Xulong

How can I read Windows event viewer remotely


I am trying to create a script to allow our continuous integration tool to pick up the output (1 or 0 for example) after reading the event log for a specific application and looking for critical, error and warning. The application is running on a different server from which the script will be running. How can I achieve that? Thank you in advance.


Thanks for your reply, JohnOne. I think the short answer is no. The reason is that the CI tool has to be able to execute the script locally, not remotely, and the application event log I want to check sits on another server. Is there a way I can achieve that?

I know I can probably back up the event log file with that specific source and error/critical/warning filter, but how can I copy that across to the destination (CI server) and validate the file there?

Thanks.


Can you use WMI?

A long time ago I wrote a remote event viewer in AutoIt. The meat of which was:

; $TimesCalled, $TotalCalls, $Output and $EVDate are globals that are not shown in this excerpt.

Func FireToServer()
    ; evv.ini: the values in [Instances] name further sections; each of those sections lists servers
    $Instancesvar = IniReadSection(@ScriptDir & "\evv.ini", "Instances")
    For $i = 1 To $Instancesvar[0][0]
        $ServerVar = IniReadSection(@ScriptDir & "\evv.ini", $Instancesvar[$i][1])
        For $j = 1 To $ServerVar[0][0]
            ;Call("Test",$Instancesvar[$i][1],$servervar[$j][1])
            Call("EventViewRead", $Instancesvar[$i][1], $ServerVar[$j][1])
            Call("ProgressBar", $Instancesvar[$i][1], $ServerVar[$j][1])
        Next
    Next
EndFunc

;;Debug
Func Test($InstanceVar, $ServerVar)
    MsgBox(0, "", "Sent: " & $InstanceVar & "-" & $ServerVar)
EndFunc
;;Debug

Func eventviewread($Instancevar, $ServerVar)
    $TimesCalled = $TimesCalled + 1
    ; EventType = 1 selects Error entries from the Application log for one source
    $Query_Clause = "Select * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND SourceName = 'MyServiceName' AND EventType=1 AND timewritten >='" & $EVDate & "'"
    ; Connect to the WMI service on the remote server
    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & $Servervar & "\root\cimv2")
    If IsObj($objWMIService) Then
        $colItems = $objWMIService.ExecQuery($Query_Clause)
        If IsObj($colItems) Then
            For $objEvent In $colItems
                ; One CSV row per event: instance, server, dd/mm/yyyy, hh:mm:ss, message
                $Output = $Output & $InstanceVar & "," & $ServerVar & ","
                $Output = $Output & StringRight(StringLeft($objEvent.TimeWritten, 8), 2) & "/" & StringMid(StringLeft($objEvent.TimeWritten, 8), 5, 2) & "/" & StringLeft(StringLeft($objEvent.TimeWritten, 8), 4) & ","
                $Output = $Output & StringRight(StringLeft($objEvent.TimeWritten, 10), 2) & ":" & StringRight(StringLeft($objEvent.TimeWritten, 12), 2) & ":" & StringRight(StringLeft($objEvent.TimeWritten, 14), 2) & "," & $objEvent.Message
                #cs
                $Output &= "Category: " & $objEvent.Category & @CRLF
                $Output &= "Computer Name: " & $objEvent.ComputerName & @CRLF
                $Output &= "Event Code: " & $objEvent.EventCode & @CRLF
                $Output &= "Message: " & $objEvent.Message & @CRLF
                $Output &= "Record Number: " & $objEvent.RecordNumber & @CRLF
                $Output &= "Source Name: " & $objEvent.SourceName & @CRLF
                $Output &= "Time Written: " & $objEvent.TimeWritten & @CRLF
                $Output &= "Event Type: " & $objEvent.Type & @CRLF
                $Output &= "User: " & $objEvent.User & @CRLF
                If MsgBox(64 + 4, "Entry Found:", $Output & @CRLF & @CRLF & "Continue?") = 7 Then Exit
                #ce
            Next
        Else
            $Output = "$colItems is not an object."
        EndIf
    Else
        $Output = "$objWMIService is not an object."
    EndIf
    ;call("WriteCSV",$Output)
    ; Write the CSV once, after the last server has been queried
    If $TimesCalled = $TotalCalls Then
        Call("WriteCSV", $Output)
    EndIf
EndFunc

and the ACTUAL meat being

$Query_Clause = "Select * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND SourceName = 'MyServiceName' AND EventType=1 AND timewritten >='" & $EVDate & "'"
$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & $Servervar & "\root\cimv2")
If IsObj($objWMIService) Then
    $colItems = $objWMIService.ExecQuery ($Query_Clause)

Take a look here:

https://msdn.microsoft.com/en-us/library/aa389290(v=vs.85).aspx


Thank you Jimwright, the ACTUAL meat is probably what I am looking for.


@OP: Microsoft created a tool for this kind of job some time ago, called "wevtutil".
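An added example (not code from any poster in this thread): a PowerShell version of the check the original question asks for, using Get-WinEvent instead of the WMI query or wevtutil mentioned above. It exits 1 when matching events exist and 0 when none do, and adds exit code 2 for a failed query so that an unreachable server is not reported as clean. The server name, source name, look-back window and the CI account's read access to the remote log (for example through the Event Log Readers group) are assumptions.

```powershell
# Added example: CI gate on a remote server's Application log.
# Exit 0 = no Critical/Error/Warning events, 1 = events found, 2 = query failed.
param(
    [string]$ComputerName    = 'APPSERVER01',    # hypothetical remote host
    [string]$ProviderName    = 'MyServiceName',  # event source, as in the WMI query above
    [int]   $LookBackMinutes = 60                # assumed window covering the CI run
)

$filter = @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    Level        = 1, 2, 3                       # 1 = Critical, 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddMinutes(-$LookBackMinutes)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
}
catch {
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        # Get-WinEvent reports "nothing matched" as an error; for this gate it is the clean result.
        $events = @()
    }
    else {
        # Unreachable host, access denied, unknown log or provider: fail closed with a distinct code.
        Write-Error "Could not read the event log on ${ComputerName}: $($_.Exception.Message)"
        exit 2
    }
}

# Print one line per finding so the CI job log shows why the gate failed.
foreach ($e in $events) {
    $firstLine = ("$($e.Message)" -split "`r?`n")[0]
    '{0:s} [{1}] id={2} {3}' -f $e.TimeCreated, $e.LevelDisplayName, $e.Id, $firstLine
}

if ($events.Count -gt 0) { exit 1 } else { exit 0 }
```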