stefanhfli
(Fresh Scripter)
2017-10-17 10:58 AM
Read Information from Eventlog

Hello,

How can I read the values "BootTime", "MainPathBootTime" and "BootPostBootTime" from the latest event (event ID 100) in the Microsoft-Windows-Diagnostics-Performance/Operational event log and write them into a txt file?

Sorry for my English :-)


JochenAdministrator
(KiX Supporter)
2017-10-17 11:33 AM
Re: Read Information from Eventlog

Hi and welcome,

For reading events, try this UDF by Jens:

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=189983

For writing arrays to a file, this function by Conrad is always handy:

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=187759

Hope this gets you started. If any problems arise.. you know, just ask.


stefanhfli
(Fresh Scripter)
2017-10-17 12:47 PM
Re: Read Information from Eventlog

I used these two options with an example syntax:

$array = ReadEventlog('Security',4732)
$abs=WriteFile('c:\KIX\file.txt',$array)

For this example I get output in file.txt.

When I use the following syntax I don't get any output and I don't know why:

$array = ReadEventlog('Microsoft-Windows-Diagnostics-Performance/Operational',100)
$abs=WriteFile('c:\KIX\file.txt',$array)


JochenAdministrator
(KiX Supporter)
2017-10-17 12:56 PM
Re: Read Information from Eventlog

To filter the last event you will need to pass a WQL query including TimeGenerated and your three parameters to ReadEventlog(), and then sort the resulting array using one of the sorting functions in the UDF library ;)

JochenAdministrator
(KiX Supporter)
2017-10-17 12:58 PM
Re: Read Information from Eventlog

hmm ...
let's try the WQL query first. Maybe Jens' function just works for the main event logs System, Security and Application (as it was written in 2001).


JochenAdministrator
(KiX Supporter)
2017-10-17 01:03 PM
Re: Read Information from Eventlog

As expected... returns an empty string :(

stefanhfli
(Fresh Scripter)
2017-10-17 01:05 PM
Re: Read Information from Eventlog

Ok thanks for your help.

I think that is too complicated for me.


stefanhfli
(Fresh Scripter)
2017-10-17 01:26 PM
Re: Read Information from Eventlog

Is there no other way to get the three values?

JochenAdministrator
(KiX Supporter)
2017-10-17 01:48 PM
Re: Read Information from Eventlog

Easy... I have two ways now. Please be patient. Will come back to you after my meeting ;)

JochenAdministrator
(KiX Supporter)
2017-10-17 04:19 PM
Re: Read Information from Eventlog

OK, found something... The Win32_NTLogEvent class is not capable by default of reading the new set of "Application and Services" logs introduced with Win7/Server 2008.

There is a workaround: creating a registry key (one for each logfile) :) (provided the user running the script has sufficient access).

In your case it is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational

Which is, to say the least, kinda annoying.

Furthermore, so far I have only managed to get a direct request to ReadEventlog() to work for me, like ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100), which is a pain to sort out as it returns a metric ton of data :D

A WQL query like this (of course I tried other, simpler combinations too) returns only empty strings:

 Code:
; the WMI Win32_NTLogEvent class only sees the new-style channel once a key
; for it exists under the classic eventlog registry branch
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    ; show the result code of addkey
    @error ??
endif

; the WQL query is kept on a single line (no line break inside the string literal)
$events = ReadEventlog('SELECT InsertionStrings FROM Win32_NTLogEvent WHERE Logfile="Microsoft-Windows-Diagnostics-Performance/Operational" AND EventCode=100')

; $events[0,0] is the newest event; its insertion strings are separated by CRLF,
; positions 5, 6 and 19 are BootTime, MainPathBootTime and BootPostBootTime
if ubound($events,1) > -1
    "BootTime: " + split($events[0,0],@crlf)[5] ?
    "MainPathBootTime: " + split($events[0,0],@crlf)[6]   ?
    "BootPostBootTime: " + split($events[0,0],@crlf)[19]   ?
endif
; wait for a keypress before the window closes
get $



[Edit]
The above query is of course nonsense. A quick peek at the class in wbemtest uncovers this. Still, using the correct statements like TimeGenerated and Message returns nothing.
[/Edit]

[Edit2]
Meh, InsertionStrings holds the information we're looking for. The edited code above is working now. Please note that it will return only the latest event. Of course $events holds all available events, but $events[0,0] is the latest.
[/Edit2]



JochenAdministrator
(KiX Supporter)
2017-10-17 05:10 PM
Re: Read Information from Eventlog

Alright, alright,

in the end it's just splitting the correct array element by CRLF, peeking at the correct positions, and bam:

 Code:
break on
$= setoption("WrapatEOL","ON")

; make the new-style channel visible to the classic eventlog API via a registry key
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    ; show the result code of addkey
    @error ??
endif

; direct request: every event 100 from the log, row 0 being the latest
$events = ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100)

; column 7 of a row holds the insertion strings separated by CRLF;
; positions 5, 6 and 19 are BootTime, MainPathBootTime and BootPostBootTime
if ubound($events,1) > -1
    "BootTime: " + split($events[0,7],@crlf)[5] ?
    "MainPathBootTime: " + split($events[0,7],@crlf)[6]   ?
    "BootPostBootTime: " + split($events[0,7],@crlf)[19]   ?
endif
; wait for a keypress before the window closes
get $


Wonder if there is a more comfortable way using PowerShell... guess not!


stefanhfli
(Fresh Scripter)
2017-10-18 09:38 AM
Re: Read Information from Eventlog

Hello Jochen,

thanks for your help, you are great.

I have customized it for our environment and now I have what I want.

Thanks !!!


JochenAdministrator
(KiX Supporter)
2017-10-18 09:44 AM
Re: Read Information from Eventlog

You're welcome.

Please take note of my edits on the attempt with the WQL statement. Works now too ;)


stefanhfli
(Fresh Scripter)
2017-11-01 12:26 PM
Re: Read Information from Eventlog

Hello Jochen,

I need your help again.

When I try to get the BootStartTime from the event log with
"BootStartTime: " + split($events[0,7],@crlf)[1] ?
I get an empty string.


JochenAdministrator
(KiX Supporter)
2017-11-01 05:16 PM
Re: Read Information from Eventlog

Hi again,
Doesn't work for me either. Same for BootEndTime :(

For BootStartTime we can use the information from the Message column (9).
Now it starts to get ugly. Note the split on ":[TAB]" and, for formatting reasons, the join/split on ?/"". The next thing you need to know is that these are UTC times, so there will be a bit of calculation work left for you to do.

 Code:
"BootStartTime: " + join(split(split($events[0,9],":	")[4],'?'),'') ?
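For comparison, here is an added PowerShell version (not from the thread, and not the UDF's code) that does the same job with Get-WinEvent: it reads the newest event 100 from the EVTX channel directly, so the registry workaround is not needed, and it takes the values by their EventData field names instead of by split position, which also makes BootStartTime and BootEndTime available as proper UTC timestamps. The output path C:\KIX\file.txt is the one used earlier in the thread.

```powershell
# Added example: read the newest event 100 from the Diagnostics-Performance log
# and write the boot timings to a text file (path taken from the thread).
$logName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$outFile = 'C:\KIX\file.txt'

# Get-WinEvent reads EVTX channels natively; -MaxEvents 1 yields the newest match.
$event = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 100 } -MaxEvents 1 -ErrorAction Stop

# The event XML carries every value as <Data Name="...">value</Data>, so the
# fields can be addressed by name rather than by position in InsertionStrings.
[xml]$xml = $event.ToXml()
$data = @{}
foreach ($d in $xml.Event.EventData.Data) {
    $data[$d.Name] = $d.'#text'
}

# BootStartTime/BootEndTime are ISO 8601 timestamps in UTC (trailing 'Z');
# RoundtripKind keeps them as UTC so the conversion to local time is explicit.
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$styles  = [System.Globalization.DateTimeStyles]::RoundtripKind
$bootStart = [datetime]::Parse($data['BootStartTime'], $culture, $styles)
$bootEnd   = [datetime]::Parse($data['BootEndTime'],   $culture, $styles)

$lines = @(
    "Event time (local): $($event.TimeCreated)"
    "BootStartTime (UTC): $($bootStart.ToString('o'))"
    "BootStartTime (local): $($bootStart.ToLocalTime())"
    "BootEndTime (UTC): $($bootEnd.ToString('o'))"
    "BootTime: $($data['BootTime'])"
    "MainPathBootTime: $($data['MainPathBootTime'])"
    "BootPostBootTime: $($data['BootPostBootTime'])"
)

# Set-Content overwrites the file; use Add-Content instead to keep one block per boot.
Set-Content -Path $outFile -Value $lines
$lines
```

Running the script needs read access to the Diagnostics-Performance channel, which is granted to administrators by default; the values come back as strings exactly as they appear in the event's XML.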