eventlog fetching

  • eventlog fetching

    Hi Folks,

    I'm trying to create a script to fetch event log files only for a particular month using our scripting guy script.

    I tried to add a conditional in the script, but it is not working. It would be very much appreciated if somebody could help me with this. I need to filter out the logs for, say, the month of December.

    Thank you so much.
    Mohan Mathew[VU3MMU]
    MCITP [AD]

  • #2
    Re: eventlog fetching

    Please post your script so we can see where you may be going wrong.
    Server 2000 MCP
    Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **



    • #3
      Re: eventlog fetching

      If you want to change the month, change the number in the "" to the month number:

      Code:
      ' Characters 5-6 of TimeWritten (yyyymmddHHMMSS...) hold the month
      If Mid(strTimeWritten, 5, 2) = "12" Then
      The complete script for December:

      Code:
      strComputer = "."

      Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

      Set colEvents = objWMIService.ExecQuery _
      ( "Select * from Win32_NTLogEvent Where LogFile='Application'" )

      Set objFSO = CreateObject("Scripting.FileSystemObject")
      Set objFile = objFSO.CreateTextFile("C:\Events.txt")

      For Each objEvent In colEvents
          strTimeWritten = objEvent.TimeWritten

          ' Rebuild mm/dd/yyyy hh:mm:ss from the WMI timestamp string
          dtmTimeWritten = CDate(Mid(strTimeWritten, 5, 2) & "/" & _
          Mid(strTimeWritten, 7, 2) & "/" & Left(strTimeWritten, 4) _
          & " " & Mid(strTimeWritten, 9, 2) & ":" & _
          Mid(strTimeWritten, 11, 2) & ":" & Mid(strTimeWritten, 13, 2))

          dtmDate = FormatDateTime(dtmTimeWritten, vbShortDate)
          dtmTime = FormatDateTime(dtmTimeWritten, vbLongTime)


          ' Month is at position 5 (position 7 is the day of the month)
          If Mid(strTimeWritten, 5, 2) = "12" Then
          
          strEvent = dtmDate & vbTab
          strEvent = strEvent & dtmTime & vbTab
          strEvent = strEvent & objEvent.SourceName & vbTab
          strEvent = strEvent & objEvent.Type & vbTab
          strEvent = strEvent & objEvent.Category & vbTab
          strEvent = strEvent & objEvent.EventCode & vbTab
          strEvent = strEvent & objEvent.User & vbTab
          strEvent = strEvent & objEvent.ComputerName & vbTab
          
          strDescription = objEvent.Message
          If IsNull(strDescription) Then
              strDescription = "The event description cannot be found."
          End If
          strDescription = Replace(strDescription, vbCrLf, " ")
          strEvent = strEvent & strDescription
          
          objFile.WriteLine strEvent
          End If
      Next
      
      objFile.Close
      Any advice is given in good faith and without warranty.
      Please give reputation points where appropriate.



      • #4
        Re: eventlog fetching

        BIG THANK YOU for the tip!

        I have created the customized version, but am again stuck somewhere. Your kind help is needed again. Please check this part in the script.
        Code:
        monthreq = info_array(2)					   						
        monthreq = month(monthreq)
        I want to get the month number. Are there any other methods? I'm a beginner. Any help would be much appreciated.
        Code:
        information = inputbox("Server Name; Log Type; Month                     Example: 192.168.10.120; application; january","server")	
        
        info_array = split(information, ";")
            								
        		
        
        strComputer = info_array(0)
        
        Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
        
        logs = info_array(1)
        query = "Select * from Win32_NTLogEvent Where LogFile=" & "'" & logs & "'"
        
        
        Set colEvents = objWMIService.ExecQuery _
        ( query )
        
        
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.CreateTextFile(".\Events.csv")								
        
        
        monthreq = info_array(2)					   						
        monthreq = month(monthreq)
        
        For Each objEvent In colEvents
            strTimeWritten = objEvent.TimeWritten
            
        
            dtmTimeWritten = CDate(Mid(strTimeWritten, 5, 2) & "/" & _
            Mid(strTimeWritten, 7, 2) & "/" & Left(strTimeWritten, 4) _
            & " " & Mid(strTimeWritten, 9, 2) & ":" & _
            Mid(strTimeWritten, 11, 2) & ":" & Mid(strTimeWritten, 13, 2))						
            
            dtmDate = FormatDateTime(dtmTimeWritten, vbShortDate)
            dtmTime = FormatDateTime(dtmTimeWritten, vbLongTime)
        
        Month1 = Mid(strTimeWritten, 5, 2)
            
        
            If  Month1 = monthreq Then
        
            
            strEvent = dtmDate & ","
            strEvent = strEvent & dtmTime & ","
            strEvent = strEvent & objEvent.SourceName & ","
            strEvent = strEvent & objEvent.Type & ","
            strEvent = strEvent & objEvent.Category & ","
            strEvent = strEvent & objEvent.EventCode & ","
            strEvent = strEvent & objEvent.User & ","
            strEvent = strEvent & objEvent.ComputerName & ","
            
            If IsNull(strDescription) Then
                strDescription = "The event description cannot be found."
            End If
            strDescription = Replace(strDescription, vbCrLf, " ")
            strEvent = strEvent & strDescription
            
            objFile.WriteLine strEvent
            End If
        
        
        
        Next
        
        
        
        objFile.Close
        
        MsgBox "Event logs are fetched.", 64, "Information!"
        Last edited by mohanmathew; 9th January 2009, 21:18.
        Mohan Mathew[VU3MMU]
        MCITP [AD]



        • #5
          Re: eventlog fetching

          Man I feel lazy for not bothering to look at the example
          Server 2000 MCP
          Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

          ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **



          • #6
            Re: eventlog fetching

            Look into my code and see the function I used to convert to the right type.

            Here is an example of some of them:

            http://www.microsoft.com/technet/scr....mspx?mfr=true

            Good luck:

            Code:
            information = InputBox("Server Name; Log Type; Month                     Example: 192.168.10.120; application; january", "server")    
            
            info_array = Split(information, ";")
            
            strComputer = info_array(0)
            logs = info_array(1)
            
            Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
            
            Set colEvents = objWMIService.ExecQuery _
            ("Select * from Win32_NTLogEvent Where LogFile = " & "'" & logs & "'")
            
            
            Set objFSO = CreateObject("Scripting.FileSystemObject")
            Set objFile = objFSO.CreateTextFile(".\Events.csv")                                
            
            
            monthreq = IsDate(info_array(2))                                               
            monthreq = Month(monthreq)
            
            For Each objEvent In colEvents
                strTimeWritten = objEvent.TimeWritten
                        
                dtmTimeWritten = CDate(Mid(strTimeWritten, 5, 2) & "/" & _
                Mid(strTimeWritten, 7, 2) & "/" & Left(strTimeWritten, 4) _
                & " " & Mid(strTimeWritten, 9, 2) & ":" & _
                Mid(strTimeWritten, 11, 2) & ":" & Mid(strTimeWritten, 13, 2))
                        
                dtmDate = FormatDateTime(dtmTimeWritten, vbShortDate)
                dtmTime = FormatDateTime(dtmTimeWritten, vbLongTime)
                month1 = Mid(strTimeWritten, 7, 2)
                monthreq = CStr(monthreq)
                   If month1 = monthreq Then
                    strEvent = dtmDate & vbTab
                    strEvent = strEvent & dtmTime & vbTab
                    strEvent = strEvent & objEvent.SourceName & vbTab
                    strEvent = strEvent & objEvent.Type & vbTab
                    strEvent = strEvent & objEvent.Category & vbTab
                    strEvent = strEvent & objEvent.EventCode & vbTab
                    strEvent = strEvent & objEvent.User & vbTab
                    strEvent = strEvent & objEvent.ComputerName & vbTab
                                
                    strDescription = objEvent.Message
                    If IsNull(strDescription) Then
                        strDescription = "The event description cannot be found."
                    End If
                    strDescription = Replace(strDescription, vbCrLf, " ")
                    strEvent = strEvent & strDescription
                                
                    objFile.WriteLine strEvent
            End If
            Next
            
            objFile.Close
            Any advice is given in good faith and without warranty.
            Please give reputation points where appropriate.



            • #7
              Re: eventlog fetching

              No, the IsDate function will not serve my need. I solved my problem by reversing the monthname function. I will post my completed version tomorrow. But the script is now a bit longer than expected!
              Last edited by mohanmathew; 14th January 2009, 08:14. Reason: typo
              Mohan Mathew[VU3MMU]
              MCITP [AD]



              • #8
                Re: eventlog fetching

                The script is almost complete. Again, I'm not able to pull the data for the last 3 months. This is because the month number consists of 2 digits: 10, 11, & 12. Please have a look into this and help me.

                Code:
                information = inputbox("Server Name; Log Type; Month                     Example: 192.168.1.2;application;January","Server Details")	
                
                info_array = split(information, ";")
                logs = info_array(1)
                
                i = 1
                flag_changed = 0
                dim monthname1
                strComputer = info_array(0)
                info_array(2) = UCase(info_array(2))
                
                
                Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
                
                Set colEvents = objWMIService.ExecQuery _
                    ("Select * from Win32_NTLogEvent Where LogFile = " & "'" & logs & "'")
                
                Set objFSO = CreateObject("Scripting.FileSystemObject")
                Set objFile = objFSO.CreateTextFile(".\" & info_array(1) & ".csv")
                
                For Each objEvent in colEvents
                    strTimeWritten = objEvent.TimeWritten
                
                    dtmTimeWritten = CDate(Mid(strTimeWritten, 5, 2) & "/" & _
                        Mid(strTimeWritten, 7, 2) & "/" & Left(strTimeWritten, 4) _
                            & " " & Mid (strTimeWritten, 9, 2) & ":" & _
                                Mid(strTimeWritten, 11, 2) & ":" & Mid(strTimeWritten, 13, 2))
                
                    dtmDate = FormatDateTime(dtmTimeWritten, vbShortDate)
                    dtmTime = FormatDateTime(dtmTimeWritten, vbLongTime)
                
                do until i = 12
                
                monthname1 = UCase(monthname(i))
                if info_array(2) = monthname1 then
                flag = i
                end if
                i = i + 1
                loop
                
                if flag < 10 AND flag_changed < 1 then
                flag = "0" & flag
                flag_changed = 1
                end if
                
                
                
                if Mid(strTimeWritten, 5, 2) = flag Then
                    strEvent = dtmDate & ","
                    strEvent = strEvent & dtmTime & ","
                    strEvent = strEvent & objEvent.SourceName & ","
                    strEvent = strEvent & objEvent.Type & ","
                    strEvent = strEvent & objEvent.Category & ","
                    strEvent = strEvent & objEvent.EventCode & ","
                    strEvent = strEvent & objEvent.User & ","
                    strEvent = strEvent & objEvent.ComputerName & ","
                'strEvent = strEvent & strTimeWritten & ","
                
                    'strDescription = objEvent.Message
                    If IsNull(strDescription) Then
                        strDescription = "The event description cannot be found."
                    End If
                    strDescription = Replace(strDescription, vbCrLf, " ")
                    strEvent = strEvent & strDescription
                
                    objFile.WriteLine strEvent
                
                end if
                Next
                
                objFile.Close
                
                MsgBox "The script has finished running.", 64, "Thank you."
                Last edited by mohanmathew; 14th January 2009, 08:23. Reason: typo
                Mohan Mathew[VU3MMU]
                MCITP [AD]



                • #9
                  Re: eventlog fetching

                  Originally posted by mohanmathew
                  I want to get the month number. Are there any other methods? I'm a beginner. Any help would be much appreciated.
                  Code:
                  information = inputbox("Server Name; Log Type; Month                     Example: 192.168.10.120; application; january","server")
                  Here is a good reference about the Date/Time functions that are by default available for VBS.
                  http://www.w3schools.com/vbScript/vb...tions.asp#date
                  - You can get the number of the month from a valid date string by using the Month() function.
                  - You can get the name of the month by using the MonthName() function.

                  In the code below I use some of the Date/Time functions.
                  Additionally, in the sample I also put the statements concerning the Inputbox() section in a Do_Loop. This makes it possible to check the syntax of the input before proceeding.

                  Code:
                  Dim infoString
                  Do While X = 0 ' check input for three values
                  infoString = inputbox(vbNewLine _
                         & "Enter: Server Name; Log Type; Month" _
                         & vbNewLine & vbNewLine & vbNewLine & vbNewLine _
                         & "Example: 192.168.1.2;application;January", _
                           "Server Details", infoString)
                  
                  If infoString = "" Then WScript.Quit   ' InputBox returns an empty string on Cancel
                  
                  info_array = split(infoString, ";")
                  If UBound(info_array) = 2 Then
                    strComputer = Trim(info_array(0))
                    strLogfile = Trim(info_array(1))
                    strMonth = Trim(info_array(2))
                    If Len(strComputer)>0 And _
                       Len(strLogfile)>0  And _
                       Len(strMonth)>0    Then
                      exit Do
                    Else msgBox "Input was Invalid"
                    End If
                  Else msgBox "Input was Invalid"
                  End If
                  Loop
                  
                  outFile = strLogfile & "-" & strMonth & "-" & strComputer & ".csv"
                  Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
                  Set objFile = FileSystem.CreateTextFile(".\" & outFile, True)
                  
                  objFile.WriteLine _
                     "event Date,Time,Source,Type,Category,Code,User,Computer,Description"
                  
                  Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
                          strComputer & "\root\cimv2")
                  
                  Set colEvents = objWMIService.ExecQuery _
                      ("Select * from Win32_NTLogEvent " _
                      & "Where LogFile = '" & strLogfile & "'",,48)
                  
                  ' http://msdn.microsoft.com/en-us/library/aa393687(VS.85).aspx
                  Set dtmDateTime = CreateObject("WbemScripting.SWbemDateTime")
                  
                  For Each objEvent in colEvents
                     dtmDateTime.Value = objEvent.TimeWritten
                     dt = dtmDateTime.GetVarDate
                     evtMonth = MonthName(Month(dt))
                     If LCase(strMonth) = LCase(evtMonth) Then
                  
                      strEvent = DateValue(dt)          & "," _
                               & TimeValue(dt)          & "," _
                               & objEvent.SourceName    & "," _
                               & objEvent.Type          & "," _
                               & objEvent.Category      & "," _
                               & objEvent.EventCode     & "," _
                               & objEvent.User          & "," _
                               & objEvent.ComputerName
                       If Not IsNull(objEvent.Message) Then
                          strDescription = Replace(objEvent.Message, vbLf, " ")
                          strEvent = strEvent & "," _
                               & """" & Trim(_
                                 Replace(strDescription, vbCr, "")) & """"
                       Else
                          strEvent = strEvent & "," _
                               & """The event description not available."""
                       End If
                  
                      objFile.WriteLine strEvent
                  
                     End If
                  Next
                  
                  objFile.Close
                  
                  MsgBox "The script has finished running.", 64, "Thank you."
                  Note,
                  The "objEvent.Message" string must be written between quotes in the csv-file. And vbCr + vbLf must be removed/replaced separately.


                  \Rems
                  Last edited by Rems; 15th January 2009, 18:20.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts



                  • #10
                    Re: eventlog fetching

                    Thank You Rems

                    Now the script is excellent. Thank you once again for modifying the script.

                    Also, can you please let me know why the code
                    Code:
                    if Mid(strTimeWritten, 5, 2) = flag Then
                    was not working for the last three months? Since I'm very new to scripting and learning more and more day by day, this is just for clarification, so that I can avoid such errors in future.

                    Thank You soo much
                    Mohan Mathew[VU3MMU]
                    MCITP [AD]



                    • #11
                      Re: eventlog fetching

                      Originally posted by mohanmathew
                      , can you please let me know why the code; if Mid(strTimeWritten, 5, 2) = flag Then
                      was not working for the last three months?
                      When comparing expressions (in this scenario the comparison is based on the number of the month), you cannot compare a string value with a numeric value. They can never be equal unless you change one of the two to the format of the other. And that is in fact what you did where the script added a zero to the numbers of the first nine months to get the same number of digits; both numbers then were in a string format, while the 10th, 11th and 12th months kept their value in numeric format.

                      Besides that, there were also two other issues,
                      Code:
                      ' Basically this is what your script does...

                      strInputMonth = "April"  ' (This value would normally be the name of the month you entered in the InputBox() )
                      
                      i = 1
                      flag_changed = 0
                      
                      ' The Do_Until loop to determine the number of the Month from
                      ' "strInputMonth" should not be in the For_Each_event loop - otherwise
                      ' it will be processed over and over for every event in the log.
                      ' (btw, If you do it like you did, then you should have put the
                      '   resetting of the variables i = 1 and flag_changed = 0 in the
                      '   For_Each_event loop too!!!)
                      
                      Do until i = 13  ' not 12! because i = i + 1 is added in the loop after comparing the month and that was because the starting value was set to 1 instead of 0.
                        If UCase(strInputMonth) = UCase(MonthName(i)) then
                          flag = i
                          exit Do
                        End If
                        i = i + 1
                      Loop
                      
                      'FOR EACH objEvent IN colEvents ########################################
                      
                          strTimeWritten = "20080430193250.000000+060"  '= one sample from objEvent.TimeWritten
                      
                          nYear   = Mid(strTimeWritten, 1, 4)   'or Left(strTimeWritten, 4)
                          nMonth  = Mid(strTimeWritten, 5, 2)
                          nDay    = Mid(strTimeWritten, 7, 2)
                          nHour   = Mid(strTimeWritten, 9, 2)
                          nMinute = Mid(strTimeWritten, 11, 2)
                          nSecond = Mid(strTimeWritten, 13, 2)
                      
                          dtmTimeWritten = nMonth & "/" & nDay _
                                         & "/" & nYear & " " & nHour _
                                         & ":" & nMinute & ":" & nSecond
                      
                      wsh.echo     "The numeric value of 'flag' will not show zeros on the left of the number :", flag, "(nummeric format)", _
                       vbNewLine & "while ''nMonth = Mid(strTimeWritten, 5, 2)'' is presented as a string value and always show two digets :", nMonth, _
                       vbNewLine & vbNewLine _
                                 & "The comparassing (e.g.",  strInputMonth & ")   ", flag & "-nummeric and", nMonth & "-string   =Not eql", _
                       vbNewLine & vbNewLine _
                                 & "The solution is to reformat 'nMonth' to a numeric value :", FormatNumber(nMonth, 0), _
                       vbNewLine & "instead of reformatting the 'flag' value to a string"
                      
                      'NEXT ##################################################################
                      
                      
                      
                      wsh.echo "Another solution would have been to", _
                        vbNewLine & "not translating 'strInputMonth' to a number", _
                        vbNewLine & "but to get the name of the month from 'strTimeWritten'", _
                        vbNewLine & "from every event :", MonthName(Month(CDate(dtmTimeWritten)))
                      \Rems
                      Last edited by Rems; 16th January 2009, 18:54.

                      This posting is provided "AS IS" with no warranties, and confers no rights.

                      __________________

                      ** Remember to give credit where credit's due **
                      and leave Reputation Points for meaningful posts



                      • #12
                        Re: eventlog fetching

                        Thank you so much, dear Rems. I have more doubts.


                        Code:
                        do until i = 12
                        
                        monthname1 = UCase(monthname(i))
                        if info_array(2) = monthname1 then
                        flag = i
                        end if
                        i = i + 1
                        loop
                        But you might have noticed, I have created a loop to iterate from 1 to 12 checking whether the
                        Code:
                        monthname1 = UCase(monthname(i))
                        and at any position if info_array(2) become equal to monthname1 then a flag will be set instead of comparing the string and numerical value.

                        Your help is very much appreciated.
                        Last edited by mohanmathew; 17th January 2009, 04:18. Reason: typo
                        Mohan Mathew[VU3MMU]
                        MCITP [AD]



                        • #13
                          Re: eventlog fetching

                          In short,

                          * The month entered (read from the string returned from the inputbox function) is the name of the month.

                          * The month from the event (read from the 'objEvent.TimeWritten' string) is the number of the month and is a two-digit numeric string value (the presented number is not in a numeric-format!!!).


                          There are basically two solutions for comparing the month entered with the month from each event.
                          1. Use default vbs functions to retrieve the Name of Month from 'objEvent.TimeWritten' and compare for a match with the name entered in the inputbox - mind the case of the characters. (This is what I used in my first sample.)

                          2. Use some kind of discovery (i.e. a loop) to determine the Number of the Month from the name that was entered in the inputbox.
                            Then change the format of one of the two values that you want to compare with each other - to ensure that both numeric expressions will not only have the same pattern but also be in the same format. (Solution-2 is what you used in your sample, except that you changed the format of the 'flag' value to a string-format only when the value was 9 or less (at your lines 41 to 44); that's where you changed the pattern to two digits.)
                            You should choose one of the following options to be able to compare the two values:
                            a. Change 'flag' for_all_numbers (also above 9) from a numeric-format to a numeric string-formatted value containing two digits.
                            OR
                            b. Change the Month-number from all the events from a numeric string-format to a numeric-format,
                            (note, in numeric-format left-side zeros are automatically skipped)


                          note
                          In the DO_LOOP from your example, the value of 'i' in the line:
                          'monthname1 = UCase(monthname(i))' - can never reach the value 12 ! - because the DO_LOOP loops until i = 12.
                          If you want to use 'Do until i = 12', then 'i = i + 1' should happen before checking for conditions - subsequently, the init size of 'i' must now be 0. ~see sample below


                          ( option 2a ).
                          Code:
                          i = 0
                          Do until i = 12
                          
                            i = i + 1
                            monthname1 = UCase(monthname(i))
                          
                            If info_array(2) = monthname1 then
                            '# change format of 'i' to a two digit "string format", ..
                              flag = Right("0"& CStr(i), 2)
                              exit Do
                            End If
                          
                          Loop
                          Then, in the For_Each objEvent - loop;
                          Code:
                          If Mid(strTimeWritten, 5, 2) = flag Then
                          (In the above DO_LOOP example the 'exit Do' is just used to end the loop earlier when 'flag' is already defined.)

                          Also in the above sample, the value of 'i' is used for defining the flag variable where the numeric-format of 'i' is changed into a two-digit number in string-format.


                          Or else, if 'flag' had been left in a numeric-format, then you should change the numeric value of the string 'Mid(strTimeWritten, 5, 2)' to a numeric-format.

                          ( alternative 2b ).
                          Code:
                          '# When the value of 'flag' would not have been changed to a
                          '# suitable string value and still is in numeric-format - then alternatively
                          '# the month_number from the event should be changed instead
                          '# to match formats, ..
                          '# (CInt gives a real numeric subtype; FormatNumber returns a String)
                          If CInt(Mid(strTimeWritten, 5, 2)) = flag Then

                          \Rems
                          Last edited by Rems; 18th January 2009, 12:51.

                          This posting is provided "AS IS" with no warranties, and confers no rights.

                          __________________

                          ** Remember to give credit where credit's due **
                          and leave Reputation Points for meaningful posts
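
The following is an added example, not part of the thread and not any poster's code. It goes beyond the fixes discussed above: the month number stays numeric and is turned into a TimeWritten date range inside the WQL query, so no "mm" substring is ever compared with a number and WMI returns only the requested month. The constants (computer, log, month, year, output file) and the helper names MonthNumber, ToDmtf and CsvField are assumptions chosen for illustration; the thread's scripts take no year.

```vbscript
Option Explicit

' Constructed sample inputs (assumptions, not values from the thread's scripts)
Const COMPUTER = "."
Const LOG_NAME = "Application"
Const MONTH_IN = "December"
Const YEAR_IN  = 2008
Const OUT_FILE = ".\Events-by-month.csv"

' Month name -> month number (1..12, numeric subtype); 0 if not recognised.
Function MonthNumber(strName)
    Dim i
    MonthNumber = 0
    For i = 1 To 12          ' 12 is included, so December is matched too
        If StrComp(Trim(strName), MonthName(i), vbTextCompare) = 0 Then
            MonthNumber = i
            Exit Function
        End If
    Next
End Function

' VBScript date -> DMTF datetime string, the format TimeWritten uses.
Function ToDmtf(dtValue)
    Dim objStamp
    Set objStamp = CreateObject("WbemScripting.SWbemDateTime")
    objStamp.SetVarDate dtValue, True    ' True: dtValue is local time
    ToDmtf = objStamp.Value
End Function

' Quote one CSV field: flatten line breaks, double embedded quotes, and
' prefix text that a spreadsheet would otherwise evaluate as a formula.
Function CsvField(varValue)
    Dim strText
    If IsNull(varValue) Then strText = "" Else strText = CStr(varValue)
    strText = Replace(Replace(strText, vbCr, ""), vbLf, " ")
    If Len(strText) > 0 Then
        If InStr("=+-@", Left(strText, 1)) > 0 Then strText = "'" & strText
    End If
    CsvField = """" & Replace(strText, """", """""") & """"
End Function

Dim nMonth, dtStart, dtEnd, objCheck, strQuery
Dim objWMI, colEvents, objEvent, objFSO, objFile, objTime, dtEvent

nMonth = MonthNumber(MONTH_IN)
If nMonth = 0 Then
    WScript.Echo "Unknown month name: " & MONTH_IN
    WScript.Quit 1
End If

' The log name is concatenated into WQL: accept letters, digits and spaces only.
Set objCheck = New RegExp
objCheck.Pattern = "^[A-Za-z0-9 ]+$"
If Not objCheck.Test(LOG_NAME) Then
    WScript.Echo "Unexpected log name: " & LOG_NAME
    WScript.Quit 1
End If

dtStart = DateSerial(YEAR_IN, nMonth, 1)
dtEnd   = DateAdd("m", 1, dtStart)       ' first day of the following month

strQuery = "Select * from Win32_NTLogEvent Where LogFile = '" & LOG_NAME & "'" _
         & " And TimeWritten >= '" & ToDmtf(dtStart) & "'" _
         & " And TimeWritten < '" & ToDmtf(dtEnd) & "'"

' {(Security)} enables the privilege needed to read the Security log.
Set objWMI = GetObject("winmgmts:{(Security)}\\" & COMPUTER & "\root\cimv2")
Set colEvents = objWMI.ExecQuery(strQuery, , 48)

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(OUT_FILE, True)
objFile.WriteLine "Date,Time,Source,Type,Category,Code,User,Computer,Description"

Set objTime = CreateObject("WbemScripting.SWbemDateTime")
For Each objEvent In colEvents
    objTime.Value = objEvent.TimeWritten
    dtEvent = objTime.GetVarDate(True)   ' back to a local VBScript date
    objFile.WriteLine CsvField(DateValue(dtEvent)) & "," _
        & CsvField(TimeValue(dtEvent)) & "," _
        & CsvField(objEvent.SourceName) & "," _
        & CsvField(objEvent.Type) & "," _
        & CsvField(objEvent.Category) & "," _
        & CsvField(objEvent.EventCode) & "," _
        & CsvField(objEvent.User) & "," _
        & CsvField(objEvent.ComputerName) & "," _
        & CsvField(objEvent.Message)
Next
objFile.Close

WScript.Echo "Wrote " & OUT_FILE & " using query: " & strQuery
```

Run it with cscript.exe so the final message goes to the console rather than a dialog box.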



                          • #14
                            Re: eventlog fetching

                            Yes, now I got it. Thank you sooo much dear Rems. I'm learning tips & tricks in WMI scripting.

                            Once again thank you for your time. Have a wonderful day!
                            Mohan Mathew[VU3MMU]
                            MCITP [AD]



                            • #15
                              Re: eventlog fetching

                              Originally posted by mohanmathew
                              Once again thank you for your time. Have a wonderful day!
                              Glad to be of help.
                              Mohan you too, have a good day.

                              \Rems

                              This posting is provided "AS IS" with no warranties, and confers no rights.

                              __________________

                              ** Remember to give credit where credit's due **
                              and leave Reputation Points for meaningful posts
