Windows Server - Event log check

Asked By Georg
10-Apr-07 06:28 AM
Hi ,

I am running a script to find the event log errors for a group of servers.

--------------------
Const ForReading = 1
Const ForAppending = 8
Const CONVERT_TO_LOCAL_TIME = True


Set objFSO = CreateObject("Scripting.FileSystemObject")
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = CDate("4/3/2007")
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck -7, CONVERT_TO_LOCAL_TIME

Set objTextFile = objFSO.OpenTextFile _
("C:\servers.txt", ForReading)

Set objTextFile1 = objFSO.OpenTextFile _
("C:\service_status.txt", ForAppending, True)


Set objTextFile2 = objFSO.OpenTextFile _
("C:\log_status.txt", ForAppending, True)

Do Until objTextFile.AtEndOfStream
strNextLine = objTextFile.Readline
arrServiceList = Split(strNextLine , ",")


strComputer = arrServiceList(0)

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")



Set colRunningServices = objWMIService.ExecQuery("Select * from
Win32_Service")

For Each objService in colRunningServices
if  objService.StartMode = "Auto" then
if objService.State= "Stopped" then
objTextFile1.WriteLine arrServiceList(0) &vbtab & objService.DisplayName  &
VbTab & objService.State
End if
End if
Next
Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '"  & dtmStartDate
& "' and TimeWritten < '" & dtmEndDate & "'")


For Each objEvent in colEvents

if  objEvent.Type = "error"  then
objTextfile2.WriteLine  "Computer Name: " & arrServiceList(0) _
& vbtab & objEvent.SourceName _
& vbtab & objEvent.TimeWritten _
& vbtab & objEvent.Type _
& vbtab & objEvent.User
End if
Next


Loop
----------------------------
The problem is this script checks the logs only for the day 4/3/2007.

I want to find the log error for period of time. For example: The time now
to last 7 days. ie. 4/3/2007 to 4/10/2007..

Please help me in this.

Regards,
George.
Windows Server Scripting Discussions
 
DateToCheck
(1)
CONVERT_TO_LOCAL_TIME
(1)
ObjTextFile
(1)
ObjEvent
(1)
SetVarDate
(1)
DtmStartDate
(1)
TimeWritten
(1)
DtmEndDate
(1)
  Richard Mueller [MVP] replied...
10-Apr-07 07:12 AM
To query from 4/3/2007 to 4/10/2007 you should use:

DateToCheck = CDate("4/3/2007")
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck +7, CONVERT_TO_LOCAL_TIME

Or, to make the code more generic, I would suggest:

DateToCheck = Now()
dtmStartDate.SetVarDate DateToCheck -7, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
  Georg replied...
10-Apr-07 09:16 AM
Hi Richard,

I had changed start and end date. But still it is returning the 'error'
events for the day 3/4/2007

The query passing is

Select * from Win32_NTLogEvent Where TimeWritten >=
'20070403091237.000000-240' and TimeWritten < '20070410091237.000000-240'

Please help me in this.

Regards,
George.
  Richard Mueller [MVP] replied...
10-Apr-07 01:48 PM
The query works for me and returns 7 days of events from April 3 through
April 10. The UTC format for dates is independent of the locale setting, so
I don't see how you can get events for March with the query you show. The
UTC format is:

YYYYMMDDhhmmss.xxxxxx-zzz

where YYYY is the four digit year, MM the month, DD the day, hh the hours
(24 hour clock), mm the minutes, ss the seconds, xxxxxx the milliseconds,
and zzz the time zone offset.

One thought. You test for event type "error", but I believe it is "Error".
You might want to use LCase to make the check case insensitive:

If (LCase(objEvent.Type) = "error") Then

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
  Georg replied...
11-Apr-07 08:04 AM
Thanks Richard. The event type 'Error' is case sensitive. Now it returns the
events error for the last 7 days. Thanks for your help.

