
[Repost] Log-related scripts

This thread was closed by mwpq on 2007-11-7 09:00.

Log-related scripts

Write to a Custom Event Log

Description

Uses the EventCreate.exe utility to write an event to a custom event log named Scripts (the /L switch below). Requires Windows XP or Windows Server 2003.

Script code

Set WshShell = WScript.CreateObject("WScript.Shell")
' /T type, /ID event id, /L target log, /D description text
strCommand = "eventcreate /T Error /ID 100 /L Scripts /D " & _
    Chr(34) & "Test event." & Chr(34)
WshShell.Run strCommand
Write an Event to the Local Event Log

Description

Writes an event to the Application event log on the local computer.

Script code

Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, _
    "Payroll application successfully installed."
Write an Event to a Remote Event Log

Description

Writes an event to the Application event log on a remote computer named PrimaryServer.

Script code

Const EVENT_SUCCESS = 0
Set objShell = Wscript.CreateObject("Wscript.Shell")
' The optional third argument of LogEvent is the target computer (UNC name).
objShell.LogEvent EVENT_SUCCESS, _
    "Payroll application successfully installed.", "\\PrimaryServer"
Create a Unique File Name for an Event Log Backup

Description

Backs up and clears the Application event log, generating a unique file name for each backup based on the current date.

Script code

dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
' The Backup privilege is required to call BackupEventLog.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogFile in colLogFiles
    objLogFile.BackupEventLog("c:\scripts\" & strBackupName & _
        "_application.evt")
    objLogFile.ClearEventLog()
Next
System Event Log Properties

Description

Reports the number of events currently recorded in the System event log.

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next
Security Log Properties

Description

Retrieves the properties of the Security log.

Script code

strComputer = "."
' The Security privilege is required to read the Security log.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " & objLogFile.MaxFileSize
Next
Retrieve Events That Occurred on a Specific Day from the Event Logs

Description

Retrieves all events that occurred on a specific date from all the event logs.

Script code

Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = CDate("2/18/2002")
' SetVarDate converts the VBScript date into the DMTF string WQL expects.
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For Each objEvent in colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    Wscript.Echo objEvent.LogFile
Next
Retrieve Specific Events from the Event Log

Description

Retrieves all events with event code 6008 from the System event log.

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '6008'")
Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count
Retrieve All Events from the Event Logs

Description

Retrieves all events from all the event logs on the computer. Note: this is primarily a demonstration script. It may take several hours or more to run, depending on the number of records in the event logs.

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next
Query the Event Log for Stop Events

Description

Queries the System event log for events related to Stop events (blue screens).

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' SaveDump is the source that records a crash dump after a Stop error.
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Event date: " & objEvent.TimeGenerated
    Wscript.Echo "Description: " & objEvent.Message
Next
Query a Specific Event Log

Description

Retrieves all the events from the System event log.

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Application'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
Next
Parse a Fixed-Width-Column Log

Description

Extracts the information in the NetSetup log into individual fields and records.

Script code

Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("C:\Windows\Debug\Netsetup.log", _
    ForReading)
Do While objTextFile.AtEndOfStream <> True
    strLineToParse = objTextFile.ReadLine
    dtmEventDate = Mid(strLineToParse, 1, 6)         ' columns 1-6: date
    dtmEventTime = Mid(strLineToParse, 7, 9)         ' columns 7-15: time
    strEventDescription = Mid(strLineToParse, 16)    ' rest of the line: description
    Wscript.Echo "Date: " & dtmEventDate
    Wscript.Echo "Time: " & dtmEventTime
    Wscript.Echo "Description: " & strEventDescription & VbCrLf
Loop
objTextFile.Close    ' Close belongs to the TextStream, not to the FileSystemObject
Parse a Comma-Separated-Values Log

Description

Extracts the information in the DHCP Server log into individual fields and records.

Script code

Const ForReading = 1
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("C:\Windows\System32\DHCP\" _
    & "DhcpSrvLog-Mon.log", ForReading)
Do While objTextFile.AtEndOfStream <> True
    ' Read each line exactly once; calling ReadLine in both the test and the
    ' Split would consume two lines per iteration and drop every other record.
    strLine = objTextFile.ReadLine
    arrDHCPRecord = Split(strLine, ",")
    ' Legend and header lines have fewer than seven fields and are skipped.
    If UBound(arrDHCPRecord) >= 6 Then
        Wscript.Echo "Event ID: " & arrDHCPRecord(0)
        Wscript.Echo "Date: " & arrDHCPRecord(1)
        Wscript.Echo "Time: " & arrDHCPRecord(2)
        Wscript.Echo "Description: " & arrDHCPRecord(3)
        Wscript.Echo "IP Address: " & arrDHCPRecord(4)
        Wscript.Echo "Host Name: " & arrDHCPRecord(5)
        Wscript.Echo "MAC Address: " & arrDHCPRecord(6)
    End If
Loop
objTextFile.Close
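As an added example (Python, not from the original post), here are parsers for the two text logs the last two scripts read, the fixed-column NetSetup.log and the comma-separated DHCP Server log, with the legend and header lines handled and an address lookup over the parsed records; all sample lines are constructed.

```python
"""Parsers for NetSetup.log (fixed columns) and the DHCP Server audit log (CSV).

Added example, not from the original post. All sample lines are constructed.
"""
import csv
from typing import Dict, Iterable, List, Tuple

# The seven DHCP fields in the order the VBScript indexes them (arrDHCPRecord(0)..(6)).
DHCP_FIELDS = ["ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address"]


def parse_netsetup_line(line: str) -> Dict[str, str]:
    """Cut a NetSetup.log line at the columns the script uses: Mid(s,1,6) is the
    date, Mid(s,7,9) the time, Mid(s,16) the description (Mid is 1-based)."""
    return {
        "Date": line[0:6].strip(),
        "Time": line[6:15].strip(),
        "Description": line[15:].rstrip("\r\n"),
    }


def parse_dhcp_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn DhcpSrvLog lines into records.

    The file opens with a free-text legend and a header row, so a line only counts
    as a record when it has at least len(DHCP_FIELDS) comma-separated fields and a
    numeric ID. Every line is read exactly once.
    """
    records = []
    for row in csv.reader(line for line in lines if "," in line):
        if len(row) < len(DHCP_FIELDS) or not row[0].strip().isdigit():
            continue  # legend text or the header row
        records.append(dict(zip(DHCP_FIELDS, (f.strip() for f in row))))
    return records


def count_by_id(records: List[Dict[str, str]]) -> Dict[str, int]:
    """How many entries of each event ID the log holds."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["ID"]] = counts.get(rec["ID"], 0) + 1
    return counts


def address_history(records: List[Dict[str, str]], ip: str) -> List[Tuple[str, str, str, str]]:
    """Every (date, time, host, MAC) the server logged for one IP address, in log
    order: the question an incident responder usually asks of a DHCP log."""
    return [(r["Date"], r["Time"], r["Host Name"], r["MAC Address"])
            for r in records if r["IP Address"] == ip]


# Constructed samples (not real log data).
NETSETUP_SAMPLE = "02/18 08:12:34 NetpDoDomainJoin: constructed sample entry\n"

DHCP_SAMPLE = """\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,02/18/02,08:00:00,Started,,,,
10,02/18/02,08:12:34,Assign,192.0.2.50,host1.example.test,0011223344AA,
11,02/18/02,08:13:00,Renew,192.0.2.51,host2.example.test,0011223344BB,
10,02/18/02,09:30:00,Assign,192.0.2.50,host3.example.test,0011223344CC,
""".splitlines()

if __name__ == "__main__":
    recs = parse_dhcp_log(DHCP_SAMPLE)
    print(count_by_id(recs))
    print(address_history(recs, "192.0.2.50"))
    print(parse_netsetup_line(NETSETUP_SAMPLE))
```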
Event Log Properties

Description

Retrieves a list of properties for all the event logs on the computer (except the Security event log).

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objInstalledLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")
For Each objLogfile in objInstalledLogFiles
    Wscript.Echo "Name: " & objLogfile.LogFileName
    Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
    ' OverWriteOutdated: 0 = overwrite as needed, 1-365 = after that many days,
    ' anything larger = never overwrite.
    If objLogfile.OverWriteOutdated > 365 Then
        Wscript.Echo "Overwrite Outdated Records: Never." & VbCrLf
    ElseIf objLogfile.OverWriteOutdated = 0 Then
        Wscript.Echo "Overwrite Outdated Records: As needed." & VbCrLf
    Else
        Wscript.Echo "Overwrite Outdated Records After: " & _
            objLogfile.OverWriteOutdated & " days" & VbCrLf
    End If
Next
Create a Custom Event Log

Description

Creates a custom event log named Scripts.

Script code

Const NO_VALUE = Empty
Set WshShell = WScript.CreateObject("WScript.Shell")
' Creating the key under the EventLog service registers a new log named Scripts.
WshShell.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\Scripts\", _
    NO_VALUE
Copy Event Log Events from the Previous Day to a Database

Description

Retrieves the events recorded on the previous day from all the event logs and writes those records to a database with the DSN name EventLogs. Requires Windows XP or Windows Server 2003.

Script code

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3    ' adUseClient
objRS.Open "SELECT * FROM EventTable", objConn, 3, 3    ' adOpenStatic, adLockOptimistic
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, True
dtmStartDate.SetVarDate DateToCheck, True
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
For Each objEvent in colEvents
    objRS.AddNew
    objRS("Category") = objEvent.Category
    objRS("ComputerName") = objEvent.ComputerName
    objRS("EventCode") = objEvent.EventCode
    objRS("Message") = objEvent.Message
    objRS("RecordNumber") = objEvent.RecordNumber
    objRS("SourceName") = objEvent.SourceName
    objRS("TimeWritten") = objEvent.TimeWritten
    objRS("Type") = objEvent.Type
    objRS("User") = objEvent.User
    objRS.Update
Next
objRS.Close
objConn.Close
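The two date-range scripts above (events on a given day, and the previous day's events copied to a database) depend on the DMTF datetime string that SWbemDateTime.SetVarDate produces with bIsLocal = True. This added Python example (not from the original post) builds and parses that format and applies the same half-open range to records locally; LOCAL_TZ (UTC+8) and the sample records are assumptions.

```python
"""DMTF datetime strings for WQL TimeWritten ranges.

Added example, not from the original post. SetVarDate with bIsLocal = True yields
'yyyymmddHHMMSS.mmmmmm+UUU': local time fields plus the zone offset in minutes.
LOCAL_TZ and SAMPLE_EVENTS are constructed for illustration.
"""
import re
from datetime import date, datetime, timedelta, timezone, tzinfo
from typing import Dict, List

LOCAL_TZ = timezone(timedelta(hours=8))   # assumed local zone
CHECK_DAY = date(2002, 2, 18)             # the date hard-coded in the script above

DMTF_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")


def to_dmtf(dt: datetime) -> str:
    """Format an aware datetime as DMTF: its own wall-clock fields and UTC offset."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    offset_min = int(dt.utcoffset().total_seconds()) // 60
    sign = "+" if offset_min >= 0 else "-"
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{sign}{abs(offset_min):03d}"


def from_dmtf(value: str) -> datetime:
    """Parse a DMTF string back into an aware datetime (the '*' wildcard form is rejected)."""
    m = DMTF_RE.match(value)
    if not m:
        raise ValueError(f"not a DMTF datetime: {value!r}")
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    delta = timedelta(minutes=int(off))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us),
                    tzinfo=timezone(delta if sign == "+" else -delta))


def day_bounds(day: date, tz: tzinfo):
    """Midnight starting `day` and midnight starting the following day, in zone `tz`."""
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    return start, start + timedelta(days=1)


def day_range_wql(day: date, tz: tzinfo, log_file: str = "") -> str:
    """The WQL the scripts above build: TimeWritten >= start and TimeWritten < end."""
    start, end = day_bounds(day, tz)
    where = f"TimeWritten >= '{to_dmtf(start)}' and TimeWritten < '{to_dmtf(end)}'"
    if log_file:
        where = f"Logfile = '{log_file}' and " + where
    return "Select * from Win32_NTLogEvent Where " + where


def events_on_day(records: List[Dict], day: date, tz: tzinfo) -> List[Dict]:
    """Apply the same half-open filter to exported records. Aware datetimes compare
    as instants, so a record stamped in another zone lands on the correct day."""
    start, end = day_bounds(day, tz)
    return [r for r in records if start <= from_dmtf(r["TimeWritten"]) < end]


# Constructed records, not real log data.
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "TimeWritten": "20020217235959.000000+480"},  # last second of the 17th
    {"RecordNumber": 2, "TimeWritten": "20020218000000.000000+480"},  # first instant of the 18th
    {"RecordNumber": 3, "TimeWritten": "20020218120000.000000+480"},
    {"RecordNumber": 4, "TimeWritten": "20020217160000.000000+000"},  # same instant as record 2
    {"RecordNumber": 5, "TimeWritten": "20020219000000.000000+480"},  # excluded: end is exclusive
]

if __name__ == "__main__":
    print(day_range_wql(CHECK_DAY, LOCAL_TZ))
    print([r["RecordNumber"] for r in events_on_day(SAMPLE_EVENTS, CHECK_DAY, LOCAL_TZ)])
```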
Copy Event Log Events to a Database

Description

Retrieves events from all the event logs and records them in a database with the DSN name EventLogs.

Script code

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3    ' adUseClient
objRS.Open "SELECT * FROM EventTable", objConn, 3, 3    ' adOpenStatic, adLockOptimistic
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent")
For Each objEvent in colRetrievedEvents
    objRS.AddNew
    objRS("Category") = objEvent.Category
    objRS("ComputerName") = objEvent.ComputerName
    objRS("EventCode") = objEvent.EventCode
    objRS("Message") = objEvent.Message
    objRS("RecordNumber") = objEvent.RecordNumber
    objRS("SourceName") = objEvent.SourceName
    objRS("TimeWritten") = objEvent.TimeWritten
    objRS("Type") = objEvent.Type
    objRS("User") = objEvent.User
    objRS.Update
Next
objRS.Close
objConn.Close
Configure Event Log Properties

Description

Sets the maximum size of all the logs to 250 MB and allows each log to overwrite any event older than 14 days.

Script code

strComputer = "."
' The Security privilege is needed so the Security log is included.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")
For Each objLogfile in colLogFiles
    strLogFileName = objLogfile.Name
    Set wmiSWbemObject = GetObject _
        ("winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2:" _
        & "Win32_NTEventlogFile.Name='" & strLogFileName & "'")
    wmiSWbemObject.MaxFileSize = 250000000    ' 250 MB, in bytes
    wmiSWbemObject.OverwriteOutdated = 14     ' days
    wmiSWbemObject.Put_
Next
Back Up and Clear Large Event Logs

Description

Backs up and clears an event log file if it is larger than 20 MB.

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup,Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")
For Each objLogfile in colLogFiles
    If objLogFile.FileSize > 20000000 Then    ' 20 MB, in bytes
        strBackupLog = objLogFile.BackupEventLog _
            ("c:\scripts\" & objLogFile.LogFileName & ".evt")
        objLogFile.ClearEventLog()
    End If
Next
Back Up and Clear an Event Log

Description

Backs up and clears the Application event log.

Script code

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
    strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")
For Each objLogfile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        objLogFile.ClearEventLog()    ' clear only after the backup succeeded
    End If
Next
Asynchronous Event Log Query

Description

Uses an asynchronous query to retrieve all the events from all the event logs. This method can be faster than a synchronous query when retrieving a large number of events.

Script code

Const POPUP_DURATION = 10
Const OK_BUTTON = 0
Set objWshShell = Wscript.CreateObject("Wscript.Shell")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Events are delivered to the SINK_ subroutines below as they arrive.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"
' The popup blocks for POPUP_DURATION seconds, keeping the script alive while
' the sink receives events.
intResult = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
    "Event Retrieval", OK_BUTTON)

Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
    WScript.Echo "Asynchronous operation is done."
End Sub

Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
End Sub
Add WMI Data to an Event Log Entry

Description

Writes an event that includes additional information, such as the user name and the amount of free disk space on the computer.

Script code

Const EVENT_FAILED = 2
Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colDiskDrives = objWMIService.ExecQuery _
    ("Select * from win32_perfformatteddata_perfdisk_logicaldisk")
strDriveSpace = ""
For Each objDisk in colDiskDrives
    ' Append each drive; a plain assignment would keep only the last drive.
    strDriveSpace = strDriveSpace & objDisk.Name & " " & objDisk.FreeMegabytes _
        & VbCrLf
Next
strEventDescription = "Payroll application could not be installed on " _
    & objNetwork.UserDomain & "\" & objNetwork.ComputerName _
    & " by user " & objNetwork.UserName _
    & ". Free space on each drive is: " & strDriveSpace
objShell.LogEvent EVENT_FAILED, strEventDescription
Add a Support URL to an Event Log Entry

Description

Writes an event that includes a support URL to the Application event log. Requires Windows XP or Windows Server 2003.

Script code

Const EVENT_FAILED = 1
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_FAILED, _
    "Payroll application could not be installed. " _
    & "Additional information is available from http://www.fabrikam.com."
