Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
How to read the NT Event Log?
- Thread starter jimmYLepp
- Start date
![[lightsaber]](/data/assets/smilies/lightsaber.gif "[lightsaber] [lightsaber]")
DanaHallenbeck
IS-IT--Management
The only way I know if is using WMI. A sample script is listed below...I also included the available properties for the Win32_NTLogEvent object
'properties for Win32_NTLogEvent
' uint16 Category;
' string CategoryString;
' string ComputerName;
' uint8 Data[];
' uint16 EventCode;
' uint32 EventIdentifier;
' uint8 EventType;
' string InsertionStrings[];
' string Logfile;
' string Message;
' uint32 RecordNumber;
' string SourceName;
' datetime TimeGenerated;
' datetime TimeWritten;
' string Type;
' string User;
Dim i, compname
compname = "<computername here>"
Set events = GetObject("winmgmts:{impersonationLevel=impersonate}!" & compname).ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile='application'"
'or system or security
For Each i In events
WScript.Echo(i.eventcode)
WScript.Echo(i.message)
next
'properties for Win32_NTLogEvent
' uint16 Category;
' string CategoryString;
' string ComputerName;
' uint8 Data[];
' uint16 EventCode;
' uint32 EventIdentifier;
' uint8 EventType;
' string InsertionStrings[];
' string Logfile;
' string Message;
' uint32 RecordNumber;
' string SourceName;
' datetime TimeGenerated;
' datetime TimeWritten;
' string Type;
' string User;
Dim i, compname
compname = "<computername here>"
Set events = GetObject("winmgmts:{impersonationLevel=impersonate}!" & compname).ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile='application'"
'or system or securityFor Each i In events
WScript.Echo(i.eventcode)
WScript.Echo(i.message)
next
- Thread starter
- #3
if you want your server to notify you when i has new event logs you can set up permement event notification using WMI.
alternatively you could have a vbs running on the each server which has registered with WMI for event notification and using async event notification. havent got an example on me today
alternatively you could have a vbs running on the each server which has registered with WMI for event notification and using async event notification. havent got an example on me today
actually, i cant remember if the eventlogs provider supports this. if it doesnt you can still do it from the server side by polling every 10 minutes to see if anything has changed. that was you wont have to worry about comparing times of eventlog entries etc etc. i will have a read tonight and post an example, it might clarify what the hell i am talking about ( i dont seem to know).
richard
richard
ok example from MS on how to wait for an event.
the "WITHIN" is used as the win32_process provider doesnt support (whats the word im looking for) immediate notification of events and you have to poll. the 10 are seconds. change the 'Win32_Process' to Win32_NTLogEvent, as suggested above (i think you can also forget about the WITHIN clause) and whenever a new Win32_NTLogEvent occurs the commands in the Sub will run. you can filter for types of events (application, system etc) and also the eventid so you can do different things
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set MySink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_"
WMIservices.ExecNotificationQueryAsync Sink, "SELECT * FROM __InstanceDeletionEvent" & _
"WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'"
WScript.Echo "Waiting for events..."
Sub SINK_OnObjectReady(objObject, objAsyncContext)
WScript.Echo (objObject.TargetInstance.Name)
End Sub
the "WITHIN" is used as the win32_process provider doesnt support (whats the word im looking for) immediate notification of events and you have to poll. the 10 are seconds. change the 'Win32_Process' to Win32_NTLogEvent, as suggested above (i think you can also forget about the WITHIN clause) and whenever a new Win32_NTLogEvent occurs the commands in the Sub will run. you can filter for types of events (application, system etc) and also the eventid so you can do different things
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set MySink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_"
WMIservices.ExecNotificationQueryAsync Sink, "SELECT * FROM __InstanceDeletionEvent" & _
"WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'"
WScript.Echo "Waiting for events..."
Sub SINK_OnObjectReady(objObject, objAsyncContext)
WScript.Echo (objObject.TargetInstance.Name)
End Sub
Does anyone have anything that will do the security logs?
When I do the following it will only spit out Application and System logs.
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2"
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent",,48)
For Each objItem in colItems
wtf.writeline objItem.Logfile
next
When I do the following it will only spit out Application and System logs.
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2"
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent",,48)
For Each objItem in colItems
wtf.writeline objItem.Logfile
next
- Status
Similar threads
- Locked
- Question