WMI – Search Event Logs

Introduction – How to Search Event Logs with WMI

One key task for any network manager is to be alert for suspicious activity in their event logs.  The problem on a Window Server 2003 Domain Controller, is that not only are their 6 event logs, but also each log has thousands of events.  Finding the crucial errors manually is like looking for a needle in a haystack.  WMI and VBScript supply the control to detect crucial Event IDs automatically.

Topics for Searching the Event Logs

• Scripting the Event Logs with WMI
• Scenario for Scripting Windows Event Logs
• Stage One – Begin with Just FSO and VBScript
• Stage 2 – The Main Script to Check for Event ID 672 in the Security Log
• WMI Tutorial – Learning Points
• Summary – WMI Script to Search the Event Logs
• (PowerShell Eventlog Script)

 ♣

Scripting the Event Logs with WMI

A good starting point is to remember that a WMI script merely mimics actions that you perform manually.  Indeed, I often walk-through a task with the GUI so that I can be sure of the correct steps in my VBScript.  This manual walk-through has a hidden benefit in that it makes me plan precisely what I wish to achieve with WMI and VBScript.

VBScript will provide the hosting or linking function of the script, meanwhile at the heart of the script WMI uses winmgmts to connect to the CIM namespace.  The key object to interrogate the Event Logs is Win32_NTLogEvent.  VBScript provides the loop and FSO to output the results to a text file.

Also, remember that these are Example scripts and I hope that you will take the word example to heart.  What I mean is this, my greatest wish is that you will adapt the script to your network, for instance, my script uses Event ID 672, but you need to know about Event ID 680.  Easy you just change one variable.  Another change that you could make, my script deals with the Security Event Log, you could edit Security and replace with System.

Scenario for Scripting Windows Event Logs

This is the situation, we want to identify instances where people have been trying to  logon to a Windows network with an incorrect username.  From our research, we have discovered that the key Event is ID 672 in the Security log.  Incidentally, it would be straightforward to modify the script to track related security worries, for example people trying to guess the administrator’s password.

This is a job where we need to output to a file, rather than output on screen, so we will build a FSO (File System Object) section in our VBScript.  From the WMI point of view, the object to interrogate is Win32_NTLogEvent.  In addition, we employ the ‘Where’ clause to select the Security Log as opposed to any of the other 5 Event Logs.

My script will get you started, but it is worth understanding where you could change the values to suit your Windows network.

Guy Recommends: WMI Monitor and It’s Free!

Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft’s operating systems.  Fortunately, SolarWinds have created a Free WMI Monitor so that you can discover these gems of performance information, and thus improve your scripts.

Take the guess work out of which WMI counters to use when scripting the operating system, Active Directory or Exchange Server. Give this WMI monitor a try – it’s free.

Download your free copy of WMI Monitor

Stage 1 – Begin with Just FSO and VBScript

Now that we have the complete brief for the FSO/ WMI / VBScript, I have decided to break down project into two stages, stage 1 merely gets the VBScript and FSO part working.  Once this shell is working and you can see how VBScript plays its part, then we are ready to add the WMI statement to actually extract the information from the Security Log.

Instructions for Stage 1 – Create a File

1. Pre-requisites.  For this script to work, you need access to a Windows computer with a Security Log.
2. To reduce the chance of an authentication problem, I would first run this script at a Domain Controller.  If that is not possible run the script from a member server on an XP machine and edit strComputer on line 14.
3. Check the strFolder and strFile values, where do you wish the script to appear?
4. Copy and paste into notepad, or a script editor.
5. Use the message box to find your text file!

Stage 1 – VBScript to Create a File (Getting Ready for the Security Events)

WMI Tutorial – Learning Points

1)  The point of this VBScript is to make sure that the basic shell is working.  Expect to find a file, but with only one line of data.  (Search with Explorer for the path specified by strPath.)

2)  Take the opportunity to master the FSO object. Experiment by changing the values of strFileName = "\Event672.txt"  and strFolder = "e:\logs".  To see the effect of: set objFile = nothing try removing or ‘remming out’ that line, then change the values of strFilename and strFolder.

Guy Recommends:  SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Stage 2 – The Main Script to Check for Event ID 672 in the Security Log

Stage 1 (above) showed us how VBScript creates the file, now it’s time to add the WMI commands to interrogate Event ID 672 in the Security Log.

See also Solarwinds Log and Event Manager »

WMI Tutorial – Learning Points

1) The first task for WMI is to connect to the CIM namespace with:
GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")

1b) Note (Security)  I thank Yitzchok Lavi for adding (Security).  Research indicates that you should always (Security) here in impersonationLevel=impersonate,(Security), even if you change the log to ‘Application’.

2) Observe how WMI executes a query for the Security Logfile with
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = ‘Security’" )
See how much easier PowerShell handles Win32_NTLogEvent.

3) Next WMI and VBScript combine to loop through all the Event IDs.  From our perspective, the important factor is the filter, which only writes Events to the file if their number is 672.  (Or what ever you specify as the value of intNumberID)
If objItem.EventCode = intNumberID Then

4) EventType = 5 means Security Failure. (4 = Security Success)  Other EventType = 1 Error.  2 = Warning  3 = Information.

Guy Idea.  If you are fed up with your script returning 0 entries, I challenge you to make two changes:
Line 20: intNumberID = 680 ‘ Event ID Number   and Line 65: If objItem.EventType= 4 then.  What this change does is to tell the script to record Security Success (not failure).

5) objItem.Xyz is the property of the Event ID, each line is written to the textfile found at strPath.

6) If you liked this script, or want a slightly more advanced example then see how to find out if anyone has been logging on as Administrator.

Summary – WMI Script to Search the Event Logs

Searching the event logs for crucial events, is time consuming.  Once you have researched the Event ID number that’s of interest, then you can amend my VBScript and have WMI automatically find all matching entries and write them to a text file.

See more VBScript file examples:

• VBScript to create folders   • VBScript to create files    • VBScript write file    • VBScript file copy

• PowerShell OutFile   • PowerShell Get-ChildItem   • PowerShell create folder • Event Log Administrator

• VBScript Event Log   • WMI Event Log • Event Log Example   • SolarWinds Log Event Manager