My holy grail in writing these pages is to combine real world scenarios, with good examples of VBScript
commands. The purpose of this advanced script is to filter Event Log data then write the result into a text file.
On this page, I assume that you have mastered the basics of FSO (File System Object) and that you are looking for fresh examples
to apply the .writeline techniques. The usual VBScript commands will act as the cement which combines FSO and WMI to produce a powerful and adaptable script.
Our real life mission is to filter events from the System Log and then output the results into a text file. Let us pretend that we must review all W32Time errors on your server. A quick
research of the System (not Application) Log reveals that the data we are interested in held messages with an Event ID = 17.
My hidden agenda is that you will use this script as a template. I hope that you will amend the Event ID number so that you can write significant events on your network to a text file.
Possible troubleshooting scenarios are, researching DNS connectivity, Netlogon problems, Active Directory replication. Just investigate which Event ID records the data you are interested in and then
amend the intNumberID in the example script.
By introducing variables, we can choose not only the type of log, for Example Security, Application or System, but also the Event ID number.
What ever problem you are troubleshooting with the Event Viewer, the chances are you only need to analyze one or two of the
hundreds of Event IDs. VBScript, with its 'If ...then. End If' loops is an ideal vehicle for filtering Event Log IDs. You would not want to make life difficult by echoing
the results to screen, it is much more convenient to write the details to a text file.
Prerequisites
I recommend that you logon as administrator. This is a script that will execute equally well on a Windows server or an XP machine.
Instructions for VBScript Event Log
Copy and paste the example script below into notepad or a VBScript editor.
Decide whether to change the value for the strxyz variables.
Double click and check Windows Explorer for your filtered Event Log details.
Sample Script to Write Event Log Data to a File
' EventLogFSOvbs ' Example VBScript Event Log to create a file ' Author Guy Thomas http://computerperformance.co.uk/ ' Version 1.8 - June 2010 '
---------------------------------------------------------' Option Explicit
Dim objFso, objFolder, objWMI, objItem, objShell, strEventLog Dim strFile, strComputer, strFolder, strFileName, strPath
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
' --------------------------------------------- ' Set the folder and file name ' Set numbers intNumberID = 17 ' Event ID
Number intRecordNum = 0
'
--------------------------------------------- ' Section to create folder and hold file. Set objFso = CreateObject("Scripting.FileSystemObject") If objFSO.FolderExists(strFolder) Then Set
objFolder = objFSO.GetFolder(strFolder) Else Set objFolder = objFSO.CreateFolder(strFolder) Wscript.Echo "Folder created " & strFolder End If
Wscript.Echo " Press OK and Wait 30 seconds
(ish)" Set strFile = objFso.CreateTextFile(strPath, True) Set objWMI = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" _ & strComputer & "\root\cimv2") Set colLoggedEvents =
objWMI.ExecQuery _ ("Select * from Win32_NTLogEvent Where Logfile = " & strEventLog)
' ----------------------------------------- ' Next section loops through ID properties
For Each objItem
in colLoggedEvents If objItem.EventCode = intNumberID Then
' Second Loop to filter only if they tried Administrator strFile.WriteLine("Category: " & objItem.Category _ & " string " &
objItem.CategoryString) strFile.WriteLine("ComputerName: " & objItem.ComputerName) strFile.WriteLine("Logfile: " & objItem.Logfile _ & " source " & objItem.SourceName)
strFile.WriteLine("EventCode: " & objItem.EventCode) strFile.WriteLine("EventType: " & objItem.EventType) strFile.WriteLine("Type: " & objItem.Type) strFile.WriteLine("User: " & objItem.User)
strFile.WriteLine("Message: " & objItem.Message) strFile.WriteLine (" ") intRecordNum = intRecordNum +1 End If Next
' Confirms the script has completed and opens the file Set objShell =
CreateObject("WScript.Shell") objShell.run ("Explorer" &" " & strPath & "\" )
WScript.Quit
' End of Guy's Sample FSO VBScript
Guy Recommends: SolarWinds' Log & Event Management Tool
LEM will alert you to problems such as when a key
application on a particular server is unavailable. It can also
detect when services have stopped, or if there is a
network latency problem. Perhaps this log and event management
tool's most interesting ability is to take corrective action, for
example by
restarting services, or isolating the source of a maleware attack.
