#212750 - 2017-10-17 10:58 AM Read Information from Eventlog
stefanhfli Offline
Fresh Scripter

Registered: 2015-01-29
Posts: 7
Loc: Germany
Hello,

How can I read the information "BootTime", "MainPathBootTime", "BootPostBootTime" from the latest event log (Microsoft-Windows-Diagnostics-Performance/Operational) event ID 100 and write it into a txt file?

Sorry for my English :-)


Edited by stefanhfli (2017-10-17 11:25 AM)

#212751 - 2017-10-17 11:33 AM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Hi and welcome,

for reading events try this udf by Jens:

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=189983

for writing Arrays to a file this function by Conrad always is handy:

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=187759

Hope this gets you started. If any problems arise.. you know, just ask.
#212752 - 2017-10-17 12:47 PM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli Offline
Fresh Scripter

Registered: 2015-01-29
Posts: 7
Loc: Germany
I used these 2 options with an example syntax:

$array = ReadEventlog('Security',4732)
$abs=WriteFile('c:\KIX\file.txt',$array)

For this example I get an output in the file.txt.

When I use the following syntax I don't get an output and I don't know why:

$array = ReadEventlog('Microsoft-Windows-Diagnostics-Performance/Operational',100)
$abs=WriteFile('c:\KIX\file.txt',$array)

#212753 - 2017-10-17 12:56 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
To filter the last event you will need to pass a WQL query including TimeGenerated and your 3 parameters to Readeventlog() and sort the resulting array using one of the sorting functions in the UDF library ;)
#212754 - 2017-10-17 12:58 PM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
hmm ...
let's try the WQL query first. Maybe Jens' function just works for the main event logs System, Security and Application (as it was written in 2001)
#212755 - 2017-10-17 01:03 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
as expected .. returns an empty string :(
#212756 - 2017-10-17 01:05 PM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli Offline
Fresh Scripter

Registered: 2015-01-29
Posts: 7
Loc: Germany
Ok thanks for your help.

I think that is too complicated for me.

#212757 - 2017-10-17 01:26 PM Re: Read Information from Eventlog [Re: stefanhfli]
stefanhfli Offline
Fresh Scripter

Registered: 2015-01-29
Posts: 7
Loc: Germany
Is there no other way to get the 3 pieces of information?
#212758 - 2017-10-17 01:48 PM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
easy.. I have 2 ways now. Please be patient. Will come back to you after my meeting ;)
#212762 - 2017-10-17 04:19 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Ok, found something .. the Win32_NTLogEvent class is not capable by default of reading the new set of "Application and Services" logs introduced with Win7/Server 2008.

There is a workaround creating a registry key (for each logfile its own) :) (provided the user running the script has sufficient access)

In your case it is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational

Which is, to say the least, kinda annoying.

Furthermore I only managed by now to get a direct request to ReadEventlog() to work for me. Like ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100) which is a pain to sort out as it returns a metric ton of data :D

A WQL Query like this (tried of course other, simpler combinations) returns only empty strings

 Code:
; Win32_NTLogEvent only sees this "Applications and Services" log once a key for it exists under the eventlog service
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    @error ??
endif

; WQL query passed straight to ReadEventlog(); the string literal is kept on a single line
$events = ReadEventlog('SELECT InsertionStrings FROM Win32_NTLogEvent WHERE Logfile="Microsoft-Windows-Diagnostics-Performance/Operational" AND EventCode=100')

; $events[0,0] is the InsertionStrings of the newest event; the strings are CRLF-separated,
; and positions 5, 6 and 19 hold the three values we want
if ubound($events,1) > -1
    "BootTime: " + split($events[0,0],@crlf)[5] ?
    "MainPathBootTime: " + split($events[0,0],@crlf)[6]   ?
    "BootPostBootTime: " + split($events[0,0],@crlf)[19]   ?
endif
get $



[Edit]
the above query is of course nonsense. A quick peek at the class in wbemtest uncovers this. Still, using the correct statements like TimeGenerated and Message returns nothing
[/Edit]

[Edit2]
Meh, InsertionStrings holds the information we're looking for. Edited code above is working now. Please note that it will return only the latest event. Of course $events holds all available events but $events[0,0] is the latest
[/Edit2]



Edited by Jochen (2017-10-18 09:47 AM)
#212764 - 2017-10-17 05:10 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Alright, alright,

in the end, just splitting the correct array element by CRLF, peeking at the correct positions, and bam:

 Code:
break on
; let long lines wrap instead of being cut off
$= setoption("WrapatEOL","ON")

; Win32_NTLogEvent only sees this "Applications and Services" log once a key for it exists under the eventlog service
if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    @error ??
endif

; direct request: all event ID 100 records, newest first, as a two-dimensional array
$events = ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100)

; column 7 of the newest row is the InsertionStrings column; split it on CRLF
; and pick positions 5, 6 and 19 for the three values
if ubound($events,1) > -1
    "BootTime: " + split($events[0,7],@crlf)[5] ?
    "MainPathBootTime: " + split($events[0,7],@crlf)[6]   ?
    "BootPostBootTime: " + split($events[0,7],@crlf)[19]   ?
endif
get $


wonder if there is a more comfortable way using Powershell ... guess not!
#212766 - 2017-10-18 09:38 AM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli Offline
Fresh Scripter

Registered: 2015-01-29
Posts: 7
Loc: Germany
Hello Jochen,

thanks for your help, you are great.

I have customized it for our environment and now I have what I want.

Thanks !!!

#212767 - 2017-10-18 09:44 AM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
You're welcome.

Please take note of my edits on the try with the WQL statement. Works now too ;)
#212800 - 2017-11-01 12:26 PM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli Offline
Fresh Scripter

Registered: 2015-01-29
Posts: 7
Loc: Germany
Hello Jochen,

I need your help again.

When I try to get the BootStartTime from the event log with
"BootStartTime: " + split($events[0,7],@crlf)[1] ?
i get an empty string.

#212802 - 2017-11-01 05:16 PM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Administrator Offline
KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Hi again,
doesn't work for me either. Same for BootEndTime :(

For BootStartTime we can use the information from the Message column (9).
Now it starts to get ugly. Note the split on ":[TAB]" and, for format reasons, the join of a split on ?/"". The next thing you need to know is that these are UTC times, so there will be a bit of calculation work left for you to do.

 Code:
; column 9 is the Message column; the inner split uses a colon followed by a literal TAB character,
; the outer split/join strips the "?" characters that remain for formatting reasons
"BootStartTime: " + join(split(split($events[0,9],":	")[4],'?'),'') ?
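As a follow-up to Jochen's question earlier in the thread about a more comfortable way in PowerShell, here is an added example that is not code from the thread, the KiXtart UDFs, or the project. It covers both the three durations pulled out of InsertionStrings in the working KiX script and the BootStartTime/BootEndTime question from this post. Get-WinEvent reads "Applications and Services" logs without the per-log registry key the Win32_NTLogEvent route needs, and the rendered event XML exposes every value under its own name, so no positional index (5, 6, 19, or the ":[TAB]" split of the Message text) is required. It assumes the EventData field names are the ones used in the thread (BootTime, MainPathBootTime, BootPostBootTime, BootStartTime, BootEndTime) and that the two timestamps are rendered as ISO 8601 UTC strings; the function names and the output path C:\KIX\file.txt (taken from the thread) are choices made for this example.

```powershell
# Added example, not from the thread: read the newest boot-performance event (ID 100)
# with Get-WinEvent and extract the values by EventData name instead of by position.

$LogName = 'Microsoft-Windows-Diagnostics-Performance/Operational'
$OutFile = 'C:\KIX\file.txt'   # output path from the thread; adjust as needed

# Fields the thread extracts. Durations are reported in milliseconds,
# the two timestamps as UTC strings (assumption: ISO 8601 rendering in the XML).
$Durations  = 'BootTime', 'MainPathBootTime', 'BootPostBootTime'
$Timestamps = 'BootStartTime', 'BootEndTime'

function Get-LatestBootEventData {
    param([string]$LogName)
    # Records are returned newest first, so -MaxEvents 1 is the latest boot.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 100 } -MaxEvents 1 -ErrorAction Stop
    # The rendered XML carries each value as <Data Name="...">text</Data>.
    [xml]$xml = $evt.ToXml()
    $data = [ordered]@{ TimeCreated = $evt.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

function ConvertFrom-EventUtcTime {
    param([string]$Value)
    # Event XML timestamps may carry more than the seven fractional digits .NET
    # parses; trim the surplus, then parse as DateTimeOffset so the trailing "Z"
    # keeps the value anchored to UTC instead of being silently shifted.
    $trimmed = $Value -replace '(\.\d{7})\d+', '$1'
    return [datetimeoffset]::Parse($trimmed, [cultureinfo]::InvariantCulture)
}

$data  = Get-LatestBootEventData -LogName $LogName
$lines = @("Event time (local): $($data.TimeCreated)")

foreach ($name in $Durations) {
    $lines += '{0}: {1} ms' -f $name, $data[$name]
}
foreach ($name in $Timestamps) {
    if ([string]::IsNullOrEmpty($data[$name])) {
        $lines += "${name}: (not present in this event)"
        continue
    }
    $t = ConvertFrom-EventUtcTime -Value $data[$name]
    $lines += '{0}: {1:u} UTC / {2} local' -f $name, $t.UtcDateTime, $t.LocalDateTime
}

# One "Name: value" line each, as the KiX script printed them, written to the txt file.
$lines | Set-Content -Path $OutFile -Encoding UTF8
$lines
```

Reading this log needs the account running the script to be an administrator or a member of the Event Log Readers group; unlike the WMI route, nothing under HKLM\SYSTEM\CurrentControlSet\services\eventlog has to be created, so the script can run without write access to the registry. Looking values up by their Data name rather than by line position also means the script keeps working if Microsoft reorders or extends the event's insertion strings.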