You are here:
ActiveXperts.com > ActiveXperts Network Monitor > WindowsManagement > Scripts > Logs > Event Logs
Quicklinks
- Download ActiveXperts Network Monitor 7.2 (11845 kB)
- Download Manual (925 kB)
Event Log Scripting
Add WMI Data to an Event Log EntryBack Up and Clear an Event Log
Back Up and Clear Large Event Logs
Create a Custom Event Log
Copy Event Log Events to a Database
Copy the Previous Day’s Event Log Events to a Database
Create Unique File Names for Event Log Backups
List All Events from an Event Log
List All Stop Events
List Events For a Specific Day From An Event Log
List Events From a Specific Event Log
List Event Log Properties
List Events Using an Asynchronous Query
List Specific Events from an Event Log
List System Event Log Properties
List Security Log Properties
Modify Event Log Properties
Monitor Event Logs in Real Time
Write to a Custom Event Log Using EventCreate
Write Events to the Local Event Log
Write Events to a Remote Event Log
You can use any of the VBScript programs below in ActiveXperts Network Monitor. Click here for an explanation about how to include scripts in ActiveXperts Network Monitor.
Add WMI Data to an Event Log Entry
Writes an event that includes additional information such as user name and the amount of free disk space on the computer.
Const EVENT_FAILED = 2
Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colDiskDrives = objWMIService.ExecQuery _
("Select * from win32_perfformatteddata_perfdisk_logicaldisk")
For Each objDisk in colDiskDrives
strDriveSpace = objDisk.Name & " " & objDisk.FreeMegabytes _
& VbCrLf
Next
strEventDescription = "Payroll application could not be installed on " _
& objNetwork.UserDomain & "\" & objNetwork.ComputerName _
& " by user " & objNetwork.UserName & _
". Free space on each drive is: " & strDriveSpace
objShell.LogEvent EVENT_FAILED, strEventDescription
Back Up and Clear an Event Log
Backs up and clears the Application event log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Backup)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogfile in colLogFiles
errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
If errBackupLog <> 0 Then
Wscript.Echo "The Application event log could not be backed up."
Else
objLogFile.ClearEventLog()
End If
Next
Back Up and Clear Large Event Logs
Backs up and clears an event log if the log file size is larger than 20 megabytes.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For Each objLogfile in colLogFiles
If objLogFile.FileSize > 100000 Then
strBackupLog = objLogFile.BackupEventLog _
("c:\scripts\" & objLogFile.LogFileName & ".evt")
objLogFile.ClearEventLog()
End If
Next
Create a Custom Event Log
Creates a custom event log named Scripts.
Const NO_VALUE = Empty
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite _
"HKLM\System\CurrentControlSet\Services\EventLog\Scripts\", NO_VALUE
Copy Event Log Events to a Database
Retrieves events from all the event logs and records these in a database with the DSN Name of EventLogs.
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3
objRS.Open "SELECT * FROM EventTable" , objConn, 3, 3
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent")
For Each objEvent in colRetrievedEvents
objRS.AddNew
objRS("Category") = objEvent.Category
objRS("ComputerName") = objEvent.ComputerName
objRS("EventCode") = objEvent.EventCode
objRS("Message") = objEvent.Message
objRS("RecordNumber") = objEvent.RecordNumber
objRS("SourceName") = objEvent.SourceName
objRS("TimeWritten") = objEvent.TimeWritten
objRS("Type") = objEvent.Type
objRS("User") = objEvent.User
objRS.Update
Next
objRS.Close
objConn.Close
Copy the Previous Day’s Event Log Events to a Database
Retrieves events from all the event logs that were recorded on the previous day, and writes these records to a database with the DSN Name EventLogs.
Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3
objRS.Open "SELECT * FROM EventTable" , objConn, 3, 3
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
objRS.AddNew
objRS("Category") = objEvent.Category
objRS("ComputerName") = objEvent.ComputerName
objRS("EventCode") = objEvent.EventCode
objRS("Message") = objEvent.Message
objRS("RecordNumber") = objEvent.RecordNumber
objRS("SourceName") = objEvent.SourceName
objRS("TimeWritten") = objEvent.TimeWritten
objRS("Type") = objEvent.Type
objRS("User") = objEvent.User
objRS.Update
Next
objRS.Close
objConn.Close
Create Unique File Names for Event Log Backups
Backs up and clears the Application event log, generating a unique file name for each backup based on the current date.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Backup)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogfile in colLogFiles
objLogFile.BackupEventLog("c:\scripts\" & strBackupName & _
"_application.evt")
objLogFile.ClearEventLog()
Next
List All Events from an Event Log
Retrieves all the events from the Application event log on a computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Next
List All Stop Events
Queries the System event log for any events written due to a stop event (blue screen).
