Filtering Event Logs

Status
Not open for further replies.

gmagerr (Technical User, Aug 11, 2001)
Hi Guys

I have this script I'm working on that will go through the security logs of our domain controllers and return event ID 672, category Account Logon. Basically I need to filter the events so that the event ID = 672, the user ID begins with an underscore (_gmagerr, for example) and the pre-authentication type = 2. Here's what I have. It just gets event ID 672. Another thing that would be cool is if it would only return new events. Thanks in advance.

Code:
'==========================================================================
' 
' NAME: Get EventID 672
' 
' AUTHOR: Guy Thomas Modified By Gene Magerr
' EMAIL: genemagerr@hotmail.com
'
' COMMENT:
'
' VERSION HISTORY:
' 1.0  09/21/07  Initial release
'
'==========================================================================
' VBScript Prefix Naming Standard
'==========================================================================
' arr   Array       Contains an array of variables.
' bln   Boolean     Can contain either True or False
' byt   Byte        Integer value in the range of 0 to 255.
' col   Collection  Technically, a collection is not a variable subtype. 
'                   It is mentioned in this table because it is good 
'                   practice to use the col  prefix to indicate a collection. 
'                   Collections are used extensively in system administration
'                   scripts.
' (None)Constant    Constant values contain no prefix and use UPPER Case
'                   letters with underscores. Constants cannot be altered
'                   like normal variables.
' cur   Currency    Range of -922,337,203,685,477.5808 to 
'                   922,337,203,685,477.5807
' dbl   Double      Contains a double-precision floating-point number in 
'                   the range
' dic   Dictionary  Scripting dictionaries
' dtm   Date (Time) either a Date, Time, or Date and Time
' err   Error       Contains an error number value.
' fun   Functions   Programatic Function
' g_    Globals     Variables with global scope
' int   Integer     Contains integer value in the range of -32,768 to 32,767.
' lng   Long        Contains an integer value in the range -2,147,483,648 To
'                   2,147,483,647.
' obj   Object      Contains a reference to an Object.
' sng   Single      Contains a single-precision floating-point number 
' str   String      A variable length string of textual data
' sub   Subroutines Programatting SubRouting
' var   Variant     A variable that can store different data types at 
'                   different times.
'==========================================================================
' VARIABLE DECLARATIONS
'==========================================================================
Option Explicit

Dim objFso, objFolder, objWMI, objEvent, objTextFile, dtmEventDate ' Objects
Dim strFile, strComputer, strFolder, strFileName, strPath, strTimeWritten ' Strings
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents, objEmail

'==========================================================================
' STATIC VARIABLE ASSIGNMENTS
'==========================================================================


'==========================================================================
' MAIN SCRIPT CODE
'==========================================================================
intNumberID = 672 ' Event ID Number
intEvent = 1
intRecordNum = 1

strFileName = "\Event672.txt"
strFolder = "C:\GeneTest"
strPath = strFolder & strFileName

Set objFso = CreateObject("Scripting.FileSystemObject")

If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
   Set objFolder = objFSO.CreateFolder(strFolder)
   Wscript.Echo "Folder created " & strFolder
End If
Set strFile = objFso.CreateTextFile(strPath, True)

Const ForReading = 1

Set objTextFile = objFSO.OpenTextFile("C:\servers.txt", ForReading)

Do Until objTextFile.AtEndOfStream 
    strComputer = objTextFile.Readline

Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security'" )

'Wscript.Echo " Press OK and Wait 30 seconds (ish)"
intEvent = 1
For Each objEvent in colLoggedEvents
If objEvent.EventCode = intNumberID Then

strFile.WriteLine "Record No: " & intEvent
strFile.WriteLine ("Category: " & objEvent.Category)
strFile.WriteLine ("Computer Name: " & objEvent.ComputerName)
strFile.WriteLine ("Event Code: " & objEvent.EventCode)
strFile.WriteLine ("Message: " & objEvent.Message)
strFile.WriteLine ("Record Number: " & objEvent.RecordNumber)
strFile.WriteLine ("Source Name: " & objEvent.SourceName)
'strFile.WriteLine ("Time Written: " & objEvent.TimeWritten)
dtmEventDate = objEvent.TimeWritten
strTimeWritten = WMIDateStringToDate(dtmEventDate)
strFile.WriteLine "Time Written: " & strTimeWritten
strFile.WriteLine ("Event Type: " & objEvent.Type)
strFile.WriteLine ("User: " & objEvent.User)
strFile.WriteLine (" ")
strFile.WriteLine ("===========================================================================")
strFile.WriteLine (" ")
intRecordNum = intRecordNum +1
End if
IntEvent = intEvent +1
Next
Wscript.Echo "Check " & strPath & " for " &intRecordNum & " events"

Loop
objTextFile.Close

Set objEmail = CreateObject("CDO.Message")
objEmail.From = "gmagerr@hotmail.com"
objEmail.To = "gmagerr@hotmail.com"
objEmail.Subject = strComputer & " EventID 672"
intEvent = 1
For Each objEvent in colLoggedEvents
If objEvent.EventCode = intNumberID Then
objEmail.TextBody = objEmail.TextBody & "Record No: " & intEvent & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Category: " & objEvent.Category) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Computer Name: " & objEvent.ComputerName) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Event Code: " & objEvent.EventCode) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Message: " & objEvent.Message) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Record Number: " & objEvent.RecordNumber) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Source Name: " & objEvent.SourceName) & vbCrLf 
'objEmail.TextBody = objEmail.TextBody & ("Time Written: " & objEvent.TimeWritten) & vbCrLf 
dtmEventDate = objEvent.TimeWritten
strTimeWritten = WMIDateStringToDate(dtmEventDate)
objEmail.TextBody = objEmail.TextBody & ("Time Written: " & strTimeWritten) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Event Type: " & objEvent.Type) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("User: " & objEvent.User) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & (" ") & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("===========================================================================") & vbCrLf 
objEmail.TextBody = objEmail.TextBody & (" ") & vbCrLf 
intRecordNum = intRecordNum +1
End if
IntEvent = intEvent +1
Next

objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.server" 
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send

WScript.Quit

'==========================================================================
' SUBS AND FUNCTIONS
'==========================================================================
'==========================================================================
' This function will take the objEvent.TimeWritten which returns the time
' using WMI’s default Universal Time Coordinate format. In other words, 
' you’ll get back results similar to this: 20041025124000.000000-420
' and convert it to the proper date and time format
'==========================================================================
Function WMIDateStringToDate(dtmEventDate)

WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
& " " & Mid (dtmEventDate, 9, 2) & ":" & _
Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, 13, 2))

End Function
 
You should be able to limit a lot of what you are currently getting by playing with your query.

"Select * from Win32_NTLogEvent Where Logfile = 'Security' Where EventCode='672' And User Like '_gmagerr%'"

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
Hi dm, I didn't know you could use Where Logfile='Security' Where EventCode='672'

"Select * from Win32_NTLogEvent Where Logfile = 'Security' And EventCode='672' And User Like '_gmagerr%'"

I thought you could only have one Where condition and had to use Ands. That's really neat!

 
Actually I think you may be right sheepz...must have been my typo. Sorry for the confusion.

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
Oops...that damn trigger finger... should be one Where and then And's

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
Thanks guys
I'd actually like to return all of the users whose accounts start with an underscore. I was just using mine as an example. How would I do that?
Thanks
 
Code:
User Like '_%'

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
No, that query didn't work (User Like '_%'). Here's what I got in return, along with a bunch of other non-admin accounts. When I ran it with (User Like '_gmagerr%') I didn't get anything back, and I know that account has logged in.

Code:
Record No: 1

Category: 9 string Account Logon
ComputerName: DC1
Logfile: Security source Security
EventCode: 672
Message: Authentication Ticket Request:

	User Name:		gmagerr

	Supplied Realm Name:	mydomain

	User ID:			mydomain\gmagerr

	Service Name:		krbtgt

	Service ID:		mydomain\krbtgt

	Ticket Options:		0x40810010

	Result Code:		-

	Ticket Encryption Type:	0x17

	Pre-Authentication Type:	2

	Client Address:		192.168.1.33

	Certificate Issuer Name:	

	Certificate Serial Number:	

	Certificate Thumbprint:	


Record Number: 19184516
Source Name: Security
Time Written: 9/23/2007 6:45:47 AM
EventType: 4
Type: Audit Success
User: NT AUTHORITY\SYSTEM
 
Sorry for the typo:
Code:
User Like '[_]%'

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
Thanks PHV but it didn't work. Here's my query
Code:
Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security' And User Like '[_]%'" )
 
Actually I think we're trying to get the info from the wrong place. The user in the event I posted above is
Code:
User: NT AUTHORITY\SYSTEM
We need to get the user ID that's in the message portion. How do we do that?
Code:
Message: Authentication Ticket Request:

    User Name:        gmagerr

    Supplied Realm Name:    mydomain

    User ID:            mydomain\gmagerr

    Service Name:        krbtgt

    Service ID:        mydomain\krbtgt

    Ticket Options:        0x40810010

    Result Code:        -

    Ticket Encryption Type:    0x17

    Pre-Authentication Type:    2

    Client Address:        192.168.1.33

    Certificate Issuer Name:    

    Certificate Serial Number:    

    Certificate Thumbprint:
 
Instead of: User Like do a search for Message Like

"Select * from Win32_NTLogEvent Where Logfile = 'Security' And Message Like '%gmagerr%'"

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
 
Thanks for the reply, that didn't return any results either. Darn this is a tough one for me.
 
The Like operator is only supported on WinXP and up. What is the OS in question?
 
So Like should operate. In that case, you have a problem with the moniker used to query the Security logfile.

>Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
 
Thanks tsuji. This is what I have now, and it's not working when I put the Like in the query. How can I go about doing this? Could I put objEvent.Message into a variable and then do an InStr to see if the underscore is there? I'm drawing a blank.

Code:
'==========================================================================
' 
' SCRIPT NAME: EventID 672 Security.vbs
' 
' AUTHOR: Gene Magerr
' EMAIL: genemagerr@hotmail.com
'
' COMMENT: Original script by Guy Thomas, Modified by Gene Magerr
'
' VERSION HISTORY:
' 1.0   09/22/07  Initial release
'
'==========================================================================
' VBScript Prefix Naming Standard
'==========================================================================
' arr = Array		Contains an array of variables.
' bln = Boolean     Can contain either True or False
' byt = Byte        Integer value in the range of 0 to 255.
' col = Collection  Technically, a collection is not a variable subtype. 
'                   It is mentioned in this table because it is good 
'                   practice to use the col  prefix to indicate a collection. 
'                   Collections are used extensively in system administration
'                   scripts.
' Constant     		Constant values contain no prefix and use UPPER Case
'                   letters with underscores. Constants cannot be altered
'                   like normal variables.
' cur = Currency    Range of -922,337,203,685,477.5808 to 
'                   922,337,203,685,477.5807
' dbl = Double      Contains a double-precision floating-point number in 
' dic = Dictionary  Scripting dictionaries the range
' dtm = Date (Time) either a Date, Time, or Date and Time
' fun = Functions   Programatic Function
' err = Error       Contains an error number value.
' int = Integer     Contains integer value in the range of -32,768 to 32,767.
' lng = Long        Contains an integer value in the range -2,147,483,648 To
'                   2,147,483,647.
' obj = Object      Contains a reference to an Object.
' sng = Single      Contains a single-precision floating-point number 
' str = String      A variable length string of textual data
' sub = Subroutines Programatting SubRouting
' var = Variant     A variable that can store different data types at 
'                   different times.
' Wsh = Object		Windows Scripting Host Object
' g_  = Globals     Variables with global scope
'==========================================================================
Option Explicit

'==========================================================================
' VARIABLE DECLARATIONS
'==========================================================================
Dim WshShell, WshNetwork, objFSO, objFolder, objFile, objWMI, objEvent, dtmEventDate
Dim strComputer, strFileName, strFile, strFolder, strPath, TestMode, strTimeWritten
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents, objEmail, strServers

'==========================================================================
' If TestMode is set to True, all WScript.Echo messages will be displayed;
' if set to False no messages are displayed. Under Option Explicit the
' assignment has to come after the Dim above.
'==========================================================================
TestMode = True

Set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FilesystemObject")

'==========================================================================
' STATIC VARIABLE ASSIGNMENTS
'==========================================================================
Const ForReading = 1

'==========================================================================
' MAIN SCRIPT CODE
'==========================================================================
strComputer = "."
strFileName = "\Event672.txt"
strFolder = "C:\logs"
strPath = strFolder & strFileName

' Set numbers
intNumberID = 672 ' Event ID Number
intRecordNum = 0


If objFSO.FolderExists(strFolder) Then
Set objFolder = objFSO.GetFolder(strFolder)
Else
Set objFolder = objFSO.CreateFolder(strFolder)
If TestMode = True Then
WScript.Echo "Just created " & strFolder
End If
End If

If objFSO.FileExists(strFolder & strFileName) Then
Set objFile = objFSO.GetFile(strFolder & strFileName)
Else
Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
If TestMode = True Then
WScript.Echo "Just created " & strFolder & strFileName
End If
End If 

Set objFile = Nothing
Set objFolder = Nothing

If TestMode = True Then
Wscript.Echo " Press OK and Wait 30 seconds (ish)"
End If
Set strFile = objFSO.CreateTextFile(strPath, True)

Set strServers = objFSO.OpenTextFile("C:\servers.txt", ForReading)

Do Until strServers.AtEndOfStream 
    strComputer = strServers.Readline

Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security'" )
'"Select * from Win32_NTLogEvent Where Logfile = 'Security' And User Like '_gmagerr%'"
intEvent = 1
For Each objEvent in colLoggedEvents
If objEvent.EventCode = intNumberID Then
If objEvent.EventType=4 Then
strFile.WriteLine "Record No: " & intEvent & vbCrLf
strFile.WriteLine("Category: " & objEvent.Category & " string " & objEvent.CategoryString) 
strFile.WriteLine("ComputerName: " & objEvent.ComputerName) 
strFile.WriteLine("Logfile: " & objEvent.Logfile & " source " & objEvent.SourceName) 
strFile.WriteLine("EventCode: " & objEvent.EventCode) 
strFile.WriteLine("Message: " & objEvent.Message)
strFile.WriteLine("Record Number: " & objEvent.RecordNumber)
strFile.WriteLine("Source Name: " & objEvent.SourceName)
dtmEventDate = objEvent.TimeWritten
strTimeWritten = WMIDateStringToDate(dtmEventDate)
strFile.WriteLine "Time Written: " & strTimeWritten
strFile.WriteLine("EventType: " & objEvent.EventType) 
strFile.WriteLine("User: " & objEvent.User) 
strFile.WriteLine(" ")
strFile.WriteLine("===========================================================================")
strFile.WriteLine(" ")
intRecordNum = intRecordNum +1
End If
End If
intEvent = intEvent + 1 ' count every event examined; resetting to 1 here numbers every record "Record No: 1"
Next
Wscript.Echo "Check " & strPath & " for " & intRecordNum & " events"
Loop

strServers.Close


Set objEmail = CreateObject("CDO.Message")
objEmail.From = "gmagerr@hotmail.com"
objEmail.To = "gmagerr@hotmail.com"
objEmail.Subject = strComputer & " EventID 672"
intEvent = 1
For Each objEvent in colLoggedEvents
If objEvent.EventCode = intNumberID Then
objEmail.TextBody = objEmail.TextBody & "Record No: " & intEvent & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Category: " & objEvent.Category) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Computer Name: " & objEvent.ComputerName) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Event Code: " & objEvent.EventCode) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Message: " & objEvent.Message) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Record Number: " & objEvent.RecordNumber) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Source Name: " & objEvent.SourceName) & vbCrLf 
dtmEventDate = objEvent.TimeWritten
strTimeWritten = WMIDateStringToDate(dtmEventDate)
objEmail.TextBody = objEmail.TextBody & ("Time Written: " & strTimeWritten) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("Event Type: " & objEvent.Type) & vbCrLf
objEmail.TextBody = objEmail.TextBody & ("User: " & objEvent.User) & vbCrLf 
objEmail.TextBody = objEmail.TextBody & (" ") & vbCrLf 
objEmail.TextBody = objEmail.TextBody & ("===========================================================================") & vbCrLf 
objEmail.TextBody = objEmail.TextBody & (" ") & vbCrLf 
intRecordNum = intRecordNum +1
End if
IntEvent = intEvent +1
Next

objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.hotmail.com" 
objEmail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send

WScript.Quit

'==========================================================================
' SUBS AND FUNCTIONS
'==========================================================================
'==========================================================================
' This function will take the objEvent.TimeWritten which returns the time
' using WMI’s default Universal Time Coordinate format. In other words, 
' you’ll get back results similar to this: 20041025124000.000000-420
' and convert it to the proper date and time format
'==========================================================================
Function WMIDateStringToDate(dtmEventDate)

WMIDateStringToDate = CDate(Mid(dtmEventDate, 5, 2) & "/" & _
Mid(dtmEventDate, 7, 2) & "/" & Left(dtmEventDate, 4) _
& " " & Mid (dtmEventDate, 9, 2) & ":" & _
Mid(dtmEventDate, 11, 2) & ":" & Mid(dtmEventDate, 13, 2))

End Function
 
OK, maybe we aren't able to query from the objEvent.Message portion of the script. How about this: could I go through the text file that was created and filter that way? Here are a couple of lines from the text file. How would I filter this to extract only the entries where the user ID was an underscore account, for example domain\_gmagerr? I'd want all of the info for the underscore accounts pulled and, I guess, written to a new text file. Everything between the ==================================== lines.

Help.


Code:
Record No: 1

Category: 9 string Account Logon
ComputerName: SMDC1
Logfile: Security source Security
EventCode: 672
Message: Authentication Ticket Request:

	User Name:		SMEMAIL$

	Supplied Realm Name:	domain.com

	User ID:			domain\SMEMAIL$

	Service Name:		krbtgt

	Service ID:		domain\krbtgt

	Ticket Options:		0x40810010

	Result Code:		-

	Ticket Encryption Type:	0x17

	Pre-Authentication Type:	2

	Client Address:		192.168.2.4

	Certificate Issuer Name:	

	Certificate Serial Number:	

	Certificate Thumbprint:	


Record Number: 19669576
Source Name: Security
Time Written: 9/24/2007 2:09:29 PM
EventType: 4
User: NT AUTHORITY\SYSTEM
 
===========================================================================
 
Record No: 1

Category: 9 string Account Logon
ComputerName: SMDC1
Logfile: Security source Security
EventCode: 672
Message: Authentication Ticket Request:

	User Name:		gmagerr

	Supplied Realm Name:	domain

	User ID:			domain\_gmagerr

	Service Name:		krbtgt

	Service ID:		domain\krbtgt

	Ticket Options:		0x40810010

	Result Code:		-

	Ticket Encryption Type:	0x17

	Pre-Authentication Type:	2

	Client Address:		192.168.5.3

	Certificate Issuer Name:	

	Certificate Serial Number:	

	Certificate Thumbprint:	


Record Number: 19669571
Source Name: Security
Time Written: 9/24/2007 2:09:29 PM
EventType: 4
User: NT AUTHORITY\SYSTEM
 
===========================================================================
 
Record No: 1

Category: 9 string Account Logon
ComputerName: SMDC1
Logfile: Security source Security
EventCode: 672
Message: Authentication Ticket Request:

	User Name:		SMEMAIL$

	Supplied Realm Name:	domain.com

	User ID:			domain\SMEMAIL$

	Service Name:		krbtgt

	Service ID:		domain\krbtgt

	Ticket Options:		0x40810010

	Result Code:		-

	Ticket Encryption Type:	0x17

	Pre-Authentication Type:	2

	Client Address:		172.16.3.88

	Certificate Issuer Name:	

	Certificate Serial Number:	

	Certificate Thumbprint:	


Record Number: 19669563
Source Name: Security
Time Written: 9/24/2007 2:09:28 PM
EventType: 4
User: NT AUTHORITY\SYSTEM
 
===========================================================================
 
I still think you should be able to limit your results by changing your query to look for the specific EventCode and EventType numbers in your query. If you can't search the Message correctly through the query then using a regular expression may help further filter your results.

Code:
Dim RegEx : Set RegEx = New RegExp
RegEx.Pattern = "User ID:.+\\_.+"
RegEx.IgnoreCase = True
RegEx.Global = True

...code

For Each objEvent in colLoggedEvents
' 	If objEvent.EventCode = intNumberID Then ' limit this through your query
' 		If objEvent.EventType=4 Then ' limit this through your query
	If RegEx.Test(objEvent.Message) Then
			strFile.WriteLine "Record No: " & intEvent & vbCrLf
			strFile.WriteLine("Category: " & objEvent.Category & " string " & objEvent.CategoryString)
			strFile.WriteLine("ComputerName: " & objEvent.ComputerName)
			strFile.WriteLine("Logfile: " & objEvent.Logfile & " source " & objEvent.SourceName)
			strFile.WriteLine("EventCode: " & objEvent.EventCode)
			strFile.WriteLine("Message: " & objEvent.Message)
			strFile.WriteLine("Record Number: " & objEvent.RecordNumber)
			strFile.WriteLine("Source Name: " & objEvent.SourceName)
			dtmEventDate = objEvent.TimeWritten
			strTimeWritten = WMIDateStringToDate(dtmEventDate)
			strFile.WriteLine "Time Written: " & strTimeWritten
			strFile.WriteLine("EventType: " & objEvent.EventType)
			strFile.WriteLine("User: " & objEvent.User)
			strFile.WriteLine(" ")
			strFile.WriteLine("===========================================================================")
			strFile.WriteLine(" ")
			intRecordNum = intRecordNum +1
' 		End If
' 	End If
	End If
	intEvent = intEvent + 1 ' count every event examined, not just the matches
Next

--------------------------------------------------------------------------------
dm4ever
My philosophy: K.I.S.S - Keep It Simple Stupid
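The filtering the thread ends up asking for, pulling the user ID and Pre-Authentication Type out of the Message text, splitting the Event672.txt dump on the ==== lines, applying dm4ever's RegExp test, and the original post's wish to report only new events, as an added Python example that is not from any poster in this thread. It reads the dump layout shown above; the three sample records are constructed, and the file names, the `since_record` watermark and the `make_record` builder are assumptions of the example, not anything the script itself does:

```python
import re
import sys

# Added example, not code from the thread: parse the Event672.txt dump the script
# writes, pull "User ID" and "Pre-Authentication Type" out of the Message text,
# and keep only event 672 records for accounts whose name starts with "_" with
# pre-authentication type 2. "Record Number" doubles as a watermark for new events.

SEPARATOR = "=" * 75          # the "=====" line the script writes between records
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z -]*?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)
USER_ID_RE = re.compile(r"User ID:.+\\_.+", re.IGNORECASE)  # dm4ever's pattern, Python flavour


def make_record(no, user, user_id, preauth, client, record_number):
    """Build one record in the dump's layout (constructed sample data, not a real log)."""
    return (f"Record No: {no}\n\nCategory: 9 string Account Logon\nComputerName: SMDC1\n"
            f"Logfile: Security source Security\nEventCode: 672\n"
            f"Message: Authentication Ticket Request:\n\n"
            f"\tUser Name:\t\t{user}\n\n\tSupplied Realm Name:\tdomain\n\n"
            f"\tUser ID:\t\t\t{user_id}\n\n\tService Name:\t\tkrbtgt\n\n"
            f"\tPre-Authentication Type:\t{preauth}\n\n\tClient Address:\t\t{client}\n\n"
            f"\tCertificate Issuer Name:\t\n\n\nRecord Number: {record_number}\n"
            f"Source Name: Security\nTime Written: 9/24/2007 2:09:29 PM\nEventType: 4\n"
            f"User: NT AUTHORITY\\SYSTEM\n")


# Constructed dump: a machine account, an underscore account with pre-auth type 2,
# and an underscore account with a pre-auth type other than 2 (must be excluded).
SAMPLE_DUMP = ("\n" + SEPARATOR + "\n").join([
    make_record(1, "SMEMAIL$", "domain\\SMEMAIL$", 2, "192.168.2.4", 19669576),
    make_record(2, "gmagerr", "domain\\_gmagerr", 2, "192.168.5.3", 19669571),
    make_record(3, "_svcbackup", "domain\\_svcbackup", 0, "172.16.3.88", 19669590),
])


def split_records(dump):
    """One block per event: the script separates records with the SEPARATOR line."""
    return [blk.strip() for blk in dump.split(SEPARATOR) if blk.strip()]


def parse_record(block):
    """'Key: value' lines, both the script's own fields and the tab-indented
    message fields (User ID, Pre-Authentication Type, ...), into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(block)}


def is_underscore_account(user_id):
    """'domain\\_gmagerr' -> the account part after the last backslash starts with '_'."""
    return user_id.rsplit("\\", 1)[-1].startswith("_")


def matches(fields, preauth_type="2", since_record=0):
    """The filter the thread asks for: event 672, pre-auth type 2, underscore
    account, and a record number newer than the last one already processed."""
    try:
        record_number = int(fields.get("Record Number", "0"))
    except ValueError:
        return False
    return (fields.get("EventCode") == "672"
            and fields.get("Pre-Authentication Type") == preauth_type
            and is_underscore_account(fields.get("User ID", ""))
            and record_number > since_record)


def regex_hit(block):
    """dm4ever's RegExp test on the Message text; it checks the user ID only."""
    return USER_ID_RE.search(block) is not None


def newest_record_number(dump):
    """Watermark to persist between runs so the next run reports only new events."""
    numbers = [int(parse_record(b).get("Record Number", "0")) for b in split_records(dump)]
    return max(numbers, default=0)


def filter_dump(dump, since_record=0):
    """Return (fields, raw block) for every record passing matches()."""
    hits = []
    for block in split_records(dump):
        fields = parse_record(block)
        if matches(fields, since_record=since_record):
            hits.append((fields, block))
    return hits


def render(hits):
    """Write the matching records back out in the same separated layout."""
    return ("\n" + SEPARATOR + "\n").join(block for _, block in hits) + "\n"


if __name__ == "__main__":
    # usage: filter_672.py Event672.txt Underscore672.txt [last_record_number]
    src, dst = sys.argv[1], sys.argv[2]
    since = int(sys.argv[3]) if len(sys.argv) > 3 else 0
    with open(src, encoding="utf-8") as fh:
        dump = fh.read()
    hits = filter_dump(dump, since_record=since)
    with open(dst, "w", encoding="utf-8") as fh:
        fh.write(render(hits))
    print(f"{len(hits)} matching events; newest record number {newest_record_number(dump)}")
```

Store the number printed by `newest_record_number` somewhere and pass it back as the third argument on the next run; only records above it are reported, which is the "only new events" behaviour the first post asks for. On the sample, the parsed-field filter keeps just the `_gmagerr` record, while dm4ever's regex alone also accepts the underscore account with a different pre-authentication type, since it never looks at that field.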
 