Dealing with XML Events


With Windows Vista/2008 the “Crimson” event API’s were added.  The idea was to allow events to be searchable/parse-able beyond treating the event description as a big block of text.

This was already addressed in a MOM Team blog post back in 2008: http://blogs.technet.com/b/momteam/archive/2008/02/01/authoring-event-rules-in-opsmgr.aspx  Here we are introduced to what SCOM calls event parameters, which are the Data nodes inside the EventData node of a Crimson event.

Another, more recent MOM Team blog post expanded on parsing the event XML with a namespace: http://blogs.technet.com/b/momteam/archive/2013/04/16/alerting-on-asp-net-exceptions-thru-the-windows-azure-management-pack.aspx

I recently had a challenge which required me to deeply dive into the UserData node of an event, which I tinkered with off-and-on before piecing together a solution.  I needed to monitor the CAPI2 logs for issues with expired or missing intermediate certificates on Windows 2008 R2.  The event description is not useful, and the event does not have an EventData node, so neither description parsing nor event parameters would help me.  There are other error event 30’s in the same log that mean different things, so event ID and source alone were not adequate.  Here’s a sample event:

Log Name:      Microsoft-Windows-CAPI2/Operational
Source:        Microsoft-Windows-CAPI2
Date:          3/26/2013 4:39:01 PM
Event ID:      30
Task Category: Verify Chain Policy
Level:         Error
Keywords:      Path Validation
User:          SYSTEM
Computer:      xxxx.xxxx.xxxx
Description:
For more details for this event, please refer to the “Details” section
Event Xml:
<Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event“>
  <System>
    <Provider Name=”Microsoft-Windows-CAPI2″ Guid=”{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}” />
    <EventID>30</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>30</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000001</Keywords>
    <TimeCreated SystemTime=”2013-03-26T16:39:01.654237800Z” />
    <EventRecordID>1696692</EventRecordID>
    <Correlation />
    <Execution ProcessID=”520″ ThreadID=”11928″ />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>xxxx.xxxx.xxxx</Computer>
    <Security UserID=”S-1-5-18″ />
  </System>
  <UserData>
    <CertVerifyCertificateChainPolicy>
      <Policy type=”CERT_CHAIN_POLICY_NT_AUTH” constant=”6″ />
      <Certificate fileRef=”xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.cer” subjectName=”Firstname Lastname” />
      <CertificateChain chainRef=”{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}” />
      <Flags value=”40000000″ BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_END_ENTITY_FLAG=”true” />
      <Status chainIndex=”0″ elementIndex=”1″ />
      <EventAuxInfo ProcessName=”lsass.exe” impersonateToken=”S-1-5-18″ />
      <CorrelationAuxInfo TaskId=”{C286F78D-8E50-45EE-8A99-DC086979AD08}” SeqNumber=”1″ />
      <Result value=”800B0112″>A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.</Result>
    </CertVerifyCertificateChainPolicy>
  </UserData>
</Event>

What I was asked to go after was the “type” attribute of the “Policy” node.  The tricky part is the XML Namespace.  When dealing with known/standard SCOM event log parameters you don’t have to deal with it, but when doing a raw XPATH query, you do.  All of the [local-name()=’xxxx’] bits are for getting around the XML namespace.  items that start with * indicate a node, and items that start with @* indicate an attribute.  Here is the XML and a screen shot of the event data source I used.

  <ComputerName>$Target/Host/Host/Property[Type=”Windows!Microsoft.Windows.Computer”]/NetworkName$</ComputerName>
  <LogName>Microsoft-Windows-CAPI2/Operational</LogName>
  <Expression>
    <And>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type=”UnsignedInteger”>EventDisplayNumber</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type=”UnsignedInteger”>30</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
      <Expression>
        <RegExExpression>
          <ValueExpression>
            <XPathQuery Type=”String”>PublisherName</XPathQuery>
          </ValueExpression>
          <Operator>ContainsSubstring</Operator>
          <Pattern>CAPI2</Pattern>
        </RegExExpression>
      </Expression>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type=”Integer”>EventLevel</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type=”Integer”>1</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
      <Expression>
        <SimpleExpression>
          <ValueExpression>
            <XPathQuery Type=”String”>EventData/DataItem/*[local-name()=’UserData’]/*[local-name()=’CertVerifyCertificateChainPolicy’]/*[local-name()=’Policy’]/@*[local-name()=’type’]</XPathQuery>
          </ValueExpression>
          <Operator>Equal</Operator>
          <ValueExpression>
            <Value Type=”String”>CERT_CHAIN_POLICY_NT_AUTH</Value>
          </ValueExpression>
        </SimpleExpression>
      </Expression>
    </And>
  </Expression>

