Dos batch file for export of syslog data

  • Dos batch file for export of syslog data

    I am looking for a way to export Server 2003 Event Log data (by source or event ID) to a .txt or .csv.

    I prefer batch files (I am decent at DOS, but not at other scripting), but am open to other scripts if someone can "assist" a bit.

    Thanks in advance

  • #2
    Re: Dos batch file for export of syslog data

    Hi JMasat,

    To be able to query the event log you must use the WMI Win32_NTEventlogFile class.

    So, you'll need to use the 'Windows Management Instrumentation' service.
    But you do not necessarily have to write a VBScript for this. Windows XP and newer provide the WMI command-line utility, WMIC.exe.

    Example of how to query the event logs using WMIC in a batch file:
    Code:
    @echo off
    echo Wait...
    rem NTEVENT is the WMIC alias for the Win32_NTLogEvent class (one instance per event record).
    rem htable renders the result as one HTML table; "sortby=logfile" groups the rows by log.
    rem /node: targets the local machine here, but accepts a remote computer name as well.
    WMIC /node:"%computername%" NTEVENT GET LogFile, CategoryString, SourceName, EventCode, Type, Message, TimeGenerated /FORMAT:htable:"sortby=logfile" >"c:\EventLog.htm"
    cls&echo Done
    pause>nul

    The command above will export all the events from each log to a single htm page.
    Or, you can use the WHERE clause for a valid WQL query (filter); the clause must be between quotes:
    WHERE "EventType < 3 AND logfile!='application'"
    (Notice the "!" in "!=", which means "NOT".)

    The alias for "Win32_NTEventlogFile" is: "NTEVENT"
    "Source" is named here: "SourceName"
    "Event ID" is named here: "EventIdentifier" or "EventCode"

    Example to find all instances with Source='NETLOGON' in the logfile='System':
    Code:
    @echo off
    Set "zOutPut=c:\EventLog.htm"
    
    Set "evtLog=System"
    Set "Source=NETLOGON"
    
    rem Write the page header. <body> and <html> are closed at the end, after
    rem the query output has been appended, so the page stays well-formed.
    >"%zOutput%" (
     echo.^<html^>
     echo.^<body^>
     echo.^<H3^>^<Font Face=Verdana Color=Blue^>^<P align=Center^>%date% - %time%^<BR^>
     echo.Query %evtLog% events^</P^>^</Font^>^</H3^>
     echo.^<HR^>
    )
    
    echo Wait...
    
    >>"%zOutPut%" (
     echo.^<Font Color=Green^>^<H3^>^<B^>^<I^>Source = %Source%^</I^>^</B^>^</H3^>^</Font^>
    )
    
    rem /append writes WMIC's result to the end of the file; hform renders each
    rem event as its own vertical table, sorted by TimeGenerated. The WHERE
    rem clause filters on log name and source before anything is written.
    WMIC /node:"%computername%" /append:"%zOutPut%" NTEVENT WHERE "logfile='%evtLog%' AND SourceName='%Source%'" GET LogFile, CategoryString, SourceName, EventCode, Type, Message, TimeGenerated /format:hform.xsl:"sortby=TimeGenerated" >NUL
    
    :Cleanup
    rem Footer: timestamp and user, then close the tags opened in the header.
    >>"%zOutput%" (
     echo.^<I^>^<Font Size=-1^>^<BR^>
     date /t
     time /t
     echo.- %username% ^</Font^>^</I^>
     echo.^</body^>
     echo.^</html^>
    )
    
    cls&echo Done
    (ping 127.0.0.1 -n 1)>nul
    
    start "" "%zOutPut%"

    (In this last example I also changed the layout.)

    WMIC is a very powerful command-line tool; it can be used to get all sorts of information from the system, and you can also target remote computers with it.


    But there is also another tool that comes with Windows XP and newer, which is specially designed to query the event logs!
    It is written in VBScript and must be run by the cscript host. The name of that command-line tool is "eventquery.vbs".
    To get the syntax, run this batch:
    Code:
    @echo off
    Set "strOutput=%temp%\eventquery.txt"
    rem Run eventquery.vbs under cscript (not wscript) so its help text goes to
    rem the console, and capture both stdout and stderr into the temp file.
    Cscript.exe //NoLogo "%windir%\system32\eventquery.vbs" /? >"%strOutPut%" 2>&1
    
    start "" notepad "%strOutPut%"
    (ping 127.0.0.1 -n 1 >nul)
    del "%strOutPut%"


    List of other command-line tools for this:
    - DumpEL (RK)
    - psLogList (Sysinternals)
    - DumpEvt (SomarSoft/SystemTools)
    - LogParser (MS)
    (there are probably more)


    \Rems
    Last edited by Rems; 17th October 2008, 20:27.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
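The original question asked for a .txt or .csv rather than an HTML page. The following batch file is an added example, not part of Rems' post: it reuses the NTEVENT alias and the WHERE clause shown above, but takes the log, source and Event ID as parameters and writes the result with WMIC's csv format, cleaning up the quirks of that output (leading blank line, UTF-16 encoding, doubled CR) so the file opens cleanly in Excel or Log Parser. The script name ExportEvents.cmd, the variable names and the event IDs in the usage comments are assumptions; the script assumes WMIC is present (XP/2003 and later) and that the account running it may read the chosen log.

```batch
@echo off
setlocal EnableExtensions DisableDelayedExpansion
rem Added example (not from the original post): export filtered events to CSV.
rem Usage: ExportEvents.cmd <LogFile> [Source] [EventCode] [OutFile] [Node]
rem   ExportEvents.cmd System NETLOGON 5719
rem   ExportEvents.cmd Application "" 1000 c:\app_1000.csv
rem   ExportEvents.cmd Security "" 529 c:\logons.csv SERVER01
rem Pass "" to skip a filter. Assumed: WMIC is present (XP/2003 and later) and
rem the caller may read the log (Security needs administrative rights; a remote
rem Node needs RPC/DCOM access and admin credentials on that host).

set "evtLog=%~1"
set "Source=%~2"
set "EventCode=%~3"
set "zOutPut=%~4"
set "zNode=%~5"
if "%evtLog%"=="" goto :Usage
if "%zOutPut%"=="" set "zOutPut=%~dp0%evtLog%_events.csv"
if "%zNode%"=="" set "zNode=%computername%"

rem Build the WQL filter. EventCode is the 16-bit Event ID shown in Event
rem Viewer; EventIdentifier is the full 32-bit value and does not always match.
set "zWhere=Logfile='%evtLog%'"
if not "%Source%"=="" set "zWhere=%zWhere% AND SourceName='%Source%'"
if not "%EventCode%"=="" set "zWhere=%zWhere% AND EventCode=%EventCode%"

echo Querying \\%zNode% NTEVENT WHERE %zWhere% ...

rem WMIC's csv output starts with a blank line, is UTF-16 when redirected and
rem ends every line with CR CR LF. Reading it through FOR /F yields ANSI text
rem and drops the blank line; the inner FOR /F strips the extra CR. Delayed
rem expansion stays off so "!" and "&" inside Message are written literally.
rem "No Instance(s) Available." goes to stderr; 2>nul keeps it out of the file.
rem TimeGenerated is a DMTF timestamp: yyyymmddHHMMSS.ffffff+zzz (minutes from UTC).
>"%zOutPut%" (
  for /f "usebackq delims=" %%A in (`wmic /node:"%zNode%" NTEVENT WHERE "%zWhere%" GET TimeGenerated,Logfile,SourceName,EventCode,Type,Message /FORMAT:csv 2^>nul`) do (
    for /f "delims=" %%B in ("%%A") do echo(%%B
  )
)

rem Count lines: the first is the header, every other line is one event.
set "zLines=0"
for /f %%N in ('type "%zOutPut%" ^| find /c /v ""') do set "zLines=%%N"
if %zLines% LEQ 1 (
  echo No matching events ^(check the log name, Source, EventCode and your rights^).
  exit /b 2
)
set /a zEvents=zLines-1
echo %zEvents% event(s) written to "%zOutPut%"
exit /b 0

:Usage
echo Usage: %~nx0 ^<LogFile^> [Source] [EventCode] [OutFile] [Node]
exit /b 1
```

Two caveats when reading the result: WMIC's csv format does not quote fields, so a Message that itself contains commas or line breaks will spill across columns or rows (drop Message from the GET list if you only need counts by source and ID); and if WMIC answers "Invalid XSL format (or) file name", the csv stylesheet was not found on the search path, which is worked around by giving /FORMAT the full path of csv.xsl under %WINDIR%\System32\wbem.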



    • #3
      Re: Dos batch file for export of syslog data

      Thanks Rems!!

      I was attempting to use Dumpel; for some reason the switches did not work.

      But I will gladly try the other suggestions!

      JM
