Retrieving Event Log Records from a Specified Day

Microsoft® Windows® 2000 Scripting Guide


When analyzing event logs, you will often want to review events that occurred only on a specific day or set of days. For example, if a computer had problems on August 15, 2002, you would want to review only the records from that date. At least for your initial investigation, you do not need records for the entire month of August.

The one complicating factor in retrieving events that occurred on a specific day is that WMI stores dates in a Coordinated Universal Time (UTC) based format that also carries the offset of the local clock from UTC. Because of this, you cannot use a standard date-time (such as 12/19/2002) in your queries. Instead, you have to use a UTC date-time format such as this:

20021219000000.000000-480

UTC dates and techniques for converting them to standard dates (and vice-versa) are discussed in detail in "WMI Scripting Primer" in this book.

Scripting Steps

Listing 12.10 contains a script that queries the event logs for all events that occurred on December 19, 2002. To perform this task, the script must carry out the following steps:

  1. Create a variable named dtmStartDate, and set the value to 20021219000000.000000-480. This is a UTC date corresponding to the beginning of the day (hour 0) on December 19, 2002.
  2. Create a variable named dtmEndDate, and set the value to 20021220000000.000000-480. This is a UTC date corresponding to the beginning of the day (hour 0) on December 20, 2002. Your query will search for all events that were recorded on or after dtmStartDate (the start of the day on December 19), but before dtmEndDate (the start of the day on December 20).
  3. Create a variable to specify the computer name.
  4. Use a GetObject call to connect to the WMI namespace root\cimv2 on the computer, and set the impersonation level to "impersonate."
  5. Use the ExecQuery method to query the Win32_NTLogEvent class.

    To limit data retrieval to events that were recorded on December 19, 2002, include a Where clause specifying that TimeWritten is both:

    • Greater than or equal to dtmStartDate
    • Less than dtmEndDate

    Because no log file name is specified in the query, events will be returned from all the event logs except the Security event log.

  6. For each event in the collection, echo the event properties.

Listing 12.10   Querying an Event Log for All Events From a Specified Day

' Start and end of the day, as WMI (CIM) datetime strings; -480 is the
' local UTC offset in minutes (UTC-8). The range is [start, end).
dtmStartDate = "20021219000000.000000-480"
dtmEndDate = "20021220000000.000000-480"
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' No Logfile is named, so every log except Security is searched.
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next
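As an added example that is not part of the Scripting Guide, the following Python reproduces the date arithmetic behind Listing 12.10: it builds the CIM datetime bounds and the WQL text for any day and UTC offset, and applies the same half-open test (>= start, < end) to constructed TimeWritten values, including one stamped with a different offset than the querying machine. It uses only the standard library; the sample records are constructed, not real log data.

```python
from datetime import date, datetime, timedelta, timezone

# WMI/CIM datetime layout: yyyymmddHHMMSS.mmmmmmsUUU, where sUUU is the
# signed offset of the local clock from UTC in minutes (-480 means UTC-8).

def to_dmtf(local: datetime, utc_offset_minutes: int) -> str:
    """Render a naive local datetime as a CIM datetime string."""
    return f"{local:%Y%m%d%H%M%S}.{local.microsecond:06d}{utc_offset_minutes:+04d}"

def from_dmtf(value: str) -> datetime:
    """Parse a fully specified CIM datetime string into an aware datetime."""
    if len(value) != 25 or value[14] != ".":
        raise ValueError(f"not a CIM datetime: {value!r}")
    stamp = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    offset = timezone(timedelta(minutes=int(value[21:])))
    return stamp.replace(microsecond=int(value[15:21]), tzinfo=offset)

def day_range_dmtf(iso_day: str, utc_offset_minutes: int):
    """Half-open [start, end) bounds for one local calendar day, as in Listing 12.10."""
    start = datetime.combine(date.fromisoformat(iso_day), datetime.min.time())
    end = start + timedelta(days=1)
    return to_dmtf(start, utc_offset_minutes), to_dmtf(end, utc_offset_minutes)

def build_query(iso_day: str, utc_offset_minutes: int) -> str:
    """WQL statement equivalent to Listing 12.10 for an arbitrary day."""
    start, end = day_range_dmtf(iso_day, utc_offset_minutes)
    return ("Select * from Win32_NTLogEvent Where TimeWritten >= '"
            f"{start}' and TimeWritten < '{end}'")

def in_day(time_written: str, iso_day: str, utc_offset_minutes: int) -> bool:
    """Apply the same >= start / < end test to one TimeWritten value.
    Aware datetimes compare by instant, so a record carrying a different
    offset is still placed on the day it actually belongs to."""
    start, end = (from_dmtf(s) for s in day_range_dmtf(iso_day, utc_offset_minutes))
    return start <= from_dmtf(time_written) < end

# Constructed sample TimeWritten values (not real log records).
SAMPLE_RECORDS = [
    "20021218235959.000000-480",  # last second of Dec 18: excluded
    "20021219000000.000000-480",  # start of Dec 19: included (>=)
    "20021219153000.000000-480",  # mid-day Dec 19: included
    "20021220000000.000000-480",  # start of Dec 20: excluded (<)
    "20021220013000.000000-300",  # 01:30 Dec 20 at UTC-5 is 22:30 Dec 19 at UTC-8: included
]

def filter_day(records, iso_day: str, utc_offset_minutes: int):
    return [r for r in records if in_day(r, iso_day, utc_offset_minutes)]

if __name__ == "__main__":
    print(build_query("2002-12-19", -480))
    for r in filter_day(SAMPLE_RECORDS, "2002-12-19", -480):
        print(r)
```

If the offset passed in does not match the clock of the machine that wrote the records, the day boundary shifts by the difference, so events near midnight land on the wrong day.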



Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003