Advanced Event Log Parsing in WSH - More filtering examples
Let’s take a look at a couple more real-world examples of how you might want to filter results. We’ll begin with the challenge I gave you in the last article: how can you create a script that returns only events for BSODs?
While the Blue Screen Of Death is dreaded by most users, it can be a very informative tool for system administrators and support specialists. The BSOD is usually a very good indicator of specific problems in Windows.
A BSOD also leaves a unique event in the System log. This makes it possible to filter for only those events that represent BSODs, so system and network administrators can monitor these events specifically.
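' "." means the local computer; use a host name to query a remote machine
strComputer = "."
' Connect to the root\cimv2 WMI namespace on that computer
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")
' Return only System log events written by the SaveDump source
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'")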
The secret here is the SourceName property. Every BSOD event has the SourceName value “SaveDump.”
You could do the same thing with any of the properties:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")
' Return only System log events with event code 6008
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' " _
    & "and EventCode = '6008'")
This query will return code 6008 events. These are “Improper Shutdowns.”
Learn to take advantage of the filtering abilities. Take a look at your event log and note the properties for the event or events that you want to monitor and then construct your queries accordingly.
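The two filters above can be combined into one monitoring script. The following is an added example, not code from the original article; it goes one step further by limiting results to a recent time window, and the names DAYS_BACK, EventLabel and CimToDate are hypothetical helpers introduced here.

```vbscript
Option Explicit

Const DAYS_BACK = 7   ' assumed look-back window, not from the article

Dim strComputer, objWMIService, objStart, colEvents, objEvent, strQuery

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")

' TimeGenerated is stored as a CIM datetime string, so the cutoff
' has to be built in that format before it goes into the query.
Set objStart = CreateObject("WbemScripting.SWbemDateTime")
objStart.SetVarDate DateAdd("d", -DAYS_BACK, Now()), True

' BSODs (SourceName SaveDump) or improper shutdowns (EventCode 6008)
strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and (SourceName = 'SaveDump' or EventCode = '6008')" _
    & " and TimeGenerated >= '" & objStart.Value & "'"
Set colEvents = objWMIService.ExecQuery(strQuery)

If colEvents.Count = 0 Then
    WScript.Echo "No matching events in the last " & DAYS_BACK & " days."
End If

For Each objEvent In colEvents
    WScript.Echo CimToDate(objEvent.TimeGenerated) & "  " _
        & objEvent.ComputerName & "  " & EventLabel(objEvent) _
        & "  (event " & objEvent.EventCode & ")"
Next

' Name the event using the same two properties the queries filter on
Function EventLabel(objEvt)
    If objEvt.SourceName = "SaveDump" Then
        EventLabel = "BSOD"
    Else
        EventLabel = "Improper shutdown"
    End If
End Function

' Convert a CIM datetime string to a local VBScript date
Function CimToDate(strCim)
    Dim objDate
    Set objDate = CreateObject("WbemScripting.SWbemDateTime")
    objDate.Value = strCim
    CimToDate = objDate.GetVarDate(True)
End Function
```

Run it with cscript.exe so each event is written to the console instead of opening a message box per line.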