Event Log Parsing for the WSH Administrator - Modularizing the script
(Page 2 of 4)
Let's begin by creating a script that pulls the event logs from machines across your network. I suggest working from a static list of machines to interrogate. You could write a script that discovers other machines on its own, but a fixed list is far more reliable and much easier to manage when errors occur, and it guarantees the script only ever connects to machines you chose to put on it.
You can pull machine names from a database or flat file, but for the sake of brevity, I’m just going to create an array to hold them. Again, this can be changed based on your own needs and ease of use.
To make things easier as we progress, let’s take the time now to separate our script into sections. This way we can modify it more easily as we go.
' Connection string for the Jet (Access) database that holds the archive
strConnection = "Provider=Microsoft.Jet.OLEDB.4.0; " _
    & "Data Source=C:\events.mdb"

' Static list of machines to interrogate
arrComputers = Array("machine1", _
                     "machine2", _
                     "machine3")

' Create the database on the first run, otherwise just open it
Set oConn = CreateObject("ADODB.Connection")
Set objFso = CreateObject("Scripting.FileSystemObject")
If objFso.FileExists("C:\events.mdb") Then
    oConn.Open strConnection
Else
    BuildDatabase
End If

' Connect to WMI on the target machine. strComputer is assigned from
' arrComputers when the machines are polled (next section); "." is the
' local machine, used here so the segment runs on its own.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")
The opening segment assigns some variables, creates the database connection and connects to the WMI service. I've also included an If statement that checks whether the database needs to be created first. Two things to keep in mind here. impersonationLevel=impersonate makes WMI act under the account running the script, so run it as an account that can read, and later in the script clear, each machine's logs; for the Security log that means administrative rights or the "Manage auditing and security log" privilege. And once the script is working, C:\events.mdb holds a copy of every machine's logs, so it needs at least the access restrictions the logs themselves have.
Sub BuildDatabase
    ' Create the .mdb file itself through ADOX
    Set objCatalog = CreateObject("ADOX.Catalog")
    objCatalog.Create strConnection
    Set objCatalog = Nothing

    ' Open it and create the table that will hold the archived events.
    ' 129 = adCmdText (1) + adExecuteNoRecords (128): run the DDL
    ' without building a recordset for the result.
    Set oConn = CreateObject("ADODB.Connection")
    oConn.Open strConnection
    oConn.Execute "CREATE TABLE EventTable(" _
        & "Category INT, " _
        & "ComputerName VARCHAR(50), " _
        & "EventCode INT, " _
        & "Message VARCHAR(100), " _
        & "EventType VARCHAR(50), " _
        & "RecordNumber INT, " _
        & "SourceName VARCHAR(50), " _
        & "TypeDesc VARCHAR(15), " _
        & "UserName VARCHAR(50), " _
        & "TimeGenerated VARCHAR(19), " _
        & "TimeWritten VARCHAR(19)" _
        & ")", , 129
End Sub
The next section creates the database and its table; I've moved this into an appropriately named subroutine. The column widths matter in the section that follows: Message is capped at 100 characters, and the two timestamp columns at 19 characters, which is what Date2String must fit when the events are stored.
Sub GetEvents
    ' Every event from every log on the target machine
    Set colEvents = objWMIService.ExecQuery( _
        "SELECT * FROM Win32_NTLogEvent")

    ' 0 = adOpenForwardOnly, 3 = adLockOptimistic: we only add rows
    Set objRs = CreateObject("ADODB.Recordset")
    objRs.Open "SELECT * FROM EventTable;", oConn, 0, 3

    For Each objEvent In colEvents
        objRs.AddNew
        objRs("Category") = objEvent.Category
        objRs("ComputerName") = objEvent.ComputerName
        objRs("EventCode") = objEvent.EventCode
        ' Message has to fit the VARCHAR(100) column
        strMessage = objEvent.Message
        If IsNull(strMessage) Then strMessage = ""
        If Len(strMessage) > 100 Then
            strMessage = Left(strMessage, 100)
        End If
        objRs("Message") = strMessage
        objRs("EventType") = objEvent.EventType
        objRs("RecordNumber") = objEvent.RecordNumber
        objRs("SourceName") = objEvent.SourceName
        objRs("TypeDesc") = objEvent.Type
        ' User is Null for events with no associated account
        strUser = objEvent.User
        If IsNull(strUser) Then strUser = "N/A"
        objRs("UserName") = strUser
        ' Date2String: helper that formats the WMI datetime string for
        ' the VARCHAR(19) columns (not defined in this section)
        objRs("TimeGenerated") = Date2String(objEvent.TimeGenerated)
        objRs("TimeWritten") = Date2String(objEvent.TimeWritten)
        objRs.Update
    Next
    objRs.Close

    ' Clear the logs we have just archived. ClearEventLog is a method of
    ' Win32_NTEventlogFile (one instance per log), not of the event
    ' itself, so it is called once per log after all events are stored.
    Set colLogFiles = objWMIService.ExecQuery( _
        "SELECT * FROM Win32_NTEventlogFile")
    For Each objLogFile In colLogFiles
        objLogFile.ClearEventLog()
    Next
End Sub
In this section we query WMI for events and add them to our database. Again, I've moved this into a subroutine. The last loop clears each log on the machine after it has been archived, so the same events are not archived again the next time the script runs. ClearEventLog belongs to Win32_NTEventlogFile, the class that represents a log file, not to Win32_NTLogEvent, so it is called once per log after every event has been stored rather than once per event.

Be clear about what clearing costs before you keep that loop. The archive becomes the only copy of the events: if the script fails part-way, or a database write did, the events are gone from both places, and any event written between the WMI query and the clear is lost as well. Clearing a log is itself an audited action on the target (the Security log records that it was cleared), so anyone monitoring those machines will see the script doing it. The Message column also keeps only the first 100 characters, which for many security events drops the fields you would want later, such as the account names in a logon event. A less destructive design is to remember the highest RecordNumber archived for each machine and log and add WHERE RecordNumber > n to the WQL query, leaving the logs in place.
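The same archive, as an added example written here in Python rather than the article's VBScript, covering both the table built in BuildDatabase and the loop in GetEvents. It is not code from the article. It assumes a Logfile column (absent from the article's schema) because RecordNumber is only unique within one log on one machine, stores the message in full, normalises WMI's DMTF timestamps to UTC in the 19-character form the schema reserves (an assumption about what the article's Date2String helper produces), and replaces ClearEventLog with a per-log high-water mark: the WQL it builds asks only for events newer than the last one archived. The events, machine names and the in-memory SQLite database are constructed sample data.

```python
"""Incremental event-log archiving with a per-log high-water mark.

Added example in Python, not the article's VBScript. SAMPLE_EVENTS are
constructed records shaped like Win32_NTLogEvent instances; the RecordNumber
watermark replaces the article's ClearEventLog call, so the source log is
never emptied and a re-run stores nothing twice.
"""
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample of what a WQL query might return from two machines.
# Timestamps are WMI DMTF strings: yyyymmddHHMMSS.ffffff+UUU (UUU = minutes from UTC).
SAMPLE_EVENTS = [
    {"ComputerName": "machine1", "Logfile": "Security", "RecordNumber": 101,
     "EventCode": 4624, "EventType": 4, "Type": "Audit Success", "Category": 12544,
     "SourceName": "Microsoft-Windows-Security-Auditing", "User": None,
     "Message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\tS-1-5-18",
     "TimeGenerated": "20240115103045.000000+060", "TimeWritten": "20240115103045.000000+060"},
    {"ComputerName": "machine1", "Logfile": "Security", "RecordNumber": 102,
     "EventCode": 1102, "EventType": 4, "Type": "Audit Success", "Category": 104,
     "SourceName": "Microsoft-Windows-Eventlog", "User": "DOMAIN\\admin",
     "Message": "The audit log was cleared.",
     "TimeGenerated": "20240115103100.000000+060", "TimeWritten": "20240115103100.000000+060"},
    {"ComputerName": "machine2", "Logfile": "System", "RecordNumber": 7,
     "EventCode": 7036, "EventType": 3, "Type": "Information", "Category": 0,
     "SourceName": "Service Control Manager", "User": None,
     "Message": "The Windows Event Log service entered the running state.",
     "TimeGenerated": "20240115023000.000000-300", "TimeWritten": "20240115023000.000000-300"},
]

DMTF_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def dmtf_to_utc(value):
    """DMTF datetime -> 'yyyy-mm-dd hh:mm:ss' in UTC (19 chars, sortable).

    That width matches the article's VARCHAR(19) columns, which is assumed to
    be what its Date2String helper produces; UTC keeps machines in different
    time zones in one order.
    """
    m = DMTF_RE.match(value)
    if not m:
        raise ValueError("not a DMTF datetime: %r" % (value,))
    y, mo, d, h, mi, s = (int(g) for g in m.group(1, 2, 3, 4, 5, 6))
    offset_min = int(m.group(9)) * (1 if m.group(8) == "+" else -1)
    return (datetime(y, mo, d, h, mi, s) - timedelta(minutes=offset_min)
            ).strftime("%Y-%m-%d %H:%M:%S")


# The article's columns plus Logfile: RecordNumber is only unique within one
# log on one machine, so the watermark needs all three. Message is unbounded.
DDL = """CREATE TABLE IF NOT EXISTS EventTable (
    Category INTEGER, ComputerName TEXT NOT NULL, Logfile TEXT NOT NULL,
    EventCode INTEGER, Message TEXT, EventType INTEGER, RecordNumber INTEGER NOT NULL,
    SourceName TEXT, TypeDesc TEXT, UserName TEXT, TimeGenerated TEXT, TimeWritten TEXT,
    UNIQUE (ComputerName, Logfile, RecordNumber))"""


def build_database(path=":memory:"):
    """Create or open the archive (in memory by default for this example)."""
    conn = sqlite3.connect(path)
    conn.execute(DDL)
    return conn


def last_archived(conn, computer, logfile):
    """Highest RecordNumber already stored for one machine's log, 0 if none."""
    row = conn.execute("SELECT MAX(RecordNumber) FROM EventTable "
                       "WHERE ComputerName = ? AND Logfile = ?", (computer, logfile)).fetchone()
    return row[0] or 0


def wql_for(logfile, watermark):
    """WQL asking only for events newer than the watermark: the replacement
    for clearing the log. WQL has no bound parameters, so the log name is
    checked against a strict pattern before it is interpolated."""
    if not re.fullmatch(r"[A-Za-z0-9 _-]+", logfile):
        raise ValueError("unexpected log name: %r" % (logfile,))
    return ("SELECT * FROM Win32_NTLogEvent WHERE Logfile='%s' AND RecordNumber > %d"
            % (logfile, int(watermark)))


def archive_events(conn, events):
    """Store events newer than each (machine, log) watermark; return the count.
    The UNIQUE constraint makes a re-run idempotent even without the watermark,
    and the source log is never touched."""
    added = 0
    key = lambda e: (e["ComputerName"], e["Logfile"], e["RecordNumber"])
    with conn:  # one transaction: either every new row lands or none does
        for ev in sorted(events, key=key):
            if ev["RecordNumber"] <= last_archived(conn, ev["ComputerName"], ev["Logfile"]):
                continue
            cur = conn.execute(
                "INSERT OR IGNORE INTO EventTable VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
                (ev["Category"], ev["ComputerName"], ev["Logfile"], ev["EventCode"],
                 ev["Message"] or "", ev["EventType"], ev["RecordNumber"],
                 ev["SourceName"], ev["Type"],
                 "N/A" if ev["User"] is None else ev["User"],  # the article's IsNull rule
                 dmtf_to_utc(ev["TimeGenerated"]), dmtf_to_utc(ev["TimeWritten"])))
            added += cur.rowcount
    return added


if __name__ == "__main__":
    db = build_database()
    print("first run added:", archive_events(db, SAMPLE_EVENTS))   # 3
    print("second run added:", archive_events(db, SAMPLE_EVENTS))  # 0
    print(wql_for("Security", last_archived(db, "machine1", "Security")))
```

On a real run, wql_for would be called once per machine and log with that machine's watermark and the result passed to ExecQuery, so each poll fetches only what was written since the last one. If the archive write fails, nothing has been cleared on the target and the next run simply picks up where the watermark left off.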
Next: Polling machines across a network >>
More By Nilpo/Developer Shed Staff Writer