Question about events in eventlog.

lgvlgv

I have been looking at topics here to find some way to have a program/script monitor event logs in real time, but have come up short.

Anyone have any idea where to look, or if there is some API or something that can be used to pick these up in real time and not scan the log files every x min/sec?

//Regards

careca

Hi, maybe you can read the file really fast, every 100 ms or something, and that would be almost real time.

But what do you mean by monitor? Do you mean to show new text being added to the log?

lgvlgv

I found this, which I think I can put in a loop. What do you guys think?

Having it in real time, I realise, isn't necessary; in the end it will generate a mail, and if more than 20 or so, "stop".

Ignore the wrong Do statement :)

#include <EventLog.au3>
#include <GUIConstantsEx.au3>

Global $iMemo

_Main()

Func _Main()
    Local $hEventLog, $aEvent

    ; Create GUI
    GUICreate("EventLog", 400, 300)
    $iMemo = GUICtrlCreateEdit("", 2, 2, 396, 300, 0)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    ; Read most current event record once a second
    Do
        $hEventLog = _EventLog__Open("", "System")
        $aEvent = _EventLog__Read($hEventLog, True, False) ; sequential read, backwards = last event
        ; _EventLog__Read returns 0 (not an array) when the read fails, so check before
        ; indexing. [8] is the localized type name ("Fel" is Swedish for "Error").
        If IsArray($aEvent) And ($aEvent[8] = "Error" Or $aEvent[8] = "Fel") Then
            ConsoleWrite("Result ............: " & $aEvent[0] & @CRLF)
            ConsoleWrite("Record number .....: " & $aEvent[1] & @CRLF)
            ConsoleWrite("Submitted .........: " & $aEvent[2] & " " & $aEvent[3] & @CRLF)
            ConsoleWrite("Generated .........: " & $aEvent[4] & " " & $aEvent[5] & @CRLF)
            ConsoleWrite("Event ID ..........: " & $aEvent[6] & @CRLF)
            ConsoleWrite("Type ..............: " & $aEvent[8] & @CRLF)
            ConsoleWrite("Category ..........: " & $aEvent[9] & @CRLF)
            ConsoleWrite("Source ............: " & $aEvent[10] & @CRLF)
            ConsoleWrite("Computer ..........: " & $aEvent[11] & @CRLF)
            ConsoleWrite("Username ..........: " & $aEvent[12] & @CRLF)
            ConsoleWrite("Description .......: " & $aEvent[13] & @CRLF)
        EndIf

        _EventLog__Close($hEventLog)
        $aEvent = ""
        Sleep(1000)
    ; Loop until user exits
    Until GUIGetMsg() = $GUI_EVENT_CLOSE
EndFunc   ;==>_Main

; Write a line to the memo control
Edited by lgvlgv
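The answer to the original question (an API instead of polling) is the Win32 NotifyChangeEventLog call, which the standard EventLog.au3 UDF exposes as _EventLog__Notify. The script below is an added example, not code from this thread or from the AutoIt project; it assumes the stock EventLog.au3 and WinAPI.au3 UDFs, and the function names _NewestRecord, _ReportNewErrors and _Stop are this example's own. It also fixes the two weaknesses of the "read the last record every second" loop above: a burst of two errors within one second loses one, and an error that stays the newest record is printed again on every pass. Tracking the record number as a high-water mark reports each record exactly once.

```autoit
; Added example, not code from this thread or from the AutoIt project.
; Event-driven watch on the System log: NotifyChangeEventLog (wrapped by the
; standard EventLog.au3 UDF as _EventLog__Notify) signals a Win32 event when
; the log is written, so the script sleeps instead of re-reading every second.
; Assumes the stock EventLog.au3 and WinAPI.au3 UDFs; the function names below
; (_NewestRecord, _ReportNewErrors, _Stop) are this example's own.
#include <EventLog.au3>
#include <WinAPI.au3>

Global $g_bRun = True
HotKeySet("{ESC}", "_Stop") ; Esc ends the watch loop cleanly

_Main()

Func _Main()
    Local $hLog = _EventLog__Open("", "System")
    If $hLog = 0 Then
        ConsoleWrite("Cannot open the System log (error " & @error & ")" & @CRLF)
        Return
    EndIf

    ; High-water mark: the newest record that already exists. Only records
    ; written after start-up are reported, and each of them exactly once.
    Local $iLast = _NewestRecord($hLog)

    ; Manual-reset, initially unsignalled event that the system sets on every write.
    Local $hEvent = _WinAPI_CreateEvent(0, True, False)
    If Not _EventLog__Notify($hLog, $hEvent) Then
        ConsoleWrite("_EventLog__Notify failed" & @CRLF)
    Else
        ConsoleWrite("Watching System log from record " & $iLast & " (Esc to stop)" & @CRLF)
        While $g_bRun
            ; Wait up to 2 s; 0 = WAIT_OBJECT_0 (log changed), 258 = WAIT_TIMEOUT.
            If _WinAPI_WaitForSingleObject($hEvent, 2000) = 0 Then
                _WinAPI_ResetEvent($hEvent)
                ; Notifications are coalesced, so drain every record newer than
                ; $iLast rather than looking only at "the last one".
                $iLast = _ReportNewErrors($hLog, $iLast)
            EndIf
        WEnd
    EndIf

    _WinAPI_CloseHandle($hEvent)
    _EventLog__Close($hLog)
EndFunc   ;==>_Main

; Absolute record number of the newest record currently in the log.
Func _NewestRecord($hLog)
    Return _EventLog__Oldest($hLog) + _EventLog__Count($hLog) - 1
EndFunc   ;==>_NewestRecord

; Seek-read each record after $iLast, print the Error ones, and return the new
; high-water mark ($iLast comes back unchanged when nothing new was written).
Func _ReportNewErrors($hLog, $iLast)
    Local $iNewest = _NewestRecord($hLog), $aEvent
    If $iNewest < $iLast Then Return $iNewest ; log was cleared: re-baseline
    For $i = $iLast + 1 To $iNewest
        $aEvent = _EventLog__Read($hLog, False, True, $i) ; $bRead = False: seek to record $i
        If Not IsArray($aEvent) Or Not $aEvent[0] Then ContinueLoop
        ; [7] is the numeric type (1 = EVENTLOG_ERROR_TYPE), which is the same in
        ; every Windows language; [8] is the localized name ("Error", "Fel", ...).
        If $aEvent[7] = 1 Then
            ConsoleWrite("#" & $aEvent[1] & " " & $aEvent[4] & " " & $aEvent[5] & _
                    "  ID " & $aEvent[6] & "  " & $aEvent[10] & ": " & $aEvent[13] & @CRLF)
        EndIf
    Next
    Return $iNewest
EndFunc   ;==>_ReportNewErrors

Func _Stop()
    $g_bRun = False
EndFunc   ;==>_Stop
```

Two caveats for anyone building the "mail after 20 errors" logic on top of this: the EventLog.au3 UDF wraps the classic event log API, so it sees the Application, System and Security logs but not the newer per-component channels under "Applications and Services Logs"; and filtering on the numeric type in element [7] rather than the localized name in [8] keeps the check working on non-English Windows.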
