kiffab Posted April 13, 2011

Hi

Is it possible to monitor the application section of the event log for a particular source? What I want to do is count the occurrences of error messages from a particular source and then alert me via a pop-up from an AutoIt app running in the sys tray. For example, if the same error occurs X times in 30 mins - let me know about it.

I can see an event log read and count in the help files but I'm not sure how to count within a time frame etc.

Appreciate any advice.
MrMitchell Posted April 13, 2011

I'm not sure how to use it, but this function (also in the help file) might be of interest:

_EventLog_Notify($hEventLog, $hEvent) - Enables an application to receive event notifications.

At least run the example in the help file and see if you can maybe alter it for your purposes...
UEZ Posted April 13, 2011

Here another WMI function I used in SIC2:

```autoit
;Coded by UEZ 2009
#AutoIt3Wrapper_Change2CUI=y
#AutoIt3Wrapper_UseUpx=n
#Include <Date.au3>

$oMyError = ObjEvent("AutoIt.Error", "oMyError") ; Install a custom error handler
Global $ip = "localhost"
If $CmdLine[0] > 0 Then $ip = $CmdLine[1]
$objWMIService = ObjGet("winmgmts:{impersonationLevel = impersonate}!\\" & $ip & "\root\cimv2")

ConsoleWrite(GetWMI($ip))

; $srv: host to query, $d: how many days back, $n: optional EventCode filter, $cat: log file name
Func GetWMI($srv, $d = 2, $n = "", $cat = "Application")
    Local $Eventlog_Err, $Eventlog_Err_Logfile, $Eventlog_Err_EventType, $Eventlog_Err_EventID, $Eventlog_Err_TimeGenerated, $Eventlog_Err_SourceName, $Eventlog_Err_InsertionStrings, $Eventlog_Err_Message
    Local $date_threshold, $days_threshold, $date_threshold_WQL, $now, $x ;, $tmp
    $ping = Ping($srv)
    If $ping Then
        $days_threshold = -1 * $d ; how many days should be looked into the past for errors - 0 = today
        $now = _NowCalc()
        $date_threshold = _DateAdd('d', $days_threshold, $now) ; get the date / time value from the past
        $date_threshold_WQL = StringLeft(StringReplace(StringReplace(StringReplace(_DateAdd('d', $days_threshold, $now), ":", ""), "/", ""), " ", ""), 8) ; convert to a WQL-supported date format (yyyymmdd)
        ; EventType=1 restricts the result to "Error" events
        If $n = "" Then
            $colItems = $objWMIService.ExecQuery("SELECT Logfile, EventType, EventCode, TimeGenerated, SourceName, InsertionStrings, Message FROM Win32_NTLogEvent WHERE LogFile='" & $cat & "' AND TimeGenerated >= '" & $date_threshold_WQL & "' AND EventType=1", "WQL", 0x30)
        Else
            $colItems = $objWMIService.ExecQuery("SELECT Logfile, EventType, EventCode, TimeGenerated, SourceName, InsertionStrings, Message FROM Win32_NTLogEvent WHERE EventCode = '" & $n & "' And LogFile='" & $cat & "' AND TimeGenerated >= '" & $date_threshold_WQL & "' AND EventType=1", "WQL", 0x30)
        EndIf
        If IsObj($colItems) Then
            For $objItem In $colItems
                $Eventlog_Err_Logfile = $objItem.Logfile
                $Eventlog_Err_EventType = $objItem.EventType
                $Eventlog_Err_EventID = $objItem.EventCode ;$objItem.EventIdentifier
                $Eventlog_Err_TimeGenerated = WMIDateStringToDate2($objItem.TimeGenerated)
                $Eventlog_Err_SourceName = $objItem.SourceName
                $Eventlog_Err_InsertionStrings = ""
                For $x = 0 To UBound($objItem.InsertionStrings) - 1
                    If Number($objItem.InsertionStrings($x)) = 0 And StringLeft($objItem.InsertionStrings($x), 2) <> "%%" And $objItem.InsertionStrings($x) <> "" And StringLen($objItem.InsertionStrings($x)) > 1 Then ; skip unneeded strings
                        $Eventlog_Err_InsertionStrings &= StringStripWS(StringReplace(StringReplace($objItem.InsertionStrings($x), Chr(10), ""), Chr(13), ""), 7) & ", "
                    EndIf
                Next
                $Eventlog_Err_InsertionStrings = StringTrimRight($Eventlog_Err_InsertionStrings, 2) ; drop the trailing ", "
                $Eventlog_Err_Message = StringStripWS(StringReplace(StringReplace($objItem.Message, Chr(10), ""), Chr(13), ""), 7)
                $Eventlog_Err &= $srv & ";" & $Eventlog_Err_Logfile & ";" & $Eventlog_Err_EventType & ";" & $Eventlog_Err_EventID & ";" & $Eventlog_Err_TimeGenerated & ";" & $Eventlog_Err_SourceName & ";" & $Eventlog_Err_InsertionStrings & ";" & $Eventlog_Err_Message & ";" & @CRLF
            Next
            Return $Eventlog_Err
        Else
            Return SetError(2, 0, "Error!")
        EndIf
    Else
        Return SetError(1, 0, "Host not reachable")
    EndIf
EndFunc   ;==>GetWMI

; Convert a WMI DMTF timestamp (yyyymmddHHMMSS...) to dd.mm.yyyy HH:MM:SS
Func WMIDateStringToDate2($dtmDate)
    Return (StringMid($dtmDate, 7, 2) & "." & StringMid($dtmDate, 5, 2) & "." & StringLeft($dtmDate, 4) & " " & _
            StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate, 13, 2))
EndFunc   ;==>WMIDateStringToDate2

Func oMyError()
    Msgbox(0, "AutoItCOM Test", "We intercepted a COM Error !" & @CRLF & @CRLF & _
            "err.description is: " & @TAB & $oMyError.Description & @CRLF & _
            "err.windescription:" & @TAB & $oMyError.WinDescription & @CRLF & _
            "err.number is: " & @TAB & Hex($oMyError.Number, 8) & @CRLF & _
            "err.lastdllerror is: " & @TAB & $oMyError.LastDllError & @CRLF & _
            "err.scriptline is: " & @TAB & $oMyError.Scriptline & @CRLF & _
            "err.source is: " & @TAB & $oMyError.Source & @CRLF & _
            "err.helpfile is: " & @TAB & $oMyError.Helpfile & @CRLF & _
            "err.helpcontext is: " & @TAB & $oMyError.HelpContext _
            , 20)
EndFunc   ;==>oMyError
```

Br, UEZ
dara Posted April 13, 2011 (edited)

Hi, I tried and this is what I ended up with. You can use this to monitor a remote machine too if you have [domain\username]/[password].

```autoit
#cs ----------------------------------------------------------------------------
 AutoIt Version: 3.3.6.1
 Author:         dara
 Script Function:
    retrieve event log with limit on count and time
#ce ----------------------------------------------------------------------------
#Include <Date.au3>

const $LIMITCOUNT=2
const $LIMITMINUT=30 ;30 minutes
local $tmpDate = ObjCreate("WbemScripting.SWbemDateTime")

func readEvent($computer,$username,$passwd,$namespace,$wmiquery)
    if StringUpper($computer)=StringUpper(@ComputerName) then ;only for local query
        $objWMIService = ObjGet("winmgmts:{impersonationLevel=Impersonate}!\\"& $computer & "\" & $namespace)
        $colItems = $objWMIService.ExecQuery($wmiquery)
    Else ;only for remote computer http://msdn.microsoft.com/en-us/library/aa389292%28VS.85%29.aspx
        $objSWbemLocator = ObjCreate("WbemScripting.SWbemLocator")
        ; "MS_409", "ntlmdomain:" & $strDomain)
        $objWMIService = $objSWbemLocator.ConnectServer($computer,$namespace,$username, $passwd)
        if @error then return false ;check for com error 80020009 Class not registered
        $colItems = $objWMIService.ExecQuery($wmiquery)
    endif
    return $colItems
EndFunc

; DMTF timestamp (yyyymmddHHMMSS...) -> "yyyy/mm/dd HH:MM:SS" as _DateDiff expects
func vtdateToDate($vtdate)
    return StringLeft($vtdate,4) & "/" & stringmid($vtdate,5,2) & "/" & stringmid($vtdate,7,2) _
        & " " &stringmid($vtdate,9,2) &":" & stringMid($vtdate,11,2)&":" & stringmid($vtdate,13,2)
EndFunc

local $cptSameEvent=0
local $firstD=21990413200252
local $lastD=0
local $elapsed

$oResult=readEvent(@computername,"","","root\cimv2","Select * from Win32_NTLogEvent Where Logfile = 'Application'")
for $elem in $oResult
    if $elem.SourceName="MsiInstaller" then
        $cptSameEvent+=1
        ConsoleWrite('Computer Name: ' & $elem.ComputerName & @crlf)
        ConsoleWrite('Category: ' & $elem.Category & @crlf)
        ConsoleWrite('Event Type: ' & $elem.Type & @crlf)
        ConsoleWrite('Event Code: ' & $elem.EventCode & @crlf)
        ConsoleWrite('Record Number: ' & $elem.RecordNumber & @crlf)
        ConsoleWrite('Source Name: ' & $elem.SourceName & @crlf)
        $tmpDate.Value=$elem.TimeWritten
        ; keep the DMTF string itself so the comparison and vtdateToDate() see the same format
        if $tmpDate.Value>$lastD then $lastD=$tmpDate.Value
        if $tmpDate.Value<$firstD then $firstD=$tmpDate.Value
        ConsoleWrite('Time Written: ' & $tmpDate.GetVarDate & @crlf)
        ConsoleWrite('User: ' & $elem.User & @crlf)
        ConsoleWrite('Message: ' & $elem.Message & @crlf)
        if ($cptSameEvent>=$LIMITCOUNT) then exitloop
    endif
Next
$elapsed=_datediff('n',vtdateToDate($firstD),vtdateToDate($lastD))
if $elapsed < $LIMITMINUT then
    msgbox(0,$elem.ComputerName&" " &$elem.SourceName,"appeared " & $cptSameEvent & " times in the last " _
        & $elapsed & " minutes (limit was " &$LIMITCOUNT & " times in " & $LIMITMINUT & " minutes)")
endif
```
markd89 Posted July 25, 2018

Hi, I have been hacking on your code here. I would like to query and get only the stuff from the last hour. I can't seem to get the syntax right.

```autoit
$oResult=readEvent(@computername,"","","root\cimv2","Select * from Win32_NTLogEvent Where Logfile = 'Application' and TimeWritten> '20180723' ")
```

seems to work OK. The following, where I try to get stuff after 1pm, doesn't work. I have tried various combinations without success.

```autoit
$oResult=readEvent(@computername,"","","root\cimv2","Select * from Win32_NTLogEvent Where Logfile = 'Application' and TimeWritten> '201807231300' ")
```

Any pointers much appreciated!
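An added example, not code from any poster in this thread, covering both the original question (X error events from one source within 30 minutes) and the TimeWritten filter above: it builds the WQL filter with a complete DMTF timestamp instead of an abbreviated one, and runs a sliding-window count over constructed sample records. The source name, threshold and window are assumed values.

```python
from collections import deque
from datetime import datetime, timedelta

def to_dmtf(dt, utc_offset_minutes=0):
    """Full 25-char CIM DMTF timestamp (yyyymmddHHMMSS.ffffff+UUU) for WQL.
    The abbreviated '201807231300' in the post above is not a complete DMTF
    value; the full form compares reliably. The offset must match the
    machine's UTC offset, as SWbemDateTime would supply it."""
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{utc_offset_minutes:+04d}"

def build_wql(logfile, source, since, utc_offset_minutes=0):
    """WQL that filters by log, source and time on the WMI side (EventType=1
    is 'Error'). Single quotes in the source name are doubled so a value
    read from configuration cannot break out of the string literal."""
    safe_source = source.replace("'", "''")
    return ("SELECT TimeWritten, SourceName, EventCode FROM Win32_NTLogEvent "
            f"WHERE Logfile='{logfile}' AND EventType=1 "
            f"AND SourceName='{safe_source}' "
            f"AND TimeWritten >= '{to_dmtf(since, utc_offset_minutes)}'")

def find_burst(events, source, threshold, window_minutes):
    """Sliding window over (timestamp, source) records, oldest first.
    Returns (count, window_start, window_end) the first time `threshold`
    events from `source` fall inside `window_minutes`, else None. Every
    window is examined, so a burst late in the log is still reported."""
    window = timedelta(minutes=window_minutes)
    recent = deque()
    for ts, src in sorted(events):
        if src != source:
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            return len(recent), recent[0], ts
    return None

# Constructed sample records for this example, not real log data.
SAMPLE_EVENTS = [
    (datetime(2011, 4, 13, 9, 0), "MsiInstaller"),
    (datetime(2011, 4, 13, 9, 40), "MsiInstaller"),  # 40 min later: window resets
    (datetime(2011, 4, 13, 9, 45), "Other"),
    (datetime(2011, 4, 13, 9, 50), "MsiInstaller"),
    (datetime(2011, 4, 13, 10, 5), "MsiInstaller"),  # third hit within 25 min
]

if __name__ == "__main__":
    print(build_wql("Application", "MsiInstaller", SAMPLE_EVENTS[0][0], 120))
    print(find_burst(SAMPLE_EVENTS, "MsiInstaller", 3, 30))
```

On a live system the records would come from the WQL result set (TimeWritten parsed from its DMTF string) rather than the constructed list.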
markd89 Posted July 26, 2018 (edited)

Edit: I'm just going to use PowerShell for this and AutoIt for everything else.