Is there a way to query the Application Log via a kix script and return a Yes value to a spreadsheet if Events 1030 or 1054 were found?
Have a look at the UDF 'ReadEventlog' for the first bit. There is some sample code for creating & writing to an Excel document in the Samples folder bundled with the Kix v4.6 zip file, called 'excel.kix'. Might give you some pointers. Below *should* determine if the events exist:

Code:
$events_1030 = ReadEventlog('Application', 1030)
$events_1054 = ReadEventlog('Application', 1054)
IF $events_1030[0] <> ""
  "do stuff"
ENDIF
IF $events_1054[0] <> ""
  "do more stuff"
ENDIF

Luke
That is fantastic, I'll give it a try. Thanks!
Bummer, I don't think the command exists in version 2010 (4.5). I searched through the manual and there is no mention of it. It is giving me this error:

ERROR : expected ')'!
Script: \\servername\NETLOGON\admin.kix
Line  : 239

Is there a command that will work with ver 4.5? In fact, I don't see that command in the on-line command reference at all.
It is not a built-in function or command. It is a UDF created by one of the members to add functionality to KiXtart that is not (yet) included.

UDF Library » ReadEventlog() - Retrieves event from the eventlog
KiXtart FAQ & How to's » How to use UDFs
Cool, I had since discovered that, so I will read the how-to and hopefully that will jump-start me on what I need to do to use this UDF. Thanks!
Okay, I just read through it and, as expected (since I'm not a programmer guy), I am confused by what I need to do. Am I to define it as a function? I feel like I'm close to getting this to work, I just need a little more guidance. Thanks!
Maybe start with something like this:

Now paste the UDF you found at the bottom. Declare your variables under ';Declare variables'. Write your code under ';Code'. Maybe you can find your own way to structure your code afterwards.
Sorry, don't mean to be ignorant, but now I am more confused.
Do not forget the UDF code at the bottom.
What do you mean by personal UDF section and UDF section? I know the green light will go off in my head here in a little bit.
Just a distinction I make between UDFs I borrowed from the Internet and my personal ones.
So when you say to include the UDF portion, you mean define ReadEventlog as a function?
So, this is the UDF portion?:

Function ReadEventlog()
EndFunction
Okay, so I copied and pasted the entire section of the post I found relative to the UDF. Now, when I run it, I get this error:

ERROR : array reference out of bounds!
Script: \\servername\NETLOGON\admin.kix
Line  : 246

Line 246 is:

IF $events_1030[0] <> ""

Any ideas?
All you need to do is paste the ReadEventLog code at the bottom of the script. Kix will read the code into memory and after that you can use the ReadEventLog function just like you would use Exist or WriteLine or any other built-in function. You can just call upon it every time you need it.
Yes, I did that (finally!), but now I am getting the error I mentioned about the array. Any ideas?
Ok, sorry, I should read better. If there are no 1030 events the array will be empty, so you might want to add a check to see if it is empty before using one or more of the elements in the array.

Code:
If UBound($events_1030) <> -1
  ; do your stuff
EndIf
Well, what's weird is I am running this against my workstation, which is loaded with 1030 events.
Weird indeed. Can you post the code you are using? I'll run it on my machine to see what goes wrong.
I changed it to your code above and it works like a charm. Thanks!!
Okay, next question: any way to have the UDF return the date and time the event was recorded in the user's log?
Or any way to specify that you only want it to look in the reg after a certain date and time?
The ReadEventLog UDF returns an array for each event; one of the columns is the time it was generated. Element 12 and/or 13 contain what you want to know.

Quote:
; Column 0  = Category
; Column 1  = CategoryString
; Column 2  = ComputerName
; Column 3  = Data
; Column 4  = EventCode
; Column 5  = EventIdentifier (see http://support.microsoft.com/default.aspx?scid=kb;en-us;245222)
; Column 6  = EventType
; Column 7  = InsertionStrings
; Column 8  = Logfile
; Column 9  = Message
; Column 10 = RecordNumber
; Column 11 = Source Name
; Column 12 = TimeGenerated
; Column 13 = TimeWritten
; Column 14 = Type
; Column 15 = User
Originally Posted By: endodave
    or any way to specify that you only want it to look in the reg after a certain date and time?

Yes. Read the UDF header for a description of what each parameter is used for, for example:

Code:
; DATETIME
;   optional date/time string denoting the start date of the events in
;   the form of YYYY/MM/DD HH:MM:SS, YYYY/MM/DD, or HH:MM:SS

If you pass this parameter you should only retrieve events since the date that you specify. You can also restrict the list by user, computer, event ID or even by passing your own WQL statement if you really want to get into it.
Guess I'll have to mess around with it more. I tried the date thing and it didn't work. Here is my code:

$events_1030 = ReadEventlog('Application', 1030, '2008/01/01 00:00:00')

I also tried this to no avail:

$events_1030 = ReadEventlog('SELECT EventCode, TimeGenerated, User FROM Win32_NTLogEvent WHERE Logfile="Application" AND EventCode=1030 AND TimeGenerated>="2008/01/01 00:00:00:000"')
I think the problem with

Code:
$events_1030 = ReadEventlog('Application', 1030, '2008/01/01 00:00:00')

is that it's assigning '2008/01/01 00:00:00' to the 'optional $computer' variable. Have a look at the first 'code' line of the UDF ReadEventLog:

Code:
Function ReadEventlog($eventlog, optional $eventid, optional $computer, optional $datetime, optional $username, optional $password)

What I think is happening is it's entering the function with the following variables:

$eventlog = Application
$eventid  = 1030
$computer = 2008/01/01 00:00:00
$datetime = [Null]

Try this instead:

Code:
$events_1030 = ReadEventlog('Application', 1030, @WKSTA, '2008/01/01 00:00:00')

@WKSTA just returns the name of the current computer. And see if it makes a difference. I don't know enough about KiX or programming in general to know if you can tell the function to use only specific optional variables without recoding the UDF. As far as I'm aware, you will have to go left to right filling in any optional variables until you have got to the ones you wanted.

Luke
You may leave out any (or all) optional values, but you must keep the delimiters (commas) in place.

Code:
$events_1030 = ReadEventlog('Application', 1030, , '2008/01/01 00:00:00')
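An added example for the two points made in the DATETIME post and the empty-comma post above; it is not code from the thread and not the ReadEventlog UDF, but a stand-alone KiXtart script that runs the same query straight against WMI. It shows what the 'YYYY/MM/DD HH:MM:SS' start date has to become before WQL will compare it with TimeGenerated (a DMTF CIM_DATETIME string, yyyymmddHHMMSS.mmmmmm+UUU, which is why a hand-written literal like '2008/01/01 00:00:00:000' never matches), keeps the UDF's parameter order so the positional comma for the skipped $computer argument is visible, and returns the "Yes"/"No" string the original question wanted in the spreadsheet. The function names ToDmtf, CountEvents and GpFailuresSince, and the 2008/01/01 cutoff, are assumptions for illustration.

```kixtart
; Added example, not from the thread or the ReadEventlog UDF.
; Function names and the cutoff date are assumptions for illustration.

; Convert 'YYYY/MM/DD HH:MM:SS' (or just 'YYYY/MM/DD') into the DMTF
; CIM_DATETIME literal that WQL expects when comparing TimeGenerated,
; e.g. 2008/01/01 00:00:00 -> 20080101000000.000000+000
; (+000 means the cutoff is taken as UTC; change the offset if you want it
; read as local time).
Function ToDmtf($datetime)
  Dim $d, $t, $r
  $d = Left($datetime, 10)
  If Len($datetime) >= 19
    $t = SubStr($datetime, 12, 8)
  Else
    $t = "00:00:00"
  EndIf
  $r = SubStr($d, 1, 4) + SubStr($d, 6, 2) + SubStr($d, 9, 2)
  $r = $r + SubStr($t, 1, 2) + SubStr($t, 4, 2) + SubStr($t, 7, 2)
  $ToDmtf = $r + ".000000+000"
EndFunction

; Count events with one ID in one log, optionally on a remote computer and
; optionally only those generated on or after $since. Same parameter
; order as the UDF, so $computer can be skipped with an empty argument.
; Returns -1 if the WMI connection fails.
Function CountEvents($logfile, $eventid, optional $computer, optional $since)
  Dim $wmi, $wql, $col
  If $computer = ""
    $computer = @WKSTA
  EndIf
  $wql = "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent"
  $wql = $wql + " WHERE Logfile='" + $logfile + "' AND EventCode=" + $eventid
  If $since <> ""
    $wql = $wql + " AND TimeGenerated>='" + ToDmtf($since) + "'"
  EndIf
  $wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" + $computer + "\root\cimv2")
  If @ERROR <> 0
    $CountEvents = -1
  Else
    $col = $wmi.ExecQuery($wql)
    $CountEvents = $col.Count
  EndIf
EndFunction

; The spreadsheet value: "Yes" if any 1030 or 1054 event exists since the
; cutoff, "No" if none, "Error" if the log could not be read.
Function GpFailuresSince($since)
  Dim $n1030, $n1054
  ; third argument left empty on purpose: the comma keeps $since in place
  $n1030 = CountEvents("Application", 1030, , $since)
  $n1054 = CountEvents("Application", 1054, , $since)
  If $n1030 < 0 Or $n1054 < 0
    $GpFailuresSince = "Error"
  Else
    If $n1030 > 0 Or $n1054 > 0
      $GpFailuresSince = "Yes"
    Else
      $GpFailuresSince = "No"
    EndIf
  EndIf
EndFunction

; Constructed usage on the local workstation with a fixed cutoff.
$since = "2008/01/01 00:00:00"
$answer = GpFailuresSince($since)
? @WKSTA + " has 1030/1054 events since " + $since + ": " + $answer

; Whole log, no date filter and no computer given (trailing optionals may
; simply be omitted; only a skipped middle one needs the empty comma).
? "All 1030 events on " + @WKSTA + ": " + CountEvents("Application", 1030)
```

The $answer string is what you would hand to the Excel or CSV code from 'excel.kix'. Note that Win32_NTLogEvent reports TimeGenerated with the machine's own UTC offset, while the literal built here is +000, so the cutoff is compared as UTC; if that matters for a workstation far from UTC, put the local offset into ToDmtf instead.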
Oh really, well that does make sense, thanks for the info.

Luke