Yet perhaps the killer reason why people
use LEM is for its
compliance capability, with a little help from you, it will ensure that your organization complies with industry
standards such as CISP or FERPA. LEM is a really smart
application that can make correlations between data in different logs,
then use its built-in logic to take corrective action, to restart services,
or thwart potential security breaches - give LEM a whirl.
1) Once the script is working, you can have fun changing the values of the various variables, for example, selecting
different Event IDs. Take the time to investigate important events ids in other logs, for example the Application log. Another suggestions is to investigate the system log, but on a different machine.
2) strEventLog = " 'Security' " nearly drove me mad. You have to be precise with the
speech marks and the spaces. " ' Security '" has too much space between the single quotes and the name Security.
3) In this example, I have employed objShell.run to help the
reader
by opening the text file ready to examine the entries.
4) You may wish to review my other FSO examples and try adding lines that append the data rather than over-write.
Example
VBScript Event Log - Interrogate the
System Log
Scenario:
You want to extract a particular event ID from the system
log. Let us pretend that you have become paranoid about synchronizing
the time on all servers. Following a little research of the system log, you want a list
of all records showing WinTime Event ID:12.
Talking of dilemma's. I was torn between putting in an extra
message box to show that something was happening, and just leaving you to
wait for an eternity before your first file is created. In the event I
put in two message boxes. Warning, remember that you must dismiss the
FIRST message box so that the script will continue processing.
Suggestion, once you realise how long the script needs to process the logs, then ' Rem out the WScript.Echo " Press OK.."
Instructions
Pre-requisites. For this script to work, you need any modern
operating system Windows 2000, 2003 or XP.
Copy and paste the script below into notepad. Important: Check the Variables section of the script, make alterations to
strFolder.
Save the file with .vbs extension e.g. Event12.vbs.
Double click. Press OK to dismiss the first Message Box. I
hope you didn't get a 'Path not found error' if you did check 3.
WARNING, Note well, nothing more will happen until you dismiss the First Message box.
Use the second the message box to find your text file!
' EventID12.vbs ' VBScript Event Log example to check the Event ID.
' Version 1.9
' Guy Thomas 1st August 2010
Option Explicit
Dim objFso, objFolder, objWMI, objEvent ' Objects
Dim strFile, strComputer, strFolder, strFileName, strPath ' Strings
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
' --------------------------------------------
' Set your variables
intNumberID = 12 ' Event ID Number
intEvent = 1
intRecordNum = 1
' ----------------------------------------
' Section to create folder to hold file.
Set objFso = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
Set objFolder = objFSO.GetFolder(strFolder)
Else
Set objFolder = objFSO.CreateFolder(strFolder)
Wscript.Echo "Folder created " & strFolder
End If
Set strFile = objFso.CreateTextFile(strPath, True)
'--------------------------------------------
' Next section creates the file to store Events
' Then creates WMI connector to the Logs
Set objWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System'" )
Wscript.Echo " Press OK and Wait 30 seconds (ish)"
' -----------------------------------------
' Next section loops through ID properties
intEvent = 1
For Each objEvent in colLoggedEvents
If objEvent.EventCode = intNumberID Then
Recommended: Solarwinds' Permissions Analyzer - Free Active Directory Tool
I like the
Permissions Analyzer because it enables me to see WHO has permissions
to do WHAT at a glance. When you launch this tool it analyzes a users effective NTFS
permissions for a specific file or folder, and takes into account network share
access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free SolarWinds utility saves when you are
troubleshooting authorization problems for user's access to a resource.
Give this permissions monitor a try - it's free!
Option Explicit - This forces me to declare my variables, which I do with Dim
(dimension) statements. Guy loosely follows the Hungarian convention
where the 'str' prefix means a string variable where as 'int' means an integer or number. Guess what obj means? Yes object.