  Here is how to put some of that data into the alert description:

  <Priority>1</Priority>
  <Severity>2</Severity>
  <AlertOwner></AlertOwner>
  <AlertMessageId>$MPElement[Name=”Live.LSD.TerminalService.Monitoring.CAPI2.CERT_CHAIN_POLICY_NT_AUTH.Error.AlertMessage”]$</AlertMessageId>
  <AlertParameters>
    <AlertParameter1>$Target/Host/Host/Property[Type=”Windows!Microsoft.Windows.Computer”]/PrincipalName$</AlertParameter1>
    <AlertParameter2>$Data/EventDisplayNumber$</AlertParameter2>
    <AlertParameter3>$Data/EventSourceName$</AlertParameter3>
    <AlertParameter4>$Data/Channel$</AlertParameter4>
    <AlertParameter5>$Data/EventDescription$</AlertParameter5>
    <AlertParameter6>$Data/EventData/DataItem$</AlertParameter6>
    <AlertParameter7>$Data/EventData/DataItem/*[local-name()=’UserData’]/*[local-name()=’CertVerifyCertificateChainPolicy’]/*[local-name()=’Policy’]/@*[local-name()=’type’]$</AlertParameter7>
  </AlertParameters>
  <Suppression>
    <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
    <SuppressionValue>$Data/PublisherName$</SuppressionValue>
    <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
    <SuppressionValue>$Data/EventLevel$</SuppressionValue>
  </Suppression>
  <Custom1></Custom1>
  <Custom2></Custom2>
  <Custom3></Custom3>
  <Custom4></Custom4>
  <Custom5></Custom5>
  <Custom6></Custom6>
  <Custom7></Custom7>
  <Custom8></Custom8>
  <Custom9></Custom9>
  <Custom10></Custom10>

 $Data/EventData/DataItem$ appears to return the text of the XML.  Although I’m not sure if it would return all text, or just the text of the first or last node that has text.  In this particular example, only one node has text.  Everything else is attributes.

Comments (3)

  1. Anonymous says:

    If you want the time property of the event to appear in the alert description, you can use this:

    Event Time: $Data/EventData/DataItem/@time$

  2. lucy says:

    Great post from your hands again. I loved the complete article.
    By the way nice writing style you have. I never felt like boring while reading this article.

    I will come back & read all your posts soon. Regards, Lucy.

  3. show box says:

    Thanks for the great info. I really loved this. I would like to apprentice at the same time as you amend your web site, how could i subscribe for a blog site?
    For more info on showbox please refer below sites:
    http://showboxandroids.com/showbox-apk/
    http://showboxappandroid.com/
    Latest version of Showbox App download for all android smart phones and tablets.
    http://movieboxappdownloads.com/ – It’s just 2 MB file you can easily get it on your android device without much trouble. Showbox app was well designed application for android to watch movies and TV shows, Cartoons and many more such things on your smartphone.
    For showbox on iOS (iPhone/iPad), please read below articles:
    http://showboxappk.com/showbox-for-ipad-download/
    http://showboxappk.com/showbox-for-iphone/
    Showbox for PC articles:
    http://showboxandroids.com/showbox-for-pc/
    http://showboxappandroid.com/showbox-for-pc-download/
    http://showboxforpcs.com/
    There are countless for PC clients as it is essentially easy to understand, simple to introduce, gives continuous administration, effectively reasonable. it is accessible at completely free of expense i.e., there will be no establishment charges and after establishment
    it doesn’t charge cash for watching films and recordings.
    http://www.showboxforipad.org/showbox-apk/ Not simply watching, it likewise offers alternative to download recordings and motion pictures. The accompanying are the strides that are to be taken after to introduce Showbox application on Android. The above
    all else thing to be done is, go to the Security Settings on your Android telephone, Scroll down and tap on ‘Obscure sources’.
    http://www.showboxforipad.org/
    http://movieboxappdownloads.com/moviebox-apk-android/
    http://movieboxappdownloads.com/download-moviebox-pc/
    Movie Box, an esteemed movies application in which you can find stacks of programs and films. The guide is given here to download Movie Box app to Android and to Apple iOS 9.0.2, iOS 8.4/8.3 and also for the lower versions without Jailbreak.
    http://showboxforiphone.org/
    Please do login to Showbox application with the help of Ymail. You can login in Ymail from here –
    http://ymaillogintips.com/
    Sign Up & Do registration for latest movies on Showbox application