Hello,

As per the documentation, 5.3.3, it sounds like we could collect
Application and Services event logs as per the following writing:

-ON WINDOWS VISTA OR LATER, YOU CAN ALSO USE THE GET-WINEVENT CMDLET. IN
ADDITION TO CLASSIC EVENT LOGS, GET-WINEVENT CMDLET SUPPORTS THE
APPLICATION AND SERVICES EVENT LOGS.-

Unfortunately ... it doesn't seem to work "out of the box".
I've tried the following EventLogQuery:
"Microsoft-Windows-PrintService/Operational", EventCode = 307 but ... no
event is coming.

In WECS Logs, I see:
2014-05-21 09:43:15,853|STP SmartThreadPool Thread #19|DEBUG|Starting
real time query for
SM/BD3B7A51-BD2A-1031-B868-000C29C8DCA5@2k8-ps.acme.com/Microsoft-Windows-PrintService/Operational
2014-05-21 09:43:15,853|STP SmartThreadPool Thread #19|DEBUG|Task
(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-PrintService/Operational@2k8-ps.acme.com)
: starting query from 05/21/2014 05:43:10 to 05/21/2014 05:43:15
2014-05-21 09:43:15,853|STP SmartThreadPool Thread #19|DEBUG|Task
(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-PrintService/Operational@2k8-ps.acme.com)
: starting
SM/BD3B7A51-BD2A-1031-B868-000C29C8DCA5@2k8-ps.acme.com/Microsoft-Windows-PrintService/Operational
2014-05-21 09:43:15,853|STP SmartThreadPool Thread #19|DEBUG|Task
(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-PrintService/Operational@2k8-ps.acme.com)
: begin execution
2014-05-21 09:43:15,853|STP SmartThreadPool Thread #19|DEBUG|Task
(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-PrintService/Operational@2k8-ps.acme.com)
: executing query (Select * from Win32_NTLogEvent Where Logfile =
'Microsoft-Windows-PrintService/Operational' AND EventCode = 307 AND
TimeWritten >= '20140521054310.000000+000' AND TimeWritten <=
'20140521054315.000000+000')
2014-05-21 09:43:15,931|STP SmartThreadPool Thread #19|DEBUG|Task
(SM/BD3B7A51-BD2A-1031-B868-000C29C8DCA5@2k8-ps.acme.com/Microsoft-Windows-PrintService/Operational)
: exiting SendEvents
2014-05-21 09:43:15,931|STP SmartThreadPool Thread #19|DEBUG|Task
(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-PrintService/Operational@2k8-ps.acme.com)
: end executing
2014-05-21 09:43:15,931|29|DEBUG|Task
(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-PrintService/Operational@2k8-ps.acme.com)
disposing
SM/BD3B7A51-BD2A-1031-B868-000C29C8DCA5@2k8-ps.acme.com/Microsoft-Windows-PrintService/Operational


When I use evtget.exe ... I get the same result ...

What did I miss?
The Get-Winevent is working fine ... so it's not a problem of rights.
I guess there is a hidden parameter to instruct WECS to use the same
mechanism as Get-Winevent ...

Any help welcome.


--
oruff_rn
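Added example, not part of the original post and not NetIQ code: the debug log above shows the collector issuing a WMI query against Win32_NTLogEvent, a class that reads classic event logs, while Get-WinEvent uses the newer Windows Event Log API that also serves Applications and Services channels. The sketch below scans WECS debug lines for such queries and flags any whose Logfile is not a classic log; the function name, the three-entry classic-log set and the second sample line are assumptions made for illustration.

```python
import re

# Assumption: only the three default classic logs exist on the host.
CLASSIC_LOGS = {"application", "security", "system"}

# Layout seen in the post: timestamp|thread|level|message
LINE_RE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:,]+)\|(?P<thread>[^|]*)\|(?P<level>\w+)\|(?P<msg>.*)$")
WQL_RE = re.compile(r"executing query \((?P<wql>Select .*)\)\s*$", re.IGNORECASE)
LOGFILE_RE = re.compile(r"Logfile\s*=\s*'(?P<log>[^']+)'", re.IGNORECASE)

def find_wmi_channel_queries(lines):
    """Return WMI event queries whose Logfile is not a classic event log."""
    findings = []
    for line in lines:
        parsed = LINE_RE.match(line.strip())
        if not parsed:
            continue  # wrapped fragment or unrelated line
        query = WQL_RE.search(parsed["msg"])
        if not query or "win32_ntlogevent" not in query["wql"].lower():
            continue
        logfile = LOGFILE_RE.search(query["wql"])
        if logfile and logfile["log"].lower() not in CLASSIC_LOGS:
            findings.append({
                "timestamp": parsed["ts"],
                "logfile": logfile["log"],
                "looks_like_channel": "/" in logfile["log"],
            })
    return findings

# First line: re-joined from the post's excerpt. Second line: constructed.
SAMPLE_LOG = [
    "2014-05-21 09:43:15,853|STP SmartThreadPool Thread #19|DEBUG|Task "
    "(BD3B7A51-BD2A-1031-B868-000C29C8DCA5:QueryRt-Microsoft-Windows-"
    "PrintService/Operational@2k8-ps.acme.com) : executing query "
    "(Select * from Win32_NTLogEvent Where Logfile = "
    "'Microsoft-Windows-PrintService/Operational' AND EventCode = 307 AND "
    "TimeWritten >= '20140521054310.000000+000' AND TimeWritten <= "
    "'20140521054315.000000+000')",
    "2014-05-21 09:43:16,010|STP SmartThreadPool Thread #20|DEBUG|Task "
    "(EXAMPLE:QueryRt-Security@2k8-ps.acme.com) : executing query "
    "(Select * from Win32_NTLogEvent Where Logfile = 'Security' AND EventCode = 4624)",
]

if __name__ == "__main__":
    for finding in find_wmi_channel_queries(SAMPLE_LOG):
        print(finding)
```

A flagged entry means the query is syntactically valid WQL but targets a log name the WMI class is not expected to expose, which is consistent with the query completing without error and returning no events.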