
Event Log Scripting

Add WMI Data to an Event Log Entry
Back Up and Clear an Event Log
Back Up and Clear Large Event Logs
Create a Custom Event Log
Copy Event Log Events to a Database
Copy the Previous Day’s Event Log Events to a Database
Create Unique File Names for Event Log Backups
List All Events from an Event Log
List All Stop Events
List Events For a Specific Day From An Event Log
List Events From a Specific Event Log
List Event Log Properties
List Events Using an Asynchronous Query
List Specific Events from an Event Log
List System Event Log Properties
List Security Log Properties
Modify Event Log Properties
Monitor Event Logs in Real Time
Write to a Custom Event Log Using EventCreate
Write Events to the Local Event Log
Write Events to a Remote Event Log


You can use any of the VBScript programs below in ActiveXperts Network Monitor. Click here for an explanation about how to include scripts in ActiveXperts Network Monitor.



Add WMI Data to an Event Log Entry


Writes an event that includes additional information such as user name and the amount of free disk space on the computer.
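' Writes an event to the local Application log that names the user and
' computer involved and lists the free space (in MB) of every logical disk.
'
' NOTE: WshShell.LogEvent type 2 is "Warning" (type 1 is "Error"). The
' constant name is kept from the original sample.
' NOTE: the description embeds the domain, computer and user name, so it is
' visible to anyone who is allowed to read the Application log.
Const EVENT_FAILED = 2

Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colDiskDrives = objWMIService.ExecQuery _
    ("Select * from win32_perfformatteddata_perfdisk_logicaldisk")

' Append one "name free-MB" line per disk. The original assigned instead of
' appending, so only the last instance returned ever reached the event text.
strDriveSpace = ""
For Each objDisk in colDiskDrives
    strDriveSpace = strDriveSpace & objDisk.Name & " " _
        & objDisk.FreeMegabytes & VbCrLf
Next

strEventDescription = "Payroll application could not be installed on " _
    & objNetwork.UserDomain & "\" & objNetwork.ComputerName _
    & " by user " & objNetwork.UserName _
    & ". Free space on each drive is: " & strDriveSpace
objShell.LogEvent EVENT_FAILED, strEventDescription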
	

Back Up and Clear an Event Log


Backs up and clears the Application event log.
' Backs up the local Application event log to c:\scripts\application.evt and
' clears the log only when the backup call reports success (return value 0).
' The (Backup) privilege in the moniker is requested for BackupEventLog.
'
' Clearing a log discards the live copy of the audit trail: keep the backup
' somewhere ordinary users cannot modify, and expect the clear itself to be
' an event that monitoring should account for.
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" _
    & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strLogQuery = _
    "Select * from Win32_NTEventLogFile where LogFileName='Application'"
Set colLogFiles = objWMIService.ExecQuery(strLogQuery)

For Each objLogfile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog = 0 Then
        ' Backup succeeded, so it is safe to empty the live log.
        objLogFile.ClearEventLog()
    Else
        ' Any non-zero result leaves the log untouched.
        Wscript.Echo "The Application event log could not be backed up."
    End If
Next
	

Back Up and Clear Large Event Logs


Backs up and clears an event log if the log file size is larger than 20 megabytes.
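' Backs up and then clears every event log whose file is larger than 20 MB.
' Backups go to c:\scripts\<LogFileName>.evt. The (Backup, Security)
' privileges are requested so the Security log can be handled as well.
'
' Changes from the original sample:
'   * the threshold was 100000 bytes, not the 20 megabytes the description
'     promises;
'   * the result of BackupEventLog was stored but never checked, so a failed
'     backup was still followed by ClearEventLog and the events were lost.

' 20 MB expressed in bytes (VBScript Const accepts literals only).
Const MAX_LOG_BYTES = 20971520

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogFile in colLogFiles
    ' FileSize is a 64-bit WMI property, which the scripting API normally
    ' returns as a string; CDbl forces a numeric comparison.
    If CDbl(objLogFile.FileSize) > MAX_LOG_BYTES Then
        errBackupLog = objLogFile.BackupEventLog _
            ("c:\scripts\" & objLogFile.LogFileName & ".evt")
        If errBackupLog = 0 Then
            objLogFile.ClearEventLog()
        Else
            ' Never clear a log that was not saved first.
            Wscript.Echo "The " & objLogFile.LogFileName _
                & " event log could not be backed up (error " _
                & errBackupLog & "); it was not cleared."
        End If
    End If
Next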
	

Create a Custom Event Log


Creates a custom event log named Scripts.
' Creates a custom event log named "Scripts" by adding a registry key for it
' under the EventLog service. The trailing backslash makes RegWrite create a
' key rather than a named value. Writing under HKLM requires an account with
' administrative rights on the machine.
Const NO_VALUE = Empty
Const SCRIPTS_LOG_KEY = _
    "HKLM\System\CurrentControlSet\Services\EventLog\Scripts\"

Set objShell = WScript.CreateObject("WScript.Shell")
objShell.RegWrite SCRIPTS_LOG_KEY, NO_VALUE
	

Copy Event Log Events to a Database


Retrieves events from all the event logs and records these in a database with the DSN Name of EventLogs.
' Copies every event WMI returns from Win32_NTLogEvent into the table
' EventTable of the ODBC data source "EventLogs", one row per event.
' Values are written through recordset fields, so event text is never
' concatenated into SQL.
' NOTE(review): the moniker requests no (Security) privilege, so Security log
' events are presumably not included - confirm on the target system.

' ADO enumeration values (all three happen to be 3).
Const AD_USE_CLIENT = 3
Const AD_OPEN_STATIC = 3
Const AD_LOCK_OPTIMISTIC = 3

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")

objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = AD_USE_CLIENT
objRS.Open "SELECT * FROM EventTable", objConn, _
    AD_OPEN_STATIC, AD_LOCK_OPTIMISTIC

strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

Set colRetrievedEvents = _
    objWMIService.ExecQuery("Select * from Win32_NTLogEvent")

For Each objEvent in colRetrievedEvents
    ' One new row per event; Update commits it to the database.
    With objRS
        .AddNew
        .Fields("Category") = objEvent.Category
        .Fields("ComputerName") = objEvent.ComputerName
        .Fields("EventCode") = objEvent.EventCode
        .Fields("Message") = objEvent.Message
        .Fields("RecordNumber") = objEvent.RecordNumber
        .Fields("SourceName") = objEvent.SourceName
        .Fields("TimeWritten") = objEvent.TimeWritten
        .Fields("Type") = objEvent.Type
        .Fields("User") = objEvent.User
        .Update
    End With
Next

objRS.Close
objConn.Close
	

Copy the Previous Day’s Event Log Events to a Database


Retrieves events from all the event logs that were recorded on the previous day, and writes these records to a database with the DSN Name EventLogs.
' Copies the events written during the previous calendar day into the table
' EventTable of the ODBC data source "EventLogs", one row per event.
' The window is [yesterday 00:00, today 00:00) in local time.
' NOTE(review): the moniker requests no (Security) privilege, so Security log
' events are presumably not included - confirm on the target system.

' ADO enumeration values (all three happen to be 3).
Const AD_USE_CLIENT = 3
Const AD_OPEN_STATIC = 3
Const AD_LOCK_OPTIMISTIC = 3

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")

objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = AD_USE_CLIENT
objRS.Open "SELECT * FROM EventTable", objConn, _
    AD_OPEN_STATIC, AD_LOCK_OPTIMISTIC

' SWbemDateTime converts VBScript dates to the format WQL compares against.
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True

strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

' The date objects are concatenated directly, as in the original sample.
strWindowQuery = "Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'"
Set colEvents = objWMIService.ExecQuery(strWindowQuery)

For Each objEvent in colEvents
    ' One new row per event; Update commits it to the database.
    With objRS
        .AddNew
        .Fields("Category") = objEvent.Category
        .Fields("ComputerName") = objEvent.ComputerName
        .Fields("EventCode") = objEvent.EventCode
        .Fields("Message") = objEvent.Message
        .Fields("RecordNumber") = objEvent.RecordNumber
        .Fields("SourceName") = objEvent.SourceName
        .Fields("TimeWritten") = objEvent.TimeWritten
        .Fields("Type") = objEvent.Type
        .Fields("User") = objEvent.User
        .Update
    End With
Next

objRS.Close
objConn.Close
	

Create Unique File Names for Event Log Backups


Backs up and clears the Application event log, generating a unique file name for each backup based on the current date.
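' Backs up the Application event log to a file named after today's date
' (c:\scripts\YYYY_M_D_application.evt) and clears the log afterwards.
'
' Change from the original sample: the return value of BackupEventLog is now
' checked. The file name is unique per day only, so a second run on the same
' day finds the file already present; the original cleared the log anyway
' and the events since the first run were lost.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
        strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")

For Each objLogFile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\" & strBackupName & _
        "_application.evt")
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
    Else
        ' Never clear a log that was not saved first.
        Wscript.Echo "The Application event log could not be backed up " _
            & "(error " & errBackupLog & "); it was not cleared."
    End If
Next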
	

List All Events from an Event Log


Retrieves all the events from the Application event log on a computer.
' Prints every event in the local Application event log, one property per
' line of output.
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strEventQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Application'"
Set colLoggedEvents = objWMIService.ExecQuery(strEventQuery)

For Each objEvent in colLoggedEvents
    With objEvent
        Wscript.Echo "Category: " & .Category
        Wscript.Echo "Computer Name: " & .ComputerName
        Wscript.Echo "Event Code: " & .EventCode
        Wscript.Echo "Message: " & .Message
        Wscript.Echo "Record Number: " & .RecordNumber
        Wscript.Echo "Source Name: " & .SourceName
        Wscript.Echo "Time Written: " & .TimeWritten
        Wscript.Echo "Event Type: " & .Type
        Wscript.Echo "User: " & .User
    End With
Next
	

List All Stop Events


Queries the System event log for any events written due to a stop event (blue screen).
' Lists the date and description of every System log event whose source is
' 'SaveDump', which this sample uses to find stop events (blue screens).
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strStopQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'"
Set colLoggedEvents = objWMIService.ExecQuery(strStopQuery)

For Each objEvent in colLoggedEvents
    With objEvent
        Wscript.Echo "Event date: " & .TimeGenerated
        Wscript.Echo "Description: " & .Message
    End With
Next
	

List Events For a Specific Day From An Event Log


Retrieves all the events recorded on a specific date from all the event logs.
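' Prints every event written on one specific day (18 February 2002 here),
' searching all event logs the caller can read, followed by the name of the
' log each event came from.
'
' Change from the original sample: the date was parsed with
' CDate("2/18/2002"), whose result depends on the regional settings of the
' machine running the script (day/month order). DateSerial is unambiguous.
Const CONVERT_TO_LOCAL_TIME = True

Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = DateSerial(2002, 2, 18)
' Query window is [DateToCheck 00:00, next day 00:00).
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next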
	

List Events From a Specific Event Log


Retrieves all the events from the Application event log.
' Retrieves every event stored in the Application event log of the local
' computer and echoes its main properties.
strComputer = "."
strNamespace = "\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!" & strNamespace)

strLogQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Application'"
Set colLoggedEvents = objWMIService.ExecQuery(strLogQuery)

For Each objEvent in colLoggedEvents
    With objEvent
        Wscript.Echo "Category: " & .Category
        Wscript.Echo "Computer Name: " & .ComputerName
        Wscript.Echo "Event Code: " & .EventCode
        Wscript.Echo "Message: " & .Message
        Wscript.Echo "Record Number: " & .RecordNumber
        Wscript.Echo "Source Name: " & .SourceName
        Wscript.Echo "Time Written: " & .TimeWritten
        Wscript.Echo "Event Type: " & .Type
        Wscript.Echo "User: " & .User
    End With
Next
	

List Event Log Properties


Retrieves a list of properties for all the event logs on a computer, except the Security event log.
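' Lists the name, maximum size and overwrite policy of the event logs on the
' local computer. The moniker requests no (Security) privilege, which is why
' the Security log is not reported.
'
' Change from the original sample: the last Echo ended in a dangling "&"
' with nothing after it, which is a syntax error that stops the whole script
' from loading.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set objInstalledLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile in objInstalledLogFiles
    Wscript.Echo "Name: " &  objLogfile.LogFileName
    Wscript.Echo "Maximum Size: " &  objLogfile.MaxFileSize
    ' OverWriteOutdated is a number of days; the sample reads values above
    ' 365 as "never overwrite" and 0 as "overwrite as needed".
    If objLogfile.OverWriteOutdated > 365 Then
        Wscript.Echo "Overwrite Outdated Records: Never."
    ElseIf objLogfile.OverWriteOutdated = 0 Then
        Wscript.Echo "Overwrite Outdated Records: As needed."
    Else
        Wscript.Echo "Overwrite Outdated Records After: " & _
            objLogfile.OverWriteOutdated & " days"
    End If
Next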
	

List Events Using an Asynchronous Query


Uses an asynchronous query to retrieve all the events recorded in the event logs.
' Retrieves the instances of Win32_NTLogEvent asynchronously: WMI delivers
' each event to SINK_OnObjectReady and signals the end of the operation
' through SINK_OnCompleted.
'
' NOTE(review): Microsoft's WMI documentation describes asynchronous calls as
' less secure than semisynchronous ones, because results come back through a
' callback into the client. ExecQuery, as used by the other samples on this
' page, is the usual alternative - confirm which fits your environment.

' Seconds the popup stays open, and the button set it shows (0 = OK only).
Const POPUP_DURATION = 10
Const OK_BUTTON = 0

Set objWSHShell = Wscript.CreateObject("Wscript.Shell")

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' The "SINK_" prefix binds the sink's events to the SINK_* subs below.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"
' Nothing after this popup keeps the script running, so presumably events
' that arrive after it closes are not reported - verify on large logs.
Error = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
    "Event Retrieval", OK_BUTTON)

' Called once when the asynchronous operation has finished.
Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
    WScript.Echo "Asynchronous operation is done."
End Sub

' Called once per retrieved event; echoes the event's main properties.
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
End Sub
	

List Specific Events from an Event Log


Retrieves all events with an event code of 6008 from the System event log.
' Counts the System log events with event code 6008 and reports the total
' as the number of improper shutdowns.
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strShutdownQuery = _
    "Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '6008'"
Set colLoggedEvents = objWMIService.ExecQuery(strShutdownQuery)

intImproperShutdowns = colLoggedEvents.Count
Wscript.Echo "Improper shutdowns: " & intImproperShutdowns
	

List System Event Log Properties


Reports the number of events currently recorded in the System event log.
' Echoes the number of records currently held in the System event log of
' the local computer.
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strLogQuery = "Select * from Win32_NTEventLogFile where LogFileName='System'"
Set colLogFiles = objWMIService.ExecQuery(strLogQuery)

For Each objLogFile in colLogFiles
    intRecordCount = objLogFile.NumberOfRecords
    Wscript.Echo intRecordCount
Next

List Security Log Properties


Retrieves properties for the Security event log.
' Echoes the record count and the maximum size of the Security event log.
' The (Security) privilege in the moniker is requested for access to that
' log, so the script has to run under an account that holds it.
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strLogQuery = _
    "Select * from Win32_NTEventLogFile where LogFileName='Security'"
Set colLogFiles = objWMIService.ExecQuery(strLogQuery)

For Each objLogFile in colLogFiles
    With objLogFile
        Wscript.Echo .NumberOfRecords
        Wscript.Echo "Maximum Size: " &  .MaxFileSize
    End With
Next
	

Modify Event Log Properties


Sets the maximum size of all event logs to 250 megabytes, and enables the log to overwrite any events older than 14 days.
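' Sets the maximum size of every event log to 250 MB and lets each log
' overwrite events that are older than 14 days.
'
' Changes from the original sample:
'   * the size written was 2500000000 bytes (about 2.3 GB), not the 250
'     megabytes the description promises;
'   * each log was fetched a second time through a moniker without the
'     (Security) privilege and with the file path pasted unescaped into the
'     object path; the instance returned by the query is now updated
'     directly, which keeps the privileges of the original connection.
'
' NOTE: a 14-day overwrite window also applies to the Security log here.
' Check it against your audit-retention requirements before deploying.

' 250 MB expressed in bytes (VBScript Const accepts literals only).
Const MAX_LOG_BYTES = 262144000
Const RETENTION_DAYS = 14

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
        strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogFile in colLogFiles
    objLogFile.MaxFileSize = MAX_LOG_BYTES
    objLogFile.OverwriteOutdated = RETENTION_DAYS
    ' Put_ writes the modified instance back to WMI.
    objLogFile.Put_
Next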
	

Monitor Event Logs in Real Time


Creates a temporary event consumer that monitors event logs for events with an event ID of 533.
' Registers a temporary WMI event consumer and echoes an alert each time a
' new event-log record with event code 533 is created. Runs until the script
' host is stopped.
' NOTE(review): 533 is a logon-failure audit event on older Windows versions;
' newer versions presumably report logon failures under a different ID, so
' confirm the code to watch for on the target system.
strComputer = "."
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" _
    & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strEventQuery = "Select * from __instancecreationevent where " _
    & "TargetInstance isa 'Win32_NTLogEvent' " _
    & "and TargetInstance.EventCode = '533' "
Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strEventQuery)

Do While True
    ' NextEvent blocks until a matching event is delivered.
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " attempted to access DatabaseServer."
    Wscript.Echo strAlertToSend
Loop
	

Write to a Custom Event Log Using EventCreate


Uses the EventCreate.exe utility to write an event to a custom event log named Scripts.
' Runs EventCreate.exe to write an Error event with ID 100 and the text
' "Test event." to the custom event log named Scripts.
' The command line is a fixed string; if the description is ever built from
' outside input, it has to be quoted and validated before reaching Run.
Set objShell = WScript.CreateObject("WScript.Shell")

' Doubled quotes produce the literal quotation marks around the description.
strEventText = """Test event."""
strCommand = "eventcreate /T Error /ID 100 /L Scripts /D " & strEventText
objShell.Run strCommand
	

Write Events to the Local Event Log


Writes an event to the Application event log on the local computer.
' Writes a success event (LogEvent type 0) with a fixed message to the
' event log of the local computer.
Const EVENT_SUCCESS = 0

strEventText = "Payroll application successfully installed."

Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, strEventText
	

Write Events to a Remote Event Log


Writes an event to the Application event log on a remote computer named PrimaryServer.
' Writes a success event (LogEvent type 0) with a fixed message to the
' event log of the remote computer \\PrimaryServer. The account running the
' script needs permission to write to that computer's event log.
Const EVENT_SUCCESS = 0

strEventText = "Payroll application successfully installed."
strTargetComputer = "\\PrimaryServer"

Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, strEventText, strTargetComputer