| Author |
Script to read the event log
|
|
| David Doumani 2004-09-24, 3:55 am |
| I have created the following script mostly by modifying other samples I
have found on the internet, etc... For some reason it has "stopped"
working, and I cannot find the mistake that is causing the script to
bomb out... It asks for 3 cmd. line arguments (event log, ID and remote
system) and then does a scan/report for the requested information. Any
hints would be more than appreciated.
<cut here>
' Values shared by the subs below; ParseCommandLine fills them from the command line.
Dim Logfile, EventID, Host

' Main program: collect the three arguments first, then run the query.
Call ParseCommandLine()
Call EventLogQuery()
Sub EventLogQuery()
' Queries Win32_NTLogEvent over WMI on the machine named by the script-level
' Host, echoes every property of each matching record, then echoes the number
' of matches. Reads Host and EventID; Logfile is only referenced by the
' commented-out query variants below.
'
' NOTE(review): On Error Resume Next hides every runtime error in this Sub. If
' GetObject or ExecQuery fails, the script can end without echoing any event or
' any error. Check Err.Number after each call, or remove the line while
' debugging.
On Error Resume Next
' Host is taken unchanged from the command line and concatenated into the WMI
' moniker; the usage text shows "." for the local machine.
' NOTE(review): a later reply in this thread states that reading the Security
' log requires explicitly requesting the Security privilege; this moniker
' requests none.
strComputer = Host
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Earlier query variants, left commented out (each is wrapped over two lines here).
'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
Where Logfile = Security")
'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
Where Logfile = '"&Logfile&"' and EventCode = '"&EventID&"'")
' NOTE(review): the active query below has a single quote in front of EventCode
' with no partner, which appears to leave the WHERE clause malformed. It also
' hard-codes 'Security', so the Logfile argument has no effect.
' NOTE(review): EventID is concatenated into the query text unvalidated;
' confirm it is numeric before building the query.
Set ColItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where
Logfile = 'Security' and 'EventCode = '"&EventID&"'")
' ColItems and colItems are the same variable (VBScript names are not case-sensitive).
For Each objItem in colItems
Wscript.Echo "Category: " & objItem.Category
Wscript.Echo "CategoryString: " & objItem.CategoryString
Wscript.Echo "ComputerName: " & objItem.ComputerName
' NOTE(review): Data and InsertionStrings are documented as array-valued on
' Win32_NTLogEvent; if so, & cannot concatenate them directly and the error is
' swallowed by On Error Resume Next - confirm, and join the elements first.
Wscript.Echo "Data: " & objItem.Data
Wscript.Echo "EventCode: " & objItem.EventCode
Wscript.Echo "EventIdentifier: " & objItem.EventIdentifier
Wscript.Echo "EventType: " & objItem.EventType
Wscript.Echo "InsertionStrings: " & objItem.InsertionStrings
Wscript.Echo "Logfile: " & objItem.Logfile
Wscript.Echo "Message: " & objItem.Message
Wscript.Echo "RecordNumber: " & objItem.RecordNumber
Wscript.Echo "SourceName: " & objItem.SourceName
Wscript.Echo "TimeGenerated: " & objItem.TimeGenerated
Wscript.Echo "TimeWritten: " & objItem.TimeWritten
Wscript.Echo "Type: " & objItem.Type
Wscript.Echo "User: " & objItem.User
Next
' Summary line: the size of the result collection.
Wscript.Echo "total of requested event: " & colItems.count
End Sub
'Get Commandline Arguments Subroutine
Sub ParseCommandLine()
    ' Copies the three command-line arguments into the script-level Logfile,
    ' EventID and Host. With any other argument count the usage text is shown
    ' instead (DisplayUsage ends the script).
    ' NOTE(review): the values are stored as typed; nothing here checks that
    ' EventID is numeric before it is concatenated into the WQL query.
    Dim cliArgs
    Set cliArgs = WScript.Arguments

    If cliArgs.Count = 3 Then
        Logfile = cliArgs(0)
        EventID = cliArgs(1)
        Host = cliArgs(2)
    Else
        DisplayUsage()
    End If
End Sub
'Usage Subroutine
Sub DisplayUsage()
    ' Echoes a blank line and three example command lines, then ends the
    ' script with exit code 0.
    ' NOTE(review): every example wraps the three values in one pair of double
    ' quotes; typed that way they reach the script as a single argument, which
    ' ParseCommandLine rejects because it requires exactly three.
    Dim dq, scriptName
    dq = Chr(34)
    scriptName = WScript.ScriptName

    WScript.Echo
    WScript.Echo "Example: cscript " & scriptName & " " & dq & "<logfile> <EventID> <Computer>" & dq
    WScript.Echo "Example for Local Machine: cscript " & scriptName & " " & dq & "System 3 ." & dq
    WScript.Echo "Example for Remote Machine: cscript " & scriptName & " " & dq & "System 3 NEENG" & dq
    WScript.Quit(0)
End Sub
| |
| Dave Patrick 2004-09-24, 3:55 am |
| Remove the 'On Error Resume Next' line and run it again.
--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
"David Doumani" wrote:
|I have created the following script mostly buy modifying other samples I
| have fond on the internet, etc... For some reason it have "stopped"
| working; and I can not find out my mistake that is causing the script to
| bomb out... It asks for 3 cmd. line arguments (evnet log, ID and remote
| system) and then does a scan/report for the requested information. Any
| hints would be more than appreciated.
|
|
| <cut here>
|
|
| Dim Logfile, EventID, Host
|
| 'Process the main program
| ParsecommandLine()
| EventLogQuery()
|
|
| Sub EventLogQuery()
| On Error Resume Next
| strComputer = Host
| Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
|
| 'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
| Where Logfile = Security")
| 'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
| Where Logfile = '"&Logfile&"' and EventCode = '"&EventID&"'")
| Set ColItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
Where
| Logfile = 'Security' and 'EventCode = '"&EventID&"'")
|
|
|
| For Each objItem in colItems
| Wscript.Echo "Category: " & objItem.Category
| Wscript.Echo "CategoryString: " & objItem.CategoryString
| Wscript.Echo "ComputerName: " & objItem.ComputerName
| Wscript.Echo "Data: " & objItem.Data
| Wscript.Echo "EventCode: " & objItem.EventCode
| Wscript.Echo "EventIdentifier: " & objItem.EventIdentifier
| Wscript.Echo "EventType: " & objItem.EventType
| Wscript.Echo "InsertionStrings: " & objItem.InsertionStrings
| Wscript.Echo "Logfile: " & objItem.Logfile
| Wscript.Echo "Message: " & objItem.Message
| Wscript.Echo "RecordNumber: " & objItem.RecordNumber
| Wscript.Echo "SourceName: " & objItem.SourceName
| Wscript.Echo "TimeGenerated: " & objItem.TimeGenerated
| Wscript.Echo "TimeWritten: " & objItem.TimeWritten
| Wscript.Echo "Type: " & objItem.Type
| Wscript.Echo "User: " & objItem.User
| Next
| Wscript.Echo "total of requested event: " & colItems.count
| End Sub
|
| 'Get Commandline Arguments Subroutine
| Sub ParseCommandLine()
| Dim vArgs
|
| set vArgs = WScript.Arguments
|
| if vArgs.Count <> 3 then
| DisplayUsage()
| Else
| Logfile = vArgs(0)
| EventID = vArgs(1)
| Host = vArgs(2)
| End if
| End Sub
|
| 'Usage Subroutine
| Sub DisplayUsage()
| WScript.Echo
| WScript.Echo "Example: cscript " & WScript.ScriptName & " " & chr(34) &
| "<logfile> <EventID> <Computer>" & chr(34)
| WScript.Echo "Example for Local Machine: cscript " & WScript.ScriptName &
"
| " & chr(34) & "System 3 ." & chr(34)
| WScript.Echo "Example for Remote Machine: cscript " & WScript.ScriptName &
| " " & chr(34) & "System 3 NEENG" & chr(34)
| WScript.Quit(0)
| End Sub
|
|
| |
| Jason Stanley 2004-09-24, 8:56 am |
| Does anyone have a script that reads remote event logs for only the last 24
hours and instead of listing all failed logins, counts the number for each
user and just logs the user once with the number of times it showed up?
Jason
"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message
news:OnUAv7doEHA.3900@TK2MSFTNGP10.phx.gbl...
> Remove the 'On Error Resume Next' line and run it again.
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "David Doumani" wrote:
> |I have created the following script mostly buy modifying other samples I
> | have fond on the internet, etc... For some reason it have "stopped"
> | working; and I can not find out my mistake that is causing the script to
> | bomb out... It asks for 3 cmd. line arguments (evnet log, ID and remote
> | system) and then does a scan/report for the requested information. Any
> | hints would be more than appreciated.
> |
> |
> | <cut here>
> |
> |
> | Dim Logfile, EventID, Host
> |
> | 'Process the main program
> | ParsecommandLine()
> | EventLogQuery()
> |
> |
> | Sub EventLogQuery()
> | On Error Resume Next
> | strComputer = Host
> | Set objWMIService = GetObject("winmgmts:\\" & strComputer &
> "\root\cimv2")
> |
> | 'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
> | Where Logfile = Security")
> | 'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
> | Where Logfile = '"&Logfile&"' and EventCode = '"&EventID&"'")
> | Set ColItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
> Where
> | Logfile = 'Security' and 'EventCode = '"&EventID&"'")
> |
> |
> |
> | For Each objItem in colItems
> | Wscript.Echo "Category: " & objItem.Category
> | Wscript.Echo "CategoryString: " & objItem.CategoryString
> | Wscript.Echo "ComputerName: " & objItem.ComputerName
> | Wscript.Echo "Data: " & objItem.Data
> | Wscript.Echo "EventCode: " & objItem.EventCode
> | Wscript.Echo "EventIdentifier: " & objItem.EventIdentifier
> | Wscript.Echo "EventType: " & objItem.EventType
> | Wscript.Echo "InsertionStrings: " & objItem.InsertionStrings
> | Wscript.Echo "Logfile: " & objItem.Logfile
> | Wscript.Echo "Message: " & objItem.Message
> | Wscript.Echo "RecordNumber: " & objItem.RecordNumber
> | Wscript.Echo "SourceName: " & objItem.SourceName
> | Wscript.Echo "TimeGenerated: " & objItem.TimeGenerated
> | Wscript.Echo "TimeWritten: " & objItem.TimeWritten
> | Wscript.Echo "Type: " & objItem.Type
> | Wscript.Echo "User: " & objItem.User
> | Next
> | Wscript.Echo "total of requested event: " & colItems.count
> | End Sub
> |
> | 'Get Commandline Arguments Subroutine
> | Sub ParseCommandLine()
> | Dim vArgs
> |
> | set vArgs = WScript.Arguments
> |
> | if vArgs.Count <> 3 then
> | DisplayUsage()
> | Else
> | Logfile = vArgs(0)
> | EventID = vArgs(1)
> | Host = vArgs(2)
> | End if
> | End Sub
> |
> | 'Usage Subroutine
> | Sub DisplayUsage()
> | WScript.Echo
> | WScript.Echo "Example: cscript " & WScript.ScriptName & " " & chr(34)
> &
> | "<logfile> <EventID> <Computer>" & chr(34)
> | WScript.Echo "Example for Local Machine: cscript " & WScript.ScriptName
> &
> "
> | " & chr(34) & "System 3 ." & chr(34)
> | WScript.Echo "Example for Remote Machine: cscript " & WScript.ScriptName
> &
> | " " & chr(34) & "System 3 NEENG" & chr(34)
> | WScript.Quit(0)
> | End Sub
> |
> |
>
>
| |
| David Doumani 2004-09-26, 8:55 pm |
| That didn't seem to help matters; any other ideas?
"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message
news:OnUAv7doEHA.3900@TK2MSFTNGP10.phx.gbl...
> Remove the 'On Error Resume Next' line and run it again.
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "David Doumani" wrote:
> |I have created the following script mostly buy modifying other samples I
> | have fond on the internet, etc... For some reason it have "stopped"
> | working; and I can not find out my mistake that is causing the script to
> | bomb out... It asks for 3 cmd. line arguments (evnet log, ID and remote
> | system) and then does a scan/report for the requested information. Any
> | hints would be more than appreciated.
> |
> |
> | <cut here>
> |
> |
> | Dim Logfile, EventID, Host
> |
> | 'Process the main program
> | ParsecommandLine()
> | EventLogQuery()
> |
> |
> | Sub EventLogQuery()
> | On Error Resume Next
> | strComputer = Host
> | Set objWMIService = GetObject("winmgmts:\\" & strComputer &
"\root\cimv2")
> |
> | 'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
> | Where Logfile = Security")
> | 'Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
> | Where Logfile = '"&Logfile&"' and EventCode = '"&EventID&"'")
> | Set ColItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent
> Where
> | Logfile = 'Security' and 'EventCode = '"&EventID&"'")
> |
> |
> |
> | For Each objItem in colItems
> | Wscript.Echo "Category: " & objItem.Category
> | Wscript.Echo "CategoryString: " & objItem.CategoryString
> | Wscript.Echo "ComputerName: " & objItem.ComputerName
> | Wscript.Echo "Data: " & objItem.Data
> | Wscript.Echo "EventCode: " & objItem.EventCode
> | Wscript.Echo "EventIdentifier: " & objItem.EventIdentifier
> | Wscript.Echo "EventType: " & objItem.EventType
> | Wscript.Echo "InsertionStrings: " & objItem.InsertionStrings
> | Wscript.Echo "Logfile: " & objItem.Logfile
> | Wscript.Echo "Message: " & objItem.Message
> | Wscript.Echo "RecordNumber: " & objItem.RecordNumber
> | Wscript.Echo "SourceName: " & objItem.SourceName
> | Wscript.Echo "TimeGenerated: " & objItem.TimeGenerated
> | Wscript.Echo "TimeWritten: " & objItem.TimeWritten
> | Wscript.Echo "Type: " & objItem.Type
> | Wscript.Echo "User: " & objItem.User
> | Next
> | Wscript.Echo "total of requested event: " & colItems.count
> | End Sub
> |
> | 'Get Commandline Arguments Subroutine
> | Sub ParseCommandLine()
> | Dim vArgs
> |
> | set vArgs = WScript.Arguments
> |
> | if vArgs.Count <> 3 then
> | DisplayUsage()
> | Else
> | Logfile = vArgs(0)
> | EventID = vArgs(1)
> | Host = vArgs(2)
> | End if
> | End Sub
> |
> | 'Usage Subroutine
> | Sub DisplayUsage()
> | WScript.Echo
> | WScript.Echo "Example: cscript " & WScript.ScriptName & " " & chr(34)
&
> | "<logfile> <EventID> <Computer>" & chr(34)
> | WScript.Echo "Example for Local Machine: cscript " & WScript.ScriptName
&
> "
> | " & chr(34) & "System 3 ." & chr(34)
> | WScript.Echo "Example for Remote Machine: cscript " & WScript.ScriptName
&
> | " " & chr(34) & "System 3 NEENG" & chr(34)
> | WScript.Quit(0)
> | End Sub
> |
> |
>
>
| |
| Dave Patrick 2004-09-26, 8:55 pm |
| It wasn't supposed to; other than exposing the error and line number.
--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
"David Doumani" wrote:
| That didn't seem to help matters; any other ideas?
| |
| David Doumani 2004-09-26, 8:55 pm |
| The script seems to run through without On Error Resume Next... - it just
lists 0 events using local/remote machines and known event log entries....
any other thoughts?
"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message
news:uVpkQACpEHA.868@TK2MSFTNGP10.phx.gbl...
> It wasn't supposed to; other than exposing the error and line number.
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "David Doumani" wrote:
> | That didn't seem to help matters; any other ideas?
>
>
| |
| Dave Patrick 2004-09-27, 3:55 am |
| See if this helps. I don't have security auditing turned on so I switched to
system log.
' Script-level values; ParseCommandLine sets them when its call is enabled.
Dim Logfile, EventID, Host

' Main program. Argument parsing is switched off in this test version, so
' EventLogQuery runs with the values it sets itself.
' Call ParseCommandLine()
Call EventLogQuery()
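Sub EventLogQuery()
    ' Test version: lists the System-log records with one fixed event ID from
    ' the local machine, echoing every property of each record and then the
    ' total. There is deliberately no On Error Resume Next, so a failing WMI
    ' call stops the script with its error and line number.
    Dim objWMIService, colItems, objItem, strQuery

    ' Fixed while debugging; the command-line value is not used in this version.
    EventID = 6005

    ' Local machine only ("."). Reading the Security log instead of System
    ' additionally needs the Security privilege requested in the moniker, e.g.
    ' "winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2".
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

    ' CLng raises a type mismatch for anything that is not a number, so only a
    ' numeric value can reach the query text once EventID comes from the
    ' command line again.
    strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = '" & CLng(EventID) & "'"
    Set colItems = objWMIService.ExecQuery(strQuery)

    For Each objItem In colItems
        WScript.Echo "Category: " & objItem.Category
        WScript.Echo "CategoryString: " & objItem.CategoryString
        WScript.Echo "ComputerName: " & objItem.ComputerName
        ' Data and InsertionStrings are array-valued when populated; "&" raises
        ' a type mismatch on an array, so they are flattened to text first.
        WScript.Echo "Data: " & ArrayToText(objItem.Data)
        WScript.Echo "EventCode: " & objItem.EventCode
        WScript.Echo "EventIdentifier: " & objItem.EventIdentifier
        WScript.Echo "EventType: " & objItem.EventType
        WScript.Echo "InsertionStrings: " & ArrayToText(objItem.InsertionStrings)
        WScript.Echo "Logfile: " & objItem.Logfile
        WScript.Echo "Message: " & objItem.Message
        WScript.Echo "RecordNumber: " & objItem.RecordNumber
        WScript.Echo "SourceName: " & objItem.SourceName
        WScript.Echo "TimeGenerated: " & objItem.TimeGenerated
        WScript.Echo "TimeWritten: " & objItem.TimeWritten
        WScript.Echo "Type: " & objItem.Type
        WScript.Echo "User: " & objItem.User

        ' Yes/No/Cancel prompt after each record; only Yes leaves the loop.
        If MsgBox("Exit Loop?", vbYesNoCancel) = vbYes Then
            Exit For
        End If
    Next

    WScript.Echo "total of requested event: " & colItems.Count
End Sub

' Helper for EventLogQuery: renders an array-valued property as one
' comma-separated string; any other value (including Null) is returned as is.
Function ArrayToText(value)
    Dim element, text, separator

    If IsArray(value) Then
        text = ""
        separator = ""
        For Each element In value
            text = text & separator & element
            separator = ", "
        Next
        ArrayToText = text
    Else
        ArrayToText = value
    End If
End Function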
'Get Commandline Arguments Subroutine
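Sub ParseCommandLine()
    ' Copies the three command-line arguments into the script-level Logfile,
    ' EventID and Host. A wrong argument count, or a value that could change the
    ' meaning of the WQL text or the WMI moniker it is later concatenated into,
    ' shows the usage text instead (DisplayUsage ends the script).
    Dim vArgs, argsOk
    Set vArgs = WScript.Arguments

    argsOk = False
    If vArgs.Count = 3 Then
        ' Log name: no quotes or backslashes, which would end or escape the
        ' quoted WQL literal. Event ID: digits only. Computer: host-name
        ' characters only ("." is the local machine).
        argsOk = ArgMatches(vArgs(0), "^[^'""\\]+$") And _
                 ArgMatches(vArgs(1), "^[0-9]{1,10}$") And _
                 ArgMatches(vArgs(2), "^[A-Za-z0-9_.\-]+$")
    End If

    If argsOk Then
        Logfile = vArgs(0)
        EventID = vArgs(1)
        Host = vArgs(2)
    Else
        DisplayUsage()
    End If
End Sub

' Helper for ParseCommandLine: True when text matches the regular expression.
Function ArgMatches(text, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    ArgMatches = re.Test(text)
End Function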
'Usage Subroutine
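Sub DisplayUsage()
    ' Echoes the expected command line with one local and one remote example,
    ' then ends the script.
    ' The three values are shown as separate arguments: wrapped in one pair of
    ' double quotes they reach the script as a single argument, which
    ' ParseCommandLine rejects because it requires exactly three.
    Dim invocation
    invocation = "cscript " & WScript.ScriptName & " "

    WScript.Echo
    WScript.Echo "Usage: " & invocation & "<logfile> <EventID> <Computer>"
    WScript.Echo "Example for Local Machine: " & invocation & "System 3 ."
    WScript.Echo "Example for Remote Machine: " & invocation & "System 3 NEENG"

    ' NOTE(review): exit code 0 is kept from the original; a calling batch file
    ' cannot tell a usage error from a successful run by the exit code.
    WScript.Quit(0)
End Sub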
--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
"David Doumani" wrote:
| The scripts seems to run thru without on error resume next.... - just
lists
| 0 events using local/remote machiens and knows event log entries.... any
| other thoughts?
| |
| Michael Harris \(MVP\) 2004-09-27, 3:55 am |
| David Doumani wrote:
> I have created the following script mostly buy modifying other
> samples I have fond on the internet, etc... For some reason it have
> "stopped" working; and I can not find out my mistake that is causing
> the script to bomb out... It asks for 3 cmd. line arguments (evnet
> log, ID and remote system) and then does a scan/report for the
> requested information. Any hints would be more than appreciated.
>
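To access the Security log, you need to explicitly request the Security
privilege in the WMI moniker, for example
GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2").
The account running the script must also hold that privilege on the target machine...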
See: Google Groups: View Thread "Extracting from Security Log"
Google Groups: View Thread
http://groups.google.com/groups?th=dd80a8b651f731d6
>
> <cut here>
>
>
> Dim Logfile, EventID, Host
>
> 'Process the main program
> ParsecommandLine()
> EventLogQuery()
>
>
> Sub EventLogQuery()
> On Error Resume Next
> strComputer = Host
> Set objWMIService = GetObject("winmgmts:\\" & strComputer &
> "\root\cimv2")
>
> 'Set colItems = objWMIService.ExecQuery("Select * from
> Win32_NTLogEvent Where Logfile = Security")
> 'Set colItems = objWMIService.ExecQuery("Select * from
> Win32_NTLogEvent Where Logfile = '"&Logfile&"' and EventCode =
> '"&EventID&"'")
> Set ColItems = objWMIService.ExecQuery("Select * from
> Win32_NTLogEvent Where Logfile = 'Security' and 'EventCode =
> '"&EventID&"'")
>
>
>
> For Each objItem in colItems
> Wscript.Echo "Category: " & objItem.Category
> Wscript.Echo "CategoryString: " & objItem.CategoryString
> Wscript.Echo "ComputerName: " & objItem.ComputerName
> Wscript.Echo "Data: " & objItem.Data
> Wscript.Echo "EventCode: " & objItem.EventCode
> Wscript.Echo "EventIdentifier: " & objItem.EventIdentifier
> Wscript.Echo "EventType: " & objItem.EventType
> Wscript.Echo "InsertionStrings: " & objItem.InsertionStrings
> Wscript.Echo "Logfile: " & objItem.Logfile
> Wscript.Echo "Message: " & objItem.Message
> Wscript.Echo "RecordNumber: " & objItem.RecordNumber
> Wscript.Echo "SourceName: " & objItem.SourceName
> Wscript.Echo "TimeGenerated: " & objItem.TimeGenerated
> Wscript.Echo "TimeWritten: " & objItem.TimeWritten
> Wscript.Echo "Type: " & objItem.Type
> Wscript.Echo "User: " & objItem.User
> Next
> Wscript.Echo "total of requested event: " & colItems.count
> End Sub
>
> 'Get Commandline Arguments Subroutine
> Sub ParseCommandLine()
> Dim vArgs
>
> set vArgs = WScript.Arguments
>
> if vArgs.Count <> 3 then
> DisplayUsage()
> Else
> Logfile = vArgs(0)
> EventID = vArgs(1)
> Host = vArgs(2)
> End if
> End Sub
>
> 'Usage Subroutine
> Sub DisplayUsage()
> WScript.Echo
> WScript.Echo "Example: cscript " & WScript.ScriptName & " " &
> chr(34) & "<logfile> <EventID> <Computer>" & chr(34)
> WScript.Echo "Example for Local Machine: cscript " &
> WScript.ScriptName & " " & chr(34) & "System 3 ." & chr(34)
> WScript.Echo "Example for Remote Machine: cscript " &
> WScript.ScriptName & " " & chr(34) & "System 3 NEENG" & chr(34)
> WScript.Quit(0)
> End Sub
--
Michael Harris
Microsoft.MVP.Scripting
Sammamish WA US