Can wmi send logs from a partition

JoseMauricioGomez 21 Reputation points
2020-11-24T22:13:25.007+00:00

Hello team,

I set up WMI to send some service stop/start logs from an F:\ partition and they are unable to be sent. Other file system logs are sent. What would be the issue?

Thanks in advance

Jose Mauricio


8 answers

  1. JoseMauricioGomez 21 Reputation points
    2020-11-25T22:11:45.907+00:00

    Hi,

    Thanks for getting back to me. There's software called "Monitor Plus" which, as a virtual supervisor, collects the "stop services" that are installed on an F:\ partition. These logs are supposed to be sent to a SIEM application in the same virtual environment; the other logs, which are located on the C:\ drive, are successfully received by the SIEM application. We tried using WS 2012 and WS 2019 and it works. This version is WS 2016. Please let me know!


  2. MotoX80 31,561 Reputation points
    2020-11-25T22:41:28.92+00:00

    Please let me know!

    This is not a support forum for Monitor Plus or for a "SIEM Application". Forum users here have no special insight into what YOUR servers are doing. If you can provide an error message or error code, or give us a command that we could use to recreate the error on one of our systems, then we might be able to help you.

    Without any diagnostic information to analyze, the best we can do is to make suggestions to help you troubleshoot your problem.

    Are these applications executing WMI calls like this:

    https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--files-and-folders

    If so, do you have a way to capture the output from the failure? What is the error? Can you use PowerShell or WMIC.exe to recreate the WMI call?

    Sorry, we can't really help you without some actual information to analyze.

    Update: Is the file in use by some running process? Can you copy the file with the Windows explorer?


  3. JoseMauricioGomez 21 Reputation points
    2020-11-27T15:33:32.023+00:00

    One more question:

    When setting up WMI to send logs, at what point should I specify the partition?
    Would you please provide the WMIDiag download link? I can't find it.

    Many thanks


  4. JoseMauricioGomez 21 Reputation points
    2020-11-27T15:47:54.147+00:00

    Line 87760: 2020-11-17T10:12:26.513071-03:00 accelopsva phPerfMonitor[4107]: [PH_JOB_STAT]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phJobExecuteStatus.cpp,[lineNumber]=214,[jobId]=88911969,[jobType]=1,[jobDetail]=WMI lookup for Win32_PerfRawData_PerfDisk_LogicalDisk failed for BASTION-MS(10.16.16.201): Retrieve result data.NTSTATUS: NT code 0xc002001b - NT code 0xc002001b,[hostIpAddr]=10.16.16.201,[hostName]=BASTION-MS,[jobName]=SYS_DISKIO_UTIL,[jobDesc]=Disk I/O Util via WMI,[jobStatus]=1,[pollIntv]=180,[eventTime]=1605618731,[phLogDetail]=
    Line 88072: 2020-11-17T10:14:26.652134-03:00 accelopsva phPerfMonitor[4107]: [PH_JOB_STAT]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phJobExecuteStatus.cpp,[lineNumber]=214,[jobId]=88911969,[jobType]=1,[jobDetail]=Success,[hostIpAddr]=10.16.16.201,[hostName]=BASTION-MS,[jobName]=SYS_DISKIO_UTIL,[jobDesc]=Disk I/O Util via WMI,[jobStatus]=0,[pollIntv]=180,[eventTime]=1605618847,[phLogDetail]=


  5. MotoX80 31,561 Reputation points
    2020-11-28T15:50:58.603+00:00

    Good, I see that it is accessing Win32_PerfRawData_PerfDisk_LogicalDisk and getting a 0xc002001b error. A search on that code says that it is an RPC failure, which really doesn't help us much.

    So let's see if you can access all logical drives and get a list of files in the root. Log on to that machine, open Powershell_ISE and run this script.

    # Enumerate the logical drives exposed by the disk performance counters
    # (the same class the SIEM collector polls), then list the root folder of each one.
    cls
    "Your machine has these Logical drives."
    $vols = Get-CimInstance -Query "SELECT * FROM Win32_PerfRawData_PerfDisk_LogicalDisk" |
            Where-Object -Property Name -match ':'
    $vols | Format-Table -Property Name
    foreach ($vol in $vols) {
        "List of files in {0}" -f $vol.Name
        # WQL requires the backslash to be doubled, so Path="\\" selects the root folder
        $query = 'Drive="' + $vol.Name + '" and Path="\\"'
        Get-CimInstance -ClassName CIM_DataFile -Filter $query | Format-Table -Property Name
        ""
    }
    

    It should look like this.

    [screenshot: 43493-capture.jpg]

    You can use the info on this site to modify the script and display the log files that you are trying to access.

    https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/accessing-individual-files-and-folders-remotely-via-wmi

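Recreating the failing call that answers 2 and 5 ask for, as an added example that is not part of the thread: it queries the same Win32_PerfRawData_PerfDisk_LogicalDisk class the phPerfMonitor job polls, checks whether the F: partition is exposed to it at all, and prints the real CIM error code instead of the collector's "RPC failure" summary. $ComputerName, $Drive and the WinRM requirement for a remote target are my assumptions.

```powershell
# Added diagnostic (not the thread's script). Placeholders: $ComputerName, $Drive.
param(
    [string]$ComputerName = 'localhost',
    [string]$Drive        = 'F:'
)

$cim     = @{ ErrorAction = 'Stop' }   # common parameters, splatted into each query
$session = $null
try {
    if ($ComputerName -ne 'localhost') {
        # Remote queries go over WinRM; assumption: it is enabled on the target
        $session        = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
        $cim.CimSession = $session
    }

    # 1. Does the OS see the volume at all? (DriveType 3 = local disk)
    $logical = Get-CimInstance @cim -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $logical) { throw "Win32_LogicalDisk has no entry for $Drive on $ComputerName" }
    "{0}: {1} {2}, DriveType {3}, {4:N1} GB free" -f $logical.DeviceID, $logical.FileSystem,
        $logical.VolumeName, $logical.DriveType, ($logical.FreeSpace / 1GB)

    # 2. The exact class the SYS_DISKIO_UTIL job reads; a missing instance here
    #    means the collector can never get Disk I/O data for that partition.
    $perf = Get-CimInstance @cim -ClassName Win32_PerfRawData_PerfDisk_LogicalDisk |
            Where-Object -Property Name -match ':'
    "Perf counter instances: " + ($perf.Name -join ', ')
    if ($perf.Name -notcontains $Drive) {
        "WARNING: $Drive has no LogicalDisk perf counter instance on $ComputerName"
    }

    # 3. Root listing through CIM_DataFile (WQL needs the backslash doubled)
    $files = Get-CimInstance @cim -ClassName CIM_DataFile -Filter ('Drive="' + $Drive + '" and Path="\\"')
    "Files in the root of {0}: {1}" -f $Drive, $files.Count
}
catch [Microsoft.Management.Infrastructure.CimException] {
    # NativeErrorCode and HResult carry the code the SIEM log only paraphrased
    "CIM call failed: {0} (HResult 0x{1:X8}) - {2}" -f $_.Exception.NativeErrorCode,
        $_.Exception.HResult, $_.Exception.Message
}
catch {
    "Check failed: $($_.Exception.Message)"
}
finally {
    if ($session) { Remove-CimSession -CimSession $session }
}
```

Run it first on the WS 2016 host itself, then from another machine with -ComputerName, so a local counter problem can be told apart from a remote DCOM/WinRM one.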