are presented with a limited number of Windows event logs. The list is incomplete. Other event logs that are available under Applications and Services logs (for example, Print Service) are not displayed. 

NOTE: If you try to type the log names manually, they are still not found and displayed.

Cause

The WMI Parser uses the registry to identify which Windows event logs it can obtain and present to the user. Because the registry does not contain an entry for the source that you require, you will not see it in the list.

Solution

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.


Create a registry entry and enable the WMI Parser to see the existence of the Windows Event log:
  1. Find the actual name of the event log. For example, PrintService.
  2. On the Windows system, open Event Viewer. Expand Windows Logs > Applications and Services Logs > Microsoft > Windows > PrintService > Microsoft-Windows-PrintService/Admin.
  3. Go to Properties and copy the Full Name field.
  4. Click Start, Run, type regedit and then click OK.
  5. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
      
  6. Create a key using the full name that you copied earlier. For example, Microsoft-Windows-PrintService/Admin.
  7. Close the registry editor.
  8. Create the WMI datasource and use Get Logs in the same way that you did previously. This time, you can see and select the relevant source (in this example, Microsoft-Windows-PrintService/Admin).
  9. Write out the datasource.
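The following PowerShell script is an added example, not part of the McAfee article, that automates the check described under Cause and the registry change described in steps 5 and 6. It lists the event logs on the host that have no key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog (these are the ones Get Logs will not show), backs up that registry branch, and then creates the missing key for one log. The default log name is the article's example; the script assumes it is run in an elevated PowerShell session on the Windows host being monitored.

```powershell
# Added example (not from the KB article): find Windows event logs that the
# WMI Parser cannot see because they lack a key under
# HKLM\SYSTEM\CurrentControlSet\Services\EventLog, and register one of them.
# Run in an elevated PowerShell on the monitored Windows host. The default
# value is the article's example; pass the Full Name copied from Event Viewer.
param(
    [string]$LogName = 'Microsoft-Windows-PrintService/Admin'
)

$eventLogPath = 'SYSTEM\CurrentControlSet\Services\EventLog'

# Use the .NET registry API rather than the HKLM: provider: the provider treats
# '/' as a path separator, so a name such as 'Microsoft-Windows-PrintService/Admin'
# would be created as a nested 'Admin' subkey instead of a single key.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($eventLogPath, $true)
if (-not $root) { throw "Cannot open HKLM\$eventLogPath for writing (run elevated)" }

# Confirm the log exists under exactly this Full Name before touching the registry.
$log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

# Report every log on the host that has no EventLog registry key, i.e. the logs
# that will be missing from the Get Logs list when creating the WMI datasource.
$registered = $root.GetSubKeyNames()
$missing = Get-WinEvent -ListLog '*' -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -notin $registered } |
    Select-Object -ExpandProperty LogName
Write-Host "Event logs with no EventLog registry key: $($missing.Count)"
$missing | ForEach-Object { Write-Host "  $_" }

if ($registered -contains $log.LogName) {
    Write-Host "Key already exists for $($log.LogName); nothing to do."
} else {
    # Back up the EventLog branch first, as the article's caution recommends.
    $backup = Join-Path $env:TEMP 'EventLog-backup.reg'
    reg export "HKLM\$eventLogPath" $backup /y | Out-Null
    Write-Host "Backup written to $backup"

    # Step 6 of the article: create an empty key named after the log's Full Name.
    $null = $root.CreateSubKey($log.LogName)
    Write-Host "Created HKLM\$eventLogPath\$($log.LogName)"
}
$root.Close()
```

After the key exists, repeat step 8 in the ESM console; the new log should now appear in the Get Logs list. The script only creates the key and leaves its values empty, which matches the manual procedure above.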
