A VBScript Tutorial for Writing Event Log Data to a File
My holy grail in writing these pages is to combine real-world scenarios with good examples of VBScript commands. The purpose of this advanced script is to filter Event Log data and then write the result into a text file.
On this page, I assume that you have mastered the basics of FSO (File System Object) and that you are looking for fresh examples to apply the .WriteLine techniques. The usual VBScript commands will act as the cement which combines FSO and WMI to produce a powerful and adaptable script.
Our real-life mission is to filter events from the System Log and then output the results into a text file. Let us pretend that we must review all W32Time errors on your server. A quick search of the System (not Application) Log reveals that the data we are interested in is held in messages with an Event ID = 17.
My hidden agenda is that you will use this script as a template. I hope that you will amend the Event ID number so that you can write significant events on your network to a text file. Possible troubleshooting scenarios are researching DNS connectivity, Netlogon problems and Active Directory replication. Just investigate which Event ID records the data you are interested in and then amend intNumberID in the example script.
By introducing variables, we can choose not only the type of log, for example Security, Application or System, but also the Event ID number.
Whatever problem you are troubleshooting with the Event Viewer, the chances are you only need to analyze one or two of the hundreds of Event IDs. VBScript, with its 'If ... Then ... End If' statements, is an ideal vehicle for filtering Event Log IDs. You would not want to make life difficult by echoing the results to screen; it is much more convenient to write the details to a text file.
Prerequisites
I recommend that you log on as administrator. This is a script that will execute equally well on a Windows server or an XP machine.
Instructions for Writing Event Log Data to a File
Copy and paste the example script below into Notepad or a VBScript editor.
Decide whether to change the value for the strxyz variables.
Double-click the script and check Windows Explorer for your filtered Event Log details.
Sample Script to Write Event Log Data to a File
' EventLogFSO.vbs
' Example VBScript to interrogate the Event Log and create a file
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.8 - June 2005
' ---------------------------------------------------------'
Option Explicit
Dim objFso, objFolder, objWMI, objItem, objShell, strEventLog
Dim strFile, strComputer, strFolder, strFileName, strPath
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents

' --------------------------------------------------------
' Set the folder and file name
' (the values below are placeholders; change them to suit your machine)
strComputer = "."              ' local machine
strFolder = "C:\Logs"          ' placeholder folder
strFileName = "\Event17.txt"   ' placeholder file name
strPath = strFolder & strFileName
strEventLog = " 'System' "     ' log to search, single quotes inside the string
' Set numbers
intNumberID = 17 ' Event ID Number
intRecordNum = 0

' -----------------------------------------------------
' Section to create folder and hold file.
Set objFso = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
   Set objFolder = objFSO.GetFolder(strFolder)
Else
   Set objFolder = objFSO.CreateFolder(strFolder)
   Wscript.Echo "Folder created " & strFolder
End If

Wscript.Echo " Press OK and Wait 30 seconds (ish)"
' True = overwrite the file if it already exists
Set strFile = objFso.CreateTextFile(strPath, True)
Set objWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = " & strEventLog)

' -----------------------------------------
' Next section loops through ID properties
For Each objItem in colLoggedEvents
   If objItem.EventCode = intNumberID Then
      ' Write the details of each event that matches intNumberID
      strFile.WriteLine("Category: " & objItem.Category _
      & " string " & objItem.CategoryString)
      strFile.WriteLine("ComputerName: " & objItem.ComputerName)
      strFile.WriteLine("Logfile: " & objItem.Logfile _
      & " source " & objItem.SourceName)
      strFile.WriteLine("EventCode: " & objItem.EventCode)
      strFile.WriteLine("EventType: " & objItem.EventType)
      strFile.WriteLine("Type: " & objItem.Type)
      strFile.WriteLine("User: " & objItem.User)
      strFile.WriteLine("Message: " & objItem.Message)
      strFile.WriteLine (" ")
      intRecordNum = intRecordNum + 1
   End If
Next
' Close the file so that every line is written to disk before it is opened
strFile.Close

' Confirms the script has completed and opens the file
Set objShell = CreateObject("WScript.Shell")
objShell.run ("Explorer" &" " & strPath & "\" )
1) Once the script is working, you can have fun changing the values of the various variables, for example, selecting different Event IDs. Take the time to investigate important event IDs in other logs, for example the Application log. Another suggestion is to investigate the System log, but on a different machine.
2) strEventLog = " 'Security' " nearly drove me mad. You have to be precise with the speech marks and the spaces. " ' Security '" has too much space between the single quotes and the name Security.
3) In this example, I have employed objShell.run to help the reader by opening the text file ready to examine the entries.
4) You may wish to review my other FSO examples and try adding lines that append the data rather than over-write.
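Notes 2 and 4 as an added example, which is not part of the original script and goes a little beyond it: a helper quotes and escapes the log name so the speech-mark spacing no longer matters, the Event ID filter moves into the WQL query so WMI returns only matching records, and the file is opened for appending. The helper name WqlLiteral and the path C:\Logs\Event17.txt are assumptions made for this example.

```vbscript
' Added example, not part of the original script.
' Assumed names: WqlLiteral helper, C:\Logs\Event17.txt output file.
Option Explicit
Const ForAppending = 8
Dim objFSO, objFile, objWMI, colEvents, objItem, strQuery, strPriv
Dim strComputer, strFolder, strPath, strEventLog, intNumberID, intRecordNum

strComputer = "."
strFolder = "C:\Logs"                 ' assumed folder
strPath = strFolder & "\Event17.txt"  ' assumed file name
strEventLog = "System"                ' plain log name, no speech marks
intNumberID = 17
intRecordNum = 0

' Quote a value for WQL: trim stray spaces, escape \ and ' with a backslash
Function WqlLiteral(strValue)
   Dim strSafe
   strSafe = Replace(Trim(strValue), "\", "\\")
   strSafe = Replace(strSafe, "'", "\'")
   WqlLiteral = "'" & strSafe & "'"
End Function

' Let WMI filter on Event ID, so only matching records are returned
strQuery = "Select * from Win32_NTLogEvent Where Logfile = " _
   & WqlLiteral(strEventLog) & " And EventCode = " & CLng(intNumberID)

' Reading the Security log needs the Security privilege in the moniker
strPriv = ""
If LCase(strEventLog) = "security" Then strPriv = ",(Security)"
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate" _
   & strPriv & "}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMI.ExecQuery(strQuery)

Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(strFolder) Then objFSO.CreateFolder strFolder
' ForAppending keeps earlier runs; True creates the file if it is missing
Set objFile = objFSO.OpenTextFile(strPath, ForAppending, True)
objFile.WriteLine "--- Run at " & Now & " ---"
For Each objItem In colEvents
   objFile.WriteLine "TimeGenerated: " & objItem.TimeGenerated
   objFile.WriteLine "Source: " & objItem.SourceName
   objFile.WriteLine "EventCode: " & objItem.EventCode
   objFile.WriteLine "Message: " & objItem.Message
   objFile.WriteLine " "
   intRecordNum = intRecordNum + 1
Next
objFile.WriteLine intRecordNum & " record(s) appended"
objFile.Close
WScript.Echo intRecordNum & " event(s) appended to " & strPath
```

Each run adds a dated block to the same file, so repeated runs build a history for the chosen Event ID instead of replacing the previous results.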
When you are researching Event Logs, you may find it easier to handle the data if you filter data for the Event ID under investigation. The combination of FSO, WMI and VBScript is ideal for reading the Event Logs and refining the data into a text file.