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System'" _
& " and SourceName = 'SaveDump'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Event date: " & objEvent.TimeGenerated
Wscript.Echo "Description: " & objEvent.Message
Next
List Events For a Specific Day From An Event Log
Retrieves all the events recorded on a specific date from all the event logs.
Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = CDate("2/18/2002")
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For Each objEvent in colEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Wscript.Echo objEvent.LogFile
Next
List Events From a Specific Event Log
Retrieves all the events from the Application event log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
Next
List Event Log Properties
Retrieves a list of properties for all the event logs on a computer, except the Security event log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objInstalledLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For each objLogfile in objInstalledLogFiles
Wscript.Echo "Name: " & objLogfile.LogFileName
Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
If objLogfile.OverWriteOutdated > 365 Then
Wscript.Echo "Overwrite Outdated Records: Never."
ElseIf objLogfile.OverWriteOutdated = 0 Then
Wscript.Echo "Overwrite Outdated Records: As needed."
Else
Wscript.Echo "Overwrite Outdated Records After: " & _
objLogfile.OverWriteOutdated & " days" &
End If
Next
List Events Using an Asynchronous Query
Uses an asynchronous query to retrieve all the events recorded in the event logs.
Const POPUP_DURATION = 10
Const OK_BUTTON = 0
Set objWSHShell = Wscript.CreateObject("Wscript.Shell")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"
Error = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
"Event Retrieval", OK_BUTTON)
Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
WScript.Echo "Asynchronous operation is done."
End Sub
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
Wscript.Echo "Category: " & objEvent.Category
Wscript.Echo "Computer Name: " & objEvent.ComputerName
Wscript.Echo "Event Code: " & objEvent.EventCode
Wscript.Echo "Message: " & objEvent.Message
Wscript.Echo "Record Number: " & objEvent.RecordNumber
Wscript.Echo "Source Name: " & objEvent.SourceName
Wscript.Echo "Time Written: " & objEvent.TimeWritten
Wscript.Echo "Event Type: " & objEvent.Type
Wscript.Echo "User: " & objEvent.User
End Sub
List Specific Events from an Event Log
Retrieves all events with an event code of 6008 from the System event log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
& "EventCode = '6008'")
Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count
List System Event Log Properties
Reports the number of events currently recorded in the System event log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='System'")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.NumberOfRecords
Next
List Security Log Properties
Retrieves properties for the Security event log.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.NumberOfRecords
Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
Next
Modify Event Log Properties
Sets the maximum size of all event logs to 250 megabytes, and enables the log to overwrite any events older than 14 days.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile")
For each objLogfile in colLogFiles
strLogFileName = objLogfile.Name
Set wmiSWbemObject = GetObject _
("winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2:" _
& "Win32_NTEventlogFile.Name='" & strLogFileName & "'")
wmiSWbemObject.MaxFileSize = 2500000000
wmiSWbemObject.OverwriteOutdated = 14
wmiSWbemObject.Put_
Next
Monitor Event Logs in Real Time
Creates a temporary event consumer that monitors event logs for events with an event ID of 533.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate, (Security)}!\\" & _
strComputer & "\root\cimv2")
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("Select * from __instancecreationevent where " _
& "TargetInstance isa 'Win32_NTLogEvent' " _
& "and TargetInstance.EventCode = '533' ")
Do
Set objLatestEvent = colMonitoredEvents.NextEvent
strAlertToSend = objLatestEvent.TargetInstance.User _
& " attempted to access DatabaseServer."
Wscript.Echo strAlertToSend
Loop
Write to a Custom Event Log Using EventCreate
Uses the EventCreate.exe utility to write an event to a custom event log named Scripts.
Set WshShell = WScript.CreateObject("WScript.Shell")
strCommand = "eventcreate /T Error /ID 100 /L Scripts /D " & _
Chr(34) & "Test event." & Chr(34)
WshShell.Run strcommand
Write Events to the Local Event Log
Writes an event to the Application event log on the local computer.
Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
"Payroll application successfully installed."
Write Events to a Remote Event Log
Writes an event to the Application event log on a remote computer named PrimaryServer.
Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
"Payroll application successfully installed." , "\\PrimaryServer"