Regards,
George.
Previous Discussion:  File creation date. No change?
Create New Account
help
Bold = True objExcel.Cells(4, 5).Font.Size = 11 x = 5 y = 1 For Each objEvent in colLoggedEvents If objEvent.Type = "error" or objEvent.Type = "warning" Then strTimeGen = (evtdatetime(objEvent.TimeGenerated)) strLogfile = objEvent.Logfile strType = objEvent.Type strEventCode = objEvent.EventCode srtMessage = Trim( Replace( objEvent.Message, vbCrLf, " ")) y1 = y objExcel.Cells(x, y1).Value = strTimeGen y1 = y1 + 1 objExcel.Cells
Restarted" End if End If Set objSvc = Nothing Sub CreateEvent(intEventNumber, intEventType, strEventSource, strEventMessage) Set objEvent = ScriptContext.CreateEvent() objEvent.EventNumber = intEventNumber objEvent.EventType = intEventType objEvent.EventSource = strEventSource objEvent.Message = strEventMessage ScriptContext.Submit objEvent End Sub - - Jerry MOM Discussions ScriptContext.CreateEvent (1) ScriptContext.Submit (1) ObjEvent.EventSource (1 ObjEvent.EventNumber (1) ObjSvc.StartService (1) ObjEvent.EventType (1) BolGenerateEvent (1) ObjEvent.Message (1) Hi Jerry
objFile.FileSize + " which is OK." End if Next Sub CreateEvent(intEventNumber, intEventType, strEventSource, strEventMessage) Set objEvent = ScriptContext.CreateEvent() objEvent.EventSource = strEventSource objEvent.EventNumber = intEventNumber objEvent.EventType = intEventType objEvent.Message = strEventMessage ScriptContext.Submit objEvent End Sub * ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** Here's my problem: When I run responsetest.exe against the script, I doing wrong? MOM Discussions ScriptContext.CreateEvent (1) ObjWMIService.ExecQuery (1) ScriptContext.Submit (1) ObjWMIService (1) ObjEvent.EventNumber (1) ObjEvent.EventSource (1) ObjEvent.EventType (1) ObjFile.FileSize (1) Hi computerbobster@gmail.com, If you want
ForReading = 1 Const WbemAuthenticationLevelPktPrivacy = 6 strUser = "Administrator" strPassword = "domainadminpassword" Set objFSO = CreateObject("Scripting.FileSystemObject") Set objTextFile = objFSO.OpenTextFile(". \ computers.txt", ForReading) Set objWbemLocator = CreateObject("WbemScripting.SWbemLocator") ' strComputerUser = "Computer" & vbTab & "Logged in User" Do Until objTextFile.AtEndOfStream strComputer = objTextFile.Readline ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ' Insert your code here ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Set objWMIService = objwbemLocator.ConnectServer (strComputer, strNamespace, strUser, strPassword) objWMIService.Security_ strComputer ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ' Start Spooler service. ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = errReturnCode = objService.StartService() ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ' End of your code. ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Loop Wscript.Echo "Done!" objTextFile.Close Line 39 is the rundll32 printui.dll, PrintUIEntry / gd / n \ cmw-file2 \ iR2800-fax suggestions? Thanks in advance, Linn Windows Server Scripting Discussions WbemScripting.SWbemLocator (1) Scripting.FileSystemObject (1) ObjTextFile.AtEndOfStream (1) ObjWMIService.ExecQuery (1) ObjFSO.OpenTextFile (1) WbemAuthenticationLevelPktPrivacy (1) ObjWMIService.Security (1) WScript.Shell WbemAuthenticationLevelPktPrivacy = 6 strUser = "Administrator" strPassword = "domainadminpassword" Dim sCmd(4) Set objFSO = CreateObject("Scripting.FileSystemObject") Set objTextFile = objFSO.OpenTextFile(". \ computers.txt", ForReading) Set objWbemLocator = CreateObject("WbemScripting.SWbemLocator") Do Until objTextFile.AtEndOfStream strComputer = objTextFile.Readline ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ' Insert your code here ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = ' Remove old printer, need to shell out the command. ' = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = sCmd
Discussions ScriptContext.CreateEvent (1) ObjWMIService.ExecQuery (1) ScriptContext.Submit (1) ObjDisk.DeviceID (1) ObjWMIService (1) ObjEvent.EventNumber (1) ObjEvent.EventSource (1) ObjEvent.EventType (1) Hi Andy, here's a little script that gives you back the size 16 CreateEvent 100, EVENT_TYPE_INFORMATION, "Script Test", "Hello world." Sub CreateEvent(intEventNumber, intEventType, strEventSource, strEventMessage) Set objEvent = ScriptContext.CreateEvent() objEvent.EventSource = strEventSource objEvent.EventNumber = intEventNumber objEvent.EventType = intEventType objEvent.Message = strEventMessage ScriptContext.Submit objEvent End Sub - -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Gunter You could try this one out too