kiffab

Monitoring Event Log

4 posts in this topic

Hi

Is it possible to monitor the Application section of the event log for a particular source? What I want to do is count the occurrences of error messages from a particular source and then alert me via a pop-up from an AutoIt app running in the system tray. For example, if the same error occurs X times in 30 minutes, let me know about it.

I can see an event log read and count in the help files but not sure how to count within a time frame etc.

Appreciate any advice.

I'm not sure how to use it, but this function (also in the help file) might be of interest: _EventLog_Notify($hEventLog, $hEvent) - Enables an application to receive event notifications.

At least run the example in the help file and see if you can maybe alter it for your purposes...

Here is another WMI function I used in SIC2:

;Coded by UEZ 2009
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_UseUpx=n
#include <Date.au3>

Global $oMyError = ObjEvent("AutoIt.Error", "oMyError") ; Install a custom COM error handler

Global $ip = "localhost"
If $CmdLine[0] > 0 Then $ip = $CmdLine[1]

Global $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $ip & "\root\cimv2")
If Not IsObj($objWMIService) Then
    ConsoleWrite("Could not connect to WMI on " & $ip & @CRLF)
    Exit 1
EndIf

ConsoleWrite(GetWMI($ip))

; Returns one semicolon-separated line per Error event (EventType=1) written to log $cat
; during the last $d days, optionally restricted to EventCode $n.
; $cat is interpolated into the WQL text, so only pass values you control.
Func GetWMI($srv, $d = 2, $n = "", $cat = "Application")
    Local $Eventlog_Err = "", $Eventlog_Err_Logfile, $Eventlog_Err_EventType, $Eventlog_Err_EventID
    Local $Eventlog_Err_TimeGenerated, $Eventlog_Err_SourceName, $Eventlog_Err_InsertionStrings, $Eventlog_Err_Message
    Local $days_threshold, $date_threshold_WQL, $now, $x, $aIns, $sIns, $sQuery, $colItems, $objItem
    If Not Ping($srv) Then Return SetError(1, 0, "Host not reachable")
    $days_threshold = -1 * $d ; how many days to look into the past for errors - 0 = today
    $now = _NowCalc()
    ; _DateAdd returns "YYYY/MM/DD HH:MM:SS"; drop the separators and keep YYYYMMDD (a WQL-supported date format)
    $date_threshold_WQL = StringLeft(StringRegExpReplace(_DateAdd('d', $days_threshold, $now), "[/ :]", ""), 8)
    $sQuery = "SELECT Logfile, EventType, EventCode, TimeGenerated, SourceName, InsertionStrings, Message FROM Win32_NTLogEvent " & _
            "WHERE LogFile='" & $cat & "' AND TimeGenerated >= '" & $date_threshold_WQL & "' AND EventType=1"
    If $n <> "" Then $sQuery &= " AND EventCode=" & Number($n) ; EventCode is numeric; Number() keeps the query text clean
    $colItems = $objWMIService.ExecQuery($sQuery, "WQL", 0x30) ; 0x30 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    If Not IsObj($colItems) Then Return SetError(2, 0, "Error!")
    For $objItem In $colItems
        $Eventlog_Err_Logfile = $objItem.Logfile
        $Eventlog_Err_EventType = $objItem.EventType
        $Eventlog_Err_EventID = $objItem.EventCode ;$objItem.EventIdentifier
        $Eventlog_Err_TimeGenerated = WMIDateStringToDate2($objItem.TimeGenerated)
        $Eventlog_Err_SourceName = $objItem.SourceName
        $Eventlog_Err_InsertionStrings = ""
        $aIns = $objItem.InsertionStrings ; SAFEARRAY of strings, or Null when the event has none
        If IsArray($aIns) Then
            For $x = 0 To UBound($aIns) - 1
                $sIns = $aIns[$x]
                ; skip pure numbers, %%-placeholders and empty or one-character strings
                If Number($sIns) = 0 And StringLeft($sIns, 2) <> "%%" And StringLen($sIns) > 1 Then
                    $Eventlog_Err_InsertionStrings &= StringStripWS(StringReplace(StringReplace($sIns, @LF, ""), @CR, ""), 7) & ", "
                EndIf
            Next
        EndIf
        $Eventlog_Err_InsertionStrings = StringTrimRight($Eventlog_Err_InsertionStrings, 2) ; drop the trailing ", "
        $Eventlog_Err_Message = StringStripWS(StringReplace(StringReplace($objItem.Message, @LF, ""), @CR, ""), 7)
        $Eventlog_Err &= $srv & ";" & $Eventlog_Err_Logfile & ";" & $Eventlog_Err_EventType & ";" & $Eventlog_Err_EventID & ";" & _
                $Eventlog_Err_TimeGenerated & ";" & $Eventlog_Err_SourceName & ";" & $Eventlog_Err_InsertionStrings & ";" & _
                $Eventlog_Err_Message & ";" & @CRLF
    Next
    Return $Eventlog_Err
EndFunc   ;==>GetWMI

; CIM_DATETIME "yyyymmddHHMMSS.mmmmmmsUUU" -> "DD.MM.YYYY HH:MM:SS" (the trailing UTC-offset field is dropped)
Func WMIDateStringToDate2($dtmDate)
    Return (StringMid($dtmDate, 7, 2) & "." & StringMid($dtmDate, 5, 2) & "." & StringLeft($dtmDate, 4) & " " & _
            StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate, 13, 2))
EndFunc   ;==>WMIDateStringToDate2

; COM error handler: report the error and let the script continue
Func oMyError()
    MsgBox(0, "AutoItCOM Test", "We intercepted a COM Error !" & @CRLF & @CRLF & _
            "err.description is: " & @TAB & $oMyError.Description & @CRLF & _
            "err.windescription:" & @TAB & $oMyError.WinDescription & @CRLF & _
            "err.number is: " & @TAB & Hex($oMyError.Number, 8) & @CRLF & _
            "err.lastdllerror is: " & @TAB & $oMyError.LastDllError & @CRLF & _
            "err.scriptline is: " & @TAB & $oMyError.Scriptline & @CRLF & _
            "err.source is: " & @TAB & $oMyError.Source & @CRLF & _
            "err.helpfile is: " & @TAB & $oMyError.Helpfile & @CRLF & _
            "err.helpcontext is: " & @TAB & $oMyError.HelpContext _
            , 20)
EndFunc   ;==>oMyError

Br,

UEZ




Hi,

I tried and this is what I ended up with.

You can use this to monitor a remote machine as well if you have [domain\username]/[password].

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.6.1
 Author:         dara

 Script Function:
    retrieve event log with limit on count and time
#ce ----------------------------------------------------------------------------
#include <Date.au3>

Const $LIMITCOUNT = 2
Const $LIMITMINUT = 30 ; 30 minutes
Const $SOURCENAME = "MsiInstaller" ; event source to watch

; Without a handler an unhandled COM error terminates the script in 3.3.6.1;
; with one installed @error is set instead and can be checked after each COM call
Global $oCOMError = ObjEvent("AutoIt.Error", "COMErrFunc")

Global $tmpDate = ObjCreate("WbemScripting.SWbemDateTime") ; converts CIM_DATETIME strings

Func COMErrFunc()
    ConsoleWrite("COM error 0x" & Hex($oCOMError.Number, 8) & ": " & $oCOMError.WinDescription & @CRLF)
EndFunc   ;==>COMErrFunc

; Run $wmiquery against $namespace on $computer; the credentials are only used for remote hosts
; (WMI does not accept explicit credentials for a local connection).
; Returns the SWbemObjectSet, or False with @error set when the connection or query failed.
Func readEvent($computer, $username, $passwd, $namespace, $wmiquery)
    Local $objWMIService, $objSWbemLocator, $colItems
    If StringUpper($computer) = StringUpper(@ComputerName) Then ; local query
        $objWMIService = ObjGet("winmgmts:{impersonationLevel=Impersonate}!\\" & $computer & "\" & $namespace)
    Else
        ; remote computer, see http://msdn.microsoft.com/en-us/library/aa389292%28VS.85%29.aspx
        $objSWbemLocator = ObjCreate("WbemScripting.SWbemLocator")
        ; optional further arguments: locale and authority, e.g. "MS_409", "ntlmdomain:" & $strDomain
        $objWMIService = $objSWbemLocator.ConnectServer($computer, $namespace, $username, $passwd)
    EndIf
    If @error Or Not IsObj($objWMIService) Then Return SetError(1, 0, False) ; e.g. COM error 80020009
    $colItems = $objWMIService.ExecQuery($wmiquery)
    If @error Or Not IsObj($colItems) Then Return SetError(2, 0, False)
    Return $colItems
EndFunc   ;==>readEvent

; AutoIt returns a COM VT_DATE as "YYYYMMDDHHMMSS"; convert to the "YYYY/MM/DD HH:MM:SS" form _DateDiff expects
Func vtdateToDate($vtdate)
    Return StringLeft($vtdate, 4) & "/" & StringMid($vtdate, 5, 2) & "/" & StringMid($vtdate, 7, 2) _
            & " " & StringMid($vtdate, 9, 2) & ":" & StringMid($vtdate, 11, 2) & ":" & StringMid($vtdate, 13, 2)
EndFunc   ;==>vtdateToDate

Local $cptSameEvent = 0
Local $firstD = "99991231235959" ; earliest TimeWritten seen (local time, YYYYMMDDHHMMSS)
Local $lastD = "00000000000000" ; latest TimeWritten seen
Local $elapsed, $sWritten, $sComputer = "", $sSource = ""

; filter on the source in WQL instead of fetching the whole Application log
Local $oResult = readEvent(@ComputerName, "", "", "root\cimv2", _
        "Select * from Win32_NTLogEvent Where Logfile = 'Application' And SourceName = '" & $SOURCENAME & "'")
If @error Then
    MsgBox(16, "WMI", "Query failed (error " & @error & ")")
    Exit 1
EndIf

; Win32_NTLogEvent normally enumerates the newest record first, so the first $LIMITCOUNT hits are the most recent ones.
; Note: this checks that those records lie within $LIMITMINUT minutes of each other, not that they are recent.
For $elem In $oResult
    $cptSameEvent += 1
    $sComputer = $elem.ComputerName
    $sSource = $elem.SourceName
    ConsoleWrite('Computer Name: ' & $sComputer & @CRLF)
    ConsoleWrite('Category: ' & $elem.Category & @CRLF)
    ConsoleWrite('Event Type: ' & $elem.Type & @CRLF)
    ConsoleWrite('Event Code: ' & $elem.EventCode & @CRLF)
    ConsoleWrite('Record Number: ' & $elem.RecordNumber & @CRLF)
    ConsoleWrite('Source Name: ' & $sSource & @CRLF)
    $tmpDate.Value = $elem.TimeWritten ; CIM_DATETIME string including the UTC offset
    $sWritten = String($tmpDate.GetVarDate) ; converted to local time, returned as YYYYMMDDHHMMSS
    If $sWritten > $lastD Then $lastD = $sWritten
    If $sWritten < $firstD Then $firstD = $sWritten
    ConsoleWrite('Time Written: ' & $sWritten & @CRLF)
    ConsoleWrite('User: ' & $elem.User & @CRLF)
    ConsoleWrite('Message: ' & $elem.Message & @CRLF)
    If $cptSameEvent >= $LIMITCOUNT Then ExitLoop
Next

If $cptSameEvent >= $LIMITCOUNT Then ; fewer hits than the limit means nothing to report
    $elapsed = _DateDiff('n', vtdateToDate($firstD), vtdateToDate($lastD))
    If $elapsed < $LIMITMINUT Then
        MsgBox(0, $sComputer & " " & $sSource, "appeared " & $cptSameEvent & " times in the last " _
                & $elapsed & " minutes (limit was " & $LIMITCOUNT & " times in " & $LIMITMINUT & " minutes)")
    EndIf
EndIf
Edited by dara
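The two things the question asks for, counting hits from one source inside a time window and deciding when to alert, as an added example that is not code from this thread or from AutoIt. It is written in Python so it runs offline: the records are constructed samples shaped like Win32_NTLogEvent rows (source names, event codes and times are made up, the local zone is assumed to be UTC+1), and the CIM_DATETIME strings are parsed with their UTC offset, which neither script above does. It covers the batch form (re-query, then count, as in the two scripts) and a streaming form suited to the _EventLog_Notify approach from the second post.

```python
"""Added example (not from the thread): sliding-window counting of Windows
event log records, with correct handling of the CIM_DATETIME timestamps that
Win32_NTLogEvent.TimeWritten / TimeGenerated return ("yyyymmddHHMMSS.mmmmmmsUUU")."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

_DMTF = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def parse_dmtf(value):
    """CIM_DATETIME -> timezone-aware datetime.  The trailing sUUU field is the
    offset from UTC in minutes (+060 = UTC+1), so two records stamped with
    different offsets compare correctly once parsed; the raw strings do not."""
    m = _DMTF.match(value)
    if not m:  # interval values and '*' wildcards are not handled here
        raise ValueError("not a CIM_DATETIME: %r" % (value,))
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    minutes = int(off) if sign == "+" else -int(off)
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us),
                    tzinfo=timezone(timedelta(minutes=minutes)))


def to_dmtf(dt):
    """Aware datetime -> CIM_DATETIME, the form WQL accepts in a comparison such
    as TimeWritten >= '20100413195000.000000+060'."""
    minutes = int((dt.utcoffset() or timedelta(0)).total_seconds() // 60)
    sign = "+" if minutes >= 0 else "-"
    return dt.strftime("%Y%m%d%H%M%S.%f") + "%s%03d" % (sign, abs(minutes))


def wql_since(source, since, logfile="Application"):
    """Query for one source from a point in time.  WQL has no bound parameters,
    so the source name is interpolated; quoting characters are rejected rather
    than escaped."""
    if any(c in source for c in "'\"\\"):
        raise ValueError("unsafe source name: %r" % (source,))
    return ("SELECT EventCode, SourceName, TimeWritten, Message FROM Win32_NTLogEvent "
            "WHERE Logfile='%s' AND SourceName='%s' AND TimeWritten >= '%s'"
            % (logfile, source, to_dmtf(since)))


def count_in_window(events, source, event_code, now, window_minutes=30):
    """Batch form: number of (source, event_code) records written in
    (now - window, now].  Records from other sources or codes are ignored."""
    cutoff = now - timedelta(minutes=window_minutes)
    return sum(1 for e in events
               if e["SourceName"] == source and e["EventCode"] == event_code
               and cutoff < parse_dmtf(e["TimeWritten"]) <= now)


class SlidingWindowCounter:
    """Streaming form for a tray app fed by event notifications: keep the
    timestamps of the last `window_minutes` per (source, code) and report when
    the count reaches `limit`.  Assumes events arrive in chronological order."""

    def __init__(self, limit=3, window_minutes=30):
        self.limit = limit
        self.window = timedelta(minutes=window_minutes)
        self._seen = {}  # (source, code) -> deque of aware datetimes

    def add(self, source, event_code, time_written):
        """Record one event; True when the trailing window now holds >= limit."""
        ts = parse_dmtf(time_written)
        q = self._seen.setdefault((source, event_code), deque())
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] <= cutoff:  # evict everything that fell out of the window
            q.popleft()
        return len(q) >= self.limit


# Constructed sample records (not real log data).  The local zone is UTC+1;
# one record is stamped in UTC to show that the offset is honoured.
SAMPLE_EVENTS = [
    {"SourceName": "MsiInstaller", "EventCode": 1035, "TimeWritten": "20100412201500.000000+060"},
    {"SourceName": "MsiInstaller", "EventCode": 1035, "TimeWritten": "20100413195000.000000+060"},
    {"SourceName": "MsiInstaller", "EventCode": 1035, "TimeWritten": "20100413200252.000000+060"},
    {"SourceName": "MsiInstaller", "EventCode": 1035, "TimeWritten": "20100413191000.000000+000"},
    {"SourceName": "MsiInstaller", "EventCode": 1035, "TimeWritten": "20100413201500.000000+060"},
    {"SourceName": "Application Error", "EventCode": 1000, "TimeWritten": "20100413201600.000000+060"},
]
NOW = parse_dmtf("20100413202000.000000+060")  # constructed "current time"

if __name__ == "__main__":
    n = count_in_window(SAMPLE_EVENTS, "MsiInstaller", 1035, NOW)
    print("MsiInstaller/1035 hits in the last 30 minutes:", n)
    print(wql_since("MsiInstaller", NOW - timedelta(minutes=30)))
```

The record stamped 19:50:00+060 sits exactly on the 30-minute boundary and is excluded, and the one stamped 19:10:00+000 is the same instant as 20:10:00+060, so it counts; both are the cases a raw string comparison gets wrong. For a tray app, feed each notification into SlidingWindowCounter.add and pop the alert when it returns True.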
