fortypoundhead.com

Using VBScript to manage Event Logs

Posted On 2008-06-07 by dwirch
Tags: Scripting Tutorial Windows


Just a quick little post to share some VBScripts that could be handy for automating management of Windows Event Logs.

Adding a Support URL to an Event Log Entry

Writes an event to the Application event log that includes a support URL.

Const EVENT_FAILED = 1    ' LogEvent type 1 = Error
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_FAILED, _
  "Payroll application could not be installed. " _
  & "Additional information is available from http://www.fabrikam.com."

Adding WMI Data to an Event Log Entry

Writes an event that includes additional information such as user name and the amount of free disk space on the computer.

Const EVENT_FAILED = 1    ' LogEvent type 1 = Error (2 would log a Warning)
Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colDiskDrives = objWMIService.ExecQuery _
  ("Select * from Win32_PerfFormattedData_PerfDisk_LogicalDisk")
' Build one line per logical disk; the assignment must append, not replace.
strDriveSpace = ""
For Each objDisk in colDiskDrives
    strDriveSpace = strDriveSpace & objDisk.Name & " " _
      & objDisk.FreeMegabytes & " MB" & VbCrLf
Next
strEventDescription = "Payroll application could not be installed on " _
  & objNetwork.UserDomain & "\" & objNetwork.ComputerName _
  & " by user " & objNetwork.UserName _
  & ". Free space on each drive is: " & VbCrLf & strDriveSpace
objShell.LogEvent EVENT_FAILED, strEventDescription

Asynchronous Event Log Querying

Uses an asynchronous query to retrieve all the events recorded in all the event logs. This approach is faster than retrieving a large number of events using a synchronous query.

Const POPUP_DURATION = 10   ' seconds the popup (and so the script) stays alive
Const OK_BUTTON = 0
Set objWshShell = Wscript.CreateObject("Wscript.Shell")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Results are delivered to the SINK_ subroutines below while the script is still running.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"
intResult = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
  "Event Retrieval", OK_BUTTON)

Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
   WScript.Echo "Asynchronous operation is done."
End Sub

Sub SINK_OnObjectReady(objEvent, objAsyncContext)
   Wscript.Echo "Category: " & objEvent.Category
   Wscript.Echo "Computer Name: " & objEvent.ComputerName
   Wscript.Echo "Event Code: " & objEvent.EventCode
   Wscript.Echo "Message: " & objEvent.Message
   Wscript.Echo "Record Number: " & objEvent.RecordNumber
   Wscript.Echo "Source Name: " & objEvent.SourceName
   Wscript.Echo "Time Written: " & objEvent.TimeWritten
   Wscript.Echo "Event Type: " & objEvent.Type
   Wscript.Echo "User: " & objEvent.User
End Sub

Backing Up and Clearing an Event Log

Backs up and clears the Application event log.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,(Backup)}!\\" _
  & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogFile in colLogFiles
    ' BackupEventLog returns 0 on success; clear the log only once the backup exists.
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog <> 0 Then
      Wscript.Echo "The Application event log could not be backed up."
    Else
      objLogFile.ClearEventLog()
    End If
Next

Backing Up and Clearing Large Event Logs

Backs up and clears an event log if the log file size is larger than 20 megabytes.

Const MAX_LOG_BYTES = 20971520   ' 20 megabytes (20 * 1024 * 1024)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,(Backup,Security)}!\\" _
  & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile")
For Each objLogFile in colLogFiles
    If objLogFile.FileSize > MAX_LOG_BYTES Then
      errBackupLog = objLogFile.BackupEventLog _
        ("c:\scripts\" & objLogFile.LogFileName & ".evt")
      ' Clear only after a successful backup (return value 0).
      If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
      Else
        Wscript.Echo "The " & objLogFile.LogFileName & " log could not be backed up."
      End If
    End If
Next

Configuring Event Log Properties

Sets the maximum size of all event logs to 250 megabytes, and enables the log to overwrite any events older than 14 days.

Const MAX_LOG_BYTES = 262144000   ' 250 megabytes (250 * 1024 * 1024)
Const RETENTION_DAYS = 14
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,(Security)}!\\" _
  & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile")
For Each objLogFile in colLogFiles
    strLogFileName = objLogFile.Name
    Set wmiSWbemObject = GetObject _
      ("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2:" _
      & "Win32_NTEventLogFile.Name='" & strLogFileName & "'")
    wmiSWbemObject.MaxFileSize = MAX_LOG_BYTES
    wmiSWbemObject.OverwriteOutdated = RETENTION_DAYS
    wmiSWbemObject.Put_
Next

Copying Event Log Events to a Database

Retrieves events from all the event logs and records these in a database with the DSN Name EventLogs.

Const adUseClient = 3
Const adOpenStatic = 3
Const adLockOptimistic = 3
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = adUseClient
objRS.Open "SELECT * FROM EventTable", objConn, adOpenStatic, adLockOptimistic
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent")
For Each objEvent in colRetrievedEvents
    objRS.AddNew
    objRS("Category") = objEvent.Category
    objRS("ComputerName") = objEvent.ComputerName
    objRS("EventCode") = objEvent.EventCode
    objRS("Message") = objEvent.Message
    objRS("RecordNumber") = objEvent.RecordNumber
    objRS("SourceName") = objEvent.SourceName
    objRS("TimeWritten") = objEvent.TimeWritten
    objRS("Type") = objEvent.Type
    objRS("User") = objEvent.User
    objRS.Update
Next
objRS.Close
objConn.Close

Copying the Previous Day’s Event Log Events to a Database

Retrieves events from all the event logs that were recorded on the previous day, and writes these records to a database with the DSN Name EventLogs.

Const adUseClient = 3
Const adOpenStatic = 3
Const adLockOptimistic = 3
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = adUseClient
objRS.Open "SELECT * FROM EventTable", objConn, adOpenStatic, adLockOptimistic
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' SWbemDateTime's default property (Value) supplies the DMTF string WQL expects.
Set colEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
  & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
    objRS.AddNew
    objRS("Category") = objEvent.Category
    objRS("ComputerName") = objEvent.ComputerName
    objRS("EventCode") = objEvent.EventCode
    objRS("Message") = objEvent.Message
    objRS("RecordNumber") = objEvent.RecordNumber
    objRS("SourceName") = objEvent.SourceName
    objRS("TimeWritten") = objEvent.TimeWritten
    objRS("Type") = objEvent.Type
    objRS("User") = objEvent.User
    objRS.Update
Next
objRS.Close
objConn.Close

Creating a Custom Event Log

Creates a custom event log named Scripts.

Const NO_VALUE = Empty
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite _
  "HKLM\System\CurrentControlSet\Services\EventLog\Scripts\", NO_VALUE

Creating Unique File Names for Event Log Backups

Backs up and clears the Application event log, generating a unique file name for each backup based on the current date.

dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,(Backup)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogFile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\" & strBackupName & _
      "_application.evt")
    ' Clear only after a successful backup (return value 0).
    If errBackupLog = 0 Then
      objLogFile.ClearEventLog()
    Else
      Wscript.Echo "The Application event log could not be backed up."
    End If
Next

Querying an Event Log for Stop Events

Queries the System event log for any events written in regards to a stop event (blue screen).

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where Logfile = 'System'" _
  & " and SourceName = 'SaveDump'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Event date: " & objEvent.TimeGenerated
    Wscript.Echo "Description: " & objEvent.Message
Next

Querying a Specific Event Log

Retrieves all the events from the System event log.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next

Retrieving Specific Events from an Event Log

Retrieves all events with an event code of 6008 from the System event log.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' EventCode is numeric (uint16), so it is compared without quotes.
Set colLoggedEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
  & "EventCode = 6008")
Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count

Retrieving All Events from an Event Log

Retrieves all the events from all the event logs on a computer. Note: This is primarily a demonstration script. It can take several hours, or more, to run, depending on the number of events recorded in your event logs.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' No Where clause: every log on the computer is read.
Set colLoggedEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next
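The query scripts above print one "Label: value" line per property, and the script before them counts matching events. The Python below is an added example, not part of the original post: it parses that output (for instance saved with cscript //nologo query.vbs > events.txt) back into records, keeping messages that span several lines intact, and tallies them by type, by source for errors, and by event code. The sample output is constructed; the type mapping is Win32_NTLogEvent.EventType's documented values.

```python
from collections import Counter
from typing import Dict, List

# Field labels in the order the query scripts echo them. "Category" is always
# the first line of a record, so it marks where a new record begins.
FIELDS = ["Category", "Computer Name", "Event Code", "Message", "Record Number",
          "Source Name", "Time Written", "Event Type", "User"]

# Win32_NTLogEvent.EventType values.
EVENT_TYPES = {"1": "Error", "2": "Warning", "3": "Information",
               "4": "Audit Success", "5": "Audit Failure"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the 'Label: value' output of the scripts into records. A line that
    does not start with a known label continues the previous field, which is
    how multi-line messages survive; the one ambiguity left is a message line
    that itself begins with one of the labels."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    field = ""
    for line in text.splitlines():
        for name in FIELDS:
            if line.startswith(name + ":"):
                if name == FIELDS[0]:
                    current = {}
                    records.append(current)
                if not records:
                    raise ValueError("field before first record: %r" % line)
                field = name
                current[field] = line[len(name) + 1:].strip()
                break
        else:
            if field:
                current[field] += "\n" + line
    return records


def count_by_type(records: List[Dict[str, str]]) -> Counter:
    return Counter(EVENT_TYPES.get(r.get("Event Type", ""), "Unknown") for r in records)


def errors_by_source(records: List[Dict[str, str]]) -> Counter:
    """Error events only, tallied per source: the 'count all the errors' question."""
    return Counter(r.get("Source Name", "") for r in records
                   if r.get("Event Type") == "1")


def count_event_code(records: List[Dict[str, str]], code: int) -> int:
    return sum(1 for r in records if r.get("Event Code") == str(code))


# Constructed sample of what the query scripts print (one event per block;
# the second message spans two lines, the first two users are empty).
SAMPLE_OUTPUT = "\n".join([
    "Category: 0",
    "Computer Name: WORKSTATION01",
    "Event Code: 6008",
    "Message: The previous system shutdown at 7:12:03 AM on 6/7/2008 was unexpected.",
    "Record Number: 1042",
    "Source Name: EventLog",
    "Time Written: 20080607131203.000000-480",
    "Event Type: 1",
    "User: ",
    "Category: 0",
    "Computer Name: WORKSTATION01",
    "Event Code: 7034",
    "Message: The Print Spooler service terminated unexpectedly.",
    "It has done this 1 time(s).",
    "Record Number: 1043",
    "Source Name: Service Control Manager",
    "Time Written: 20080607131500.000000-480",
    "Event Type: 1",
    "User: ",
    "Category: 0",
    "Computer Name: WORKSTATION01",
    "Event Code: 6005",
    "Message: The Event log service was started.",
    "Record Number: 1044",
    "Source Name: EventLog",
    "Time Written: 20080607131600.000000-480",
    "Event Type: 3",
    "User: NT AUTHORITY\\SYSTEM",
])

if __name__ == "__main__":
    recs = parse_events(SAMPLE_OUTPUT)
    print(count_by_type(recs))
    print(errors_by_source(recs))
    print("Improper shutdowns:", count_event_code(recs, 6008))
```

Redirecting the script output to a file and parsing it this way avoids the one-message-box-per-event problem that comes with running the scripts under wscript.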

Retrieving Event Log Properties

Retrieves a list of properties for all the event logs on a computer, except the Security event log.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objInstalledLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile")
For each objLogfile in objInstalledLogFiles
    Wscript.Echo "Name: " & objLogfile.LogFileName
    Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
    ' OverWriteOutdated is a uint32: 0 = overwrite as needed, 1-365 = days to keep,
    ' 4294967295 = never overwrite (which is what the > 365 test catches).
    If objLogfile.OverWriteOutdated > 365 Then
      Wscript.Echo "Overwrite Outdated Records: Never." & VbCrLf
    ElseIf objLogfile.OverWriteOutdated = 0 Then
      Wscript.Echo "Overwrite Outdated Records: As needed." & VbCrLf
    Else
      Wscript.Echo "Overwrite Outdated Records After: " & _
        objLogfile.OverWriteOutdated & " days" & VbCrLf
    End If
Next
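The three interpretations of OverWriteOutdated above, together with the size tests in the backup scripts, are what a defender needs to judge whether a log will still hold evidence when it is wanted. The Python below is an added example, not code from the post: it models the Win32_NTEventLogFile properties the scripts read, applies the same classification and the 20 MB threshold, and flags two configurations that lose events (a small log overwritten as needed, and a full log set to never overwrite). The sample values and the 16 MB policy threshold are constructed.

```python
from dataclasses import dataclass
from typing import List

# Win32_NTEventLogFile.OverwriteOutdated is a uint32: 0 = overwrite as needed,
# 1..365 = days to keep, 4294967295 = never overwrite.
NEVER_OVERWRITE = 4294967295
MB = 1024 * 1024
# Constructed policy threshold: below this, "overwrite as needed" loses events fast.
MIN_SIZE_FOR_AS_NEEDED = 16 * MB


@dataclass
class LogFileInfo:
    """The Win32_NTEventLogFile properties the scripts on this page read."""
    log_file_name: str
    file_size: int           # current size on disk, bytes
    max_file_size: int       # configured maximum, bytes
    overwrite_outdated: int  # 0, 1..365, or NEVER_OVERWRITE
    number_of_records: int


def describe_retention(overwrite_outdated: int) -> str:
    """Same three-way classification the properties script prints."""
    if overwrite_outdated == 0:
        return "As needed."
    if overwrite_outdated > 365:
        return "Never."
    return "After %d days" % overwrite_outdated


def needs_backup(info: LogFileInfo, threshold_mb: int = 20) -> bool:
    """The 'larger than 20 megabytes' test with the unit made explicit."""
    return info.file_size > threshold_mb * MB


def retention_findings(info: LogFileInfo) -> List[str]:
    """Configuration problems that cost a defender evidence."""
    findings = []
    if info.overwrite_outdated == 0 and info.max_file_size < MIN_SIZE_FOR_AS_NEEDED:
        findings.append("%s: %d KB log overwritten as needed; older events are lost "
                        "before a scheduled backup runs"
                        % (info.log_file_name, info.max_file_size // 1024))
    if info.overwrite_outdated > 365 and info.file_size >= info.max_file_size:
        findings.append("%s: log is full and set to never overwrite; new events "
                        "are dropped until it is backed up and cleared"
                        % info.log_file_name)
    return findings


def triage(logs: List[LogFileInfo]) -> List[str]:
    """One report line per log, followed by any findings for that log."""
    lines = []
    for info in logs:
        lines.append("%s: %d records, %d/%d MB, overwrite: %s, backup needed: %s" % (
            info.log_file_name, info.number_of_records, info.file_size // MB,
            info.max_file_size // MB, describe_retention(info.overwrite_outdated),
            "yes" if needs_backup(info) else "no"))
        lines.extend("  ! " + f for f in retention_findings(info))
    return lines


# Constructed sample: values a Win32_NTEventLogFile query might return.
SAMPLE_LOGS = [
    LogFileInfo("Application", 512 * 1024, 512 * 1024, 0, 800),
    LogFileInfo("Security", 32 * MB, 32 * MB, NEVER_OVERWRITE, 50000),
    LogFileInfo("System", 1 * MB, 250 * MB, 14, 1200),
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOGS)))
```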

Retrieving Events For One Day From An Event Log

Retrieves all the events recorded on a specific date from all the event logs.

Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = CDate("2/18/2002")
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
  & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next
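Both date-range scripts (the previous-day database copy and the one-day query above) rely on SWbemDateTime to turn a VBScript date into the DMTF datetime string that Win32_NTLogEvent.TimeWritten carries, and then concatenate it into the WQL filter. The Python below is an added example, not part of the original post: it builds the same strings and the same half-open day window, parses TimeWritten values back into timestamps, and quotes string literals with WQL's backslash escaping so a value cannot end the literal early. The UTC-8 offset is an assumption standing in for the local zone that SetVarDate with bIsLocal = True would use.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Constructed offset for the examples: UTC-8. SWbemDateTime.SetVarDate with
# bIsLocal = True uses the machine's own zone; it is explicit here so the code
# behaves the same on any host.
LOCAL_TZ = timezone(timedelta(hours=-8))


def to_dmtf(dt: datetime) -> str:
    """Format an aware datetime as a DMTF (CIM_DATETIME) string, the form
    Win32_NTLogEvent.TimeWritten uses: yyyymmddHHMMSS.ffffff+UUU,
    where UUU is the offset from UTC in minutes."""
    if dt.utcoffset() is None:
        raise ValueError("datetime must be timezone-aware")
    minutes = int(dt.utcoffset().total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    return "%s%s%03d" % (dt.strftime("%Y%m%d%H%M%S.%f"), sign, abs(minutes))


def from_dmtf(text: str) -> datetime:
    """Parse a DMTF datetime string back into an aware datetime."""
    if len(text) != 25 or text[21] not in "+-":
        raise ValueError("not a DMTF datetime: %r" % text)
    naive = datetime.strptime(text[:21], "%Y%m%d%H%M%S.%f")
    minutes = int(text[22:])
    if text[21] == "-":
        minutes = -minutes
    return naive.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def wql_quote(value: str) -> str:
    """Quote a value as a WQL string literal. WQL uses backslash escapes, so
    both the backslash and the quote character are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def day_filter(day: date, tz: timezone = LOCAL_TZ,
               logfile: Optional[str] = None) -> str:
    """The query the two scripts assemble with SWbemDateTime: events written
    on `day` in local time, as a half-open window [start, start + 1 day)."""
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    end = start + timedelta(days=1)
    clause = "TimeWritten >= %s and TimeWritten < %s" % (
        wql_quote(to_dmtf(start)), wql_quote(to_dmtf(end)))
    if logfile is not None:
        clause = "Logfile = %s and %s" % (wql_quote(logfile), clause)
    return "Select * from Win32_NTLogEvent Where " + clause


def previous_day_filter(today: date, tz: timezone = LOCAL_TZ) -> str:
    """Equivalent of DateToCheck = Date - 1 in the previous-day script."""
    return day_filter(today - timedelta(days=1), tz)


def in_day(time_written: str, day: date, tz: timezone = LOCAL_TZ) -> bool:
    """Client-side version of the same window, for records already exported.
    Aware datetimes compare by instant, so a TimeWritten recorded with a
    different UTC offset still lands on the right day."""
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    return start <= from_dmtf(time_written) < start + timedelta(days=1)


if __name__ == "__main__":
    print(day_filter(date(2002, 2, 18)))
    print(previous_day_filter(date.today()))
```

The same quoting helper applies to the Logfile and SourceName literals in the other queries on this page: the names there are fixed, but anything taken from a parameter or a file should go through it.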

Retrieving Security Log Properties

Retrieves properties for the Security event log.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    Wscript.Echo "Number of Records: " & objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " & objLogFile.MaxFileSize
Next

Reports the number of events currently recorded in the System event log.

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
  ("Select * from Win32_NTEventLogFile where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo "Number of Records: " & objLogFile.NumberOfRecords
Next

Writing to a Custom Event Log Using EventCreate

Uses the EventCreate.exe utility to write an event to a custom event log named Scripts.

Set WshShell = WScript.CreateObject("WScript.Shell")
strCommand = "eventcreate /T Error /ID 100 /L Scripts /D " & _
  Chr(34) & "Test event." & Chr(34)
WshShell.Run strCommand

Writing Events to the Local Event Log

Writes an event to the Application event log on the local computer.

Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
  "Payroll application successfully installed."

Writing Events to a Remote Event Log

Writes an event to the Application event log on a remote computer named PrimaryServer.

Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
  "Payroll application successfully installed." , "\\PrimaryServer"


About the Author

dwirch has posted a total of 181 articles.

You can find more information from dwirch by visiting http://www.derekwirch.com.


Comments On This Post

By: AnonymousCoward
Date: 2015-02-20

Can I get a basic VB Script to count all the errors only from my server?

By: dwirch
Date: 2015-02-20

Modify this as needed to query for specific events in specific logs. Note this outputs to a message box, so you may want to change where the output goes. If you have a lot of events that match the criteria, you'll be clicking OK a lot. Watch out for line wrap in the code below:

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
  & "EventCode = 6008")
Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count

 

