Event Log Parsing for the WSH Administrator - Monitoring event logs
Let’s take a look at how to create a logon script that monitors the event logs. We’re going to add an extra feature to have the script send an email notification if it detects a warning or error event.
strComputer = "."
' Connect to WMI on the local machine; the (Security) privilege is needed to read the Security log.
' The original text lost the backslashes in the moniker; they are restored here.
Set objWMIService = GetObject("winmgmts:{(Security)}!\\" & strComputer _
    & "\root\cimv2")
' The parentheses around the OR are required: AND binds more tightly than OR,
' so without them the query does not express "NT log event that is Warning or Error".
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM __InstanceCreationEvent WHERE " _
    & "TargetInstance ISA 'Win32_NTLogEvent' " _
    & "AND (TargetInstance.Type = 'Warning' " _
    & "OR TargetInstance.Type = 'Error')")
Do While True
    ' NextEvent blocks until a matching event is written
    Set objEvent = colEvents.NextEvent()
    strUser = objEvent.User
    If IsNull(strUser) Then strUser = "N/A"
    strMessage = objEvent.Message
    If IsNull(strMessage) Then strMessage = ""
    ' Keep the notification short: only the first 100 characters of the message
    If Len(strMessage) > 100 Then
        strMessage = Left(strMessage, 100)
    End If
    intResult = EmailNotify(objEvent.Category, _
        objEvent.ComputerName, _
        objEvent.EventCode, _
        strMessage, _
        objEvent.EventType, _
        objEvent.RecordNumber, _
        objEvent.SourceName, _
        objEvent.Type, _
        strUser, _
        Date2String(objEvent.TimeGenerated), _
        Date2String(objEvent.TimeWritten))
Loop
The base script, shown above, connects to the WMI service and issues an event notification query. This is event-driven scripting: the script does nothing until a new event that matches the query is written, at which point NextEvent returns and the loop body runs. Because it loops forever, the script keeps running for as long as the computer is on.
If the event is a Warning or Error type event, the event's details are passed to the EmailNotify function.
Function EmailNotify(intCategory, strComputerName, intEventCode, strMessage, strEventType, intRecordNumber, strSourceName, strTypeDesc, strUserName, strTimeGenerated, strTimeWritten)
    ' Build a plain-text body, one "Name: value" line per event property
    strBody = "Category: " & CStr(intCategory) & vbCrLf
    strBody = strBody & "ComputerName: " & strComputerName & vbCrLf
    strBody = strBody & "EventCode: " & CStr(intEventCode) & vbCrLf
    strBody = strBody & "Message: " & strMessage & vbCrLf
    strBody = strBody & "EventType: " & strEventType & vbCrLf
    strBody = strBody & "RecordNumber: " & CStr(intRecordNumber) & vbCrLf
    strBody = strBody & "SourceName: " & strSourceName & vbCrLf
    strBody = strBody & "TypeDesc: " & strTypeDesc & vbCrLf
    strBody = strBody & "User: " & strUserName & vbCrLf
    strBody = strBody & "TimeGenerated: " & strTimeGenerated & vbCrLf
    strBody = strBody & "TimeWritten: " & strTimeWritten & vbCrLf
    ' Send the message with CDO through an SMTP server (sendusing = 2 means "send via the network")
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = "Notify Script <notify@mymail.com>"
    objEmail.To = "admin@mymail.com"
    objEmail.Subject = "New Event Notification"
    objEmail.Textbody = strBody
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = _
        "smtp.mymail.com"
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmail.Configuration.Fields.Update
    objEmail.Send
    Set objEmail = Nothing
    EmailNotify = 1
End Function
This function assembles the event details into an email message that is sent to an administrator using CDO. Be sure to change the sender address, the destination address and the SMTP server to match your configuration.
' WMI returns dates as CIM_DATETIME strings: yyyymmddHHMMSS.ffffff+UUU
' (the last part is the offset from UTC in minutes). This function keeps only
' the date and time fields and reformats them as mm/dd/yyyy hh:mm:ss.
Function Date2String(objTime)
    yyyy = Left(objTime, 4)
    mm = Mid(objTime, 5, 2)
    dd = Mid(objTime, 7, 2)
    hh = Mid(objTime, 9, 2)
    min = Mid(objTime, 11, 2)
    sec = Mid(objTime, 13, 2)
    Date2String = mm & "/" & dd & "/" & yyyy & " " & hh & ":" & min & ":" & sec
End Function
You'll also need the Date2String function to turn the raw WMI timestamps into friendly date and time stamps.
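The two helpers above, Date2String and the body-building half of EmailNotify, are the parts of the script that actually transform data, so they are the parts worth testing off the box. The following is an added example written for this article, not code from the original script: it re-implements the same logic in Python so it can run anywhere with a constructed event record. Unlike the VBScript version it parses the full CIM_DATETIME layout, including the UTC offset, so the timestamp in the notification can also be reported in UTC, which matters when events from machines in different time zones end up in one mailbox. The field names, the 100-character cut-off and the "N/A" substitution follow the article; the sample event and the parse_cim_datetime and build_body names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME as returned by WMI: yyyymmddHHMMSS.ffffff+UUU, where UUU is the
# signed offset from UTC in minutes (for example "-300" for UTC-5).
_CIM_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")

MAX_MESSAGE = 100  # same cut-off the article's script applies to Message


def parse_cim_datetime(value: str) -> datetime:
    """Parse a WMI CIM_DATETIME string into a timezone-aware datetime."""
    m = _CIM_RE.match(value)
    if not m:
        raise ValueError(f"not a CIM_DATETIME value: {value!r}")
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    minutes = int(off) if sign == "+" else -int(off)
    tz = timezone(timedelta(minutes=minutes))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)


def date2string(value: str) -> str:
    """Same mm/dd/yyyy hh:mm:ss layout as the article's Date2String, from a real parse."""
    return parse_cim_datetime(value).strftime("%m/%d/%Y %H:%M:%S")


def utc_string(value: str) -> str:
    """The same instant normalised to UTC, which the VBScript helper discards."""
    return parse_cim_datetime(value).astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_body(event: dict) -> str:
    """Assemble the notification text exactly as EmailNotify does, with Null handling.

    `event` mirrors the Win32_NTLogEvent properties the script reads; a missing
    or None User becomes "N/A" and a None Message becomes "" before truncation.
    """
    user = event.get("User")
    if user is None:
        user = "N/A"
    message = event.get("Message") or ""
    if len(message) > MAX_MESSAGE:
        message = message[:MAX_MESSAGE]
    lines = [
        f"Category: {event['Category']}",
        f"ComputerName: {event['ComputerName']}",
        f"EventCode: {event['EventCode']}",
        f"Message: {message}",
        f"EventType: {event['EventType']}",
        f"RecordNumber: {event['RecordNumber']}",
        f"SourceName: {event['SourceName']}",
        f"TypeDesc: {event['Type']}",
        f"User: {user}",
        f"TimeGenerated: {date2string(event['TimeGenerated'])}",
        f"TimeGeneratedUTC: {utc_string(event['TimeGenerated'])}",
        f"TimeWritten: {date2string(event['TimeWritten'])}",
    ]
    # CDO's Textbody used vbCrLf line endings; keep the same convention
    return "\r\n".join(lines) + "\r\n"


# Constructed sample event (hypothetical values, not from a real log).
SAMPLE_EVENT = {
    "Category": 0,
    "ComputerName": "WS01",
    "EventCode": 7034,
    "Message": "The Example Service service terminated unexpectedly. " * 4,
    "EventType": 1,
    "RecordNumber": 4242,
    "SourceName": "Service Control Manager",
    "Type": "Error",
    "User": None,
    "TimeGenerated": "20240115093045.123456-300",
    "TimeWritten": "20240115093046.000000-300",
}

if __name__ == "__main__":
    print(build_body(SAMPLE_EVENT))
```

Running the block prints the same eleven lines the VBScript EmailNotify would mail, plus a TimeGeneratedUTC line; with the sample above the Message line is cut at 100 characters and the User line reads "N/A". Sending is deliberately left out so the function stays testable; feeding the returned string to CDO or smtplib is a one-line addition.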
There you have it. Two scripts that a network administrator can use to monitor or track the event logs for machines within their network. Making use of scripts like this will improve your efficiency and keep you in closer contact with the machines you service.
Good luck maintaining your machines. Until next time…keep coding!