Thank you so much for the pointers. Will explore it. Thanks again.
Monitor Failovercluster and SMBServer events
Hello All,
Good Morning.
I am looking for a method to monitor the event log for a particular event ID and description; if it matches, I want to take action based on each event ID I am interested in watching for.
When I tried to monitor the Security log, the following script worked fine.
However, if I use the same logic to monitor Microsoft-Windows-FailoverClustering/Diagnostic, it does not work. Though the event ID I am interested in does get created in the event log, the script still couldn't monitor that event and the action is not called at all.
working script
Event log watch -- New User Creation on local system
$WMI = @{
    Query = "select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Security' and (TargetInstance.EventCode = '4720')"
    Action = {
        $AccountCreated = $event.SourceEventArgs.NewEvent.TargetInstance.insertionstrings[0]
        $CreatedBy = ("{0}{1}" -f $event.SourceEventArgs.NewEvent.TargetInstance.insertionstrings[5],$event.SourceEventArgs.NewEvent.TargetInstance.insertionstrings[4])
        Write-Host -Foreground Green -Back Black ('New Account: {0} was created by: {1}' -f $AccountCreated,$CreatedBy)
        $Global:data = $Event
    }
    SourceIdentifier = "Account.Created"
}
$Null = Register-WMIEvent @WMI
Not working
$WMI1 = @{
    Query = "select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NtLogEvent' and TargetInstance.logfile = 'Microsoft-Windows-FailoverClustering/Diagnostic' and (TargetInstance.EventCode = '2051')"
    Action = {
        Write-Host -Foreground Green -Back Black ('works ')
    }
    SourceIdentifier = "FailoverClustering"
}
$Null = Register-WMIEvent @WMI1
Register-CimIndicationEvent -Query $cq -SourceIdentifier cq
Any suggestions would really help.
Thanks in advance for the help.
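
An added example, not part of the original post: Win32_NTLogEvent only exposes the classic event logs (Security, System, Application and similar), so a channel log such as Microsoft-Windows-FailoverClustering/Diagnostic needs the Windows Event Log API instead, shown here with EventLogWatcher and Register-ObjectEvent. The function name Watch-ChannelEvent and the source identifier are hypothetical; the channel name and event ID 2051 are the ones from the post, and the code checks the channel type because subscriptions are not supported on analytic and debug channels.

```powershell
# Added example: subscribe to one event ID on a channel (non-classic) event log.
# Watch-ChannelEvent is a hypothetical helper name, not part of any module.
function Watch-ChannelEvent {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$SourceIdentifier,
        [Parameter(Mandatory)][scriptblock]$Action
    )

    # Fails early if the channel does not exist on this machine.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # The Event Log API only delivers live subscriptions for Admin and
    # Operational channels; Analytic and Debug channels cannot be subscribed to.
    if ([string]$log.LogType -in 'Analytical', 'Debug') {
        Write-Warning "$LogName is a $($log.LogType) channel; a live subscription is not possible."
        return
    }
    if (-not $log.IsEnabled) {
        Write-Warning "$LogName is disabled; no events arrive until it is enabled."
    }

    # XPath filter on the System/EventID element of each record.
    $xpath   = "*[System[(EventID=$EventId)]]"
    $query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery -ArgumentList `
                   $LogName, ([System.Diagnostics.Eventing.Reader.PathType]::LogName), $xpath
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher -ArgumentList $query

    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -SourceIdentifier $SourceIdentifier -Action $Action | Out-Null
    $watcher.Enabled = $true   # start delivering events
    return $watcher            # keep a reference; set Enabled = $false to stop
}

$watcher = Watch-ChannelEvent -LogName 'Microsoft-Windows-FailoverClustering/Diagnostic' `
    -EventId 2051 -SourceIdentifier 'FailoverClustering.2051' -Action {
        $record = $EventArgs.EventRecord   # $null if the read failed (see EventException)
        if ($record) {
            Write-Host -ForegroundColor Green -BackgroundColor Black `
                ('{0} event {1}: {2}' -f $record.TimeCreated, $record.Id, $record.FormatDescription())
        }
    }
```

If the function warns that the channel is Analytical or Debug, the same event ID can be watched on an Admin or Operational channel of the provider where it is also logged, using the same call with a different -LogName.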