Jump to content

Collecting Event Logs Question


Recommended Posts

I have been trying to get a script that I can use to collect events from the EventLog's in windows based on their EventIdentifier. I am using a script that I generated with the AutoIT Scriptomatic tool I found in the examples forum. So far with some help I have figured out how to modify it to search for just the specific event I want and then write that to a text file. Not pretty or ideal but I am hoping someone can point me down another rabbit hole so I can make it better. First off the wmi query gets all of the events for a specific one, while great , it would be better to only have one instance written to the text file so I am wondering how you guys filter down to get just one event instead of say 200. Next I was wondering if the returned data could possibly be written to a gui window that has a scroll bar to fit it all with like a Next button and a Close button? I am not sure how I would get the data from the text file into it or how it even look so if this seems like a bad idea let me know. I will post what I have below if you see things that could be done better please advise and give me a direction to go learn. AutoIT is my first and only scripting knowledge so I am not great at it but I would like to learn how to do things properly. Thank you in advance for your time and comments.

$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

Local $sLogFile = @ScriptDir & "\EventLog_" & ".txt"
Local $file = FileOpen("EventLog.txt", 1)

; Check if file opened for writing OK
If $file = -1 Then
MsgBox(0, "Error", "Unable to open file.")
Exit
EndIf

$Output=""
$Output &= "Computer: " & $strComputer & @CRLF
$Output &= "==========================================" & @CRLF
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE EventIdentifier = 1073742825", "WQL", _
$wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then
For $objItem In $colItems
$Output &= "Category: " & $objItem.Category & @CRLF
$Output &= "CategoryString: " & $objItem.CategoryString & @CRLF
$Output &= "ComputerName: " & $objItem.ComputerName & @CRLF
$strData = $objItem.Data(0)
$Output &= "Data: " & $strData & @CRLF
$Output &= "EventCode: " & $objItem.EventCode & @CRLF
$Output &= "EventIdentifier: " & $objItem.EventIdentifier & @CRLF
$Output &= "EventType: " & $objItem.EventType & @CRLF
$strInsertionStrings = $objItem.InsertionStrings(0)
$Output &= "InsertionStrings: " & $strInsertionStrings & @CRLF
$Output &= "Logfile: " & $objItem.Logfile & @CRLF
$Output &= "Message: " & $objItem.Message & @CRLF
$Output &= "RecordNumber: " & $objItem.RecordNumber & @CRLF
$Output &= "SourceName: " & $objItem.SourceName & @CRLF
$Output &= "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerated) & @CRLF
$Output &= "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF
$Output &= "Type: " & $objItem.Type & @CRLF
$Output &= "User: " & $objItem.User & @CRLF
if FileWrite($file,$Output) = 2 then ExitLoop
$Output=""
Next
Else
Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_NTLogEvent" )
Endif


Func WMIDateStringToDate($dtmDate)

Return (StringMid($dtmDate, 5, 2) & "/" & _
StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
& " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
EndFunc
Link to comment
Share on other sites

Sounds like you want to recreate the event viewer. Also, don't use the loop if all you want is the last item put into the log, put an exitloop after the FileWrite and it will jump out of the loop with only the last item in the file.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Link to comment
Share on other sites

Thank you BrewManNH. You are write putting the results in a GUI is probably overly redundant. I will try the other change you have suggested to make it get just one event and writing it to the text file. ;)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...