Note 2: ' Set your variables
If Guy wrote the script, then always check the script for variables. Whilst I try to
design scripts which run as automatically as possible, there are occasions -
such as this script, where you need to adjust a variable. It would be boring if I set the path to C:\,
so change strPath to match a file in a folder on your machine. In the
case of this
script, I hope that editing strPath will make you think, 'Where should I
look for the output?'
The variables beginning with 'int' are for numbers.
Note 3: FSO - Primer.
How can we output the information? WScript.Echo has its place, but
in this example it would swamp you with data and give you RSI from clicking
the message boxes. No, we need a different vehicle for the output.
This is where FSO comes in handy, use objFSO to create a file object
corresponding to strFile. We
can then fill strFile with data from the event logs. The idea is that we use notepad
to read the events at our leisure. As a matter of interest,
'True' in this context means over-write the file referenced by strPath.
Time to take a break from our long journey to find those events log IDs.
Please find the time to admire how the script creates the c:\GuyScripts
folder. Once again, check how FSO uses those 'Get' and 'Create' statements,
as in GetFolder and CreateFolder.
Note 4: Pure WMI.
WMI stands for Windows Management Interface, in practice this means the
script's direct line to the operating system's information store. In
logon scripts, you may have seen CreateObject("wscript.network"), well here
with WMI, the
key object is winmgmts. Windows, or to be precise - winmgmts,
knows about WIN32_xyz objects, for example, printers, computers or disks. In
our case, the object that we are interested in is the event log - to be
precise WIN32_NTLogEvent. Incidentally a good scripting program like
VBsEdit will show you all these WMI objects and assist you in interrogating
them.
Note the tiny word 'Set'. So often in VBScript the 'Set'
command is essential to create, form or hold the object you are working on.
'Impersonate' sets the security credentials, in this case just accept
that we use the
default security settings.
The operating system, and its front end - the registry are
huge places. "\root\cimv2" tells WMI where to connect, or where to
begin, in its search for the winmgmts objects.
Col or ColLoggedEvents means collation rather like a collection.
This instruction makes
sense for Event Logs which have zillions of properties. Think of col as part of the mechanism to
extract information and write it to a file.
With scripting, each and every word is important, here we see an SQL
transact type statement: "Select * from Win32_NTLogEvent Where Logfile =
'System'. I would like to draw your attention to the 'Where'.
What is happening is that the script is searching through the System Log as
opposed to the Application or Security log. Useful information if you
wanted to amend my script.
Guy
Recommends: WMI Monitor and It's Free!
Windows Management Instrumentation (WMI) is one of the hidden
treasures of Microsoft's operating systems. Fortunately, SolarWinds
have created a
Free WMI Monitor so that you can discover these gems of performance
information, and thus improve your scripts.
Take the guess work out of which WMI counters to use when scripting the
operating system, Active Directory or Exchange Server. Give this WMI monitor a
try - it's free.
The scripting work is practically finished, all that is left is a logic or business decision about which properties to record in strFile. In cases where you are not interested in a particular property,
simply comment out the lines, or be ruthless and just delete the offending line.
So much of the power of a script, any script, comes from the ability to mechanically cycle through data. Here we employ not the simple For... Next loop, but the more advanced, For EACH .... Next
loop.
In order to filter the data, we have one of the oldest. but most versatile commands, 'If
Then... End If. Remember that in our featured script we only want a specific Event ID, a number
held by the intNumberID variable, perfect for an If statement. (Just remember that End If.)
The final method featured by this script is: .writeline.
Our script needs to be instructed what to do with the objEvent property; writeline
provides that link and outputs the events to strFile. If you remember,
strFile is the variable that holds the filename for
the script output.
When you are researching Event Logs, you may find it easier to handle the data if you filter
data for the Event ID under investigation. The combination of FSO, WMI and VBScript is ideal for reading the Event Logs and refining the data into a text file.
If you like this page then please share it with your friends
Windows Management Instrumentation (WMI) is
most useful for PowerShell scripting.
SolarWinds
have produced this
Free WMI Monitor to take the guess work out of which
WMI counters to use for applications like Microsoft Active Directory,
SQL or Exchange Server.
