Collect and Parse FSLogix Event Log

I’ve been doing more and more with Windows Virtual Desktop (WVD) lately. From building custom images with Azure Image Builder and putting custom software on it. But as always I come back to monitoring. In trying to create some KPIs for the environment, we decided we wanted to collect the FSLogix Event log.

Collect FSLogix Event Log

On every session host in WVD, FSLogix creates and utilizes an Event Log. In the operational log you get profile load and unload times.

On your sessions hosts the FSLogix Log will appear under Applications and Services as ‘FSLogixs Apps’ and underneath it has Admin and Operational. For my purposes I just need Operational. However simply putting in “FSLogix Apps” in Log Analytics was not working. Despite having the ability to collect event logs with spaces in them, Log Analytics was not collecting any.

One thing I found out you can do is look at the XML output from the Event Log


<?xml version="1.0" encoding="utf-8" standalone="yes"?>

<Events><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='FSLogix-Apps' Guid='{b9819571-bbb1-4f0d-965f-2bbb58b801a7}'/>
<EventID>25</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2020-08-26T13:52:14.063575600Z'/><EventRecordID>244</EventRecordID><Correlation ActivityID='{5d70850a-4cf7-0005-ea3e-b43e3479d601}'/><Execution ProcessID='3820' ThreadID='7828'/>
<Channel>FSLogix-Apps/Operational</Channel>

This provides the Provider Name and Channel. Both of which we can use. So as it turns out there is a hyphen in the Provider Name, which doesn’t render in the actual Windows Event Log.

So the full event log to add to Log Analytics is FSLogix-Apps/Operational

Collect FSLogix Event Log

 

Parse FSLogix Event Log

Now we have Event Logs in, it turns out the log isn’t exactly as desired.


Event
| where Source == 'FSLogix-Apps'
| where EventID == 25
We can get profile loads with EventID 25 where our Source is FSLogix-Apps.
Collect FSLogix Event Log
The renderedDesecription has multiple values in it and in particular UserName is always NT Authority\system.
Not idea. However, we can use the Parse operator to extract the data we want. In my case I wanted the UserName.

Event
| where Source == 'FSLogix-Apps'
| where EventID == 25
| parse RenderedDescription with * "Username: " UserName:string " " *
This code parses RenderedDescription for Username and creates a new field called UserName as a string. The * on each side tell Kusto to trash everything before and after the quotes.
Collect FSLogix Event Log

Leave a Comment