Read Information from Eventlog - KiXtart.org

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Advanced Scripting » Read Information from Eventlog

Page 1 of 1

Topic Options

#212750 - 2017-10-17 10:58 AM Read Information from Eventlog
stefanhfli stefanhfli Fresh Scripter Registered: 2015-01-29 Posts: 7 Loc: Germany	Hello, how can i read the information "BootTime", "MainPathBootTime", "BootPostBootTime" from the latest eventlog (Microsoft-Windows-Diagnostics-Performance/Operational) eventid 100 and write it into a txt file. Sorry for my englisch :-) Edited by stefanhfli (2017-10-17 11:25 AM)
Top

#212751 - 2017-10-17 11:33 AM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	Hi and welcome, for reading events try this udf by Jens: http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=189983 for writing Arrays to a file this function by Conrad always is handy: http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Board=7&Number=187759 Hope this gets you started. If any problems arise.. you know, just ask. _________________________
Top

#212752 - 2017-10-17 12:47 PM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli stefanhfli Fresh Scripter Registered: 2015-01-29 Posts: 7 Loc: Germany	I used these 2 Options with an example syntax: $array = ReadEventlog('Security',4732) $abs=WriteFile('c:\KIX\file.txt',$array) For this example i get an output in the file.txt. When i use the following syntax i don´t get an output and i don´t no why: $array = ReadEventlog('Microsoft-Windows-Diagnostics-Performance/Operational',100) $abs=WriteFile('c:\KIX\file.txt',$array)
Top

#212753 - 2017-10-17 12:56 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	To filter the last event you will need to pass a WQL query including TimeGenerated and your 3 parameters to Readeventlog() and sort the resulting array using one of the sorting functions in the UDF library $;\)$ _________________________
Top

#212754 - 2017-10-17 12:58 PM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	hmm ... let's try the WQL query first. Maybe Jens' function just works for the main event logs System, Security and Appication (as it was written in 2001) _________________________
Top

#212755 - 2017-10-17 01:03 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	as expected .. returns an empty string $\:\($ _________________________
Top

#212756 - 2017-10-17 01:05 PM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli stefanhfli Fresh Scripter Registered: 2015-01-29 Posts: 7 Loc: Germany	Ok thanks for your help. I think that is too complicated for me.
Top

#212757 - 2017-10-17 01:26 PM Re: Read Information from Eventlog [Re: stefanhfli]
stefanhfli stefanhfli Fresh Scripter Registered: 2015-01-29 Posts: 7 Loc: Germany	Is there no other way to get the 3 Informations?
Top

#212758 - 2017-10-17 01:48 PM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	easy.. I have 2 ways now. Please be patient. Will come back to you after my meeting $;\)$ _________________________
Top

#212762 - 2017-10-17 04:19 PM Re: Read Information from Eventlog [Re: Jochen]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	Ok, found something .. Win32_NTLogEvent class is not capable by default to read the new set of "Application and Services" logs introduced with Win7/Server 2008. There is a workaround creating a registry key (for each logfile its own) $\:\)$ (provided the user running the script has sufficient access) In your case it is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational Which is, to say the least, kinda annoying. Furthermore I only managed by now to get a direct request to ReadEventlog() to work for me. Like ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100) which is a pain to sort out as it returns a metric ton of data $\:D$ A WQL Query like this (tried of course other, simpler combinations) returns only empty strings Code: if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational") $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational") @error ?? endif $events = ReadEventlog('SELECT InsertionStrings FROM Win32_NTLogEvent WHERE Logfile="Microsoft-Windows-Diagnostics-Performance/Operational" AND EventCode=100') if ubound($events,1) > -1 "BootTime: " + split($events[0,0],@crlf)[5] ? "MainPathBootTime: " + split($events[0,0],@crlf)[6] ? "BootPostBootTime: " + split($events[0,0],@crlf)[19] ? endif get $ [Edit] the above query is of course nonsense. A quick peek at the class in wbemtest uncovers this. ~~Still, using the correct statements like TimeGenerated and Message returns nothing~~ [/Edit] [Edit2] Meh, InsertionStrings holds the information we're looking for. Edited code above is working now. Please Note that it will return only the latest event. Of course $events hold all available events but events[0,0] is the latest [/Edit2] Edited by Jochen (2017-10-18 09:47 AM) _________________________
Top

#212764 - 2017-10-17 05:10 PM

Re: Read Information from Eventlog [Re: Jochen]

Jochen Offline

KiX Supporter

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany

Allright allright,

in the end just splitting the correct array element by crlf peeking the correct positions and bam:

Code:

break on
$= setoption("WrapatEOL","ON")


if not keyexist("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    $ = addkey("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Microsoft-Windows-Diagnostics-Performance/Operational")
    @error ??
endif

$events = ReadEventlog("Microsoft-Windows-Diagnostics-Performance/Operational", 100)

if ubound($events,1) > -1
    "BootTime: " + split($events[0,7],@crlf)[5] ?
    "MainPathBootTime: " + split($events[0,7],@crlf)[6]   ?
    "BootPostBootTime: " + split($events[0,7],@crlf)[19]   ?
endif
get $

wonder if there is a more comfortable way using Powershell ... guess not!

_________________________

Top

#212766 - 2017-10-18 09:38 AM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli stefanhfli Fresh Scripter Registered: 2015-01-29 Posts: 7 Loc: Germany	Hello Jochen, thanks for your help, you are great. I have customized it for our environment and now i have what i want. Thanks !!!
Top

#212767 - 2017-10-18 09:44 AM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	You're welcome. Please take note on my edits on the try with WQL statement. Works now too $;\)$ _________________________
Top

#212800 - 2017-11-01 12:26 PM Re: Read Information from Eventlog [Re: Jochen]
stefanhfli stefanhfli Fresh Scripter Registered: 2015-01-29 Posts: 7 Loc: Germany	Hello Jochen, I need your help again. When i try to get the BootStartTime from the eventlog with "BootStartTime: " + split($events[0,7],@crlf)[1] ? i get an empty string.
Top

#212802 - 2017-11-01 05:16 PM Re: Read Information from Eventlog [Re: stefanhfli]
Jochen Jochen KiX Supporter Registered: 2000-03-17 Posts: 6380 Loc: Stuttgart, Germany	Hi again, doesn't work for me too. Same for BootEndTime $\:\($ For BootStartTime we can use the information from the Message column (9). Now it starts to get ugly. Note the split on ":[TAB]" and for format reasons the join split on ?/"". Next thing you need to know is that these are UTC times. so there will be a bit calculation work left for you to do. Code: "BootStartTime: " + join(split(split($events[0,9],": ")[4],'?'),'') ? _________________________
Top

Page 1 of 1

Previous Topic View All Topics

Index Next Topic

Moderator: Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Search the board with:
superb Board Search
or try with google:

	Web kixtart.org