
June 2001

WMI 101: Event Logging



IIS Scripting Solutions

This month, I show you two simple Windows Management Instrumentation (WMI) scripts. Both are based on samples in the WMI software development kit (SDK), which you can download from http://msdn.microsoft.com/downloads/sdks/wmi/default.asp. WMI scripts often come in handy for managing IIS, and because WMI is part of Windows 2000 (and available for Windows NT 4.0 as a separate download), the same scripting interface lets you manage not only IIS but also the server it runs on.

One feature of Windows that has been around since NT 3.1 is the event log. The Application, System, and Security logs record OS, security, and application events. Each log has a fixed maximum size, and what happens when it fills depends on its retention setting: either the oldest events are overwritten, which silently destroys history, or logging stops and new events are dropped. For the Security log the stakes are higher because it is the audit trail; if the CrashOnAuditFail policy is enabled, a full Security log halts the system rather than lose an audit record. So you must manage log size and periodically archive and clear the logs, and you should always archive before you clear. Clearing the Security log is itself audited (event ID 517 on NT 4.0 and Windows 2000), so a clear with no matching backup stands out in the record. A simple WMI script can handle both the backup and the clear.

Using the WMI Sample Scripts
The script listeventsbycode.vbs, which Listing 1 shows, uses WMI to extract specific events from the event logs. This sample script doesn't look for an event in a particular log; it queries the Win32_NTLogEvent class for the given event ID across all logs and displays the results.

To use this script, execute it and pass the event ID that you want to retrieve as its only parameter. For example, to search for event ID 0, type

listeventsbycode.vbs 0

at the command prompt. To search for event ID 414, type

listeventsbycode.vbs 414

at the command prompt. The script reads that parameter into the iEventCode variable (callout A in Listing 1) and uses it as the EventCode value in the query's WHERE clause. Keep in mind that an event ID is only meaningful together with its source: the same number is reused by different sources, so expect hits from several of them.

When the script runs under the default wscript.exe host, each event the script finds appears in a separate dialog box, which is fine for a handful of hits but tedious for hundreds. Run it under cscript.exe instead (cscript listeventsbycode.vbs 414) and the same output goes to the console, where you can redirect it to a file.
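As an added example (my own code, not the article's Listing 1 and not from the WMI SDK), here is a complete script that does what listeventsbycode.vbs does and goes a little further: it takes the event ID as its first argument, optionally a computer name and a number of days as the second and third, queries Win32_NTLogEvent across all logs, and requests the Security privilege so that the Security log is included. The file name listevents.vbs, the argument order, and the Pad2, ToDmtf and EventTypeName helpers are my choices; the time window is built by hand as a DMTF datetime string so the script does not depend on the SWbemDateTime object, which older WMI versions lack.

```vbscript
' listevents.vbs (added example, not the article's Listing 1)
' Finds every event with a given event ID in every event log, optionally on a
' remote computer and optionally only within the last N days.
' Usage: cscript //nologo listevents.vbs <EventCode> [computer] [days]
Option Explicit

Dim args, iEventCode, sComputer, iDays
Set args = WScript.Arguments
If args.Count < 1 Or Not IsNumeric(args(0)) Then
    WScript.Echo "Usage: cscript //nologo listevents.vbs <EventCode> [computer] [days]"
    WScript.Quit 1
End If
iEventCode = CLng(args(0))
sComputer = "."                       ' "." = local machine
If args.Count >= 2 Then sComputer = args(1)
iDays = 0                             ' 0 = no time window
If args.Count >= 3 Then
    If IsNumeric(args(2)) Then iDays = CLng(args(2))
End If

' Reading the Security log needs SeSecurityPrivilege; request it in the
' moniker or the query quietly returns only Application and System events.
Dim objWMI
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
                       sComputer & "\root\cimv2")

' Two-digit zero padding for date parts.
Function Pad2(n)
    Pad2 = Right("0" & n, 2)
End Function

' Builds a DMTF datetime (yyyymmddHHMMSS.mmmmmm+UTCoffset), the form that WQL
' compares against TimeGenerated. iOffset is minutes east of UTC.
Function ToDmtf(dt, iOffset)
    Dim sSign
    If iOffset < 0 Then sSign = "-" Else sSign = "+"
    ToDmtf = Year(dt) & Pad2(Month(dt)) & Pad2(Day(dt)) & _
             Pad2(Hour(dt)) & Pad2(Minute(dt)) & Pad2(Second(dt)) & _
             ".000000" & sSign & Right("000" & Abs(iOffset), 3)
End Function

' Human-readable name for the EventType code.
Function EventTypeName(iType)
    Select Case iType
        Case 1: EventTypeName = "Error"
        Case 2: EventTypeName = "Warning"
        Case 3: EventTypeName = "Information"
        Case 4: EventTypeName = "Audit Success"
        Case 5: EventTypeName = "Audit Failure"
        Case Else: EventTypeName = "Type " & iType
    End Select
End Function

Dim sQuery, objOS, iOffset
sQuery = "SELECT Logfile, TimeGenerated, SourceName, EventType, Message " & _
         "FROM Win32_NTLogEvent WHERE EventCode = " & iEventCode
If iDays > 0 Then
    ' Use the target machine's UTC offset so the window is in its local time.
    For Each objOS In objWMI.ExecQuery("SELECT CurrentTimeZone FROM Win32_OperatingSystem")
        iOffset = objOS.CurrentTimeZone
    Next
    sQuery = sQuery & " AND TimeGenerated >= '" & _
             ToDmtf(DateAdd("d", -iDays, Now), iOffset) & "'"
End If

Dim objEvent, nFound
nFound = 0
For Each objEvent In objWMI.ExecQuery(sQuery)
    nFound = nFound + 1
    WScript.Echo objEvent.Logfile & vbTab & objEvent.TimeGenerated & vbTab & _
                 objEvent.SourceName & vbTab & EventTypeName(objEvent.EventType)
    If Not IsNull(objEvent.Message) Then      ' Message is Null for some events
        WScript.Echo "    " & Replace(objEvent.Message, vbCrLf, " ")
    End If
Next
WScript.Echo nFound & " event(s) with EventCode " & iEventCode & " on " & sComputer
```

For example, cscript //nologo listevents.vbs 529 . 7 lists the last week of failed logons on the local machine (event ID 529 in the Security log on NT 4.0 and Windows 2000). Because the query filters on EventCode server-side, WMI does the work instead of the script walking every record, which matters on a busy server with a large Security log.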

The script backcleareventlog.vbs, which Listing 2 shows, accomplishes two tasks. First, it backs up the Application and System event logs to C:\Temp as files that you can open later with Event Viewer. Second, it clears those event logs. Messages keep you up-to-date on the script's progress.

To use backcleareventlog.vbs, you need to modify a couple of settings. First, if you want to back up and clear logs other than Application and System, change the Select statement that the first line of the script executes; its WHERE clause names the event logs to process. To process the three standard logs, modify it to look like this (touching the Security log also requires the Security privilege in the winmgmts moniker, not just Backup; without it the BackupEventLog call fails with access denied even when you are an administrator):

Set LogFileSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}"). _
    ExecQuery("SELECT * FROM Win32_NTEventLogFile WHERE " & _
              "LogfileName='Application' OR LogfileName='System' OR LogfileName='Security'")

Now backcleareventlog.vbs will process the Security log in addition to the other two.

Second, you might want to change the folder in which the script stores the backup files. To do so, change C:\Temp in the line at callout A in Listing 2 to the folder you want to use. The folder must already exist, and because the WMI event log provider writes the file, the path is relative to the machine that owns the logs, which matters once you run the script against a remote server. Finally, you probably want the script to run with no UI, which is usually the case when you run it from a scheduled job or start it and walk away. The two lines that begin with WScript produce the progress dialog boxes; you can either delete them or comment them out by placing the VBScript comment character, a single quote ('), at the start of each line, which makes the rest of the line nonexecutable. Alternatively, leave them in and run the script under cscript.exe, where WScript.Echo writes to the console instead of opening a dialog box. Whichever you choose, the account that runs the script must hold the Backup privilege (and the Security privilege for the Security log), which in practice means an administrator.
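As an added example (again my own code, not the article's Listing 2), here is a backup-and-clear script that builds in the fixes a practitioner would want: it requests both the Backup and Security privileges, writes each log to a date-and-time-stamped .evt file so that Event Viewer can open it and nothing gets overwritten, accepts an optional computer name and backup folder as arguments, and clears a log only after its BackupEventLog call returns 0. The file name backclear.vbs, the argument order, the default folder C:\Temp\Logs, and the Stamp helper are my choices.

```vbscript
' backclear.vbs (added example, not the article's Listing 2)
' Backs up the Application, System and Security logs to date-stamped .evt files,
' then clears each log only if its backup succeeded.
' Usage: cscript //nologo backclear.vbs [computer] [backup folder]
'   computer       "." (default) = local machine. For a remote name the backup
'                  folder is a path ON THAT machine, because its WMI provider
'                  writes the file.
'   backup folder  default C:\Temp\Logs; must already exist on the target.
Option Explicit

Dim args, sComputer, sFolder
Set args = WScript.Arguments
sComputer = ".": sFolder = "C:\Temp\Logs"
If args.Count >= 1 Then sComputer = args(0)
If args.Count >= 2 Then sFolder = args(1)
If Right(sFolder, 1) <> "\" Then sFolder = sFolder & "\"

' BackupEventLog needs SeBackupPrivilege; the Security log additionally needs
' SeSecurityPrivilege, so both are enabled in the moniker.
Dim objWMI
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup,Security)}!\\" & _
                       sComputer & "\root\cimv2")

' yyyymmdd-HHMMSS: stamping to the second matters because BackupEventLog
' refuses to overwrite an existing file.
Function Stamp(dt)
    Stamp = Year(dt) & Right("0" & Month(dt), 2) & Right("0" & Day(dt), 2) & "-" & _
            Right("0" & Hour(dt), 2) & Right("0" & Minute(dt), 2) & Right("0" & Second(dt), 2)
End Function

Dim colLogs, objLog, sBackupName, iRet, nOk, nFail
nOk = 0: nFail = 0
Set colLogs = objWMI.ExecQuery("SELECT * FROM Win32_NTEventLogFile WHERE " & _
    "LogfileName='Application' OR LogfileName='System' OR LogfileName='Security'")

For Each objLog In colLogs
    sBackupName = sFolder & objLog.LogfileName & "-" & Stamp(Now) & ".evt"
    iRet = objLog.BackupEventLog(sBackupName)
    If iRet <> 0 Then
        ' 8 = privilege missing, 183 = file already exists. Any nonzero value
        ' means there is no safe copy, so the log is left untouched.
        WScript.Echo "FAILED backup of " & objLog.LogfileName & " (return " & iRet & "); not clearing"
        nFail = nFail + 1
    Else
        iRet = objLog.ClearEventLog()
        If iRet = 0 Then
            ' NumberOfRecords was read when the object was enumerated, i.e. before the clear.
            WScript.Echo objLog.LogfileName & ": " & objLog.NumberOfRecords & _
                         " records saved to " & sBackupName & ", log cleared"
            nOk = nOk + 1
        Else
            WScript.Echo objLog.LogfileName & ": backed up but ClearEventLog returned " & iRet
            nFail = nFail + 1
        End If
    End If
Next

WScript.Echo nOk & " log(s) backed up and cleared, " & nFail & " failure(s)"
If nFail > 0 Then WScript.Quit 1   ' nonzero exit code so a scheduler can flag it
```

Schedule it as cscript //nologo backclear.vbs so the progress messages go to the console (or a redirected file) instead of dialog boxes, and check the exit code. The order is deliberate: a clear that runs before a verified backup throws away the audit trail, and on the Security log that loss is itself recorded as a cleared-log event with nothing to show for it.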

WMI Makes Log Management Easy
Managing event logs and other Windows features can be cumbersome when you use only the GUI tools. WMI provides a handy, scriptable way to reach many Windows features, and you can call it from VBScript, JScript, Perl, or any other language that can drive COM automation to perform many more tasks with event logs and other OS features.

As you can see from these examples, you can quickly automate tasks such as backing up or querying an event log. You can also accomplish tasks such as stopping servers and listing services. In particular, the script in Listing 1 shows how to pass parameters to a script, which is handy when a value changes each time the script runs, such as the event ID in this article's example. (Listing 1 queries the Win32_NTLogEvent class, and Listing 2 uses the Win32_NTEventLogFile class, whose BackupEventLog and ClearEventLog methods do the work. For information about Win32_NTLogEvent, see the table at http://msdn.microsoft.com/library/psdk/wmisdk/clasops_4ag5.htm. For more information about scripting, see the Microsoft Windows Script Technologies Web site at http://msdn.microsoft.com/scripting and the Windows Scripting Solutions Web site at http://www.winscriptingsolutions.com.)

In this column, I explore various scripts that automate tasks that IIS administrators often face. In the next issue, I show you how to automatically retrieve the names of all Web sites on one or more servers on a LAN or WAN.




Reader Comments
I have tried your backcleareventlog2.vbs and it works great with the System and Application event logs, but when I add the Security log it fails. The statement it fails on is RetVal = LogFile.BackupEventlog(sBackupName), with an access denied message. Since I am a local admin, I don't understand how this can be.

Kenneth Meyer May 10, 2002


I noticed the same thing as Kenneth. I did some research, and it turns out that you have to add the "Security" privilege to the winmgmts statement like this:

Set LogFileSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Security,Backup)}"). _
    ExecQuery("select * from Win32_NTEventLogFile where " & _
              "LogfileName='Application' OR LogfileName='System' OR LogfileName='Security'")

I hope this code comes out alright (word-wrap - yuk!)

Also the script in the article saves the logs as .log files. By default these files are opened by TextPad. Since the files are meant to be read by Event Viewer, they are not human readable using TextPad. You should change the line in the script that reads:
sBackupName = "C:\Temp\Logs\" & Logfile.LogfileName & dDate & ".log"
to sBackupName = "C:\Temp\Logs\" & Logfile.LogfileName & dDate & ".evt"

To read the files you will need to open Event Viewer, right-click on the top level of the tree, and select Open Log File.

I also found it helpful to insert a date in the file names (ex. Application20030109.evt). Otherwise, the script will overwrite the old log files each time it runs (without prompting the user).

If you would like to see my modified script, you can email me and I'll send it to you.

Cheers,
Sean

Sean Bernard January 10, 2003


Good start then falls short

Koe Wilson October 22, 2003


Can I suggest that the modified scripts by Sean Bernard also be made available?

thanks
Malcolm

Malcolm November 19, 2003


Would you do me a favor?
I want to get only a "specific time" range of the event log by using WMI, for example 05/01/2004-05/15/2004.
I couldn't solve it myself.
Would you mind helping me if you know about this solution?
Sincerely,

kimiok May 19, 2004


Are you able to run this on remote machines? I.e., this runs on machine 1 and pulls the event logs from machines 2 and 3?

flightgod160 July 22, 2004


When processing the Security Log, you must include a different impersonate level.

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Backup, Security)}!\\" & strComputer & "\root\cimv2")

-MikeBlane

Anonymous User January 13, 2005


There are some comments with problems... and no correction or feedback.

Anonymous User May 13, 2005






Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.