KBI 310888 Issue Addressed: Could Not Filter Out Success Event Using WMI Method
Version
Argent for Compliance 3.1A-1401-E or below
Date
Thursday, 20 Mar 2014
Summary
Windows Event Log traditionally has the event types ‘Error’, ‘Warning’, ‘Information’, ‘Security Audit Success’ and ‘Security Audit Failure’.
According to the MSDN documentation, the WMI class Win32_NTEventLog returns an EventType value of 1 to 5.
It has been found that more recent Windows machines, including W2008, can return an EventType value of 0, for example for WMI event 5715, even though Event Log Viewer still shows the event as Informational.
Technical Background
This is either an MSDN documentation error or an implementation error in the WMI class Win32_NTEventLog.
Argent AT 1402-T4 compensates for it.
Resolution
Upgrade to Argent Advanced Technology 3.1A-1401-T4 or later
If the customer cannot upgrade immediately, they can either switch to the method ‘Read Event Log File Directly’ or filter out the unwanted events using other criteria, for example, Event ID not equal to 5615.
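For anyone writing their own WMI-based event filter, the sketch below shows the mismatch described above and one way to normalise the EventType value before filtering. It is an added example, not Argent code: the function names and sample records are constructed, and mapping 0 to ‘Information’ is an assumption based on what Event Log Viewer displays. The live query in the last comment uses Win32_NTLogEvent, the WMI class that carries the EventType property.

```powershell
# Added example (not Argent code). Names and sample records are constructed.
# Index = EventType value. 1-5 are the documented values listed in the article;
# 0 is the undocumented value, mapped here to what Event Log Viewer displays.
$EventTypeNames = @(
    'Information',             # 0 (undocumented; assumption: treat as Information)
    'Error',                   # 1
    'Warning',                 # 2
    'Information',             # 3
    'Security Audit Success',  # 4
    'Security Audit Failure'   # 5
)

function Get-EventTypeName {
    param([Parameter(Mandatory)][int]$EventType)
    if ($EventType -ge 0 -and $EventType -lt $EventTypeNames.Count) {
        return $EventTypeNames[$EventType]
    }
    # Surface any other unexpected value instead of silently passing it through.
    return "Unknown ($EventType)"
}

function Remove-EventByType {
    # Drops records whose normalised type name is listed in -ExcludeType.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Record,
        [Parameter(Mandatory)][string[]]$ExcludeType
    )
    process {
        if ((Get-EventTypeName -EventType $Record.EventType) -notin $ExcludeType) {
            $Record
        }
    }
}

# Constructed sample records standing in for WMI query results.
$sample = @(
    [pscustomobject]@{ EventCode = 5715; EventType = 0 }
    [pscustomobject]@{ EventCode = 1001; EventType = 1 }
    [pscustomobject]@{ EventCode = 1002; EventType = 3 }
)

# Filtering on the documented numeric value alone lets the EventType 0 record through.
$naive = $sample | Where-Object { $_.EventType -ne 3 }

# Filtering on the normalised name drops both the 0 and the 3 record.
$normalised = $sample | Remove-EventByType -ExcludeType 'Information'

# On a live host, replace $sample with:
#   Get-CimInstance -ClassName Win32_NTLogEvent -Filter "Logfile='System'"
```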