vcent

Read new events from event logs

7 posts in this topic

Hi,

I used to have a vbscript to read new event logs and filter off and export data as required.

I wish to do the same with AutoIT. Export current data using the examples is okay. But I wonder what is the technique to wait for new event in event logs?

Thanks a lot!




Hey there, I would use WMI for continuous looping. You should really view http://www.autoitscript.com/forum/index.php?showtopic=10534 and read up on how to get the Win32_NT******* files there. Examples are these two:

; Example 1 (Scriptomatic-style): one Win32_NTEventlogFile object per log file
$wbemFlagReturnImmediately = 0x10   ; semisynchronous call
$wbemFlagForwardOnly = 0x20         ; forward-only enumerator, lower memory use
$colItems = ""
$strComputer = "localhost"

$Output=""
$Output &= "Computer: " & $strComputer  & @CRLF
$Output &= "==========================================" & @CRLF
; connect to the CIMV2 namespace on the target machine
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTEventlogFile", "WQL", _
                                          $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then
   For $objItem In $colItems
      $Output &= "AccessMask: " & $objItem.AccessMask & @CRLF
      $Output &= "Archive: " & $objItem.Archive & @CRLF
      $Output &= "Caption: " & $objItem.Caption & @CRLF
      $Output &= "Compressed: " & $objItem.Compressed & @CRLF
      $Output &= "CompressionMethod: " & $objItem.CompressionMethod & @CRLF
      $Output &= "CreationClassName: " & $objItem.CreationClassName & @CRLF
      $Output &= "CreationDate: " & WMIDateStringToDate($objItem.CreationDate) & @CRLF
      $Output &= "CSCreationClassName: " & $objItem.CSCreationClassName & @CRLF
      $Output &= "CSName: " & $objItem.CSName & @CRLF
      $Output &= "Description: " & $objItem.Description & @CRLF
      $Output &= "Drive: " & $objItem.Drive & @CRLF
      $Output &= "EightDotThreeFileName: " & $objItem.EightDotThreeFileName & @CRLF
      $Output &= "Encrypted: " & $objItem.Encrypted & @CRLF
      $Output &= "EncryptionMethod: " & $objItem.EncryptionMethod & @CRLF
      $Output &= "Extension: " & $objItem.Extension & @CRLF
      $Output &= "FileName: " & $objItem.FileName & @CRLF
      $Output &= "FileSize: " & $objItem.FileSize & @CRLF
      $Output &= "FileType: " & $objItem.FileType & @CRLF
      $Output &= "FSCreationClassName: " & $objItem.FSCreationClassName & @CRLF
      $Output &= "FSName: " & $objItem.FSName & @CRLF
      $Output &= "Hidden: " & $objItem.Hidden & @CRLF
      $Output &= "InstallDate: " & WMIDateStringToDate($objItem.InstallDate) & @CRLF
      $Output &= "InUseCount: " & $objItem.InUseCount & @CRLF
      $Output &= "LastAccessed: " & WMIDateStringToDate($objItem.LastAccessed) & @CRLF
      $Output &= "LastModified: " & WMIDateStringToDate($objItem.LastModified) & @CRLF
      $Output &= "LogfileName: " & $objItem.LogfileName & @CRLF
      $Output &= "Manufacturer: " & $objItem.Manufacturer & @CRLF
      $Output &= "MaxFileSize: " & $objItem.MaxFileSize & @CRLF
      $Output &= "Name: " & $objItem.Name & @CRLF
      $Output &= "NumberOfRecords: " & $objItem.NumberOfRecords & @CRLF
      $Output &= "OverwriteOutDated: " & $objItem.OverwriteOutDated & @CRLF
      $Output &= "OverWritePolicy: " & $objItem.OverWritePolicy & @CRLF
      $Output &= "Path: " & $objItem.Path & @CRLF
      $Output &= "Readable: " & $objItem.Readable & @CRLF
      $strSources = $objItem.Sources(0)
      $Output &= "Sources: " & $strSources & @CRLF
      $Output &= "Status: " & $objItem.Status & @CRLF
      $Output &= "System: " & $objItem.System & @CRLF
      $Output &= "Version: " & $objItem.Version & @CRLF
      $Output &= "Writeable: " & $objItem.Writeable & @CRLF
      if Msgbox(1,"WMI Output",$Output) = 2 then ExitLoop
      $Output=""
   Next
Else
   Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_NTEventlogFile" )
Endif


Func WMIDateStringToDate($dtmDate)

    Return (StringMid($dtmDate, 5, 2) & "/" & _
    StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
    & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
EndFunc

; Example 2 (Scriptomatic-style): one Win32_NTLogEvent object per event-log record
$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"

$Output=""
$Output &= "Computer: " & $strComputer  & @CRLF
$Output &= "==========================================" & @CRLF
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent", "WQL", _
                                          $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then
   For $objItem In $colItems
      $Output &= "Category: " & $objItem.Category & @CRLF
      $Output &= "CategoryString: " & $objItem.CategoryString & @CRLF
      $Output &= "ComputerName: " & $objItem.ComputerName & @CRLF
      $strData = $objItem.Data(0)
      $Output &= "Data: " & $strData & @CRLF
      $Output &= "EventCode: " & $objItem.EventCode & @CRLF
      $Output &= "EventIdentifier: " & $objItem.EventIdentifier & @CRLF
      $Output &= "EventType: " & $objItem.EventType & @CRLF
      $strInsertionStrings = $objItem.InsertionStrings(0)
      $Output &= "InsertionStrings: " & $strInsertionStrings & @CRLF
      $Output &= "Logfile: " & $objItem.Logfile & @CRLF
      $Output &= "Message: " & $objItem.Message & @CRLF
      $Output &= "RecordNumber: " & $objItem.RecordNumber & @CRLF
      $Output &= "SourceName: " & $objItem.SourceName & @CRLF
      $Output &= "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerated) & @CRLF
      $Output &= "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF
      $Output &= "Type: " & $objItem.Type & @CRLF
      $Output &= "User: " & $objItem.User & @CRLF
      if Msgbox(1,"WMI Output",$Output) = 2 then ExitLoop
      $Output=""
   Next
Else
   Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_NTLogEvent" )
Endif


Func WMIDateStringToDate($dtmDate)

    Return (StringMid($dtmDate, 5, 2) & "/" & _
    StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
    & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
EndFunc

There are many ways to wait for your programs, but simply Wait([mmseconds]) works.



Hi,

I used to have a vbscript to read new event logs and filter off and export data as required.

I wish to do the same with AutoIT. Export current data using the examples is okay. But I wonder what is the technique to wait for new event in event logs?

Thanks a lot!

There is an EventLog.au3 UDF included with the current version of AutoIt. I posted a demo with it not too long ago that reads the 10 oldest and 10 newest entries from the event log. Should be easy to find with a quick search.

:P



Thanks all....they looked very similar to the vbscript I have.

I have this vbscript

strComputer = "."
    Set WshNetwork = WScript.CreateObject("WScript.Network")   ' not used below
    Set WshShell = WScript.CreateObject("WScript.Shell")       ' not used below
    ' the (Security) privilege lets the subscription see Security-log records too
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")
    ' subscribe to new event-log records; WMI applies the WQL filter before delivery
    Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
        ("Select * from __InstanceCreationEvent where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "AND TargetInstance.Type = 'Error'")   ' unbalanced "(" removed
    Do
        Set objEvent = colMonitoredEvents.NextEvent()   ' blocks until the next matching record
        WScript.Echo objEvent.TargetInstance.Message    ' a bare expression here printed nothing
    Loop

What I'm most interested in is getting new events that fall under my WQL. How do you loop like the vbscript? Tried a few loops w/o success.


Terarink's second example loops through each event, and formats it...

For $objItem In $colItems

All you should have to do is add your filter inside the loop, say using an if statement. If $objItem.EventCode (in the following example) matches your criteria, do something with it, otherwise do nothing.

Here's that block minus a few lines...

If IsObj($colItems) Then
   For $objItem In $colItems
      If $objItem.EventCode = 105 Then                        ;<----Added
         $Output &= "ComputerName: " & $objItem.ComputerName & @CRLF
         $Output &= "EventCode: " & $objItem.EventCode & @CRLF
         $Output &= "EventIdentifier: " & $objItem.EventIdentifier & @CRLF
         $Output &= "EventType: " & $objItem.EventType & @CRLF
         $Output &= "Message: " & $objItem.Message & @CRLF
         $Output &= "RecordNumber: " & $objItem.RecordNumber & @CRLF
         $Output &= "SourceName: " & $objItem.SourceName & @CRLF
         $Output &= "TimeGenerated: " & WMIDateStringToDate($objItem.TimeGenerated) & @CRLF
         $Output &= "TimeWritten: " & WMIDateStringToDate($objItem.TimeWritten) & @CRLF
         $Output &= "User: " & $objItem.User & @CRLF
         If MsgBox(1, "WMI Output", $Output) = 2 Then ExitLoop
         $Output = ""
      EndIf                                                   ;<----Added
   Next
EndIf

In terms of efficiency this might not be the way to go. But, is that what you're looking to do?


I looked at one example. This is my current code but there is an error

$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

 $colMonitoredEvents = $objWMIService.ExecNotificationQuery _
        ("Select * from __InstanceCreationEvent WITHIN 5 where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & " AND TargetInstance.EventCode = '7036' ")

While 1
    $objEventObject = $colMonitoredEvents.NextEvent()
    MsgBox(0, "Test", $objEventObject.TargetInstance.Message)
WEnd

Line from here __InstanceCreationEvent - Error

Not sure what is the cause


I looked at one example. This is my current code but there is an error

$strComputer = "."
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\cimv2")

 $colMonitoredEvents = $objWMIService.ExecNotificationQuery _
        ("Select * from __InstanceCreationEvent WITHIN 5 where " _
            & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & " AND TargetInstance.EventCode = '7036' ")

While 1
    $objEventObject = $colMonitoredEvents.NextEvent()
    MsgBox(0, "Test", $objEventObject.TargetInstance.Message)
WEnd

Line from here __InstanceCreationEvent - Error

Not sure what is the cause

Your string appending across multiple lines is not formatted right:
$colMonitoredEvents = $objWMIService.ExecNotificationQuery( _
        "Select * from __InstanceCreationEvent WITHIN 5 where " & _
        "TargetInstance ISA 'Win32_NTLogEvent' " & _
        " AND TargetInstance.EventCode = '7036' ")

Edit: Oops, should have tested first. Your formatting works too:

$sString = 'Test'
$sString = StringUpper _
    ($sString _
    & "One")
ConsoleWrite("$sString = " & $sString & @LF)

Just ignore me... :D

Edited by PsaltyDS

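An added example, not code from any post in this thread, that puts the thread's pieces together in current AutoIt: a WQL notification subscription with the filter inside the query (so WMI does the filtering, not the script), a NextEvent() timeout plus a COM error handler so a failing WMI call reports a real error code instead of the generic AutoIt failure, and a tab-separated export of each matching record. It assumes AutoIt 3.3.14 or later, the local machine, and that the System/7036 filter and the output path are placeholders to adjust.

```autoit
; Added example; the System/7036 filter and output path are assumptions. The
; Security log additionally needs "(Security)" in the moniker, as in the VBScript.
Global $g_bComErr = False, $g_bStop = False
Global $g_oErr = ObjEvent("AutoIt.Error", "_ComErr")   ; surface WMI/COM failures
HotKeySet("{ESC}", "_Stop")                             ; Esc ends the monitor

Func _ComErr($oError)
    $g_bComErr = True
    ; wbemErrTimedOut (0x80043001) is expected whenever NextEvent() times out
    If Hex($oError.number, 8) <> "80043001" Then ConsoleWrite("COM error 0x" & Hex($oError.number, 8) & ": " & $oError.windescription & @LF)
EndFunc

Func _Stop()
    $g_bStop = True
EndFunc

Global Const $sOutFile = @ScriptDir & "\new_events.tsv"   ; assumed output path
Global $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
If Not IsObj($oWMI) Then Exit 1

; WITHIN 5: WMI polls every 5 s for new Win32_NTLogEvent records. The filter
; runs inside WMI, so only matching records ever reach the script.
Global $sWQL = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " & _
        "TargetInstance ISA 'Win32_NTLogEvent' AND " & _
        "TargetInstance.Logfile = 'System' AND TargetInstance.EventCode = 7036"
Global $oEvents = $oWMI.ExecNotificationQuery($sWQL)
If $g_bComErr Or Not IsObj($oEvents) Then Exit 2

While Not $g_bStop
    $g_bComErr = False
    ; wait at most 2 s per call so the stop flag is checked regularly
    Local $oEvt = $oEvents.NextEvent(2000)
    If $g_bComErr Or Not IsObj($oEvt) Then ContinueLoop
    _WriteRecord($oEvt.TargetInstance)
WEnd

; one tab-separated line per record; multi-line messages are flattened
Func _WriteRecord($oRec)
    Local $sMsg = StringStripWS(StringReplace(String($oRec.Message), @CRLF, " "), 7)
    FileWriteLine($sOutFile, _WmiDateToIso($oRec.TimeGenerated) & @TAB & $oRec.ComputerName & @TAB & _
            $oRec.Logfile & @TAB & $oRec.SourceName & @TAB & $oRec.EventCode & @TAB & $oRec.RecordNumber & @TAB & $sMsg)
EndFunc

; WMI datetime "yyyymmddHHMMSS.ffffff+zzz" -> "yyyy-mm-dd HH:MM:SS"
Func _WmiDateToIso($sDtm)
    Return StringLeft($sDtm, 4) & "-" & StringMid($sDtm, 5, 2) & "-" & StringMid($sDtm, 7, 2) & " " & _
            StringMid($sDtm, 9, 2) & ":" & StringMid($sDtm, 11, 2) & ":" & StringMid($sDtm, 13, 2)
EndFunc
```

Because NextEvent() raises a COM error on timeout, the handler has to treat wbemErrTimedOut as normal; any other error code printed to the console is the real cause of a "not sure what is the cause" failure like the one above.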