WMI Query Help

[Nunos]

I am trying to learn how to write a script that will query the Event Logs for a specific field to see if a certain event has occured and then display the results. Below is a script that is generated in AutoIT Scriptomatic. What I would like to learn how to do is run the WMI query on multiple fields like EventIdentifier and Date so I can get a specific event and only if it has occured in the last 24 hours. I am not sure how to structure the query to say limit the results or filter them. Sorry I am probably not using the right terms. Any help is greatly appreciated.

; Generated by AutoIt Scriptomatic June 09, 2012

$wbemFlagReturnImmediately = 0x10

$wbemFlagForwardOnly = 0x20

$colItems = ""

$strComputer = "localhost"

$Output=""

$Output &= "Computer: " & $strComputer & @CRLF

$Output &= "==========================================" & @CRLF

$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\")

$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent", "WQL", _

$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then

For $objItem In $colItems

$Output &= "Category: " & $objItem.Category & @CRLF

$Output &= "CategoryString: " & $objItem.CategoryString & @CRLF

$Output &= "ComputerName: " & $objItem.ComputerName & @CRLF

$strData = $objItem.Data(0)

$Output &= "Data: " & $strData & @CRLF

$Output &= "EventCode: " & $objItem.EventCode & @CRLF

$Output &= "EventIdentifier: " & $objItem.EventIdentifier & @CRLF

$Output &= "EventType: " & $objItem.EventType & @CRLF

$strInsertionStrings = $objItem.InsertionStrings(0)

$Output &= "InsertionStrings: " & $strInsertionStrings & @CRLF

$Output &= "Logfile: " & $objItem.Logfile & @CRLF

$Output &= "Message: " & $objItem.Message & @CRLF

$Output &= "RecordNumber: " & $objItem.RecordNumber & @CRLF

$Output &= "SourceName: " & $objItem.SourceName & @CRLF

$Output &= "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerated) & @CRLF

$Output &= "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF

$Output &= "Type: " & $objItem.Type & @CRLF

$Output &= "User: " & $objItem.User & @CRLF

if Msgbox(1,"WMI Output",$Output) = 2 then ExitLoop

$Output=""

Next

Else

Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_NTLogEvent" )

Endif

Func WMIDateStringToDate($dtmDate)

Return (StringMid($dtmDate, 5, 2) & "/" & _

StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _

& " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))

EndFunc

[water]

A reference for WQL (SQL for WMI) can be found here.

Details for the Win32_NTLogEvent class can be found here.

[Nunos]

Thank you Water I will read those and see if I can make sense of what I am trying to do.