#197504 - 2010-01-22 11:09 PM
event log
|
Hari_Kata
Fresh Scripter
Registered: 2008-01-20
Posts: 5
Loc: KL
|
Hi
$_objWMIQuery="SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' and EventCode=10005"
$_colItems = $_objWMIService.ExecQuery($_objWMIQuery,,48)
If @ERROR $_colItems = 0 Exit Val('&' + Right(DecToHex(@ERROR), 4)) EndIf
For Each $_objItem In $_colItems
?$_objItem.Message
Next
$_colItems = 0
The above-mentioned code displays the following output.
"COM got error "%1058" attempting to start the service wuauserv with arguments " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
whereas the actual message in the system event log is as follows.
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
How can I display the whole message correctly?
#197505 - 2010-01-22 11:52 PM
Re: event log
[Re: Hari_Kata]
|
Kdyer
KiX Supporter
   
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Hari,
I initially thought you did not include the GetObject, and you did not, but now understand what is going on..
BREAK ON
CLS
$_strComputer = "."
$_objWMIService = GetObject("winmgmts:\\" + $_strComputer + "\root\CIMV2")
$_objWMIQuery="SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' and EventCode=10005"
$_colItems = $_objWMIService.ExecQuery($_objWMIQuery,,48)
If @ERROR $_colItems = 0 Exit Val('&' + Right(DecToHex(@ERROR), 4)) EndIf
For Each $_objItem In $_colItems
?$_objItem.Message
Next
$_colItems = 0
?'Press a key..'
get $
Yep.. Running this through the "Scripting Guys: Script-O-Matic" we get the same thing..
Category: 0
CategoryString:
ComputerName: COMPUTER-DYER
Data:
EventCode: 10005
EventIdentifier: -1073731819
EventType: 1
InsertionStrings: 1053,WSearch,,{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
Logfile: System
Message: DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
RecordNumber: 1966
SourceName: DCOM
TimeGenerated: 8/14/2009 11:01:09 AM
TimeWritten: 8/14/2009 11:01:09 AM
Type: error
User: NT AUTHORITY\SYSTEM
Oh, and BTW, you may want to look for WMIQuery over in the UDF Section as well..
Also, here is a script I put together that I use to e-mail yesterday's Event Log errors every day. It is in VBScript -
Option Explicit
Dim wbemFlagReturnImmediately, wbemFlagForwardOnly, IFlags
Dim strComputer, yMonth, yDay, cyYear, yyYear, DateToCheck
Dim objWMIService, dtmStartDate, dtmEndDate, DataList, colLoggedEvents
Dim AttDoc, FileSystem, oFile, objEvent, Message
Const CONVERT_TO_LOCAL_TIME = True
Const adVarChar = 200
'Const MaxCharacters = 900
wbemFlagReturnImmediately = 16
wbemFlagForwardOnly = 32
IFlags = wbemFlagReturnImmediately + wbemFlagForwardOnly
On Error Resume Next
strComputer = "."
'Connect To WMI
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
yMonth = Right(100 + Month(Date() - 1), 2)
yDay = Right(100 + Day(Date() - 1), 2)
cyYear = Left(Year(Date() - 1), 2)
yyYear = Right(100 + Year(Date() - 1), 2)
DateToCheck = Date()
' Unused leftover: dt_name and Starttm are never declared (Option Explicit) or used
'dt_name = Left(Starttm,2) & Mid(Starttm,4,2) & Mid(Starttm,7,4)
'Get yesterday In UTC
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateToCheck - 1, CONVERT_TO_LOCAL_TIME
'Get Today In UTC
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
dtmEndDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
' Create disconnected dataset To sort found events by Time
' the WMI scan collects events from newest To oldest
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "TimeGenerated", adVarChar, 50
DataList.Fields.Append "EventCode", adVarChar, 10
DataList.Fields.Append "Logfile", adVarChar, 50
DataList.Fields.Append "Type", adVarChar, 50
DataList.Fields.Append "Message", adVarChar, 8192
DataList.Open
Set colLoggedEvents = objWMIService.ExecQuery _
( "Select * From Win32_NTLogEvent Where Logfile = 'Application' " & _
"And TimeWritten >= '" & _
dtmStartDate & _
"' And TimeWritten < '" & _
dtmEndDate & _
"'",, IFlags )
'EventType Value = Meaning
' 1 = Error
' 2 = Warning
' 3 = Information
' 4 = Security Success
' 5 = Security Failure
' 8 = Security audit success
' 16 = Security audit failure
'CCYYMMDD.csv
AttDoc = cyYear & yyYear & yMonth & yDay & ".csv"
Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set oFile = FileSystem.CreateTextFile(AttDoc, True)
' Event properties are:
' objEvent
' Category
' CategoryString
' ComputerName
' Data
' EventCode
' EventIdentifier
' EventType
' InsertionStrings
' Logfile
' Message = DESCRIPTION
' RecordNumber
' SourceName
' TimeGenerated
' TimeWritten
' Type
' User
' -- Write a header to the logfile
oFile.WriteLine("TimeGenerated,EventCode,LogFile,Type,Message")
' -- Build the RecordSet
For Each objEvent In colLoggedEvents
    'Wscript.Echo objEvent.TimeGenerated
    DataList.AddNew
    DataList("TimeGenerated") = objEvent.TimeGenerated
    DataList("EventCode") = objEvent.EventCode
    DataList("Logfile") = objEvent.Logfile
    DataList("Type") = objEvent.Type
    ' Guard against a Null Message so Replace() does not fail silently
    Message = objEvent.Message & ""
    ' Flatten line breaks so each event stays on one CSV row
    Message = Replace(Message, vbCrLf, " ")
    Message = Replace(Message, vbLf, " ")
    Message = Trim(Message)
    ' Double embedded quotes and always quote the field:
    ' event messages routinely contain commas and quotes
    Message = Chr(34) & Replace(Message, Chr(34), Chr(34) & Chr(34)) & Chr(34)
    DataList("Message") = Message
    DataList.Update
Next
DataList.Sort = "TimeGenerated"
'DataList.Sort = "strRecordNumber"
DataList.MoveFirst 'oldest to newest
Do Until DataList.EOF
    'DataList.MoveLast 'newest to oldest
    'Do Until DataList.BOF
    oFile.WriteLine(evtdatetime(DataList.Fields.Item("TimeGenerated")) & "," & _
        DataList.Fields.Item("EventCode") & _
        "," & _
        DataList.Fields.Item("Logfile") & _
        "," & _
        DataList.Fields.Item("Type") & _
        "," & _
        DataList.Fields.Item("Message"))
    DataList.MoveNext
    ' - original - Loop
    'DataList.MovePrevious
Loop
WScript.Echo "Done!!"
WScript.quit
Function evtdatetime(evttime)
    Dim tmGen, dtPart, tmPart
    tmGen = Left(evttime, 14)
    dtPart = Left(tmGen, 8)
    tmPart = Right(tmGen, 6)
    evtdatetime = Mid(dtPart, 5, 2) & "/" & Right(dtPart, 2) & "/" & Left(dtPart, 4) & " " & _
        Left(tmPart, 2) & ":" & Mid(tmPart, 3, 2) & ":" & Right(tmPart, 2)
End Function
HTH,
Kent
Edited by Kdyer (2010-01-23 12:24 AM)
#197506 - 2010-01-23 01:05 AM
Re: event log
[Re: Kdyer]
|
Hari_Kata
Fresh Scripter
Registered: 2008-01-20
Posts: 5
Loc: KL
|
Kdyer,
Checked the code with WMIQuery UDF. But no go. Same output as my code.
From previous posts, Glenn played with event logs.
Glenn,
Any help from your side in this issue ...............
#197510 - 2010-01-23 02:51 PM
Re: event log
[Re: Glenn Barnas]
|
Hari_Kata
Fresh Scripter
Registered: 2008-01-20
Posts: 5
Loc: KL
|
Kdyer,
I ran your VBScript for my event. It is also giving the wrong output, as my code does.
Found that the script is unable to get the string which is in between the " characters. It just omits the part in between or gives something else.
Now my question is, how can I check if " is present in a string?
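
An added example, not part of any post in this thread and not the posters' code: the "%1058" and "%1053" tokens in the WMI output above are numeric placeholders that WMI returned unexpanded, and the text Event Viewer shows for 1058 is the Win32 system message for that error code. The sketch below expands such tokens after the query; `Resolve-EventMessage` is a hypothetical helper name, and it assumes the number is a Win32 error code, as it is for these DCOM 10005 events.

```powershell
# Added example (not from the thread). Resolve-EventMessage is a hypothetical helper name.
# Assumption: a %NNNN token left in Win32_NTLogEvent.Message is a Win32 error code,
# as in the DCOM 10005 events above (1058, 1053).

function Resolve-EventMessage {
    param([string]$Message)

    # Match %1058 or %%1058: one to five digits, not followed by another digit.
    $pattern = '%%?(\d{1,5})(?!\d)'

    [regex]::Replace($Message, $pattern, {
        param($m)
        $code = [int]$m.Groups[1].Value
        # Win32Exception looks up the system message text for the code.
        $text = (New-Object System.ComponentModel.Win32Exception $code).Message
        if ($text -like 'Unknown error*') {
            $m.Value        # no system text for this code (English check): keep the token
        } else {
            $text.Trim()
        }
    })
}

# Constructed sample, based on the message text WMI returned in the first post.
$sample = 'DCOM got error "%1058" attempting to start the service wuauserv ' +
          'with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}'
Resolve-EventMessage $sample

# Live use with the thread's query (Windows PowerShell; needs read access to the System log).
Get-WmiObject -Query "SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' AND EventCode=10005" |
    ForEach-Object { Resolve-EventMessage $_.Message }
```

Tokens that do not map to a system message are left as they are, so a remaining "%NNNN" in the output marks an event whose description still needs a manual lookup.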