
Monitoring Event Log


Hi

Is it possible to monitor the Application section of the event log for a particular source? What I want to do is count the occurrences of error messages from a particular source and then alert me via a pop-up from an AutoIt app running in the system tray. For example, if the same error occurs X times in 30 minutes, let me know about it.

I can see an event log read and count in the help files, but I'm not sure how to count within a time frame, etc.

Appreciate any advice.


I'm not sure how to use it, but this function (also in the help file) might be of interest: _EventLog_Notify($hEventLog, $hEvent) - Enables an application to receive event notifications.

At least run the example in the help file and see if you can maybe alter it for your purposes...


Here is another WMI function I used in SIC2:

;Coded by UEZ 2009
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_UseUpx=n
#Include <Date.au3>
$oMyError = ObjEvent("AutoIt.Error", "oMyError") ; Install a custom error handler

Global $ip = "localhost"
If $CmdLine[0] > 0 Then $ip = $CmdLine[1]

$objWMIService = ObjGet("winmgmts:{impersonationLevel = impersonate}!\\" & $ip & "\root\cimv2")

ConsoleWrite(GetWMI($ip))

Func GetWMI($srv, $d = 2, $n = "", $cat = "Application")
    Local $Eventlog_Err, $Eventlog_Err_Logfile, $Eventlog_Err_EventType, $Eventlog_Err_EventID, $Eventlog_Err_TimeGenerated, $Eventlog_Err_SourceName, $Eventlog_Err_InsertionStrings, $Eventlog_Err_Message
    Local $date_threshold, $days_threshold, $date_threshold_WQL, $now, $x
    $ping = Ping($srv)
    If $ping Then
        $days_threshold = -1 * $d ; how many days should be looked into the past for error - 0 = today
        $now = _NowCalc()
        $date_threshold = _DateAdd('d', $days_threshold, $now) ;get the date / time value from the past (YYYY/MM/DD HH:MM:SS)
        $date_threshold_WQL = StringLeft(StringReplace(StringReplace(StringReplace($date_threshold, ":", ""), "/", ""), " ", ""), 8) ;convert to a WQL-supported date format (YYYYMMDD)
        If $n = "" Then
            $colItems = $objWMIService.ExecQuery("SELECT Logfile, EventType, EventCode, TimeGenerated, SourceName, InsertionStrings, Message FROM Win32_NTLogEvent WHERE LogFile='" & $cat & "' AND TimeGenerated >= '" & $date_threshold_WQL & "' AND EventType=1", "WQL", 0x30)
        Else
            $colItems = $objWMIService.ExecQuery("SELECT Logfile, EventType, EventCode, TimeGenerated, SourceName, InsertionStrings, Message FROM Win32_NTLogEvent WHERE EventCode = '" & $n & "' And LogFile='" & $cat & "' AND TimeGenerated >= '" & $date_threshold_WQL & "' AND EventType=1", "WQL", 0x30)
        EndIf
        If IsObj($colItems) Then
            For $objItem In $colItems
                $Eventlog_Err_Logfile = $objItem.Logfile
                $Eventlog_Err_EventType = $objItem.EventType
                $Eventlog_Err_EventID = $objItem.EventCode ;$objItem.EventIdentifier
                $Eventlog_Err_TimeGenerated = WMIDateStringToDate2($objItem.TimeGenerated)
                $Eventlog_Err_SourceName = $objItem.SourceName
                $Eventlog_Err_InsertionStrings = ""
                For $x = 0 To UBound($objItem.InsertionStrings) - 1
                    If Number($objItem.InsertionStrings($x)) = 0 And StringLeft($objItem.InsertionStrings($x), 2) <> "%%" And $objItem.InsertionStrings($x) <> "" And StringLen($objItem.InsertionStrings($x)) > 1 Then ;skip unneeded strings
                        $Eventlog_Err_InsertionStrings &= StringStripWS(StringReplace(StringReplace($objItem.InsertionStrings($x), Chr(10), ""), Chr(13), ""), 7) & ", "
                    EndIf
                Next
                $Eventlog_Err_InsertionStrings = StringTrimRight($Eventlog_Err_InsertionStrings, 2) ;drop the trailing ", " separator
                $Eventlog_Err_Message = StringStripWS(StringReplace(StringReplace($objItem.Message, Chr(10), ""), Chr(13), ""), 7)
                $Eventlog_Err &= $srv & ";" & $Eventlog_Err_Logfile & ";" & $Eventlog_Err_EventType & ";" & $Eventlog_Err_EventID & ";" & $Eventlog_Err_TimeGenerated & ";" & $Eventlog_Err_SourceName & ";" & $Eventlog_Err_InsertionStrings & ";" & $Eventlog_Err_Message & ";" & @CRLF
            Next
            Return $Eventlog_Err
        Else
            Return SetError(2, 0, "Error!")
        EndIf
    Else
        Return SetError(1, 0, "Host not reachable")
    EndIf
EndFunc

Func WMIDateStringToDate2($dtmDate)
    Return (StringMid($dtmDate, 7, 2) & "." & StringMid($dtmDate, 5, 2) & "." & StringLeft($dtmDate, 4) & " " & _
            StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate, 13, 2))
EndFunc   ;==>WMIDateStringToDate2

Func oMyError()
  Msgbox(0,"AutoItCOM Test","We intercepted a COM Error !"      & @CRLF  & @CRLF & _
             "err.description is: "    & @TAB & $oMyError.Description    & @CRLF & _
             "err.windescription:"     & @TAB & $oMyError.WinDescription & @CRLF & _
             "err.number is: "         & @TAB & Hex($oMyError.Number, 8) & @CRLF & _
             "err.lastdllerror is: "   & @TAB & $oMyError.LastDllError   & @CRLF & _
             "err.scriptline is: "     & @TAB & $oMyError.Scriptline     & @CRLF & _
             "err.source is: "         & @TAB & $oMyError.Source         & @CRLF & _
             "err.helpfile is: "       & @TAB & $oMyError.Helpfile       & @CRLF & _
             "err.helpcontext is: "    & @TAB & $oMyError.HelpContext _
            , 20)
EndFunc

Br,

UEZ



Hi,

I tried and this is what I ended up with.

You can also use this to monitor a remote machine if you have [domain\username]/[password].

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.6.1
 Author:         dara

 Script Function:
    retrieve event log with limit on count and time
#ce ----------------------------------------------------------------------------
#Include <Date.au3>

const $LIMITCOUNT=2
const $LIMITMINUT=30 ;30 minutes


local $tmpDate = ObjCreate("WbemScripting.SWbemDateTime")

func readEvent($computer,$username,$passwd,$namespace,$wmiquery)
    if StringUpper($computer)=StringUpper(@ComputerName) then ;only for local query
        $objWMIService = ObjGet("winmgmts:{impersonationLevel=Impersonate}!\\"& $computer & "\" & $namespace)
        $colItems = $objWMIService.ExecQuery($wmiquery)
    Else
        ;only for remote computer: SWbemLocator.ConnectServer, see http://msdn.microsoft.com/en-us/library/aa389292%28VS.85%29.aspx
        ;optional further arguments are the locale ("MS_409") and the authority ("ntlmdomain:" & $strDomain)
        $objSWbemLocator = ObjCreate("WbemScripting.SWbemLocator")
        $objWMIService = $objSWbemLocator.ConnectServer($computer,$namespace,$username, $passwd)
        if @error then return false ;check for COM error 80020009 (class not registered) or a failed logon
        $colItems = $objWMIService.ExecQuery($wmiquery)
    endif
    return $colItems
EndFunc

func vtdateToDate($vtdate)
    return StringLeft($vtdate,4) & "/" & stringmid($vtdate,5,2) & "/" & stringmid($vtdate,7,2) _
    & " " &stringmid($vtdate,9,2) &":" & stringMid($vtdate,11,2)&":" & stringright($vtdate,2)
EndFunc

local $cptSameEvent=0
local $firstD=21990413200252 ;sentinel far in the future, so the first real timestamp replaces it
local $lastD=0
local $elapsed
local $srcName="", $compName=""

$oResult=readEvent(@computername,"","","root\cimv2","Select * from Win32_NTLogEvent Where Logfile = 'Application'")
if not IsObj($oResult) then exit ;readEvent returned false (connection or query failed)

for $elem in $oResult
    if $elem.SourceName="MsiInstaller" then
        $cptSameEvent+=1
        $srcName=$elem.SourceName ;remember these for the alert, $elem is not reliable after the loop
        $compName=$elem.ComputerName
        ConsoleWrite('Computer Name: ' & $elem.ComputerName & @crlf)
        ConsoleWrite('Category: ' & $elem.Category & @crlf)
        ConsoleWrite('Event Type: ' & $elem.Type & @crlf)
        ConsoleWrite('Event Code: ' & $elem.EventCode & @crlf)
        ConsoleWrite('Record Number: ' & $elem.RecordNumber & @crlf)
        ConsoleWrite('Source Name: ' & $elem.SourceName & @crlf)
        $tmpDate.Value=$elem.TimeWritten ;DMTF string -> SWbemDateTime, GetVarDate gives local time as YYYYMMDDHHMMSS
        if $tmpDate.Value>$lastD then $lastD=$tmpDate.GetVarDate
        if $tmpDate.Value<$firstD then $firstD=$tmpDate.GetVarDate
        ConsoleWrite('Time Written: ' & $tmpDate.GetVarDate & @crlf)
        ConsoleWrite('User: ' & $elem.User & @crlf)
        ConsoleWrite('Message: ' & $elem.Message & @crlf)
        if ($cptSameEvent>=$LIMITCOUNT) then exitloop
    endif
Next

;only alert when the limit was actually reached and those events fall inside the time window
if $cptSameEvent>=$LIMITCOUNT then
    $elapsed=_DateDiff('n',vtdateToDate($firstD),vtdateToDate($lastD))
    if $elapsed < $LIMITMINUT then
        msgbox(0,$compName&" " &$srcName,"appeared " & $cptSameEvent & " times in the last " _
        & $elapsed & " minutes (limit was " &$LIMITCOUNT &  " times in " & $LIMITMINUT & " minutes)")
    endif
endif

(7 years later...)

Hi,

I have been hacking on your code here :)

I would like to query and get only the stuff from the last hour. I can't seem to get the syntax right.

$oResult=readEvent(@computername,"","","root\cimv2","Select * from Win32_NTLogEvent Where Logfile = 'Application' and TimeWritten> '20180723' ")

seems to work OK.

The following, where I try to get stuff after 1pm, doesn't work. I have tried various combinations without success.

$oResult=readEvent(@computername,"","","root\cimv2","Select * from Win32_NTLogEvent Where Logfile = 'Application' and TimeWritten> '201807231300' ")

Any pointers much appreciated!
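The two things this thread keeps circling are the WMI timestamp format and the "X events from one source within N minutes" rule from the first post. The following is an added example, not code from any poster, written in Python so the logic can be run offline against constructed records: it parses the full DMTF form that Win32_NTLogEvent.TimeWritten uses (yyyymmddHHMMSS.mmmmmmsUUU, where sUUU is the signed offset from UTC in minutes), builds a complete DMTF literal for a "last hour" WQL filter rather than a day-only prefix, and applies a sliding-window count over the events. The event dicts and timestamps are constructed sample data; the query string and field names mirror the posts above.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

DMTF_FMT = "%Y%m%d%H%M%S"

def parse_dmtf(value):
    """Parse a full WMI DMTF timestamp into a timezone-aware datetime.
    Assumes the 25-character form 'yyyymmddHHMMSS.mmmmmmsUUU' (as TimeWritten returns it)."""
    main, _, rest = value.partition(".")
    micro, sign, offset = rest[:6], rest[6], rest[7:]
    minutes = int(offset) * (1 if sign == "+" else -1)
    tz = timezone(timedelta(minutes=minutes))
    return datetime.strptime(main, DMTF_FMT).replace(microsecond=int(micro), tzinfo=tz)

def to_dmtf(dt):
    """Format an aware datetime as the full DMTF literal WMI documents for WQL comparisons."""
    off = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if off >= 0 else "-"
    return "%s.%06d%s%03d" % (dt.strftime(DMTF_FMT), dt.microsecond, sign, abs(off))

def last_hour_wql(now, log="Application"):
    """WQL for events written in the hour before `now` (an aware datetime)."""
    since = to_dmtf(now - timedelta(hours=1))
    return ("Select * from Win32_NTLogEvent Where Logfile = '%s' "
            "and TimeWritten >= '%s'" % (log, since))

def burst_detected(events, source, limit_count, window_minutes):
    """Sliding window over `source` events sorted by time.
    Returns (True, first, last) as soon as limit_count events fall within window_minutes."""
    window = timedelta(minutes=window_minutes)
    times = sorted(parse_dmtf(e["TimeWritten"]) for e in events if e["SourceName"] == source)
    recent = deque()
    for t in times:
        recent.append(t)
        while t - recent[0] > window:   # drop events that fell out of the window
            recent.popleft()
        if len(recent) >= limit_count:
            return True, recent[0], t
    return False, None, None

# Constructed sample records (not real log data): three MsiInstaller events at 12:00,
# 13:05 and 13:10 local time (UTC+2) plus one unrelated source.
SAMPLE_EVENTS = [
    {"SourceName": "MsiInstaller", "TimeWritten": "20180723120000.000000+120"},
    {"SourceName": "MsiInstaller", "TimeWritten": "20180723130500.000000+120"},
    {"SourceName": "OtherSource",  "TimeWritten": "20180723124000.000000+120"},
    {"SourceName": "MsiInstaller", "TimeWritten": "20180723131000.000000+120"},
]
```

With the sample data, a limit of 3 in 30 minutes is not reached (the 12:00 event is outside the window of the other two), while a limit of 2 in 30 minutes fires on the 13:05/13:10 pair.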
