Hello, how can I read the information "BootTime", "MainPathBootTime", "BootPostBootTime" from the latest event log entry (Microsoft-Windows-Diagnostics-Performance/Operational), event ID 100, and write it into a txt file? Sorry for my English :-)
Hi and welcome. For reading events, try this UDF by Jens: http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=189983

For writing arrays to a file, this function by Conrad is always handy: http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=187759

Hope this gets you started. If any problems arise... you know, just ask.
I used these 2 options with an example syntax:

Code:
$array = ReadEventlog('Security',4732)
$abs = WriteFile('c:\KIX\file.txt',$array)

For this example I get an output in file.txt. When I use the following syntax I don't get an output and I don't know why:

Code:
$array = ReadEventlog('Microsoft-Windows-Diagnostics-Performance/Operational',100)
$abs = WriteFile('c:\KIX\file.txt',$array)
To filter the last event you will need to pass a WQL query including TimeGenerated and your 3 parameters to ReadEventlog() and sort the resulting array using one of the sorting functions in the UDF library.
Hmm... let's try the WQL query first. Maybe Jens' function just works for the main event logs System, Security and Application (as it was written in 2001).
As expected... returns an empty string.
Ok, thanks for your help. I think that is too complicated for me.
Is there no other way to get the 3 pieces of information?
Easy... I have 2 ways now. Please be patient. Will come back to you after my meeting.
Ok, found something... The Win32_NTLogEvent class is not able by default to read the new set of "Application and Services" logs introduced with Win7/Server 2008. There is a workaround: creating a registry key (its own one for each logfile, provided the user running the script has sufficient access). In your case it is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational

which is, to say the least, kinda annoying.

Furthermore, so far I have only managed to get a direct request to ReadEventlog() to work for me, like ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100), which is a pain to sort out as it returns a metric ton of data. A WQL query like this (tried other, simpler combinations too, of course) returns only empty strings:

Code:
; register the log under the legacy eventlog key so Win32_NTLogEvent can see it
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
  $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
  @error ??
endif
; InsertionStrings carries the event data, one value per line
$events = ReadEventlog('SELECT InsertionStrings FROM Win32_NTLogEvent WHERE Logfile="Microsoft-Windows-Diagnostics-Performance/Operational" AND EventCode=100')
if ubound($events,1) > -1
  ; element [0,0] is the newest event; positions 5, 6 and 19 are the three values
  "BootTime: " + split($events[0,0],@crlf)[5] ?
  "MainPathBootTime: " + split($events[0,0],@crlf)[6] ?
  "BootPostBootTime: " + split($events[0,0],@crlf)[19] ?
endif
get $

[Edit] The above query is of course nonsense. A quick peek at the class in wbemtest uncovers this. [/Edit]

[Edit2] Meh, InsertionStrings holds the information we're looking for. The edited code above is working now. Please note that it will return only the latest event. Of course $events holds all available events, but $events[0,0] is the latest. [/Edit2]
Alright, alright, in the end it's just splitting the correct array element by CRLF, peeking at the correct positions, and bam:

Code:
break on
$ = setoption("WrapatEOL","ON")
; register the log under the legacy eventlog key so Win32_NTLogEvent can see it
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
  $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
  @error ??
endif
$events = ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100)
if ubound($events,1) > -1
  ; element [0,7] (insertion strings of the newest event) split by CRLF; positions 5, 6 and 19
  "BootTime: " + split($events[0,7],@crlf)[5] ?
  "MainPathBootTime: " + split($events[0,7],@crlf)[6] ?
  "BootPostBootTime: " + split($events[0,7],@crlf)[19] ?
endif
get $

Wonder if there is a more comfortable way using PowerShell... guess not!
Hello Jochen, thanks for your help, you are great. I have customized it for our environment and now I have what I want. Thanks!!!
You're welcome. Please take note of my edits on the WQL statement attempt. Works now too.
Hello Jochen, I need your help again. When I try to get the BootStartTime from the event log with

Code:
"BootStartTime: " + split($events[0,7],@crlf)[1] ?

I get an empty string.
Hi again, doesn't work for me either. Same for BootEndTime.

For BootStartTime we can use the information from the Message column (9). Now it starts to get ugly. Note the split on ":[TAB]", and, for format reasons, the join/split on '?' / ''. The next thing you need to know is that these are UTC times, so there will be a bit of calculation work left for you to do.

Code:
; Message column (9): split on ":[TAB]", take the 5th field, then strip the '?' characters
"BootStartTime: " + join(split(split($events[0,9],": ")[4],'?'),'') ?
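Added example, not code from the thread and not part of Jens' or Conrad's UDFs: the PowerShell route the "guess not!" post above wonders about, covering the three values from the KiXtart script and the BootStartTime/BootEndTime UTC handling from the last post. Get-WinEvent reads the Application and Services logs directly, so no registry workaround is needed, and the values are taken from Event ID 100's XML by their <Data Name="..."> names instead of by split() positions. The output path is an assumption (same as in the thread), and the seven-digit fraction trimming assumes the xs:dateTime strings carry nine fractional digits.

```powershell
# Added example (not from the thread): newest Event ID 100 from the
# Diagnostics-Performance log via Get-WinEvent, written to a text file.
# Assumptions: output path; BootStartTime/BootEndTime appear in the event XML
# as xs:dateTime strings in UTC ("...Z"); durations are milliseconds.

$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$OutFile = 'C:\KIX\file.txt'   # assumed path, as used in the thread

function ConvertFrom-EventUtcTime {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    # DateTime.Parse accepts at most seven fractional digits; drop any beyond that,
    # parse the value as UTC, then return local time for the report.
    $trimmed = [regex]::Replace($Value, '(\.\d{7})\d+', '$1')
    $styles  = [System.Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal'
    return [datetime]::Parse($trimmed, [cultureinfo]::InvariantCulture, $styles).ToLocalTime()
}

function Get-LatestBootReport {
    param([string]$LogName)
    # Reading this log needs local admin or "Event Log Readers" membership.
    # -MaxEvents 1 returns the newest matching record, so no sorting is required.
    # With -ErrorAction Stop a log that holds no Event 100 yet throws instead of
    # silently producing an empty report.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 100 } -MaxEvents 1 -ErrorAction Stop

    # Turn <Data Name="X">value</Data> into a name -> value table.
    [xml]$xml = $ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        EventTime        = $ev.TimeCreated                              # local time
        BootStartTime    = ConvertFrom-EventUtcTime $data['BootStartTime']
        BootEndTime      = ConvertFrom-EventUtcTime $data['BootEndTime']
        BootTime         = [int]$data['BootTime']                       # ms
        MainPathBootTime = [int]$data['MainPathBootTime']               # ms
        BootPostBootTime = [int]$data['BootPostBootTime']               # ms
    }
}

$report = Get-LatestBootReport -LogName $LogName

# Same three lines the KiXtart script prints, plus the two timestamps in local time.
$lines = @(
    "EventTime: $($report.EventTime.ToString('yyyy-MM-dd HH:mm:ss'))"
    "BootStartTime: $($report.BootStartTime.ToString('yyyy-MM-dd HH:mm:ss'))"
    "BootEndTime: $($report.BootEndTime.ToString('yyyy-MM-dd HH:mm:ss'))"
    "BootTime: $($report.BootTime)"
    "MainPathBootTime: $($report.MainPathBootTime)"
    "BootPostBootTime: $($report.BootPostBootTime)"
)
Set-Content -Path $OutFile -Value $lines -Encoding UTF8
$lines
```

Run it from an elevated PowerShell (or as a member of Event Log Readers); it overwrites the output file with one line per value. Addressing the fields by name is what keeps the script from breaking when a later Windows build inserts extra Data elements and shifts the positions that the split()[5] / [6] / [19] approach depends on.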