larksp

Event logs putting the information into 2d array

17 posts in this topic

#1 ·  Posted

Getting event log "6008" bad shutdowns on a computer
 

I have tried 3 different ways to get the information: _eventlogs, WMI and DOS.... DOS gets the data faster for me, even when only getting 5 logs.

I got the data, but I would like it in a 2D array (after that I may show it in a very simple GUI with an option to change the amount to get, or just output it to a text file).

Also, is the way I've grabbed the data the correct way to get it? Or should it be a loop that grabs all the info I want in a For loop?

Array example (not sure if I will switch columns around, just an example for now):

        0             1           2
0       0             1           2
1       Date          Time        Event ID    <------- I've got to add this so I know what's in each column
2       21-12-2016    20:32:35    6008
3       21-12-2016    20:32:35    6008
4       21-12-2016    20:32:35    6008

 

#include <AutoItConstants.au3> ; Needed for $STDOUT_CHILD / $STDERR_CHILD used in _DosOutput
#include <Array.au3> ; Only needed for _ArrayDisplay
#include <String.au3> ; Needed for _StringBetween
#RequireAdmin ; Needed to read the System event log

Global $iEventid ; Event ID 6008 (one element per event found)
Global $iTime ; Time the event was logged
Global $iDate ; Date taken from the event description
Global $dosssid ; Raw text output of wevtutil

_getinfo()

; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
; Set Vars and format data
; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;~  $profiles = StringRegExp($dosssid, 'Event ID.+: (.+)', 3)   ; Does not work

Func _getinfo()
    Local $NoLogsGet = 3 ; Number of logs to get
    ; /rd:true = newest first, /c:N = return at most N events, /f:text = plain-text output
    Local $cmd = 'wevtutil qe system /q:*[System[(EventID=6008)]] /rd:true /c:' & $NoLogsGet & ' /f:text' ; add >C:\wevtutil.txt to save the output to a text file instead
    $dosssid = _DosOutput($cmd) ; run the command once and keep its output
    MsgBox(0, 'Info', $dosssid) ; testing info

    $iEventid = _Stringchange("Event ID") ; Get Event ID = 'Number'
    $iTime = _Stringchange("Date") ; Get the "Date:" line, e.g. 2016-12-21T20:20:59.000
    ; The shutdown date comes from the description line ("... at 20:20:59 on ?21/?12/?2016 was unexpected.");
    ; the '?' are the direction marks Windows puts around the date, as they appear in console output
    $iDate = _StringBetween($dosssid, 'on ?', ' was')

    ; ****************Format Time and Date ************************
    For $itf = 0 To UBound($iTime) - 1
        ; 2016-12-21T20:20:59.000 -> 20:20:59
        $iTime[$itf] = StringTrimRight($iTime[$itf], 4) ; drop ".000"
        $iTime[$itf] = StringTrimLeft($iTime[$itf], 11) ; drop "2016-12-21T"
    Next
    For $idf = 0 To UBound($iDate) - 1
        $iDate[$idf] = StringReplace($iDate[$idf], '/?', '-') ; 21/?12/?2016 -> 21-12-2016
    Next
    ; *************************************************************
    ; ----------------------------------------
    _ArrayDisplay($iEventid, 'Event ID')
    _ArrayDisplay($iTime, 'Time')
    _ArrayDisplay($iDate, 'Date')
    ;-----------------------------------------
EndFunc   ;==>_getinfo

; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
; Get data from DOS output
; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Func _Stringchange($Isting)
    ; Match every "<name>: <value>" line (case-insensitive) and return the values as an array
    Local $aaa = StringRegExp($dosssid, '(?s)(?i)' & $Isting & '\s*:\s(.*?)' & @CR, 3)
    If @error Then Return SetError(1, 0, $Isting & ' - Failed')
    Return $aaa
EndFunc   ;==>_Stringchange


; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
; DOS Command to get the information
; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Func _DosOutput($Dcommand)
    Local $iPid, $sOutput = ''

    $iPid = Run(@ComSpec & ' /u /c ' & $Dcommand, '', @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
;~  ProcessWaitClose($iPid) ; another way rather than the loop
;~  $sOutput = StdoutRead($iPid)
    While 1
        $sOutput &= StdoutRead($iPid, False, False)
        If @error Then ExitLoop ; @error is set once the process has exited and the stream is drained
        Sleep(10)
    WEnd
    Return $sOutput
EndFunc   ;==>_DosOutput
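The 2D array asked for in this post, as an added example that is not part of the original post: it is written in Python rather than AutoIt so it can be run offline against a saved `wevtutil ... /f:text` export. It splits the `Event[n]:` blocks into key/value records, strips the U+200E direction marks that show up as `?` on the console, and returns one row per 6008 event. The sample output, the machine name `WORKSTATION-01` and the `day_first` argument (the description's date follows the machine's locale; 21/12/2016 on an en-GB box) are constructed assumptions.

```python
import re

# Constructed sample of `wevtutil qe System /q:*[System[(EventID=6008)]] /rd:true /c:2 /f:text`
# output; not captured from a real machine. The \u200e characters are the left-to-right marks
# Windows puts around the date in the 6008 description; an ANSI console prints them as '?'.
SAMPLE_WEVTUTIL_TEXT = (
    "Event[0]:\r\n"
    "  Log Name: System\r\n"
    "  Source: EventLog\r\n"
    "  Date: 2016-12-21T20:32:35.000\r\n"
    "  Event ID: 6008\r\n"
    "  Task: N/A\r\n"
    "  Level: Error\r\n"
    "  Computer: WORKSTATION-01\r\n"
    "  Description: \r\n"
    "The previous system shutdown at 20:20:59 on \u200e21/\u200e12/\u200e2016 was unexpected.\r\n"
    "\r\n"
    "Event[1]:\r\n"
    "  Log Name: System\r\n"
    "  Source: EventLog\r\n"
    "  Date: 2016-12-19T08:05:12.000\r\n"
    "  Event ID: 6008\r\n"
    "  Task: N/A\r\n"
    "  Level: Error\r\n"
    "  Computer: WORKSTATION-01\r\n"
    "  Description: \r\n"
    "The previous system shutdown at 23:41:07 on \u200e18/\u200e12/\u200e2016 was unexpected.\r\n"
    "\r\n"
)

EVENT_HEADER = re.compile(r"^Event\[\d+\]:[ \t]*$", re.MULTILINE)
FIELD_LINE = re.compile(r"^  ([A-Za-z ]+?):[ \t]?(.*)$")
SHUTDOWN_TEXT = re.compile(r"shutdown at (\S+) on (\S+) was unexpected")
DIRECTION_MARKS = {ord("\u200e"): None, ord("\u200f"): None}  # LRM / RLM, the '?' in console output


def parse_wevtutil_text(text):
    """Split /f:text output into one dict per Event[n] block.

    Indented "Name: value" lines become keys; everything after "Description:"
    (the message text is not indented) is collected verbatim under "Description".
    """
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    events = []
    for block in EVENT_HEADER.split(text):
        if not block.strip():
            continue  # text before the first header
        fields, desc_lines, in_desc = {}, [], False
        for line in block.split("\n"):
            if in_desc:
                desc_lines.append(line)
                continue
            m = FIELD_LINE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
                in_desc = m.group(1) == "Description"
        fields["Description"] = "\n".join(desc_lines).strip()
        events.append(fields)
    return events


def unexpected_shutdowns(text, day_first=True):
    """Return the 2-D table from the thread, one row per 6008 event:
    [logged date, logged time, event id, shutdown date (ISO), shutdown time].

    "Date:" is when the 6008 record was written, i.e. the boot after the crash;
    the description carries the time the machine actually went down, which is
    the value a crash timeline needs, so both are kept. day_first is an
    assumption about the locale format of the description's date.
    """
    rows = []
    for ev in parse_wevtutil_text(text):
        if ev.get("Event ID") != "6008":
            continue
        logged_date, _, logged_time = ev.get("Date", "").partition("T")
        logged_time = logged_time[:8]  # 20:32:35.000 -> 20:32:35
        m = SHUTDOWN_TEXT.search(ev["Description"].translate(DIRECTION_MARKS))
        shut_date = shut_time = ""
        if m:
            shut_time, raw_date = m.group(1), m.group(2)
            p = raw_date.split("/")
            day, month, year = (p[0], p[1], p[2]) if day_first else (p[1], p[0], p[2])
            shut_date = f"{year}-{month.zfill(2)}-{day.zfill(2)}"
        rows.append([logged_date, logged_time, "6008", shut_date, shut_time])
    return rows


if __name__ == "__main__":
    for row in unexpected_shutdowns(SAMPLE_WEVTUTIL_TEXT):
        print(" | ".join(row))
```

Feeding it the saved output of the `wevtutil` command from the script above gives rows whose first three columns match the example table, with the shutdown date already in ISO order so the rows sort correctly as text.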

 

 

 

#2 ·  Posted



This might help...

#include 'array.au3'
#RequireAdmin
Opt('MustDeclareVars', 1)
;
Local $rtn = _WMIC_GET('Win32_NTLogEvent Where EventCode="6008"', 'ComputerName,EventCode,EventIdentifier,TimeGenerated')
If IsArray($rtn) Then
    _ArrayDisplay($rtn)
Else
    MsgBox(0, '', $rtn)
EndIf
Exit
;
Func _WMIC_GET($sClass, $sProperty)
    Local $pid = Run('WMIC /NAMESPACE:\\root\CIMV2 PATH ' & $sClass & ' GET ' & $sProperty & ' /format:LIST', '', @SW_HIDE, 2)
    If @error Or Not $pid Then Return -1
    Local $s = ''
    ;
    Do
        Sleep(10)
        $s &= StdoutRead($pid)
    Until @error
    ;
    $s = StringReplace($s, @CRLF, '')
    $s = StringStripWS($s, 7)
    If StringLen($s) = 0 Then Return -2; no data
    ;
    Local $a = StringSplit($s, @CR)
    Local $array[101][4] = [['ComputerName','EventCode','EventIdentifier','TimeGenerated (UTC)']]
    Local $x, $n = 0
    ;
    For $i = 1 To $a[0] Step 4
        $n += 1
        For $j = 0 To 3
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j] = $x[2]
            If $j = 3 Then; <- format DateTime
                $array[$n][$j] = StringRegExpReplace($array[$n][$j], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][4]
    Return $array
EndFunc
;

 


"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward

#3 ·  Posted

Thanks for the reply. I will have a look after I've finished work.

#4 ·  Posted

 

I have tried to add a column to $array[1][] on the left side. Adding on the right was easy,

but I can't work out what bit to change to move the other data over a column.

    Local $array[101][5] = [['Log No','ComputerName','EventCode','EventIdentifier','TimeGenerated (UTC)']]
    Local $x, $n = 0


;~     _ArrayDisplay
    For $i = 1 To $a[0] Step 4
        $n += 1
        $icount +=1
        For $j = 0 To 3
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j] = $x[2]
            $array[$n][1] = $icount
            If $j = 3 Then; <- format DateTime
                $array[$n][$j] = StringRegExpReplace($array[$n][$j], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][5]

 


#5 ·  Posted (edited)

Is "Log No" the actual property "RecordNumber" or just a count of records?

Edit: Nevermind ... I didn't see $icount

Be back in a bit.

 

Edited by ripdad

#6 ·  Posted
#include 'array.au3'
#RequireAdmin
Opt('MustDeclareVars', 1)
;
Local $rtn = _WMIC_GET('Win32_NTLogEvent Where EventCode="6008"', 'ComputerName,EventCode,EventIdentifier,TimeGenerated')
If IsArray($rtn) Then
    _ArrayDisplay($rtn)
Else
    MsgBox(0, '', $rtn)
EndIf
Exit
;
Func _WMIC_GET($sClass, $sProperty)
    Local $pid = Run('WMIC /NAMESPACE:\\root\CIMV2 PATH ' & $sClass & ' GET ' & $sProperty & ' /format:LIST', '', @SW_HIDE, 2)
    If @error Or Not $pid Then Return -1
    Local $s = ''
    ;
    Do
        Sleep(10)
        $s &= StdoutRead($pid)
    Until @error
    ;
    $s = StringReplace($s, @CRLF, '')
    $s = StringStripWS($s, 7)
    If StringLen($s) = 0 Then Return -2; no data
    ;
    Local $a = StringSplit($s, @CR)
    Local $array[101][5] = [['Log No', 'ComputerName','EventCode','EventIdentifier','TimeGenerated (UTC)']]
    Local $x, $icount = 0, $n = 0
    ;
    For $i = 1 To $a[0] Step 4
        $n += 1
        $icount += 1
        $array[$n][0] = $icount
        For $j = 0 To 3
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j + 1] = $x[2]
            If $j = 3 Then; <- format DateTime
                $array[$n][$j + 1] = StringRegExpReplace($array[$n][$j + 1], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][5]
    Return $array
EndFunc
;

 

#7 ·  Posted

Thanks, that is it.. It was just so I can add a total number of records got and see which line belongs to which record.

I did try changing the For $j 0 To 3 and others, which jumbled all the text up :( lol

Hoping someone will make good videos on StringRegExp and replace, or anything really.... watched a few :) already

 

 

#8 ·  Posted
36 minutes ago, larksp said:

Thanks, that is it.. It was just so I can add a total number of records got and see which line belongs to which record.

I did try changing the For $j 0 To 3 and others, which jumbled all the text up :( lol

Hoping someone will make good videos on StringRegExp and replace, or anything really.... watched a few :) already

 

If you need some help with regex, and don't mind some hands-on learning, https://regexone.com/ is a good website that I've personally used. It covers the basics and also allows you to go more in depth if you desire.


UHJvZmVzc2lvbmFsIENvbXB1dGVyZXI=

#9 ·  Posted

Thanks, I have added it to my internet favourites for when I'm next trying to use it. When I have learnt a bit more of the basics it might also come a bit easier.


#10 ·  Posted

WMI date codes look like this: '20170101091020.000000-500'

StringRegExpReplace($str, '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')

What we want is the first 14 numbers.

One dot . represents one character.
Put braces around the dot and (.) becomes a capture group.

(....) is capturing 4 characters in the first group.
(..) is capturing 2 characters in the second group.
and so on... until all 14 characters are captured in 6 groups.

group 1: Year
group 2: Month
group 3: Day
group 4: Hour
group 5: Minutes
group 6: Seconds

$1 is the first group (Year)
/ is the date divider
You can figure out the rest.

So basically, THIS regex groups 14 numbers and formats them into something more friendly.

If you wish, you can change the order of the format by rearranging $1, $2 and $3 to something like an American standard date: $2/$3/$1

It's better to use the original date format, when sorting dates.

 


#11 ·  Posted

Thanks. I understood your use of it..... up to the point of the   -->   .*   <---   The date format is perfect the way you did it; I'm English so :)
As I played with the example in the help, it is close to what you did, but it just does the date, not the time as well.

However, it is nice to get the how-it-works, as there are fewer questions I have to ask later lol

 


#12 ·  Posted

.* finishes out the rest of the string with no capturing.

And, you're welcome. It's always nice to learn something worthwhile.

 



#13 ·  Posted (edited)

I used _FileWriteFromArray() to write it into a txt file, but the table does not line up, e.g.

Example only
adasdasdasd|asda|asas|asa
1|22|33|44
1|22|33|44

Then I'll move on to adding it into something like a GUI list view.

Nice to know both options.

Edited by larksp
add information


#14 ·  Posted (edited)

; AutoIt v3.3.14
#include 'array.au3'
#include 'file.au3'
#RequireAdmin
Opt('MustDeclareVars', 1)
;
Local $rtn = _WMIC_Win32_NTLogEvent('6008')
If IsArray($rtn) Then
    _ArrayDisplay($rtn)
    _FileWriteFromArray(@ScriptDir & '\Win32_NTLogEvent6008.txt', $rtn)
Else
    MsgBox(0, '', $rtn)
EndIf
Exit
;
Func _WMIC_Win32_NTLogEvent($nEventCode)
    Local $strClass = 'Win32_NTLogEvent Where EventCode="' & $nEventCode & '"'
    Local $sProperties = 'ComputerName,EventCode,EventIdentifier,RecordNumber,TimeGenerated'
    Local $pid = Run('WMIC /NAMESPACE:\\root\CIMV2 PATH ' & $strClass & ' GET ' & $sProperties & ' /format:LIST', '', @SW_HIDE, 2)
    If @error Or Not $pid Then Return -1
    Local $s = ''
    ;
    Do
        Sleep(10)
        $s &= StdoutRead($pid)
    Until @error
    ;
    $s = StringRegExpReplace($s, '(?s)(\v)', @CR)
    $s = StringStripWS($s, 7)
    If StringLen($s) = 0 Then Return -2; no data
    ;
    Local $a = StringSplit($s, @CR)
    Local $array[101][6] = [['Log No', 'ComputerName','EventCode','EventIdentifier','RecordNumber','TimeGenerated (UTC)']]
    Local $x, $n = 0
    ;
    For $i = 1 To $a[0] Step 5
        $n += 1
        $array[$n][0] = $n
        For $j = 0 To 4
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j + 1] = $x[2]
            If $j = 4 Then; <- format DateTime
                $array[$n][$j + 1] = StringRegExpReplace($array[$n][$j + 1], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][6]
    Return $array
EndFunc
;

I'm not having any problems with AutoIt v3.3.14

It's better to show runnable code (even if it's not working), than a text example. Those are hard to decipher sometimes. Also, it's always good to start another topic, if you change the topic matter.

Edit: Oh, I changed the function up a little.

 

Edited by ripdad

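An added example (not ripdad's or larksp's code, and in Python rather than AutoIt so it can be run offline against saved `wmic ... /format:list` output) that covers the parsing in the script above, the CIM date format explained in post #10, and the alignment problem from post #13. It normalises WMIC's CR CR LF line endings, groups `key=value` lines into records by the blank line between them rather than stepping a fixed number of lines, converts `TimeGenerated` to ISO 8601 while keeping the offset carried in the last three digits, and pads columns so the saved text lines up. It goes beyond the thread's `Step 4` / `Step 5` loops by handling any number of properties per record. The sample output, the computer name, the record numbers and timestamps, and the `identifier_matches_code` check are constructed for this example.

```python
import re

# Constructed sample of `wmic /namespace:\\root\cimv2 path Win32_NTLogEvent where EventCode="6008"
# get ComputerName,EventCode,EventIdentifier,RecordNumber,TimeGenerated /format:list` output.
# WMIC really does terminate lines with CR CR LF and separates records with blank lines;
# the machine name, record numbers and timestamps here are made up.
SAMPLE_WMIC_LIST = (
    "\r\r\n"
    "ComputerName=WORKSTATION-01\r\r\n"
    "EventCode=6008\r\r\n"
    "EventIdentifier=-2147477640\r\r\n"
    "RecordNumber=399\r\r\n"
    "TimeGenerated=20161221203235.000000+000\r\r\n"
    "\r\r\n\r\r\n"
    "ComputerName=WORKSTATION-01\r\r\n"
    "EventCode=6008\r\r\n"
    "EventIdentifier=-2147477640\r\r\n"
    "RecordNumber=383\r\r\n"
    "TimeGenerated=20161219080512.000000-300\r\r\n"
    "\r\r\n\r\r\n"
)

COLUMNS = ["ComputerName", "EventCode", "EventIdentifier", "RecordNumber", "TimeGenerated"]

# CIM_DATETIME: yyyymmddHHMMSS.ffffff followed by the UTC offset in minutes (+000, -300, ...)
CIM_DATETIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.\d{6}([+-])(\d{3})$")


def cim_datetime_to_iso(value):
    """20170112094517.000000-300 -> 2017-01-12T09:45:17-05:00.

    The six capture groups are the ones post #10 explains; the offset is kept
    rather than dropped so the value still says which zone it is in.
    Unparseable input (empty value, '***' offset) is returned unchanged.
    """
    m = CIM_DATETIME.match(value)
    if not m:
        return value
    y, mo, d, h, mi, s, sign, off = m.groups()
    off_h, off_m = divmod(int(off), 60)
    return f"{y}-{mo}-{d}T{h}:{mi}:{s}{sign}{off_h:02d}:{off_m:02d}"


def parse_wmic_list(text):
    """Parse /format:list output into one dict per record.

    Line endings are normalised first (WMIC emits CR CR LF), then key=value
    lines are grouped by the blank line between records. Unlike a fixed
    'Step 4' loop, a record with a missing or extra property cannot shift the
    columns of every record after it.
    """
    text = text.replace("\r\r\n", "\n").replace("\r\n", "\n").replace("\r", "\n")
    records, current = [], {}
    for line in text.split("\n"):
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def records_to_table(records, columns=COLUMNS, datetime_columns=("TimeGenerated",)):
    """Header row plus one row per record with a running 'Log No' in column 0.
    A property absent from a record yields '' instead of an index error."""
    table = [["Log No", *columns]]
    for n, rec in enumerate(records, start=1):
        row = [str(n)]
        for col in columns:
            val = rec.get(col, "")
            row.append(cim_datetime_to_iso(val) if col in datetime_columns else val)
        table.append(row)
    return table


def format_table(table, delimiter=" | "):
    """Pad each column to its widest cell so the saved text lines up in a
    monospace font (the problem with a bare '|' delimiter in post #13)."""
    widths = [max(len(row[i]) for row in table) for i in range(len(table[0]))]
    return "\n".join(
        delimiter.join(cell.ljust(w) for cell, w in zip(row, widths)) for row in table
    )


def identifier_matches_code(record):
    """Consistency check: EventIdentifier is the full signed 32-bit id and its
    low 16 bits are EventCode (post #16's -2147477643 is 0x80001775, code 6005)."""
    return int(record["EventIdentifier"]) & 0xFFFF == int(record["EventCode"])


if __name__ == "__main__":
    recs = parse_wmic_list(SAMPLE_WMIC_LIST)
    print(format_table(records_to_table(recs)))
```

Writing `format_table(...)` to the text file in place of `_FileWriteFromArray` gives a header that lines up with the data in any monospace viewer; the ISO timestamp keeps the original digit order, so sorting the rows as text still sorts them by time, which is the point made in post #10.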

#15 ·  Posted

Ok, next time I will.
I thought as the code was here it would be ok.   I did ok adding it to a GUI list view... and then cheated by adding the GUI list view to HTML code.
 

I'll run it tomorrow on the mobile in bed watching a film :) .. and I'm nearly ready to move onto the next..... I have learnt a lot more about arrays doing this...

Thanks for all the help.

 


#16 ·  Posted

Ohhhh, you mean the TEXT doesn't line up, something like this?

Log No|ComputerName|EventCode|EventIdentifier|RecordNumber|TimeGenerated (UTC)
1     |UNKNOWN     |6005     |-2147477643    |399         |2017/01/12 - 09:45:17
2     |UNKNOWN     |6005     |-2147477643    |383         |2017/01/11 - 09:19:31
3     |UNKNOWN     |6005     |-2147477643    |366         |2017/01/10 - 09:14:12

Haha, I can't get it to line up between my computer and the forum.

Okay there, I had to change the font to "Courier New".

Well, I can certainly understand if you were to print a text file.

Other than that, it's best to leave the formatting alone.

Scriptwise, character positioning seems the way to go.

But then, there's the font issue ... depending what you are viewing it on.

Now, we are definitely off-topic.

 



#17 ·  Posted

Yeah, I meant when you open the saved information up in the text file: the row I added, 'Log No', 'ComputerName', 'EventCode', 'EventIdentifier', 'RecordNumber', 'TimeGenerated (UTC)', was out of alignment with the rest of the info, as they have more characters...   I did try

_FileWriteFromArray ( $sFilePath, Const ByRef $aArray [, $iBase = Default [, $iUBound = Default [, $sDelimiter = "|"]]] )

For the $sDelimiter, adding @TAB & '|'

But I was going nowhere lol..
It's OK though as I don't need it. Only if it was simple might it have been useful down the line.
