Microsoft® Windows® 2000 Scripting Guide
When analyzing event logs, you will often want to review events that occurred only on a specific day or set of days. For example, if a computer had problems on August 15, 2002, you would want to review only the records from that date. At least for your initial investigation, you do not need records for the entire month of August.
The one complicating factor in retrieving events that occurred on a specific day is that WMI stores dates in the DMTF datetime format, a fixed-width string that carries its own offset from Coordinated Universal Time (UTC). Because of this, you cannot use a standard date-time (such as 12/19/2002) in your queries. Instead, you have to use a date-time in a format such as this:
20021219000000.000000-480
The first 14 digits are the year, month, day, hour, minute and second (here, hour 0 on December 19, 2002), the six digits after the decimal point are microseconds, and the signed number at the end is the offset from UTC in minutes. The -480 means eight hours behind UTC, that is, Pacific Standard Time; the same local midnight in Eastern Standard Time would end in -300, and during daylight saving time the Pacific offset becomes -420. A value copied from this page therefore describes local midnight only on a computer in the same time zone on the same date. WMI dates and techniques for converting them to standard dates (and vice versa) are discussed in detail in "WMI Scripting Primer" in this book.
Scripting Steps
Listing 12.10 contains a script that queries the event logs for all events that occurred on December 19, 2002. To perform this task, the script must carry out the following steps:
- Create a variable named dtmStartDate, and set the value to 20021219000000.000000-480. This is a WMI date-time corresponding to the beginning of the day (hour 0) on December 19, 2002, in the time zone eight hours behind UTC (Pacific Standard Time).
- Create a variable named dtmEndDate, and set the value to 20021220000000.000000-480. This is a WMI date-time corresponding to the beginning of the day (hour 0) on December 20, 2002. Your query will search for all events that were recorded on or after dtmStartDate (the start of the day on December 19) but before dtmEndDate (the start of the day on December 20). Using the start of the next day as an exclusive upper bound, rather than 23:59:59 on December 19, ensures that events written during the last second of the day are not missed.
- Create a variable to specify the computer name.
- Use a GetObject call to connect to the WMI namespace root\cimv2 on the computer, and set the impersonation level to "impersonate."
- Use the ExecQuery method to query the Win32_NTLogEvent class.
To limit data retrieval to events that were recorded on December 19, 2002, include a Where clause specifying that the TimeWritten is both:
- Greater than or equal to dtmStartDate
- Less than dtmEndDate.
Because no log file name is specified in the query, events are returned from every event log except the Security event log. Reading the Security log requires the Security privilege (SeSecurityPrivilege), which this script does not enable; to include Security events, the moniker would have to request it, for example {impersonationLevel=impersonate,(Security)}. Without it, WMI simply omits those records rather than reporting an error, so an empty result for the Security log does not mean that nothing was logged.
- For each event in the collection, echo the event properties.
Listing 12.10 Querying an Event Log for All Events From a Specified Day
' Start and end of the day as WMI (DMTF) date-times; -480 is the offset from UTC in minutes (Pacific Standard Time).
dtmStartDate = "20021219000000.000000-480"
dtmEndDate = "20021220000000.000000-480"
strComputer = "."

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Half-open range: on or after the start of December 19, and before the start of December 20.
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next
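The same query in Windows PowerShell, as an added example rather than code from the Scripting Guide. It goes one step beyond Listing 12.10: the day bounds are produced by the .NET DMTF converter, so the UTC offset suffix always matches the computer running the script (including daylight saving time) instead of being typed in by hand, and the Security log can be included by enabling the privilege that the listing's moniker omits. The function name Get-EventsForDay and its parameters are names chosen for this example, not names from the book; Get-WmiObject, Win32_NTLogEvent and System.Management.ManagementDateTimeConverter are the real cmdlet, class and type.

```powershell
# Added example; not part of the Windows 2000 Scripting Guide.
# Requires Windows PowerShell (Get-WmiObject is not available in PowerShell 7).
function Get-EventsForDay {
    param(
        [Parameter(Mandatory)] [datetime] $Day,
        [string] $ComputerName = '.',
        [switch] $IncludeSecurityLog
    )

    # DMTF datetime: yyyymmddHHMMSS.mmmmmm followed by the signed offset from UTC in minutes.
    # .Date drops the time portion, so $start is hour 0 of $Day and $end is hour 0 of the next day.
    # The converter fills in the offset for that calendar date on this machine, so DST is handled.
    $start = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Day.Date)
    $end   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Day.Date.AddDays(1))

    # Same WQL as Listing 12.10: on or after the start of the day, strictly before the next day.
    $query = "Select * from Win32_NTLogEvent Where TimeWritten >= '$start' and TimeWritten < '$end'"

    $params = @{ Query = $query; ComputerName = $ComputerName }
    # Without SeSecurityPrivilege WMI silently returns nothing from the Security log.
    # -EnableAllPrivileges turns the caller's privileges on for this call.
    if ($IncludeSecurityLog) { $params['EnableAllPrivileges'] = $true }

    Get-WmiObject @params | ForEach-Object {
        [pscustomobject]@{
            LogFile      = $_.Logfile
            RecordNumber = $_.RecordNumber
            # TimeWritten comes back as a DMTF string; convert it to a local DateTime for display.
            TimeWritten  = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeWritten)
            SourceName   = $_.SourceName
            EventCode    = $_.EventCode
            Type         = $_.Type
            User         = $_.User
            Message      = $_.Message
        }
    }
}

# Usage: every event recorded on 19 December 2002 on the local computer, Security log included.
Get-EventsForDay -Day (Get-Date '2002-12-19') -IncludeSecurityLog |
    Sort-Object TimeWritten |
    Format-Table LogFile, TimeWritten, SourceName, EventCode, Type, User -AutoSize
```

Run it from an elevated prompt when -IncludeSecurityLog is used; the switch enables the Security privilege for the call but cannot grant it to an account that does not hold it. To check what the converter produced before trusting the results, print $start on a machine in the Pacific time zone for a December date and you should see exactly the 20021219000000.000000-480 string from Listing 12.10.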