Microsoft® Windows® 2000 Scripting Guide
« Previous | Next »
Although events are automatically recorded on a computer (except for security events, which must be enabled by using Group Policy), few administrators routinely analyze their event logs. This is due in part to the limitations inherent within Event Viewer and in part to the nature of how events are recorded throughout the enterprise. The impediments to routinely analyzing event logs include:
The WMI class Win32_NTLogEvent class can be used to extract records from an event log and either display the results of those queries or save them to a file. This enables you to automate the process of analyzing event logs by creating scripts that do such things as:
Several key event properties that can be returned using WMI are shown in Table 12.4.
Table 12.4 Event Properties in WMI
Property | Description |
---|---|
Category | Classification of the event as determined by the source. Although primarily used when recording Security events, this property is available in other event logs as well. Common Security categories include Logon/Logoff, Account Management, and System Event. |
ComputerName | Name of the computer on which the event occurred. |
EventCode | Identification number for a particular kind of event. For example, a successful logoff is recorded in the Security log with the Event ID 538. However, Event IDs are not necessarily unique. It is possible that, when retrieving Event ID 538, you can get other kinds of events with ID 538. If this happens, you might need to filter by the source as well as ID. |
Message | Event description. |
RecordNumber | Record number for the event. Record numbers are always unique; they are not reset to 1 when an event log is cleared. As a result, the highest record number also indicates the number of records that have been written to the event log since the operating system was installed. |
SourceName | Application that generated the event. |
TimeWritten | Time that the record was written to the event log in the Universal Time Coordinate (UTC) format yyyymmddHHMMSS.xxxxxx-UUU, where: yyyy represents the year mm represents the month dd represents the day HH represents the hour (in 24-hour format) MM represents the minutes SS represents the seconds xxxxxx represents the milliseconds UUU represents the number of minutes to be subtracted from the current time in order to calculate Greenwich mean time For example, an event recorded on October 31, 2002, at 10:45:39 A.M. Pacific time looks like this:
|
Type | Error type. Values are: 1 = Error 2 = Warning 4 = Information 8 = Audit success 16 = Audit failure |
User | User account under which the event occurred. Rather than storing the user account name, the event log stores the user s Security Identifier (SID). This means the user field will "disappear" if a user account is deleted and the SID is no longer valid. When you back up an event log, however, the actual user name (rather than the SID) is included in the backup file. |
The way an event log query is constructed can have a huge impact on how long it takes WMI to process the query and return the requested information. This is not necessarily true of other managed objects. For example, a query that returns all the properties for all the installed services on a typical Windows 2000 based computer takes about 2 seconds to complete. A filtered query that returns the properties of a single service takes about 1 second to complete, a difference of only 1 second.
However, query times for different types of event log queries can vary widely. The relative query times for several different types of event log queries run on a Windows 2000 Server based test computer are listed in Table 12.5. The test computer had a total of 13,743 events recorded in its event logs, with 669 of these in the System event log. Retrieving all the events from all the event logs required over 2 hours to complete. When the query was modified so that it retrieved events from only the System event log, the process took just 4 minutes.
Table 12.5 Relative Event Log Query Times
Query Type | Query Time (hours:minutes:seconds) |
---|---|
Select all events from all event logs | 2:06:15 |
Select events only from the System event log | 0:04:03 |
Select events only from the System event log that have EventCode 1000 | 0:01:33 |
Select events only from the System event log that have EventCode 1000 and occurred on a specific day | 0:00:17 |
Event log queries can also return a very large amount of information compared with queries for other WMI classes, such as Win32_Service. Retrieving the properties for all the services on the test computer and saving them to a text file resulted in a file that was less than 13 KB. Performing the same task with the event logs resulted in a text file of nearly 1 MB. Attempting to retrieve events from large event logs over the network could cause a script to take hours to run and might generate a huge amount of network traffic.
Because of the length of time it can take an event log query to run and the large amount of information that can be returned, it is important that you carefully design your queries for retrieving data from the event logs. Unless you need to return all the events from all the event logs on a computer, write your queries so that they do one or more of the following:
Send us your feedback | « Previous | Next » |