Recipe 8.2. Viewing Events

Problem

You want to view events in an event log.

Solution

Using a graphical user interface

  1. Open the Event Viewer (eventvwr.msc). To connect to a remote computer, in the left pane right-click the Event Viewer icon and select Connect to another computer.

  2. In the left pane, click on the event log containing the events you want to view.

  3. Double-click on an event you want to view in the right pane.

Using a command-line interface

You can use either the eventquery.vbs or psloglist commands to list the events in an event log. In both of the following examples, the last 10 records from the Application log are displayed. Both commands have numerous other options to view events, so look at the command syntax help for more information.

> eventquery.vbs /s <ServerName> /l <LogName> /R <MaxEvents>

For example:

> eventquery.vbs /s server01 /l Application /R 10

Using psloglist:

> psloglist \\<ServerName> -n <MaxEvents> <LogName>

For example:

> psloglist \\server01 -n 10 Application

Using VBScript

' This code displays events in an Event Log.
' ------ SCRIPT CONFIGURATION ------
strLog = "<LogName>"       ' e.g., Application
intNum = <intMax>          ' e.g., 10  (Max number of events to display)
strServer = "<ServerName>" ' e.g., fs01 (use "." for local server)
' ------ END CONFIGURATION ---------

' These constants are taken from WbemFlagEnum
const wbemFlagReturnImmediately = 16
const wbemFlagForwardOnly = 32

' This first part is used to determine how many events are in the log.
' Only wbemFlagReturnImmediately is passed here: a forward-only enumerator
' does not support the Count property that is checked below.
set objWMI = GetObject("winmgmts:\\" & strServer & "\root\cimv2")
set colLogs = objWMI.ExecQuery("Select * from Win32_NTEventlogFile " & _
              "Where Logfilename = '" & strLog & "'",, _
              wbemFlagReturnImmediately)
if colLogs.Count <> 1 then
   WScript.Echo "Fatal error.  Number of logs found: " & colLogs.Count
   WScript.Quit
end if
for each objLog in colLogs
   intLogMax = objLog.NumberofRecords
next

' Work out the RecordNumber of the oldest event to display. If the log
' holds fewer events than requested, start from the first record.
' Note: after a log has wrapped, record numbers keep increasing while
' NumberofRecords stays at the log's maximum, so this estimate is low.
if intLogMax > intNum then
   intNum = intLogMax - intNum + 1
else
   intNum = 1
end if

' Now I get all of the events from RecordNumber intNum to the end of the log
set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent " & _
                "Where Logfile = '" & strLog & "' and RecordNumber >= " & _
                intNum,,wbemFlagReturnImmediately + wbemFlagForwardOnly)
for each objEvent in colEvents
   Wscript.Echo "Date: " & objEvent.TimeWritten
   Wscript.Echo "Source: " & objEvent.SourceName
   Wscript.Echo "Category: " & objEvent.Category
   Wscript.Echo "Type: " & objEvent.Type
   Wscript.Echo "Event Code: " & objEvent.EventCode
   Wscript.Echo "User: " & objEvent.User
   Wscript.Echo "Computer: " & objEvent.ComputerName
   Wscript.Echo "Message: " & objEvent.Message
   WScript.Echo "------"
next
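The same task done with the built-in Get-EventLog cmdlet, as an added example that is not part of the book's recipe. It lists the newest events of a classic log the way the eventquery.vbs and psloglist commands above do (including a remote server), and reshapes each entry into the fields of Table 8-2. It assumes Windows PowerShell (Get-EventLog is not available in PowerShell 7, where Get-WinEvent is the replacement); the log name, server name and counts in the usage lines are placeholders.

```powershell
# Added example: newest N entries of a classic event log, optionally narrowed
# to a set of entry types, presented with the Table 8-2 field names.
# Assumes Windows PowerShell; remote access uses the cmdlet's own
# -ComputerName support, so the caller needs the usual remote log-read rights.
function Get-LastEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogName,           # e.g. Application
        [int] $MaxEvents = 10,                               # like /R 10 or -n 10
        [string] $ComputerName = $env:COMPUTERNAME,          # e.g. server01
        [ValidateSet('Error','Warning','Information','SuccessAudit','FailureAudit')]
        [string[]] $EntryType                                # optional filter
    )

    # Splat the parameters; -Newest asks the log for the last N records
    # directly, so nothing has to walk the whole log or compute a
    # RecordNumber threshold by hand (the approach the VBScript takes).
    $params = @{ LogName = $LogName; Newest = $MaxEvents; ComputerName = $ComputerName }
    if ($EntryType) { $params.EntryType = $EntryType }

    Get-EventLog @params | ForEach-Object {
        [pscustomobject]@{
            Date        = $_.TimeGenerated.ToShortDateString()
            Time        = $_.TimeGenerated.ToLongTimeString()
            Type        = $_.EntryType
            User        = $_.UserName
            Computer    = $_.MachineName
            Source      = $_.Source
            Category    = $_.Category
            'Event ID'  = $_.EventID
            Description = $_.Message
        }
    }
}

# Usage (placeholder names): last 10 Application entries from server01 ...
Get-LastEvents -LogName Application -MaxEvents 10 -ComputerName server01 | Format-List

# ... and a quick triage view: which sources produced the last 50 errors and
# warnings in the local System log.
Get-LastEvents -LogName System -MaxEvents 50 -EntryType Error, Warning |
    Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name
```

The second usage line is the kind of first pass an operator makes when a server misbehaves: grouping recent errors by Source shows at a glance which component is noisy before any individual Description is read.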

Discussion

An event log message is composed of several fields. Table 8-2 explains each field.

Table 8-2. Event message fields

Field        Description
-----        -----------
Date         Date the event occurred. Example: 3/15/2005.
Time         Local time the event occurred. Example: 12:09:23AM.
Type         Information, Warning, or Error.
User         User account that caused the event to be generated (if applicable). Example: AMER\rallen.
Computer     Computer the event was generated on. Example: RALLEN-WXP.
Source       Application or process that generated the event. Example: Automatic Updates.
Category     Classifies events within a source. Example: Download.
Event ID     Number that identifies the event within the source and category. Example: 2512.
Description  Contents of the event message.


Using VBScript

One thing to note in the VBScript solution is my use of two WMI constants: wbemFlagReturnImmediately and wbemFlagForwardOnly. By default, when you use the ExecQuery method to enumerate a collection, the underlying query has to complete before the code will start iterating over the matching records. When you query large event logs, this can impact the performance of the script significantly while it waits to return thousands of records. If you pass wbemFlagReturnImmediately + wbemFlagForwardOnly (48 is the result) as the third parameter to ExecQuery, performance will be greatly improved. wbemFlagReturnImmediately causes ExecQuery to return immediately and allows you to start enumerating over the matching objects as they are returned. wbemFlagForwardOnly requests an enumerator that you cannot rewind, which means WMI can release the objects after you've viewed them.
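To show the two enumeration flags from a PowerShell script rather than VBScript, the following added example (not from the book) runs the same Win32_NTLogEvent query through the System.Management classes, whose EnumerationOptions expose ReturnImmediately and Rewindable. Setting Rewindable to false is the forward-only request described above. It assumes a local or DCOM-reachable server and uses a placeholder log name and count.

```powershell
# Added example: the VBScript solution's WMI query, run from PowerShell with
# the same two enumeration options set explicitly via System.Management.
function Get-LogEventsForwardOnly {
    param(
        [string] $LogName = 'Application',   # placeholder
        [int]    $MaxEvents = 10,            # placeholder
        [string] $ComputerName = '.'         # '.' = local machine
    )

    $scope = New-Object System.Management.ManagementScope -ArgumentList "\\$ComputerName\root\cimv2"
    $scope.Connect()

    # Equivalent of wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32):
    # objects are handed over as they arrive, and WMI may release each one
    # once we have seen it because the enumerator can never be rewound.
    $opts = New-Object System.Management.EnumerationOptions
    $opts.ReturnImmediately = $true
    $opts.Rewindable = $false

    # Record count of the log, queried with default (rewindable) options so a
    # one-object result can be read normally.
    $logWql  = "SELECT NumberOfRecords FROM Win32_NTEventlogFile WHERE LogFileName = '$LogName'"
    $logQry  = New-Object System.Management.ObjectQuery -ArgumentList $logWql
    $logSrch = New-Object System.Management.ManagementObjectSearcher -ArgumentList $scope, $logQry
    $total   = [int]($logSrch.Get() | Select-Object -First 1 | ForEach-Object { $_['NumberOfRecords'] })

    # Oldest RecordNumber to show; if the log is shorter than requested, start at 1.
    # Caveat: once a log has wrapped, RecordNumber keeps growing while
    # NumberOfRecords stays flat, so this threshold is only an estimate.
    $first = if ($total -gt $MaxEvents) { $total - $MaxEvents + 1 } else { 1 }

    $evtWql  = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '$LogName' AND RecordNumber >= $first"
    $evtQry  = New-Object System.Management.ObjectQuery -ArgumentList $evtWql
    $evtSrch = New-Object System.Management.ManagementObjectSearcher -ArgumentList $scope, $evtQry, $opts

    # Forward-only means exactly one pass: no .Count and no second foreach
    # over the same collection, which is the trade-off the flag buys speed with.
    foreach ($e in $evtSrch.Get()) {
        [pscustomobject]@{
            Date         = [System.Management.ManagementDateTimeConverter]::ToDateTime($e['TimeWritten'])
            Source       = $e['SourceName']
            Category     = $e['Category']
            Type         = $e['Type']
            'Event Code' = $e['EventCode']
            User         = $e['User']
            Computer     = $e['ComputerName']
            Message      = $e['Message']
        }
    }
}

Get-LogEventsForwardOnly -LogName Application -MaxEvents 10 | Format-List
```

The record-count query deliberately keeps the default options: a non-rewindable collection can be enumerated only once, which is also why the VBScript's Count check must not be made on a forward-only result.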

See Also

Recipe 8.10, Recipe 8.12, and MSDN: Improving Enumeration Performance



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
