Event Viewer Customizations for NAP

Hello everyone,

After successfully demonstrating and rolling out NAP within my company, I wanted to post something that may help with visibility.

Hopefully it will be of use to others.

In Server 2008's Event Viewer, you are able to create custom views of events. What I wanted was to create a custom view of all Noncompliant PCs coming in. Since customized event views can be tricky, I thought I'd post my basic code.

    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[Provider[@Name='HRA']]]</Select>
        <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-HCAP']]]</Select>
        <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID = 6278)]] and *[EventData[Data="NAP DHCP Noncompliant"]]</Select>
      </Query>
    </QueryList>

Fairly simple: basically, I removed the first Select from the standard Network Access Protection Event View because it would litter this view with NPS events of 4400 (successful LDAP connection to domain controller). The EventID of 6278 relates to the event that houses compliance data. The EventData then filters all that have a Data field of "NAP DHCP Noncompliant". This may differ from yours because of how you named your Network Policy.

Next, just attach a task to this view and off you go! Just be sure to review which user the task is running under and that it will run even while logged out.

Some things I want to do:

I want to be able to either attach the event or the event line in the log file that corresponds to this one. VBScript? OR

I want to be able to distinguish the compliance data to search for key text (such as hex values for components that the NPS validates: AV, Windows updates, etc.). Since this field is one giant blob of information, I'm not sure how to parse it for pieces of information. The wildcard (*) doesn't work within the parameters I'm using in my XML view.

Any ideas would be great, but I hope that it may help someone else.

Thursday, December 2, 2010 5:26 PM
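As an added example, not code from the post above: the same QueryList XML that drives the custom view can be handed to PowerShell's Get-WinEvent, after which the EventData fields of each 6278 event can be searched with a regular expression, which is what the XPath wildcard in the view cannot do. The `$pattern` value and the `-MaxEvents` limit are assumptions; adjust them to the text you are looking for in your own compliance data.

```powershell
# Added example, not part of the original post: reuse the custom-view XML with
# Get-WinEvent, then regex-search the EventData fields the XPath cannot wildcard.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID = 6278)]] and *[EventData[Data="NAP DHCP Noncompliant"]]</Select>
  </Query>
</QueryList>
"@

# Placeholder pattern (assumption): 8-digit hex codes like the ones the poster
# mentions for validated components. Replace with the text you want to find.
$pattern = '0x[0-9A-Fa-f]{8}'

Get-WinEvent -FilterXml $query -MaxEvents 200 | ForEach-Object {
    $event = $_
    $xml   = [xml]$event.ToXml()

    # Flatten the <Data Name="..."> elements into a name -> value table so the
    # "giant blob" becomes individually addressable fields.
    $fields = @{}
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d.Name) { $fields[$d.Name] = [string]$d.'#text' }
    }

    # Keep only the fields whose value matches the pattern.
    $hits = $fields.GetEnumerator() | Where-Object { $_.Value -match $pattern }
    if ($hits) {
        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            Computer    = $event.MachineName
            Matches     = ($hits | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

Saved as a .ps1, the same script can serve as the action of the task attached to the view; writing `$event.ToXml()` to a file from inside the loop captures the full event record that the task itself does not carry along.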