Recipe 8.14. Script: Event Watcher

You want to watch events in real time as they occur. The Event Viewer utility works fine for viewing the events that have occurred on a system at a particular point in time, but it doesn't provide an auto-refresh capability, so if you need to constantly monitor for new events, you have to manually refresh the screen. Here is a simple piece of code that lets you view events as they happen:

    ' This code displays events for all logs as they occur.
    Option Explicit

    ' ------ SCRIPT CONFIGURATION ------
    Dim strComputer : strComputer = "."
    ' ------ END CONFIGURATION ---------

    Dim objWMI : set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Dim colEvents : set colEvents = objWMI.ExecNotificationQuery( _
        "Select * from __InstanceCreationEvent WHERE " & _
        " TargetInstance ISA 'Win32_NTLogEvent'")

    Do
        ' Block until the next event that matches the query arrives.
        Dim objEvent : set objEvent = colEvents.NextEvent
        WScript.Echo "----------------------------"
        WScript.Echo objEvent.TargetInstance.Logfile & " Event Log"
        WScript.Echo "----------------------------"
        WScript.Echo "Event ID: " & objEvent.TargetInstance.EventIdentifier
        WScript.Echo "Source: " & objEvent.TargetInstance.SourceName
        WScript.Echo "Category: " & objEvent.TargetInstance.CategoryString
        WScript.Echo "Event Type: " & objEvent.TargetInstance.Type
        Dim strText
        ' InsertionStrings is Null for events that carry no text, so check first.
        If IsArray(objEvent.TargetInstance.InsertionStrings) Then
            for each strText in objEvent.TargetInstance.InsertionStrings
                WScript.Echo "Event Text: " & strText
            next
        End If
        WScript.Echo "Computer: " & objEvent.TargetInstance.ComputerName
        WScript.Echo "User: " & objEvent.TargetInstance.User
        WScript.Echo "Time: " & objEvent.TargetInstance.TimeWritten
        WScript.Echo
    Loop

I've used a temporary WMI event consumer to monitor for new instances of the Win32_NTLogEvent class. The query for this event consumer is set in the colEvents variable. The Win32_NTLogEvent class represents Event Log events. Because I didn't restrict the query further, it will return any event that occurs.
You can add criteria at the end of the Select statement to restrict the types of events it looks for. This query matches only new events in the Application log:

    Select * from __InstanceCreationEvent
    Where TargetInstance ISA 'Win32_NTLogEvent'
    And TargetInstance.Logfile = 'Application'

This query matches only events in the System log that have an event ID of 1000:

    Select * from __InstanceCreationEvent
    Where TargetInstance ISA 'Win32_NTLogEvent'
    And TargetInstance.Logfile = 'System'
    And TargetInstance.EventIdentifier = '1000'

Following the instantiation of the colEvents variable is a Do loop. This causes the script to run indefinitely (until you type Ctrl-C to exit it). The colEvents.NextEvent statement in the Do loop simply causes the script to wait until it finds an event that matches the query previously set. So if no new events occur, you won't see any output from the script, but as soon as one does, you'll see something like the following:

    C:\>cscript eventmonitor.vbs
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    ----------------------------
    Application Event Log
    ----------------------------
    Event ID: 101
    Source: EventCreate
    Category:
    Event Type: Error
    Event Text: Just a test
    Computer: rallen-w2k3
    User: rallen-w2k3\admin
    Time: 20040319090153.000000-300
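
The restricted queries above can be combined into a watcher for the Security log. The following is an added example, not code from the recipe: the event IDs (4625 and 1102, as used on Windows Vista and later), the five-second wait, and the tab-separated output format are assumptions chosen for illustration.

```vbscript
' Added example, not from the recipe: watch the Security log for chosen event IDs.
Option Explicit
Const WBEM_ERR_TIMED_OUT = &H80043001       ' NextEvent raises this when the wait expires
Const WAIT_MS = 5000                        ' assumed wait per NextEvent call

Dim strComputer : strComputer = "."
Dim arrIds : arrIds = Array(4625, 1102)     ' assumed IDs: failed logon, audit log cleared

' Build "TargetInstance.EventIdentifier = 4625 Or ..." from the list.
Dim strIds, i
For i = 0 To UBound(arrIds)
    If i > 0 Then strIds = strIds & " Or "
    strIds = strIds & "TargetInstance.EventIdentifier = " & CLng(arrIds(i))
Next

' The (Security) privilege must be enabled to receive Security log events.
Dim objWMI : Set objWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
Dim colEvents : Set colEvents = objWMI.ExecNotificationQuery( _
    "Select * from __InstanceCreationEvent Where " & _
    "TargetInstance ISA 'Win32_NTLogEvent' " & _
    "And TargetInstance.Logfile = 'Security' And (" & strIds & ")")
Dim objTime : Set objTime = CreateObject("WbemScripting.SWbemDateTime")

Dim objEvent, objT, lngErr, strText
Do
    On Error Resume Next
    Set objEvent = colEvents.NextEvent(WAIT_MS)
    lngErr = Err.Number
    On Error GoTo 0
    If lngErr = 0 Then
        Set objT = objEvent.TargetInstance
        objTime.Value = objT.TimeWritten    ' convert CIM datetime to local time
        strText = ""
        ' InsertionStrings is Null when an event carries no strings.
        If IsArray(objT.InsertionStrings) Then
            strText = Join(objT.InsertionStrings, " | ")
        End If
        WScript.Echo objTime.GetVarDate(True) & vbTab & objT.EventIdentifier & _
            vbTab & objT.ComputerName & vbTab & strText
    ElseIf lngErr <> WBEM_ERR_TIMED_OUT Then
        WScript.Echo "WMI error 0x" & Hex(lngErr)
        WScript.Quit 1
    End If                                  ' on timeout: nothing new, wait again
Loop
```

Run it with cscript from an account that holds the right to manage the auditing and security log; without that right the (Security) privilege cannot be enabled and the subscription fails.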