WMI - Search Event Logs
Introduction - How to Search Event Logs with WMI
One key task for any network manager is to be alert for suspicious activity in their event logs. The problem on a Window Server 2003 Domain Controller, is that not only are their 6 event logs, but also each log has thousands of events. Finding the crucial errors manually is like looking for a needle in a haystack. WMI and VBScript supply the control to detect crucial Event IDs automatically.
Topics for Searching the Event Logs
A good starting point is to remember that a WMI script merely mimics actions that you perform manually. Indeed, I often walk-through a task with the GUI so that I can be sure of the correct steps in my VBScript. This manual walk-through has a hidden benefit in that it makes me plan precisely what I wish to achieve with WMI and VBScript.
VBScript will provide the hosting or linking function of the script, meanwhile at the heart of the script WMI uses winmgmts to connect to the CIM namespace. The key object to interrogate the Event Logs is Win32_NTLogEvent. VBScript provides the loop and FSO to output the results to a text file.
Also, remember that these are Example scripts and I hope that you will take the word example to heart. What I mean is this, my greatest wish is that you will adapt the script to your network, for instance, my script uses Event ID 672, but you need to know about Event ID 680. Easy you just change one variable. Another change that you could make, my script deals with the Security Event Log, you could edit Security and replace with System.
This is the situation, we want to identify instances where people have been trying to logon to a Windows network with an incorrect username. From our research, we have discovered that the key Event is ID 672 in the Security log. Incidentally, it would be straightforward to modify the script to track related security worries, for example people trying to guess the administrator's password.
This is a job where we need to output to a file, rather than output on screen, so we will build a FSO (File System Object) section in our VBScript. From the WMI point of view, the object to interrogate is Win32_NTLogEvent. In addition, we employ the 'Where' clause to select the Security Log as opposed to any of the other 5 Event Logs.
My script will get you started, but it is worth understanding where you could change the values to suit your Windows network.
Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft's operating systems. Fortunately, SolarWinds have created a Free WMI Monitor so that you can discover these gems of performance information, and thus improve your scripts.
Take the guess work out of which WMI counters to use when scripting the operating system, Active Directory or Exchange Server. Give this WMI monitor a try - it's free.
Now that we have the complete brief for the FSO/ WMI / VBScript, I have decided to break down project into two stages, stage 1 merely gets the VBScript and FSO part working. Once this shell is working and you can see how VBScript plays its part, then we are ready to add the WMI statement to actually extract the information from the Security Log.
Instructions for Stage 1 - Create a File
Stage 1 - VBScript to Create a File (Getting Ready for the Security Events)
WMI Tutorial - Learning Points
1) The point of this VBScript is to make sure that the basic shell is working. Expect to find a file, but with only one line of data. (Search with Explorer for the path specified by strPath.)
2) Take the opportunity to master the FSO object. Experiment by changing the values of strFileName = "\Event672.txt" and strFolder = "e:\logs". To see the effect of: set objFile = nothing try removing or 'remming out' that line, then change the values of strFilename and strFolder.
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.
Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches - give LEM a whirl.
Stage 1 (above) showed us how VBScript creates the file, now it's time to add the WMI commands to interrogate Event ID 672 in the Security Log.
1) The first task for WMI is to connect to the CIM namespace with:
1b) Note (Security) I thank Yitzchok Lavi for adding (Security). Research indicates that you should always (Security) here in impersonationLevel=impersonate,(Security), even if you change the log to 'Application'.
2) Observe how WMI executes a query for the Security Logfile with
3) Next WMI and VBScript combine to loop through all the Event IDs. From our perspective, the important factor is the filter, which only writes Events to the file if their
number is 672. (Or what ever you specify as the value of intNumberID)
4) EventType = 5 means Security Failure. (4 = Security Success) Other EventType = 1 Error. 2 = Warning 3 = Information.
Guy Idea. If you are fed up with your script returning 0 entries, I challenge you to make two changes:
5) objItem.Xyz is the property of the Event ID, each line is written to the textfile found at strPath.
6) If you liked this script, or want a slightly more advanced example then see how to find out if anyone has been logging on as Administrator.
Searching the event logs for crucial events, is time consuming. Once you have researched the Event ID number that's of interest, then you can amend my VBScript and have WMI automatically find all matching entries and write them to a text file.
If you like this page then please share it with your friends
See more VBScript file examples:
Windows Management Instrumentation (WMI) is most useful for PowerShell scripting.
SolarWinds have produced this Free WMI Monitor to take the guess work out of which WMI counters to use for applications like Microsoft Active Directory, SQL or Exchange Server.
Author: Guy Thomas Copyright © 1999-2016 Computer Performance LTD All rights reserved.
Please report a broken link, or an error to: