topic Re: Getting info from the details tab within Server 2008 event logs. in Getting Data In

Getting info from the details tab within Server 2008 event logs.

JSapienza — Wed, 03 Oct 2012 19:55:27 GMT

Does anyone know how to get the full output (including the details tab) or XML version of event logs out of Server 2008?
This is not very helpful in troubleshooting when I don't have the Details section:

Message=For more details for this event, please refer to the "Details" section

My input.conf:

[WinEventLog:Microsoft-Windows-CAPI2/Operational]
disabled = false

Actual captured event:

10/03/2012 03:42:48 PM
LogName=Microsoft-Windows-CAPI2/Operational
SourceName=Microsoft-Windows-CAPI2
EventCode=70
EventType=4
Type=Information
ComputerName=xxxxxxxx
User=SYSTEM
Sid=S-1-5-18
SidType=1
TaskCategory=Acquire Certificate Private Key
OpCode=Info
RecordNumber=207625
Keywords=Private Key
Message=For more details for this event, please refer to the "Details" section

Thanks !

Re: Getting info from the details tab within Server 2008 event logs.

JSapienza — Wed, 10 Oct 2012 13:48:49 GMT

Finally figured this one out. If you use wevtutil to dump the event log to XML it will show all details from the event. So, I ended up using a scripted input like such :

wevtutil qe Microsoft-Windows-CAPI2/Operational "/q:*[System[TimeCreated[timediff(@SystemTime)<=60000]]]" /F:xml

Its very Microsoft to not display the details in the text output and only in the XML format.

Re: Getting info from the details tab within Server 2008 event logs.

glen_drivas — Thu, 08 Jun 2017 15:14:30 GMT

If you use the Splunk Add-on for Microsoft Windows https://splunkbase.splunk.com/app/742/ you can use the following stanza in that app to capture the CAPI2 log.

[WinEventLog://Microsoft-Windows-CAPI2/Operational]
Sourcename=Microsoft-Windows-CAPI2
disabled = 0
renderXml = 1
current_only = 0