
How to Retrieve Events For One Day From An Event Log on Windows 2000/NT


Wensi Peng

Mar 26, 2003, 5:43:42 PM
Hi,

The VBScript below is from MS. It requires XP/2003. How can one modify it
to make it run on Windows 2000 Server?

Much Thanks,

Wensi

Retrieve Events For One Day From An Event Log

Description
Retrieves all the events recorded on a specific date from all the event
logs.

Script Code

Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = CDate("2/18/2002")
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next


The System Administration Scripting Guide, part of the Windows .NET Server
Resource Kit. For more information, contact scri...@microsoft.com.

Torgeir Bakken (MVP)

Mar 26, 2003, 7:29:47 PM
Wensi Peng wrote:

> The VBScript below is from MS. It requires XP/2003. How can one modify it
> to make it run on Windows 2000 Server?

Hi

It is the 'WbemScripting.SWbemDateTime' part that is only supported on WinXP and
better.

More on WMI Date and Time Format here:
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/date_and_time_format.asp


Here is a script that will work on pre-WinXP as well:

' Get eventlogs for today and yesterday:

dtmEndDate = CDate(Date)
dtmStartDate = dtmEndDate - 1

' Converting to WMI "date"
dtmEndDate = Year(dtmEndDate) _
    & Right( "00" & Month(dtmEndDate), 2) _
    & Right( "00" & Day(dtmEndDate), 2)

dtmStartDate = Year(dtmStartDate) _
    & Right( "00" & Month(dtmStartDate), 2) _
    & Right( "00" & Day(dtmStartDate), 2)

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next


--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter


Wensi Peng

Mar 27, 2003, 8:17:08 PM
Thank you so much. It works. I would like to retrieve one day's event logs in
the Asynchronous Event Log Query.
That is, combine both scripts. How to do it?


Asynchronous Event Log Query

Description
Uses an asynchronous query to retrieve all the events recorded in all the
event logs. This approach is faster than retrieving a large number of events
using a synchronous query.

Script Code

Const POPUP_DURATION = 10
Const OK_BUTTON = 0
Set objWSHShell = Wscript.CreateObject("Wscript.Shell")

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"
Error = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
    "Event Retrieval", OK_BUTTON)

Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
    WScript.Echo "Asynchronous operation is done."
End Sub

Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
End Sub



Torgeir Bakken (MVP)

Mar 27, 2003, 8:37:25 PM
Wensi Peng wrote:

> Thank you so much. It works. I would like to retrieve one day's event logs in
> the Asynchronous Event Log Query.
> That is, combine both scripts. How to do it?
>
> Asynchronous Event Log Query
>
> Description
> Uses an asynchronous query to retrieve all the events recorded in all the
> event logs. This approach is faster than retrieving a large number of events
> using a synchronous query.

Hi

I suggest using a semisynchronous call adding the wbemFlagForwardOnly flag for
optimization. Combining wbemFlagReturnImmediately with wbemFlagForwardOnly
results in a forward-only enumerator. A forward-only enumerator performs much
faster than the default enumerator, because WMI doesn't maintain references to
objects in the SWbemObjectSet.

When using ExecQuery for large data sets on remote computers, you really *need*
this setting.

ExecQuery("Select ...", "WQL", 48) or ExecQuery("Select ...",, 48)

The WBEM_FLAG_FORWARD_ONLY combined with the WBEM_FLAG_RETURN_IMMEDIATELY flag
sums up to a decimal value of 48 in the iFlag argument in ExecQuery.

If you don't use it for large collections, you risk that the scripts will be dog
slow and in some cases grind to a halt altogether. A snail will be quick in
comparison ;-)


Platform SDK: Windows Management Instrumentation
IWbemServices::ExecQuery
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/iwbemservices_execquery.asp

Calling a Method
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/calling_a_method.asp

Making a Semisynchronous Call with VBScript
http://msdn.microsoft.com/library/en-us/wmisdk/wmi/making_a_semisynchronous_call_with_vbscript.asp

So, in the script I provided, change

Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

to

Set colEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
& dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'",, 48)
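
The two replies above combined into one complete script, as an added example that is not part of the original thread: the pre-WinXP date conversion plus the forward-only semisynchronous query. The helper name ToWmiDate, the choice of yesterday as the day to report, and the (Security) privilege in the moniker are additions made here, not something either poster wrote.

```vbscript
Option Explicit

' Flag values as given in the thread: 16 + 32 = 48.
Const wbemFlagReturnImmediately = 16
Const wbemFlagForwardOnly = 32

Dim strComputer, dtmDay, strStart, strEnd
Dim objWMIService, colEvents, objEvent, lngCount

strComputer = "."            ' assumption: query the local machine
dtmDay = CDate(Date) - 1     ' assumption: report on yesterday

strStart = ToWmiDate(dtmDay)
strEnd = ToWmiDate(dtmDay + 1)

' Reading the Security log through WMI needs the Security privilege.
' Assumption: the account running the script holds it (administrators do).
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

Set colEvents = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & strStart & "' and TimeWritten < '" & strEnd & "'", _
    "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

' A forward-only set can be walked only once and does not support Count,
' so the events are counted inside the loop.
lngCount = 0
For Each objEvent In colEvents
    lngCount = lngCount + 1
    WScript.Echo objEvent.Logfile & " | " & objEvent.TimeWritten _
        & " | " & objEvent.SourceName & " | " & objEvent.EventCode _
        & " | " & objEvent.Type & " | " & objEvent.User
Next
WScript.Echo lngCount & " event(s) from " & strStart & " up to " & strEnd

' Same yyyymmdd conversion as in the thread; no SWbemDateTime needed.
Function ToWmiDate(dtmValue)
    ToWmiDate = Year(dtmValue) _
        & Right("00" & Month(dtmValue), 2) _
        & Right("00" & Day(dtmValue), 2)
End Function
```

Run it with cscript.exe rather than wscript.exe so that each WScript.Echo prints a console line instead of opening a message box.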
