Recipe8.14.Script: Event Watcher


Recipe 8.14. Script: Event Watcher

You want to watch events in real time as they occur. The Event Viewer utility works fine to view the events that have occurred on a system at a particular point in time, but it doesn't provide an auto-refresh capability, so if you need to constantly monitor for new events, you have to manually refresh the screen.

Here is a simple piece of code that lets you view events as they happen:

' This code displays events for all logs as they occur.     Option Explicit     ' ------ SCRIPT CONFIGURATION ------ Dim strComputer : strComputer = "." ' ------ END CONFIGURATION --------- Dim objWMI : set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2") Dim colEvents : set colEvents = objWMI.ExecNotificationQuery( _                      "Select * from _ _InstanceCreationEvent WHERE " & _                      " TargetInstance ISA 'Win32_NTLogEvent'")  Do    Dim objEvent : set objEvent = colEvents.NextEvent    WScript.Echo "----------------------------"    WScript.Echo objEvent.TargetInstance.Logfile & " Event Log"    WScript.Echo "----------------------------"    WScript.Echo "Event ID:   " & objEvent.TargetInstance.EventIdentifier    WScript.Echo "Source:     " & objEvent.TargetInstance.SourceName    WScript.Echo "Category:   " & objEvent.TargetInstance.CategoryString    WScript.Echo "Event Type: " & objEvent.TargetInstance.Type    Dim strText    for each strText in objEvent.TargetInstance.InsertionStrings       WScript.Echo "Event Text: " & strText    next    WScript.Echo "Computer:   " & objEvent.TargetInstance.ComputerName    WScript.Echo "User:       " & objEvent.TargetInstance.User    WScript.Echo "Time:       " & objEvent.TargetInstance.TimeWritten    WScript.Echo  Loop

I've used a temporary WMI event consumer to monitor for new instances of the Win32_NTLogEvent class. The query for this event consumer is set in the colEvents variable. The Win32_NTLogEvent class represents Event Log events. Because I didn't restrict the query further, it will return any event that occurs. You could add additional criteria at the end of the Select statement to restrict the types of events it looks for. This query matches only new events in the Application log:

Select * from _ _InstanceCreationEvent   Where TargetInstance ISA 'Win32_NTLogEvent'    And TargetInstance.Logfile = 'Application'

This query matches only events in the System log that have an event ID of 1000:

Select * from _ _InstanceCreationEvent   Where TargetInstance ISA 'Win32_NTLogEvent'    And TargetInstance.Logfile = 'System'    And TargetInstance.EventIdentifier = '1000'

Following the instantiation of the colEvents variable is a Do loop. This causes the script to run indefinitely (until you type Ctrl-C to exit it). The colEvents.NextEvent statement in the Do loop simply causes the script to wait until it finds an event that matches the query previously set. So if no new events occur, you won't see any output from the script, but as soon as one does, you'll see something like the following:

C:\>cscript eventmonitor.vbs Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.     ---------------------------- Application Event Log ---------------------------- Event ID:   101 Source:     EventCreate Category: Event Type: Error Event Text: Just a test Computer:   rallen-w2k3 User:       rallen-w2k3\admin Time:       20040319090153. 000000-300



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net