Advanced Event Log Parsing in WSH
(Page 1 of 4)
In the first part of this series, we took a look at how to parse event logs and write that information to a database. We’re going to build on that script today and show you some more advanced techniques as well as some specific applications for this type of script.
Before we get too involved, let’s revisit the script from the last article:
strComputer = "."    ' "." is the local computer
strConnection = "Provider=Microsoft.Jet.OLEDB.4.0; " _
    & "Data Source=C:\events.mdb"
' Connect to WMI on strComputer and query every event in every event log
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent")
In the first section, we set some variables we'll need later and query the WMI service for all of the events in the event logs.
' Create the Access database file, then open an ADO connection to it
Set objCatalog = CreateObject("ADOX.Catalog")
objCatalog.Create strConnection
Set objCatalog = Nothing
Set oConn = CreateObject("ADODB.Connection")
oConn.Open strConnection
' Options 129 = adCmdText (1) + adExecuteNoRecords (128)
oConn.Execute "CREATE TABLE EventTable(" _
    & "Category INT, " _
    & "ComputerName VARCHAR(50), " _
    & "EventCode INT, " _
    & "Message VARCHAR(100), " _
    & "EventType VARCHAR(50), " _
    & "RecordNumber INT, " _
    & "SourceName VARCHAR(50), " _
    & "TypeDesc VARCHAR(15), " _
    & "UserName VARCHAR(50), " _
    & "TimeGenerated VARCHAR(19), " _
    & "TimeWritten VARCHAR(19)" _
    & ")", , 129
Next, we create the Access database with ADOX and add a table to hold the data. Once the fields are defined we're ready to go.
' 0 = adOpenForwardOnly, 3 = adLockOptimistic
Set objRs = CreateObject("ADODB.Recordset")
objRs.Open "SELECT * FROM EventTable;", oConn, 0, 3
We now create a record set for our database table.
' Date2String is the helper from the first article in this series; it is not shown on this page
For Each objEvent In colEvents
    objRs.AddNew
    objRs("Category") = objEvent.Category
    objRs("ComputerName") = objEvent.ComputerName
    objRs("EventCode") = objEvent.EventCode
    ' The Message column is VARCHAR(100), so longer messages are cut off
    strMessage = objEvent.Message
    If Len(strMessage) > 100 Then strMessage = Left(strMessage, 100)
    objRs("Message") = strMessage
    objRs("EventType") = objEvent.EventType
    objRs("RecordNumber") = objEvent.RecordNumber
    objRs("SourceName") = objEvent.SourceName
    objRs("TypeDesc") = objEvent.Type
    ' User is Null for many system events
    strUser = objEvent.User
    If IsNull(strUser) Then strUser = "N/A"
    objRs("UserName") = strUser
    objRs("TimeGenerated") = Date2String(objEvent.TimeGenerated)
    objRs("TimeWritten") = Date2String(objEvent.TimeWritten)
    objRs.Update
Next
A For Each…Next loop moves through each of the events in the collection returned by our WMI query and adds them to our record set. Note that the Message is cut to 100 characters to fit the VARCHAR(100) column, so the tail of a long message is lost, and a Null User (common for system events) is stored as "N/A".
objRs.Close
oConn.Close
Finally, both the record set and ADODB connection are closed.
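The script calls Date2String but the helper itself is not on this page. As an added example (not the article's own code), here is one way to write it: it converts the WMI DMTF timestamp into the 19-character "yyyy-mm-dd hh:mm:ss" form the TimeGenerated and TimeWritten columns expect and normalises it to UTC, so rows gathered from hosts in different time zones sort in true chronological order. The sample timestamps are constructed; run it with cscript.

```vbscript
Option Explicit

' Convert a WMI DMTF timestamp such as "20240315093045.000000+060"
' (yyyymmddHHMMSS.ffffff followed by the signed offset from UTC in
' minutes) into the 19-character "yyyy-mm-dd hh:mm:ss" form. The offset
' is applied so the stored value is UTC, which keeps rows collected from
' hosts in different time zones in chronological order when sorted.
Function Date2String(dmtf)
    Dim dt, offsetMinutes
    dt = DateSerial(CInt(Left(dmtf, 4)), CInt(Mid(dmtf, 5, 2)), CInt(Mid(dmtf, 7, 2))) _
       + TimeSerial(CInt(Mid(dmtf, 9, 2)), CInt(Mid(dmtf, 11, 2)), CInt(Mid(dmtf, 13, 2)))
    ' DMTF uses "***" for the minutes when the offset is unknown; leave such values as-is.
    If IsNumeric(Mid(dmtf, 23, 3)) Then
        offsetMinutes = CInt(Mid(dmtf, 23, 3))
        If Mid(dmtf, 22, 1) = "-" Then offsetMinutes = -offsetMinutes
        dt = DateAdd("n", -offsetMinutes, dt)
    End If
    Date2String = Pad(Year(dt), 4) & "-" & Pad(Month(dt), 2) & "-" & Pad(Day(dt), 2) _
                & " " & Pad(Hour(dt), 2) & ":" & Pad(Minute(dt), 2) & ":" & Pad(Second(dt), 2)
End Function

' Left-pad a number with zeros to the given width.
Function Pad(n, width)
    Pad = Right(String(width, "0") & n, width)
End Function

' Constructed sample timestamps (not taken from a real log) with the
' expected UTC results. The second one crosses a date boundary.
Dim samples, pair, got
samples = Array( _
    Array("20240315093045.000000+060", "2024-03-15 08:30:45"), _
    Array("20240101001500.000000+600", "2023-12-31 14:15:00"), _
    Array("20240315093045.000000-300", "2024-03-15 14:30:45"), _
    Array("20240315093045.000000+***", "2024-03-15 09:30:45"))

For Each pair In samples
    got = Date2String(pair(0))
    If got = pair(1) Then
        WScript.Echo "ok   " & pair(0) & " -> " & got
    Else
        WScript.Echo "FAIL " & pair(0) & " -> " & got & " (expected " & pair(1) & ")"
    End If
Next
```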
More By Nilpo/Developer Shed Staff Writer