Managing 'EventLog' using Visual Basic.NET and VBScript
This article explains how to manage “EventLog” information dynamically using Visual Basic.NET and VBScript. You will learn how to list all events, how to make a backup of the "Eventlog" dynamically, and how to perform many other tasks as well.
A downloadable file for this article is available here.
The sample downloadable solution (zip) was entirely developed using Visual Studio.NET 2003 Enterprise Architect on Windows Server 2003 Standard Edition. But, I am confident that it would work with other versions of Windows (which support .NET 1.1) as well.
I contributed several articles on WMI with VB.NET and VBScript (including the articles on introductory or basic topics of WMI). I even contributed a series (of about six articles) on “WMI Programming on VB.NET” covering several aspects of WMI. I strongly suggest you go through the series, before going through this article.
How to list all events from “EventLog” using Visual Basic.NET
Before getting the information out of “EventLog”, we need to create a wrapper to store the EventLog information. Let us proceed to create a wrapper:
Public Function getEventLogStructure() As DataTable
    Dim dt As New DataTable
    dt.Columns.Add(New DataColumn("Category"))
    dt.Columns.Add(New DataColumn("ComputerName"))
    dt.Columns.Add(New DataColumn("EventCode"))
    dt.Columns.Add(New DataColumn("Message"))
    dt.Columns.Add(New DataColumn("TimeWritten"))
    dt.Columns.Add(New DataColumn("Type"))
    Return dt
End Function
The following method “addEventLog” adds a single row based on the structure you create for the data table using the above method.
Public Sub addEventLog(ByRef dt As DataTable, ByVal Category As String, ByVal ComputerName As String, ByVal EventCode As String, ByVal Message As String, ByVal TimeWritten As String, ByVal Type As String)
    Dim dr As DataRow
    dr = dt.NewRow
    dr("Category") = Category
    dr("ComputerName") = ComputerName
    dr("EventCode") = EventCode
    dr("Message") = Message
    dr("TimeWritten") = TimeWritten
    dr("Type") = Type
    dt.Rows.Add(dr)
End Sub
Once you complete the creation of the wrapper, the following VB.NET code retrieves some minimum information about each event in the “EventLog” on your system.
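Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Try
        Dim searcher As New ManagementObjectSearcher( _
            "root\CIMV2", _
            "SELECT * FROM Win32_NTLogEvent")
        Dim dt As DataTable = globals.getEventLogStructure
        For Each queryObj As ManagementObject In searcher.Get() ' one row per event
            globals.addEventLog(dt, Convert.ToString(queryObj("Category")), Convert.ToString(queryObj("ComputerName")), Convert.ToString(queryObj("EventCode")), _
                Convert.ToString(queryObj("Message")), Convert.ToString(queryObj("TimeWritten")), Convert.ToString(queryObj("Type")))
        Next ' dt now holds the events and is ready to be displayed
    Catch err As ManagementException
        MessageBox.Show("An error occurred while querying for WMI data: " & err.Message)
    End Try
End Sub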
Those who are working with Windows would definitely experience “Blue Screen” errors in some situations (especially when hardware malfunctions occur). We can still get those events using Visual Basic.NET.
To get the event information, I am using the same wrapper I used in the previous section. So, I don’t want to repeat it. The following modification to the above program (in vb.net) would give the required result.
Dim searcher As New ManagementObjectSearcher( _
"root\CIMV2", _
"Select * from Win32_NTLogEvent Where Logfile = 'System'" _
& " and SourceName = 'SaveDump'")
The only difference is that I am trying to filter out the events, which are only “System” events, and the source related to “SaveDump.” When “Blue Screen” errors occur, they dump all the information available at that instance onto the hard disk for future analysis.
The modification to the VBScript would be the following:
Set colItems = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'",,48)
How to make a backup of “EventLog” dynamically using Visual Basic.NET
Making a backup of an “EventLog” is also a part of managing “EventLog” information. Actually we can do this manually using the MMC snap-in. But, our intention is to work through the classic Visual Basic.NET (or VBScript). As we are doing manipulation instead of retrieving information, this section does not need any wrapper to work with.
Let us proceed with the Visual Basic.NET version first:
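Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Try
        Dim classInstance As New ManagementObject("root\CIMV2", "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", Nothing)
        ' Obtain the input parameters; BackupEventlog expects the backup file path in inParams("ArchiveFileName")
        Dim inParams As ManagementBaseObject = classInstance.GetMethodParameters("BackupEventlog")
        ' Execute the method and read its return value
        Dim outParams As ManagementBaseObject = classInstance.InvokeMethod("BackupEventlog", inParams, Nothing)
        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)
    End Try
End Sub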
And here, the script is quite different from some of my scripts available in my previous articles. In the above script, I started working with “InvokeMethod”, which is used to execute a WMI method dynamically! So the following is the most important statement within the above code:
“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass parameters (input parameters) to the “BackupEventLog” method (WMI method) dynamically. Similarly, “outParams” generally contains the result of method execution.
Here is the VBScript version, which would be very similar to the Visual Basic.NET version:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objShare = objWMIService.Get("Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")
Set objInParam = objShare.Methods_("BackupEventlog"). _
    inParameters.SpawnInstance_()
Set objOutParams = objWMIService.ExecMethod("Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", "BackupEventlog", objInParam)
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
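The following is an added example, not part of the original article or its download: a backup routine that passes the ArchiveFileName input parameter, enables the Backup privilege that BackupEventlog needs, and treats only a ReturnValue of 0 plus an existing archive file as success. It goes beyond the article by selecting the log by LogfileName instead of a fixed .Evt path; the module name, function names and the C:\EventLogArchive folder are assumptions.

```vbnet
Imports System
Imports System.IO
Imports System.Management

Module EventLogArchive
    ' Timestamped target so an earlier archive is never overwritten.
    Function ArchivePath(ByVal folder As String, ByVal logName As String, _
                         ByVal stamp As DateTime) As String
        Return Path.Combine(folder, _
            logName & "-" & stamp.ToString("yyyyMMdd-HHmmss") & ".evt")
    End Function

    ' Backs up the log with the given LogfileName and returns the WMI
    ' ReturnValue, or -1 when no such log exists. logName goes straight
    ' into the WQL text, so pass fixed literals only, never user input.
    Function BackupLog(ByVal logName As String, ByVal target As String) As Integer
        Dim scope As New ManagementScope("\\.\root\CIMV2")
        scope.Options.EnablePrivileges = True ' BackupEventlog needs SeBackupPrivilege
        Dim query As New ObjectQuery( _
            "SELECT * FROM Win32_NTEventlogFile WHERE LogfileName = '" & logName & "'")
        Dim searcher As New ManagementObjectSearcher(scope, query)
        For Each logFile As ManagementObject In searcher.Get()
            Dim inParams As ManagementBaseObject = _
                logFile.GetMethodParameters("BackupEventlog")
            inParams("ArchiveFileName") = target
            Dim outParams As ManagementBaseObject = _
                logFile.InvokeMethod("BackupEventlog", inParams, Nothing)
            Return Convert.ToInt32(outParams("ReturnValue"))
        Next
        Return -1
    End Function

    Sub Main()
        ' C:\EventLogArchive is a placeholder folder; it must already exist.
        Dim target As String = _
            ArchivePath("C:\EventLogArchive", "Application", DateTime.Now)
        Try
            Dim rc As Integer = BackupLog("Application", target)
            If rc = 0 AndAlso File.Exists(target) Then
                Console.WriteLine("Archived to {0} ({1} bytes)", _
                    target, New FileInfo(target).Length)
            Else
                Console.WriteLine("Backup failed, ReturnValue {0}; log left untouched.", rc)
            End If
        Catch ex As ManagementException
            Console.WriteLine("WMI error: " & ex.Message)
        End Try
    End Sub
End Module
```

ClearEventlog accepts the same ArchiveFileName input parameter, in which case the log is backed up to that file before it is cleared.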
We have already seen how to take a backup of “EventLog” in the previous section. Now let us look into “clearing an EventLog”. Since we are doing manipulation instead of retrieving information, this section does not need any wrapper to work with.
Let us proceed with the Visual Basic.NET version first:
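Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
    Try
        Dim classInstance As New ManagementObject("root\CIMV2", "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", Nothing)
        Dim inParams As ManagementBaseObject = classInstance.GetMethodParameters("ClearEventlog")
        ' Execute the method and read its return value
        Dim outParams As ManagementBaseObject = classInstance.InvokeMethod("ClearEventlog", inParams, Nothing)
        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)
    End Try
End Sub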
“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass parameters (input parameters) to the “ClearEventLog” method (WMI method) dynamically. Similarly, “outParams” generally contains the result of method execution.
Again, here is the VBScript version, which would be very similar to the Visual Basic.NET version:
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objShare = objWMIService.Get("Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")
Set objInParam = objShare.Methods_("ClearEventlog"). _
    inParameters.SpawnInstance_()
Set objOutParams = objWMIService.ExecMethod("Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", "ClearEventlog", objInParam)
Wscript.echo "ReturnValue: " & objOutParams.ReturnValue
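The following is an added example, not part of the original article: the same Win32_NTLogEvent query pattern used earlier, narrowed to the records Windows itself writes when a log is cleared (event 1102 in the Security log, 517 on Windows Server 2003/XP, and 104 in the System log on Windows Vista and later), so that any use of ClearEventlog can be audited afterwards. The module and function names and the seven-day window are assumptions.

```vbnet
Imports System
Imports System.Management
Imports Microsoft.VisualBasic

Module LogClearAudit
    ' WQL for the "log was cleared" records written since the given time:
    ' Security 1102 (517 on Windows Server 2003/XP) and System 104.
    Function BuildQuery(ByVal since As DateTime) As String
        Dim cutoff As String = ManagementDateTimeConverter.ToDmtfDateTime(since)
        Return "SELECT Logfile, EventCode, TimeGenerated, ComputerName, Message " & _
               "FROM Win32_NTLogEvent WHERE TimeGenerated >= '" & cutoff & "' AND " & _
               "((Logfile = 'Security' AND (EventCode = 1102 OR EventCode = 517)) " & _
               "OR (Logfile = 'System' AND EventCode = 104))"
    End Function

    Sub Main()
        ' WMI returns Security log records only when the caller holds
        ' SeSecurityPrivilege and asks for privileges to be enabled.
        Dim scope As New ManagementScope("\\.\root\CIMV2")
        scope.Options.EnablePrivileges = True
        Dim searcher As New ManagementObjectSearcher(scope, _
            New ObjectQuery(BuildQuery(DateTime.Now.AddDays(-7))))
        Dim hits As Integer = 0
        Try
            For Each evt As ManagementObject In searcher.Get()
                Dim written As DateTime = ManagementDateTimeConverter.ToDateTime( _
                    Convert.ToString(evt("TimeGenerated")))
                ' First line of the message, e.g. "The audit log was cleared."
                Dim summary As String = _
                    Convert.ToString(evt("Message")).Split(ControlChars.Lf)(0).Trim()
                Console.WriteLine("{0:yyyy-MM-dd HH:mm:ss}  {1,-8} {2,5}  {3}  {4}", _
                    written, evt("Logfile"), evt("EventCode"), evt("ComputerName"), summary)
                hits += 1
            Next
            Console.WriteLine("{0} log-clear record(s) in the last 7 days.", hits)
        Catch ex As ManagementException
            Console.WriteLine("WMI query failed: " & ex.Message)
        Catch ex As UnauthorizedAccessException
            Console.WriteLine("Access denied: run elevated to read the Security log.")
        Finally
            searcher.Dispose()
        End Try
    End Sub
End Module
```

Event IDs are only unique per source, so read the printed message line before treating a System 104 hit as a log clear.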
We have already seen how to take a backup of “EventLog” in the previous sections. Now let us look into “copying an EventLog into a text file.” Even this section does not need any wrapper, as we are not retrieving any information.
Let us proceed with the Visual Basic.NET version first:
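Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
    Try
        Dim classInstance As New ManagementObject("root\CIMV2", "Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", Nothing)
        Dim inParams As ManagementBaseObject = classInstance.GetMethodParameters("Copy")
        inParams("FileName") = "c:\sample.txt"
        Dim outParams As ManagementBaseObject = classInstance.InvokeMethod("Copy", inParams, Nothing)
        MessageBox.Show("Return Value " & Convert.ToString(outParams("ReturnValue")))
    Catch err As ManagementException
        MessageBox.Show("An error occurred while trying to execute the WMI method: " & err.Message)
    End Try
End Sub
“inParams” (which is of type System.Management.ManagementBaseObject) is mainly used to pass parameters (input parameters) to the “Copy” method (WMI method) dynamically. Now we are trying to pass a file name as part of the input parameter (which is a bit different from previous sections). The input parameter is assigned as follows: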
inParams("FileName") = "c:\sample.txt"
Similarly, “outParams” generally contains the result of method execution.
Here is the VBScript version, which is very similar to the Visual Basic.NET version:
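strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objShare = objWMIService.Get("Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'")
Set objInParam = objShare.Methods_("Copy").inParameters.SpawnInstance_()
objInParam.Properties_.Item("FileName") = "c:\sample.txt"
Set objOutParams = objWMIService.ExecMethod("Win32_NTEventlogFile.Name='C:\WINDOWS\system32\config\AppEvent.Evt'", "Copy", objInParam)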
How about deleting, compressing, and similar types of operations on “EventLog” using Visual Basic.NET?
As the coding is quite similar to the above for the features like deleting, compressing, and so on, I just wanted to provide some of the most useful methods available within the “Win32_NTEventLogFile” class. By using these methods, you can still write your own routines, which could be the extensions of the above routines.
Following is the list of methods in the class “Win32_NTEventLogFile”, which you might find useful:
Compress
CompressEx
Copy
CopyEx
Delete
DeleteEx
Rename
UnCompress
UnCompressEx
You need to check through the MSDN library for the parameters of the methods along with descriptions and usage. But the program skeleton to work with the above methods will be very similar to the ones I provided above.
Currently, I used VB.NET (especially for programmers) and VBScript (for system administrators) to manage the EventLog. But if you would like to manage EventLog remotely using the web, I suggest you use ASP.NET. The coding will be very similar to that of VB.NET. But be sure to make some modifications towards ASP.NET security to work with EventLog. Further, you can extend the same to the PocketPC level, just to manage EventLog, by developing a Smart Device application.
Any comments, suggestions, bugs, errors, feedback etc. are highly appreciated at jag_chat@yahoo.com.