Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Read saved event log
- Thread starter pointman4
- Start date
Have a look here:
Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
- Thread starter
- #3
one would hope you could use
Win32_NTLogEvent.Logfile
and specify the path to the .evt file.
i am presuming they are savedin .evt format.
never tried it though.
what format are the .evt files if you open then as a textstream? i cant believe there isnt a parser from M$ to do this is .LogFile doesnt work
Win32_NTLogEvent.Logfile
and specify the path to the .evt file.
i am presuming they are savedin .evt format.
never tried it though.
what format are the .evt files if you open then as a textstream? i cant believe there isnt a parser from M$ to do this is .LogFile doesnt work
- Thread starter
- #6
It may be that I just haven't found the parser and it does exist. Here is the code that I am using. The file EtormFS.evt is a system event log from another computer named Etormfs. Thank you for all of your responses.
Const NO_VALUE = Empty
Const OverwriteExisting = TRUE
Const DeleteReadOnly = TRUE
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile "c:\etorm\ETORMFS.evt" , "c:\windows\system32\config\", OverwriteExisting
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\ETORMFS\", NO_VALUE
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'ETORMFS'")
For Each objEvent in colLoggedEvents
if objEvent.SourceName = "Double-Take" then
Wscript.Echo "Category: " & objEvent.Category & objEvent.ComputerName & objEvent.EventCode & objEvent.Message & objEvent.RecordNumber & objEvent.SourceName & objEvent.TimeWritten & objEvent.Type & objEvent.User
end if
Next
WshShell.RegDelete "HKLM\System\CurrentControlSet\Services\EventLog\ETORMFS\"
objFSO.DeleteFile("C:\windows\system32\config\ETORMFS.evt"), DeleteReadOnly
Const NO_VALUE = Empty
Const OverwriteExisting = TRUE
Const DeleteReadOnly = TRUE
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile "c:\etorm\ETORMFS.evt" , "c:\windows\system32\config\", OverwriteExisting
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\ETORMFS\", NO_VALUE
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'ETORMFS'")
For Each objEvent in colLoggedEvents
if objEvent.SourceName = "Double-Take" then
Wscript.Echo "Category: " & objEvent.Category & objEvent.ComputerName & objEvent.EventCode & objEvent.Message & objEvent.RecordNumber & objEvent.SourceName & objEvent.TimeWritten & objEvent.Type & objEvent.User
end if
Next
WshShell.RegDelete "HKLM\System\CurrentControlSet\Services\EventLog\ETORMFS\"
objFSO.DeleteFile("C:\windows\system32\config\ETORMFS.evt"), DeleteReadOnly
seems strange you cant do it the method you have shown.
you might want to try LogParser.msi, from M$ apparently it can read eventlogs, not sure if that is ones taht have been saved.
only other fudge i can think of is to
1. copy your Application logfile sideways
2. rename your ETOR evt file to what the Application one was
3. read the applucation log
4. copy your application log back again
or..save log files a csv format.
sorry cant be of any more help at the moment
you might want to try LogParser.msi, from M$ apparently it can read eventlogs, not sure if that is ones taht have been saved.
only other fudge i can think of is to
1. copy your Application logfile sideways
2. rename your ETOR evt file to what the Application one was
3. read the applucation log
4. copy your application log back again
or..save log files a csv format.
sorry cant be of any more help at the moment
- Status
