Need help with list of computers names for WMI to grab

We're using Meraki MX400 security appliances.  The Meraki devices use WMI to grab information about who's logged into what. The issue I'm having is that on many occasions when people log onto a VMware View linked clone desktop, Meraki will misidentify the name of the client as a desktop in a pool that hasn't been in existence for many many months.  I have checked ADUC, DNS, DHCP and WINS and have confirmed that those names do not exist anywhere in my network,

The Meraki tech has wanted me to gather AD logs on WMI Queries. I sent him the one listed in the event log area of the DC we'd be using to log in for this and he says its the wrong log, but has no information as to what log I should be pulling. I am not a WMI expert by any means. His words to me are:

The MX uses WMI queries to pull info for log on events on particular clients.
If you could grab the logs for a client on the AD that corroborate or conflict with the MX's output I can use that to scope the problem.

And then when I sent him the "wrong" log:

I don't think this is the correct log. This log shows instances of WMI queries occurring on the device, not the information a WMI query would grab.
If you're unsure how to gather and interpret the logs from AD I would recommend getting in touch with the relevant support.

And then finally when I reiterated that I've not been able to find anything:

If it appears that the MX is seeing false positive log on events for particular clients we'll need to check to see that there are no log on events for those clients in the AD server for the WMI to pull.

Can anyone help with this?

LVL 28
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RobertSystem AdminCommented:
I don't have the Meraki system however from the sounds of it they are just pulling the windows security event logs with specific event id's for user logons.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jhyieslaAuthor Commented:
I'm pretty sure from reading their documentation for web filtering and client identification that they're doing more than just pulling from the event log.
jhyieslaAuthor Commented:
Turns out that's exactly what they're doing
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.