#65951 - 2002-05-31 05:52 PM reading eventlog
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Is dumpel the only way to read the eventlog? I'd prefer to read it without outside exe's.

Can it be COM'd or WMI'd ??
_________________________
How to ask questions the smart way <-----------> Before you ask

#65952 - 2002-05-31 06:12 PM Re: reading eventlog
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
You should be able to do this with the Win32_NTLogEvent Class.

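The script below lists all "error" events. You could make your query more specific (and include timestamps, etc.).
code:
; Query every event of type 'error' across all logs on the local machine
$obj = GetObject("Winmgmts:").ExecQuery("Select * From Win32_NTLogEvent Where Type = 'error'")

For each $event in $obj
    ; Print the event code, a space, the message text, then a newline
    $event.EventCode
    " "
    $event.Message
    ?
Next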

For more information on this class, see:

http://msdn.microsoft.com/library/en-us/wmisdk/r_32os4_48ac.asp

Brian

#65953 - 2002-05-31 06:13 PM Re: reading eventlog
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Rad, it can be wimmied, here's one that clears the application eventlog, tested on xp:

break on

$query = "select * from win32_nteventlogfile where logfilename='application'"

$eventlog = getobject("winmgmts:").execquery("$query")

for each $entry in $eventlog
 $= $entry.cleareventlog
next

exit 1



-Shawn

#65954 - 2002-05-31 07:24 PM Re: reading eventlog
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
I can't get it to recognize:

For each $event in GetObject("winmgmts:{impersonationLevel=impersonate}!//$COMPUTER").ExecQuery("Select * From Win32_NTLogEvent Where source = 'ntbackup'")
_________________________
How to ask questions the smart way <-----------> Before you ask

#65955 - 2002-05-31 08:05 PM Re: reading eventlog
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
Try using SourceName instead of source:

For each $event in GetObject("winmgmts:{impersonationLevel=impersonate}!//$COMPUTER").ExecQuery("Select * From Win32_NTLogEvent Where SourceName = 'ntbackup'")

#65956 - 2002-06-03 03:56 PM Re: reading eventlog
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
what is the methodology for pulling an event at a time...

Basically, I want to pull the most recent 4 or 5 events.

current code:
code:
FUNCTION LISTPROC($COMPUTER,$PROC)
    ; List matching processes on the target machine
    $pidselect="select * from Win32_Process where Name='$PROC'"
    $processes=GetObject("winmgmts:{impersonationLevel=impersonate}!//$COMPUTER").ExecQuery("$pidselect")
    For each $Process in $processes
        ?$COMPUTER+ " " +$Process.Name + " is running. PID is " + $Process.ProcessId
    Next

    ; Dump every ntbackup event (nothing limits how many come back)
    $ntbselect="Select * From Win32_NTLogEvent Where SourceName = 'ntbackup'"
    $ntbackup =GetObject("winmgmts:{impersonationLevel=impersonate}!//$COMPUTER").ExecQuery("$ntbselect")
    For each $event in $ntbackup
        $ec=$event.EventIdentifier
        ; TimeGenerated is a string that starts yyyymmdd
        $time=$event.TimeGenerated
        $year=substr("$time",1,4)
        $month=substr("$time",5,2)
        $day=substr("$time",7,2)

        ? "$ec $month/$day/$year"
        ? $event.Message
    Next

    ? $computer + " " +@serror
ENDFUNCTION

_________________________
How to ask questions the smart way <-----------> Before you ask

#65957 - 2002-06-03 04:09 PM Re: reading eventlog
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Try
code:
SELECT TOP 5 * FROM Win32_Process WHERE Name=$PROC

You might also want to try sorting by time, would be something like
code:
SELECT TOP 5 * FROM Win32_Process WHERE Name=$PROC ORDER BY Date DESC Time DESC

Not sure about the 'Date' and 'Time' fields, you might need to replace this with the correct names.
_________________________
There are two types of vessels, submarines and targets.

#65958 - 2002-06-03 05:29 PM Re: reading eventlog
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
nope...
_________________________
How to ask questions the smart way <-----------> Before you ask

#65959 - 2002-06-03 10:35 PM Re: reading eventlog
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
I couldn't get the ORDER BY to work, either.. with ANYthing. Is this not supported in the getobject (actually ExecQuery) method?

Brian

[ 03 June 2002, 23:16: Message edited by: BrianTX ]

#65960 - 2002-06-03 11:26 PM Re: reading eventlog
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
Hmm. The more I read (and test), the more I think that only basic WMI queries are supported, rather than extended (SMS 2.0 supports extended WQL I believe). The only keywords that I can find that are supported are listed here:

http://msdn.microsoft.com/library/en-us/wmisdk/r_query_70yx.asp

Brian

#65961 - 2002-06-04 04:18 PM Re: reading eventlog
BrianTX Offline
Korg Regular

Registered: 2002-04-01
Posts: 895
This is kind of crude, but this method finds how many days back you have to go to get at LEAST 5 events and cuts it off on that day... (It's also pretty slow.) The more I read about it, the more I realize that you can actually create a "Trigger" of sorts when an event occurs that will allow you to send email or whatever.

Here is the (kludgy) code I wrote:

code:
break on
; Build today's date as yyyymmdd, zero-padding day and month
$day1 = "@MDAYNO"
$month1 = "@MONTHNO"
$year1 = "@YEAR"
If LEN($day1) = 1 $day1 = "0" + $day1 Endif
If LEN($month1) = 1 $month1 = "0" + $month1 Endif
$time1 = $year1 + $month1 + $day1
$count = 0
; Move the cutoff back one step per pass until at least 5 events match
While $instancetarget < 5
    $count = $count + 1
    $ntbackup =GetObject("winmgmts:").ExecQuery("Select * From Win32_NTLogEvent Where SourceName = 'ntbackup' AND TimeGenerated >= '" + $time1 + "'")
    $instancetarget = $ntbackup.count
    $time1 = Val($time1) - 1
    ; Give up after 200 passes
    If $count > 200 $instancetarget = 5 Endif
Loop

For each $event in $ntbackup
    $ec=$event.EventIdentifier
    ; TimeGenerated is a string that starts yyyymmdd
    $time=$event.TimeGenerated
    $year=substr("$time",1,4)
    $month=substr("$time",5,2)
    $day=substr("$time",7,2)
    ? $time
    ? "$month/$day/$year"
    ? $event.Message
Next

Brian
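
Added example, not part of the original thread and written in PowerShell rather than KiXtart: since WQL has no TOP or ORDER BY, it bounds the query with a TimeGenerated cutoff built from real calendar dates (subtracting 1 from a yyyymmdd number produces values such as 20020600), widens the window until enough events match, then sorts and trims on the client. The function name and its parameters are hypothetical.

```powershell
# Added example; function and parameter names are hypothetical.
function Get-RecentLogEvent {
    param(
        [string]$ComputerName,                      # omit for the local machine
        [ValidatePattern('^[\w .-]+$')]             # keep quotes out of the WQL string
        [string]$LogFile    = 'Application',
        [ValidatePattern('^[\w .-]+$')]
        [string]$SourceName = 'ntbackup',
        [int]$Count         = 5,
        [int]$MaxDaysBack   = 200                   # same cap as the loop in the thread
    )

    $cim = @{ ClassName = 'Win32_NTLogEvent' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }   # remote calls go over WinRM

    $days = 1
    while ($true) {
        # Calendar arithmetic, so the lower bound is always a valid date.
        $since = (Get-Date).Date.AddDays(-$days).ToUniversalTime()
        # CIM_DATETIME literal: yyyymmddHHMMSS.mmmmmm+UUU (offset in minutes from UTC).
        $dmtf  = $since.ToString('yyyyMMddHHmmss') + '.000000+000'

        # Naming the log file keeps WMI from scanning every event log.
        $cim.Filter = "Logfile = '$LogFile' AND SourceName = '$SourceName' " +
                      "AND TimeGenerated >= '$dmtf'"
        $events = @(Get-CimInstance @cim)

        if ($events.Count -ge $Count -or $days -ge $MaxDaysBack) { break }
        $days = [Math]::Min($days * 2, $MaxDaysBack)   # widen the window: 1, 2, 4 ... days
    }

    # WQL has no ORDER BY or TOP, so sort and trim on the client.
    $events |
        Sort-Object -Property TimeGenerated -Descending |
        Select-Object -First $Count -Property TimeGenerated, EventCode, Message
}

Get-RecentLogEvent -Count 5 | Format-List
```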
