The VBScript Network and Systems Administrator's Cafe:

Win32_NTLogEvent

Apr 20 2009   1:44PM GMT

Parsing the Windows Event log for specific data



Posted by: Jerry Lees
Eventlogs, Win32_NTLogEvent, System Administration, systems management, VBScript

If you’ve ever tried to find a specific event log entry on a system, you know what a chore it can be. Sure, you can filter on the event ID and get closer, but some applications (and system components) log every event from the same source under the same event ID.

IIS is terribly bad about this! Additionally, Microsoft’s search filtering isn’t powerful enough to search in the event description or the event message. The script below solves that problem!

GetLogInfo "ServerName", "EventID", "application", "20081218"

Function GetLogInfo(StrComputer1, EventID, EventLogType, YYYYMMDD)

 Dim objWMIService, colItems, objItem
 Dim TempStr

 On Error Resume Next
  ' error control block
  ' Connect to the WMI service on the target server
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}//" & StrComputer1 & "\root\cimv2")
  ' Fetch the events with the given event ID from the given log
  Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where EventCode=" & EventID & " and logfile='" & EventLogType & "'")
  For Each objItem in colItems
       TempStr = ""
       ' TimeGenerated begins with YYYYMMDD, so compare its first 8 characters
       If Mid(objItem.TimeGenerated,1,8) = YYYYMMDD Then
         TempStr = objItem.Message
         ' Replace changes the string only when the timeout text is present
         If Replace(TempStr,"Exception message: Request timed out.","") <> TempStr Then
            ' Keep the text after "Request URL: " and cut it off after ".aspx"
            TempStr = Mid(TempStr,InStr(1,TempStr,"Request URL: ")+13, 100)
            TempStr = Mid(TempStr,1,InStr(1,TempStr,".aspx")+4)
            WScript.Echo StrComputer1 & "," & TempStr
         End If
       End If
  Next
 On Error GoTo 0
End Function

Jan 2 2009   3:01AM GMT

Searching the Windows Eventlog for specific events with WMI



Posted by: Jerry Lees
Win32_NTLogEvent, WMI, Windows Management Interface, VBScript, Systems Administration, systems management

On occasion, as a systems administrator, you have to find the proverbial needle in the haystack among the events in the event logs. You know what I mean: the one event you care about and need to know when it occurred as part of your troubleshooting… then throw in that you need to do it on many servers. That’s a mess!

Sure, you can use Event Viewer and pull out some superadmin skills to filter the events to only see the ones you want, but you’re still only looking at one server at a time! Yes, you could export the events from multiple servers to a CSV file and then compile them into one Excel spreadsheet, but that would take hours to do.

What if I told you there was a way to do it with VBScript? How much would you expect to pay? Three easy payments of 19.99?? … WAIT, don’t answer because it’s FREE!

The script below defines and calls a function named GetLogInfo that writes the requested event information to the standard output (the console). The function uses the Win32_NTLogEvent class from, you guessed it, our lifelong friend WMI! It accepts four inputs, in order: a string that is the name of the server, the Event ID that you are looking for, the specific event log you want to search, and the date in YYYYMMDD format. (Hint: if you have custom event logs on your server, or it is a DNS server or a Domain Controller, you can specify the name of the log instead of Application, System, or Security to get at the log information.)

Here is the script I wrote:

GetLogInfo "ServerName", "1309", "application", "20081218"

Function GetLogInfo(StrComputer1, EventID, EventLogType, YYYYMMDD)

    Dim objWMIService, colItems, objItem
    Dim TempStr

    On Error Resume Next
    ' error control block
    ' Connect to the WMI service on the target server
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
    StrComputer1 & "\root\cimv2")
    ' Fetch the events with the given event ID from the given log
    Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where EventCode=" & _
    EventID & " and logfile='" & EventLogType & "'")
    For Each objItem in colItems
        TempStr = ""
        ' TimeGenerated begins with YYYYMMDD, so compare its first 8 characters
        If Mid(objItem.TimeGenerated,1,8) = YYYYMMDD Then
            TempStr = objItem.Message
            ' Write the match to the console, as the text above describes
            WScript.Echo StrComputer1 & "," & TempStr
        End If
    Next
    On Error GoTo 0
End Function
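
Both scripts on this page concatenate their arguments straight into the WMI moniker and the WQL text, and `On Error Resume Next` hides a server that could not be queried. The following is an added example, not the author's script: it runs the same search across several servers, allow-lists each argument first, reports connection or query failures, and matches text inside the event message. The host names and the `SearchLog` and `Matches` helpers are hypothetical.

```vbscript
Option Explicit
' Added example, not the author's script. Host names below are placeholders.
Dim server
For Each server In Array("ServerName1", "ServerName2")
    SearchLog server, "1309", "Application", "20081218", "Request timed out"
Next

' True only when the whole value matches the pattern.
Function Matches(pattern, value)
    Dim re : Set re = New RegExp
    re.Pattern = pattern
    Matches = re.Test(CStr(value))
End Function

Sub SearchLog(strComputer, eventId, logName, yyyymmdd, needle)
    Dim wmi, events, evt, msg, total, errNo
    ' Allow-list each value before it is concatenated into the moniker or the WQL text.
    If Not (Matches("^[A-Za-z0-9._-]{1,253}$", strComputer) And _
            Matches("^[0-9]{1,5}$", eventId) And _
            Matches("^[A-Za-z0-9 _/-]{1,64}$", logName) And _
            Matches("^[0-9]{8}$", yyyymmdd)) Then
        WScript.Echo "ERROR,invalid argument"
        Exit Sub
    End If

    On Error Resume Next          ' trap only the remote calls, then check Err
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
                        strComputer & "\root\cimv2")
    If Err.Number = 0 Then
        Set events = wmi.ExecQuery("Select * from Win32_NTLogEvent Where EventCode=" & _
                                   eventId & " and Logfile='" & logName & "'")
        If Err.Number = 0 Then total = events.Count   ' forces the query to run now
    End If
    errNo = Err.Number
    On Error GoTo 0
    If errNo <> 0 Then
        WScript.Echo "ERROR," & strComputer & ",0x" & Hex(errNo)
        Exit Sub
    End If

    For Each evt In events
        msg = evt.Message         ' may be Null when the message text cannot be resolved
        If Left(evt.TimeGenerated, 8) = yyyymmdd And Not IsNull(msg) Then
            If InStr(1, msg, needle, vbTextCompare) > 0 Then
                WScript.Echo strComputer & "," & evt.TimeGenerated & "," & Replace(msg, vbCrLf, " ")
            End If
        End If
    Next
End Sub
```

Run it with `cscript //nologo` so each match and each `ERROR` line goes to the console as one CSV row.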