WMI - Search Event Logs
Introduction - How to Search Event Logs with WMI
One key task for any network manager is to be alert for suspicious activity in their event logs. The problem on a Windows Server 2003 Domain Controller is that not only are there 6 event logs, but each log also holds thousands of events. Finding the crucial errors manually is like looking for a needle in a haystack. WMI and VBScript supply the control to detect crucial Event IDs automatically.
Topics for Searching the Event Logs
A good starting point is to remember that a WMI script merely mimics actions that you perform manually. Indeed, I often walk through a task with the GUI so that I can be sure of the correct steps in my VBScript. This manual walk-through has a hidden benefit: it makes me plan precisely what I wish to achieve with WMI and VBScript.
VBScript provides the hosting or linking function of the script, while at the heart of the script WMI uses winmgmts to connect to the CIM namespace. The key object to interrogate the Event Logs is Win32_NTLogEvent. VBScript provides the loop and the FSO to output the results to a text file. Also, remember that these are example scripts, and I hope that you will take the word example to heart. What I mean is this: my greatest wish is that you will adapt the script to your network. For instance, my script uses Event ID 672, but you may need to know about Event ID 680; easy, you just change one variable. Another change that you could make: my script deals with the Security Event Log, and you could replace Security with System.
This is the situation: we want to identify instances where people have been trying to log on to a Windows network with an incorrect username. From our research, we have discovered that the key event is ID 672 in the Security log. Incidentally, it would be straightforward to modify the script to track related security worries, for example people trying to guess the administrator's password.
This is a job where we need to output to a file rather than to the screen, so we will build an FSO (File System Object) section in our VBScript. From the WMI point of view, the object to interrogate is Win32_NTLogEvent. In addition, we employ the 'Where' clause to select the Security Log as opposed to any of the other 5 Event Logs. My script will get you started, but it is worth understanding where you could change the values to suit your Windows network.
Now that we have the complete brief for the FSO / WMI / VBScript, I have decided to break the project down into two stages. Stage 1 merely gets the VBScript and FSO part working. Once this shell is working and you can see how VBScript plays its part, we are ready to add the WMI statement to actually extract the information from the Security Log.
Instructions for Stage 1 - Create a File
- Pre-requisites. For this script to work, you need access to a Windows computer with a Security Log.
- To reduce the chance of an authentication problem, I would first run this script at a Domain Controller. If that is not possible, run the script from a member server or an XP machine and edit strComputer on line 14.
- Check the strFolder and strFileName values: where do you wish the file to appear?
- Copy and paste into Notepad, or a script editor.
- Use the message box to find your text file!
Stage 1 - VBScript to Create a File (Getting Ready for the Security Events)
' EventLogFSO.vbs
' Sample VBScript to Create a file ready for WMI
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.5 - November 2010
' -----------------------------------------------------------
Option Explicit
Dim objFSO, objFolder, objFile   ' Objects
Dim strComputer, strFileName, strFolder, strPath   ' Strings

' --------------------------------------------------------
' Set the folder and file name
strComputer = "."
strFileName = "\Event672.txt"
strFolder = "e:\logs"
strPath = strFolder & strFileName

' -----------------------------------------------------
' Section to create folder and hold file.
' Create the File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Check that the strFolder folder exists
If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFolder = objFSO.CreateFolder(strFolder)
    WScript.Echo "Just created " & strFolder
End If

' Check that the file exists (GetFile, not GetFolder, when it is already there)
If objFSO.FileExists(strFolder & strFileName) Then
    Set objFile = objFSO.GetFile(strFolder & strFileName)
Else
    Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
    WScript.Echo "Just created " & strFolder & strFileName
End If

' --------------------------------------------------
' Two tiny but vital commands (Try script without)
Set objFile = Nothing
Set objFolder = Nothing

' ----------------------------------------------------
' Write the information to the file
' (the TextStream goes into objFile, so strFileName keeps its string value)
Set objFile = objFSO.CreateTextFile(strPath, True)
objFile.WriteLine("Computer to test " & strComputer)
objFile.Close
WScript.Echo "Check " & strPath
WScript.Quit

' End of Guy's FSO sample VBScript
WMI Tutorial - Learning Points
1) The point of this VBScript is to make sure that the basic shell is working. Expect to find a file, but with only one line of data. (Search with Explorer for the path specified by strPath.)
2) Take the opportunity to master the FSO object. Experiment by changing the values of strFileName = "\Event672.txt" and strFolder = "e:\logs". To see the effect of Set objFile = Nothing, try removing or 'remming out' that line, then change the values of strFileName and strFolder.
Stage 1 (above) showed us how VBScript creates the file; now it's time to add the WMI commands to interrogate Event ID 672 in the Security Log.

' EventIDSecurity.vbs
' Sample WMI to find an Event ID in the Security Log
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.7 - May 2006
' -----------------------------------------------------------
Option Explicit
Dim objFSO, objFolder, objFile, objWMI, objItem   ' Objects
Dim strComputer, strFileName, strFileOpen, strFolder, strPath   ' Strings (strFileOpen holds the TextStream)
Dim intNumberID, intRecordNum, colLoggedEvents

' --------------------------------------------------------
' Set the folder and file name
strComputer = "."
strFileName = "\Event672.txt"
strFolder = "e:\logs"
strPath = strFolder & strFileName

' Set numbers
intNumberID = 672   ' Event ID Number
intRecordNum = 0

' -----------------------------------------------------
' Section to create folder and hold file.
' Create the File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Check that the strFolder folder exists
If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFolder = objFSO.CreateFolder(strFolder)
    WScript.Echo "Just created " & strFolder
End If

' Check that the file exists (GetFile, not GetFolder, when it is already there)
If objFSO.FileExists(strFolder & strFileName) Then
    Set objFile = objFSO.GetFile(strFolder & strFileName)
Else
    Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
    WScript.Echo "Just created " & strFolder & strFileName
End If

' --------------------------------------------------
' Two tiny but vital commands (Try script without)
Set objFile = Nothing
Set objFolder = Nothing

' ----------------------------------------------------
' Write the information to the file
WScript.Echo " Press OK and Wait 30 seconds (ish)"
Set strFileOpen = objFSO.CreateTextFile(strPath, True)

' ----------------------------------------------------------
' WMI Core Section
Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Security'")

' ----------------------------------------------------------
' Next section loops through the events and writes the ID properties
For Each objItem In colLoggedEvents
    If objItem.EventCode = intNumberID Then
        If objItem.EventType = 5 Then   ' 5 = Security Failure
            strFileOpen.WriteLine("Category: " & objItem.Category _
                & " string " & objItem.CategoryString)
            strFileOpen.WriteLine("ComputerName: " & objItem.ComputerName)
            strFileOpen.WriteLine("Logfile: " & objItem.Logfile _
                & " source " & objItem.SourceName)
            strFileOpen.WriteLine("EventCode: " & objItem.EventCode)
            strFileOpen.WriteLine("EventType: " & objItem.EventType)
            strFileOpen.WriteLine("Type: " & objItem.Type)
            strFileOpen.WriteLine("User: " & objItem.User)
            strFileOpen.WriteLine("Message: " & objItem.Message)
            strFileOpen.WriteLine(" ")
            intRecordNum = intRecordNum + 1
        End If
    End If
Next
strFileOpen.Close
WScript.Echo "Check " & strPath & " for " & intRecordNum & " events"
WScript.Quit

' End of Guy's FSO sample VBScript
1) The first task for WMI is to connect to the CIM namespace with:
GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")
1b) Note (Security). I thank Yitzchok Lavi for adding (Security). Research indicates that you should always include (Security) here in impersonationLevel=impersonate,(Security), even if you change the log to 'Application'.
2) Observe how WMI executes a query for the Security Logfile with:
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
See how much easier PowerShell handles Win32_NTLogEvent.
3) Next WMI and VBScript combine to loop through all the Event IDs. From our perspective, the important factor is the filter, which only writes events to the file if their number is 672 (or whatever you specify as the value of intNumberID):
If objItem.EventCode = intNumberID Then
4) EventType = 5 means Security Failure (4 = Security Success). The other EventType values are 1 = Error, 2 = Warning and 3 = Information.
Guy's Idea: If you are fed up with your script returning 0 entries, I challenge you to make two changes: Line 20: intNumberID = 680 ' Event ID Number, and Line 65: If objItem.EventType = 4 Then. What this change does is tell the script to record Security Success (not failure).
5) objItem.Xyz is a property of the event; each line is written to the text file found at strPath.
6) If you liked this script, or want a slightly more advanced example, then see how to find out if anyone has been logging on as Administrator.
Searching the event logs for crucial events is time consuming. Once you have researched the Event ID number that's of interest, you can amend my VBScript and have WMI automatically find all matching entries and write them to a text file.
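The WQL 'Where' clause from learning point 2 can also carry the Event ID, the EventType and a time window, so WMI returns only the records the VBScript filter in learning point 3 would otherwise fetch and discard. The script below is an added example, not one of Guy's; it assumes a Windows host with a Security log, and the file name TallySecurityEvents.vbs and the variable names (objTally, objDateTime, intDays) are my own.

```vbscript
' TallySecurityEvents.vbs - added example, not one of Guy's scripts.
' Pushes Event ID, EventType and a time window into the WQL Where clause,
' so WMI only hands back the records of interest, then counts them per user.
Option Explicit
Dim strComputer, intNumberID, intEventType, intDays
Dim objDateTime, strSince, objWMI, colEvents, objEvent
Dim objTally, strUser, strKey

strComputer  = "."   ' "." = this machine, or name a Domain Controller
intNumberID  = 672   ' Event ID, as in Guy's script (680 for NTLM logons)
intEventType = 5     ' 5 = Security Failure, 4 = Security Success
intDays      = 7     ' only look back this many days

' WQL compares TimeWritten as a DMTF string (yyyymmddHHMMSS.mmmmmm+UUU).
' SWbemDateTime converts a VBScript date into that format, UTC offset included.
Set objDateTime = CreateObject("WbemScripting.SWbemDateTime")
objDateTime.SetVarDate DateAdd("d", -intDays, Now), True
strSince = objDateTime.Value

' (Security) requests the privilege needed to read the Security log.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' All three filters are evaluated inside WMI; the loop below never sees
' the events that Guy's script reads and then skips.
Set colEvents = objWMI.ExecQuery( _
    "Select User, EventType, TimeWritten From Win32_NTLogEvent " _
    & "Where Logfile = 'Security' And EventCode = " & intNumberID _
    & " And EventType = " & intEventType _
    & " And TimeWritten >= '" & strSince & "'")

' Tally matching events per user account with a Dictionary.
Set objTally = CreateObject("Scripting.Dictionary")
For Each objEvent In colEvents
    strUser = objEvent.User
    If IsNull(strUser) Or strUser = "" Then strUser = "<no user recorded>"
    If objTally.Exists(strUser) Then
        objTally(strUser) = objTally(strUser) + 1
    Else
        objTally.Add strUser, 1
    End If
Next

WScript.Echo "Event " & intNumberID & " (EventType " & intEventType _
    & ") in the last " & intDays & " days, by user:"
For Each strKey In objTally.Keys
    WScript.Echo "  " & strKey & ": " & objTally(strKey)
Next
```

Run it with cscript so the per-user counts print to the console rather than as a chain of message boxes; an account that stands out with a high count is the one to look at in the full text file produced by Guy's script.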