Event Log Script

Status
Not open for further replies.

krammer

IS-IT--Management
Jul 15, 2007
59
US
I'm working on an event log script that will read a list of computers from a text file and export the event log for the "System" log of each computer. It was working well before I added reading from a list of computers... can anyone help? Also, I am looking to maybe add, in the future, an option to select only certain event IDs, more than one.

Code:
'name of this script: logarchive.vbs
'- http://www.ftponline.com/wss/2004_12/magazine/features/kgardinier/page2.aspx
'- http://www.go-itservices.com/Windows_Server_2003_Maintenance_Strategy.pdf
'- http://safari.samspublishing.com/0672326671/index?indexview=L (search: Logs)

'----------------------------------------------------------------------

Dim sFile, sFolder
sFile = "C:\Event Logs\serverlist.txt"
sFolder = "C:\Event Logs"


Dim oFSO, oTS
Set oFSO = CreateObject("Scripting.FileSystemObject")
If Not oFSO.FolderExists(sFolder) Then
	WScript.Echo "Destination folder does not exist"
	WScript.Quit
End If
If Not oFSO.FileExists(sFile) Then
	WScript.Echo "Input file does not exist"
	WScript.Quit
End If

Dim sClient, oWMIService, cLogFiles, oLogfile
Dim errBackupLog, sOutfile
Set oTS = oFSO.OpenTextFile(sFile)
Do Until oTS.AtEndOfStream
	sClient = oTS.ReadLine

'-------------------------------------------------------------------

strArchiveFolder = "C:\EventLogs"
Set WS = CreateObject("Wscript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

DateString = CurrentDate()

Purge = False   'True = clears current logs

'on error resume next
StartTime = Now
Output "---------------------------------"
OutPut "Started at: " & CStr(Now)
Output ""
Set oWMIService = GetObject("winmgmts:" _
	 & "{impersonationLevel=impersonate,(Backup)}!\\" & _
	 sClient & "\root\cimv2")
If Err.Number = 0 Then
  Set colLogs = oWMIService.ExecQuery("select * from Win32_NTEventLogFile",,48)

  For Each refLog In colLogs
       LogName = sClient& "_" & LogFileName(refLog.LogFileName) & _
       "_" & DateString

  If FSO.FileExists(strArchiveFolder & "\" & LogName & ".evt") Then _
     FSO.DeleteFile(strArchiveFolder & "\" & LogName & ".evt")
  If Purge Then
      RetVal = reflog.ClearEventlog(strArchiveFolder & "\" & LogName & ".evt")
  Else
       RetVal = reflog.BackupEventlog(strArchiveFolder & "\" & LogName & ".evt")
  End If
     If RetVal = 0 Then
        Output vbTab & "Log was archived in .evt format: " & LogName & ".evt"
         If Purge Then Output vbTab & "All events were cleared from the log"
     Else
        Output vbTab & "Error while archiving in .evt format."
     End If
  Next
Else
  Output vbTab & "Failed connect to the server"
End If
Set colLogs = Nothing
Set refLogs = Nothing
Set oWMIService = Nothing

Output "----------------------------------------"
OutPut "Finished at: " & CStr(Now)
Output ""
Output ""

Loop
oTS.Close

Set WS = Nothing
Set FullLog = Nothing
Set FSO = Nothing

msgbox "Script Complete!"

WScript.Quit(0)


Function CurrentDate
  Today = Date
  If Month(Today) < 10 Then
    CurrentDate = "0" & CStr(Month(Today))
  Else
    CurrentDate = CStr(Month(Today))
  End If
  If Day(Today) < 10 Then
    CurrentDate = CurrentDate & "0" & CStr(Day(Today))
  Else
    CurrentDate = CurrentDate & CStr(Day(Today))
  End If
  CurrentDate = CurrentDate & CStr(Year(Today))
  If Hour(Time) < 10 Then
    CurrentDate = CurrentDate & "0" & CStr(Hour(Time))
  Else
    CurrentDate = CurrentDate & CStr(Hour(Time))
  End If
End Function

Function LogFileName(LogName)
  Select Case LogName
    'Case "Application"
           'LogFileName = "app"
    'Case "Directory Service"
           'LogFileName = "dir"
    'Case "DNS Server"
           'LogFileName = "dns"
    'Case "File Replication Service"
           'LogFileName = "rep"
    'Case "Security"
           'LogFileName = "sec"
    Case "System"
           LogFileName = "sys"
  End Select
End Function

Sub Output(Text)
End Sub
 
Can you attach the working script before you added the text file code?
 
Sure, here it is:

Code:
strArchiveFolder = "C:\EventLogs"
ServerName = "servername"

Set WS = CreateObject("Wscript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

DateString = CurrentDate()

Purge = False   'True = clears current logs

on error resume next
StartTime = Now
Output "---------------------------------"
OutPut "Started at: " & CStr(Now)
Output ""
Set System = GetObject("winmgmts:{(Backup,Security)}\\" & ServerName & _
"\root\CIMV2")
If Err.Number = 0 Then
  Set colLogs = System.ExecQuery("select * from Win32_NTEventLogFile",,48)

  For Each refLog In colLogs
       LogName = ServerName& "_" & LogFileName(refLog.LogFileName) & _
       "_" & DateString

  If FSO.FileExists(strArchiveFolder & "\" & LogName & ".evt") Then _
     FSO.DeleteFile(strArchiveFolder & "\" & LogName & ".evt")
  If Purge Then
      RetVal = reflog.ClearEventlog(strArchiveFolder & "\" & LogName & ".evt")
  Else
       RetVal = reflog.BackupEventlog(strArchiveFolder & "\" & LogName & ".evt")
  End If
     If RetVal = 0 Then
        Output vbTab & "Log was archived in .evt format: " & LogName & ".evt"
         If Purge Then Output vbTab & "All events were cleared from the log"
     Else
        Output vbTab & "Error while archiving in .evt format."
     End If
  Next
Else
  Output vbTab & "Failed connect to the server"
End If
Set colLogs = Nothing
Set refLogs = Nothing
Set System = Nothing

Output "----------------------------------------"
OutPut "Finished at: " & CStr(Now)
Output ""
Output ""
Set WS = Nothing
Set FullLog = Nothing
Set FSO = Nothing

Function CurrentDate
  Today = Date
  If Month(Today) < 10 Then
    CurrentDate = "0" & CStr(Month(Today))
  Else
    CurrentDate = CStr(Month(Today))
  End If
  If Day(Today) < 10 Then
    CurrentDate = CurrentDate & "0" & CStr(Day(Today))
  Else
    CurrentDate = CurrentDate & CStr(Day(Today))
  End If
  CurrentDate = CurrentDate & CStr(Year(Today))
  If Hour(Time) < 10 Then
    CurrentDate = CurrentDate & "0" & CStr(Hour(Time))
  Else
    CurrentDate = CurrentDate & CStr(Hour(Time))
  End If
End Function

Function LogFileName(LogName)
  Select Case LogName
    Case "Application"
           LogFileName = "app"
    Case "Directory Service"
           LogFileName = "dir"
    Case "DNS Server"
           LogFileName = "dns"
    Case "File Replication Service"
           LogFileName = "rep"
    Case "Security"
           LogFileName = "sec"
    Case "System"
           LogFileName = "sys"
  End Select
End Function

Sub Output(Text)
End Sub
 
Ok, so my problem was here:

strArchiveFolder = "C:\EventLogs"

should be:

strArchiveFolder = "C:\Event Logs"

But...it is only working with my local PC, and not remote ones...
 
Could this be happening because it might be looking for the "Event Logs" folder on each remote machine that I connect to in the loop?
 
The script you posted doesn't work. I've been trying to figure it out and can't. It's like there is something missing but I can't put my finger on it. When you run it, is a file created?
 
Yeah I get the .evt file created...
 
Which one of the scripts that I posted are you trying to run, first or second one?

For both scripts you need to create a folder, "C:\Event Logs", and place the script in there.

For the first one that's reading from the text file, place the text file in that same directory. Each server that you want to connect to will be on a new line in that text file.

Make sure the script has "C:\Event Logs" and not "C:\EventLogs", that was my first mistake.
 
Try this:

Set System = GetObject("winmgmts:{(Backup,Security)}!\\" & ServerName & _
"\root\CIMV2")

When specifying security settings in the moniker you must place an exclamation before the system/namespace section of the moniker.

http://msdn2.microsoft.com/en-us/library/aa389292(VS.85).aspx


PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
I had that in the first script that I posted...but here are some results of testing I did that might help solving the problem:

- When using strArchiveFolder = "C:\Event Logs", it works fine on the local machine, but for a PC in the txt file that's a remote machine, it will put the .evt's on that machine and not the machine you run the script from.

- I changed strArchiveFolder = "\\localPC\C$\Event Logs" , but still did not work with putting the .evt's all in one location.

Maybe this will help...
 
I looked everywhere and can't seem to find any code that will let you do what you want from a remote computer. Copy this code to all the servers you want to save the logs for and use Task Scheduler to run the script when you need the logs backed up. You can also place the .evt files on a centralized share which is your goal anyway. You might want to comment out the code that wipes your existing evt entries.

Code:
'==========================================================================
'
' NAME: DumpEventLogs.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor    
' URL: http://www.thespidersparlor.com
' DATE  : 1/12/2004
' COPYRIGHT (c) 2004 All Rights Reserved
'
' COMMENT: Edit the Destination Server path below to indicate where to dump files to.  
'          Run this script on the server whose event logs are to be saved.
'
' This script and many more are included in 
'               The Spider's Parlor Admin Script Pack
'==========================================================================

Dim DestServer
' Put in the UNC path for where you want the logs to be stored
DestServer = "\\backupserver\C$\Logs\"


'Create the Time variables
sDate=Right("0" & Month(Date),2) _
& "-" & Right("0" & Day(Date),2) _
& "-" & Right(Year(Date),2)

sTime = DatePart("h", Now) & DatePart("n", Now)

set oFSO = CreateObject("Scripting.FileSystemObject")


'If correct folder doesn't exist, make it
if Not oFSO.FolderExists(DestServer & sDate) then
   set oFolder = oFSO.CreateFolder(DestServer & sDate )
end if

'Gets the log files for this machine
strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")


'This section goes out and gets the hostname this is run on for us.

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)

For Each objItem in colItems
  strHOSTNAME = objItem.Name
NEXT


'Now archive the logs, and clear each one only if its backup succeeded
if oFSO.FolderExists(DestServer & sDate) then
  For Each objLogfile in colLogFiles
    strBackupLog = objLogFile.BackupEventLog _
        (DestServer & sDate & "\"  & strHOSTNAME & "_" & objLogFile.LogFileName & "_" & sDate & "_" & sTime & ".evt")
    'BackupEventLog returns 0 on success; never wipe a log that was not saved
    If strBackupLog = 0 Then objLogFile.ClearEventLog()
  Next
end if
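
The behaviour reported earlier in the thread (the path handed to BackupEventLog is resolved on the remote machine, so the .evt lands there) can be worked with instead of around: stage the backup on each server, then pull it over the admin share from the script machine. This is an added example, not code from any poster; the staging folder C:\Windows\Temp, a reachable C$ share and local administrator rights on each server are assumptions.

```vbscript
' Added example, not code from the thread.
Option Explicit
Const LIST_FILE   = "C:\Event Logs\serverlist.txt"  ' list file from the thread
Const CENTRAL_DIR = "C:\Event Logs"                 ' on the script machine
Const STAGE_DIR   = "C:\Windows\Temp"               ' assumed: exists on each server
Const STAGE_SHARE = "C$\Windows\Temp"               ' same folder via the admin share

Dim oFSO, oTS, sClient
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oTS = oFSO.OpenTextFile(LIST_FILE)
Do Until oTS.AtEndOfStream
    sClient = Trim(oTS.ReadLine)
    If sClient <> "" Then WScript.Echo sClient & ": " & PullSystemLog(sClient)
Loop
oTS.Close

Function PullSystemLog(sHost)
    Dim oWMI, oLog, sName, sUnc, rc
    PullSystemLog = "no System log returned"
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup)}!\\" _
        & sHost & "\root\cimv2")
    If Err.Number <> 0 Then PullSystemLog = "connect failed" : Exit Function
    For Each oLog In oWMI.ExecQuery( _
            "Select * from Win32_NTEventLogFile Where LogFileName='System'")
        sName = sHost & "_sys_" & Stamp() & ".evt"
        sUnc = "\\" & sHost & "\" & STAGE_SHARE & "\" & sName
        ' BackupEventLog resolves this path on sHost, not on the script machine.
        rc = oLog.BackupEventLog(STAGE_DIR & "\" & sName)
        If Err.Number <> 0 Or rc <> 0 Then
            PullSystemLog = "backup failed (rc=" & rc & ")" : Exit Function
        End If
        ' The copy runs on the script machine under the caller's own logon.
        oFSO.CopyFile sUnc, CENTRAL_DIR & "\" & sName, True
        If Err.Number <> 0 Then PullSystemLog = "copy failed, left at " & sUnc : Exit Function
        oFSO.DeleteFile sUnc
        PullSystemLog = "saved " & sName
    Next
End Function

Function Stamp()   ' yyyymmddhhnnss, zero padded so names never collide or misorder
    Dim d : d = Now
    Stamp = Year(d) & Right("0" & Month(d), 2) & Right("0" & Day(d), 2) _
        & Right("0" & Hour(d), 2) & Right("0" & Minute(d), 2) & Right("0" & Second(d), 2)
End Function
```

The log is never cleared here; if purging is wanted, do it only after the central copy has been confirmed.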
 
If you don't care about the .evt format of the file, you can use WMI to extract the events to a flat file on the script machine.

I'm actually working on a similar script that will extract only the Warnings and Errors that occurred in the last 24 hours from a set of machines.

PSC

 
Brycspain-

I have looked everywhere too with no luck, but will keep looking. Thanks for that code, I have seen one similar to that as well to move the files.

PScottC-

That would actually be much better and preferred... if it's easy to view in the flat file...

Let me know what you come up with and I'll try to help. I have an "email portion" of the script that I just finished to attach all files of a specified extension and send it...that was mainly for the .evt files when they were all extracted to a central location from each server.
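
A sketch of the flat-file approach discussed above, covering both the "Warnings and Errors from the last 24 hours" idea and the original request to select more than one event ID. It is an added example, not a script from any poster; the output file name and the three sample event IDs are assumptions.

```vbscript
' Added example, not code from the thread.
Option Explicit
Const LIST_FILE = "C:\Event Logs\serverlist.txt"     ' list file from the thread
Const OUT_FILE  = "C:\Event Logs\system_events.csv"  ' assumed output name
Dim aIDs : aIDs = Array(6008, 7031, 7034)            ' sample IDs; Array() = no ID filter

Dim oFSO, oIn, oOut, oStamp, sWql, sClient
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oStamp = CreateObject("WbemScripting.SWbemDateTime")
oStamp.SetVarDate DateAdd("h", -24, Now), True       ' True = value is local time
' EventType 1 = Error, 2 = Warning
sWql = "Select * from Win32_NTLogEvent Where Logfile='System'" & _
       " And (EventType=1 Or EventType=2)" & _
       " And TimeGenerated >= '" & oStamp.Value & "'" & IdFilter(aIDs)
Set oIn = oFSO.OpenTextFile(LIST_FILE)
Set oOut = oFSO.CreateTextFile(OUT_FILE, True)
oOut.WriteLine "Computer,TimeGenerated,Type,EventCode,Source,Message"
Do Until oIn.AtEndOfStream
    sClient = Trim(oIn.ReadLine)
    If sClient <> "" Then Collect sClient
Loop
oIn.Close : oOut.Close

Sub Collect(sHost)            ' events travel back over WMI and are written locally
    Dim oWMI, oEvt
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & sHost & "\root\cimv2")
    If Err.Number <> 0 Then oOut.WriteLine Q(sHost) & ",,,,," & Q("connect failed") : Exit Sub
    For Each oEvt In oWMI.ExecQuery(sWql, , 48)
        oOut.WriteLine Q(sHost) & "," & Q(oEvt.TimeGenerated) & "," & Q(oEvt.Type) _
            & "," & oEvt.EventCode & "," & Q(oEvt.SourceName) & "," & Q(oEvt.Message)
    Next
    If Err.Number <> 0 Then oOut.WriteLine Q(sHost) & ",,,,," & Q("query failed")
End Sub

Function IdFilter(a)          ' builds " And (EventCode=x Or EventCode=y)"
    Dim i, s
    For i = 0 To UBound(a)
        If s <> "" Then s = s & " Or "
        s = s & "EventCode=" & CLng(a(i))   ' CLng keeps non-numeric text out of the query
    Next
    If s <> "" Then IdFilter = " And (" & s & ")"
End Function

Function Q(v)                 ' CSV-quote one field; Null becomes an empty string
    Q = """" & Replace(Replace(Replace("" & v, """", """"""), vbCr, " "), vbLf, " ") & """"
End Function
```

Event message text is quoted but otherwise passed through unchanged, so treat the CSV as untrusted input if it is opened in a spreadsheet.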
 