MightyR1
To get the last message (thanks Jens for the UDF):

Break on
$rc = SetOption(wrapateol, 'on')
; Column 9 of the returned array is the Message field (see the column list in the
; UDF header below), so [0,9] is the Message of the first event returned.
; NOTE(review): ReadEventlog returns '' when nothing matched, so this index is unguarded.
$events = ReadEventlog('system', 26)
$ = $events[0,9] ? $
Exit 0

;FUNCTION      ReadEventlog()
;
;ACTION        Retrieves events from the eventlog
;
;AUTHOR        Jens Meyer
;
;VERSION       1.5
;
;KIXTART VER   4.20
;
;SYNTAX        RETCODE = READEVENTLOG(EVENTLOG, EVENTID, OPTIONAL COMPUTER, OPTIONAL DATETIME,
;                                     OPTIONAL USERNAME, OPTIONAL PASSWORD)
;
;PARAMETERS    EVENTLOG
;                Name of the eventlog, e.g. 'Security', 'System', 'Application'
;                Alternatively, a custom WQL query can be provided (any value starting
;                with 'select' is executed as raw WQL, so do not pass untrusted strings
;                here). Date fields in a WQL query MUST be properly formatted as
;                YYYY/MM/DD HH:MM:SS:000
;                NOTE(review): the EVENTID path below builds a CIM datetime
;                (yyyymmddHHMMSS.000000 + offset) instead - confirm which format WMI accepts.
;
;              EVENTID
;                Event ID number to be retrieved. Effectively required for the log-name
;                form: an omitted value goes through Val() and becomes EventCode=0.
;
;              COMPUTER
;                optional name of a remote computer whose eventlog is to be queried. If no
;                username/password is provided then the current user's credentials will be
;                used to connect to the remote event log.
;
;              DATETIME
;                optional date/time string denoting the start date of the events in
;                the form of YYYY/MM/DD HH:MM:SS, YYYY/MM/DD, or HH:MM:SS
;
;              USERNAME
;                optional username which will be used to connect to a remote computer
;
;              PASSWORD
;                optional password which will be used to connect to the remote computer.
;                It is handed to SWbemLocator.ConnectServer as given; avoid hard-coding
;                credentials in scripts that others can read.
;
;RETURN        array of events or empty string
;
;REMARKS       returns a 2-dimensional array with the following columns. If custom WQL is
;              used, then the SELECT part of the custom WQL determines which fields are
;              kept. NOTE(review): columns are filled in the order WMI enumerates
;              Properties_, not necessarily in SELECT order - confirm before relying on it.
;
;              Column  0 = Category
;              Column  1 = CategoryString
;              Column  2 = ComputerName
;              Column  3 = Data
;              Column  4 = EventCode
;              Column  5 = EventIdentifier
;              Column  6 = EventType
;              Column  7 = InsertionStrings
;              Column  8 = Logfile
;              Column  9 = Message
;              Column 10 = RecordNumber
;              Column 11 = Source Name
;              Column 12 = TimeGenerated
;              Column 13 = TimeWritten
;              Column 14 = Type
;              Column 15 = User
;
;DEPENDENCIES  WMI
;
;EXAMPLE       (argument order follows the Function line below: eventlog, eventid, computer, datetime, username, password)
;              $events = ReadEventlog('Security',528)
;              $events = ReadEventlog('Security',528,'COMPUTER')
;              $events = ReadEventlog('Security',528,'COMPUTER','2002/09/01 00:00:00','Administrator','password')
;              $events = ReadEventlog('SELECT TimeGenerated, User FROM Win32_NTLogEvent
;                                      WHERE Logfile="Security" AND EventCode=528 AND
;                                      TimeGenerated>="2002/09/01 00:00:00:000"')
;
;KIXTART BBS   http://www.kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=12&t=000270
;
Function ReadEventlog($eventlog, optional $eventid, optional $computer, optional $datetime, optional $username, optional $Password)
  ; $objWMIResultsCopy, $field, $querydate, $querytime are declared but never used;
  ; $objWMIService is only ever reset to 0.
  Dim $objLocator, $objWBEM, $objWMIResults, $namespace, $objWMIResultsCopy
  Dim $event, $item, $wqlQuery, $eventarray, $itemname, $itemvalue
  Dim $customwql, $customfields, $field
  Dim $rownumber, $arrayrows, $arraycolumns, $columnnumber
  Dim $byte, $datastring, $date, $time, $querydate, $querytime, $timezone
  Dim $objWMIService, $colItems, $objItem

  $namespace = 'root\CIMV2'
  ; result buffer grows in chunks of this many rows (see the first For Each below)
  $arrayrows = 50

  ; no log name / query: fail with 87 (Win32 ERROR_INVALID_PARAMETER)
  If Trim($eventlog) = ''
    Exit 87
  EndIf

  ; check to see whether we're connecting to a local or remote eventlog:
  ; the local name or an empty value becomes '.', anything else is treated as remote
  $computer = Trim($computer)
  Select
    Case $computer = @WKSTA
      $computer = '.'
    Case $computer
      ; remote computer name given: keep it
    Case 1
      $computer = '.'
  EndSelect

  ; explicit credentials are only used for a remote computer; a local query always
  ; runs as the current user
  If $username AND $computer <> '.'
    ; create locator object for connection to a remote computer
    $objLocator = CreateObject('WbemScripting.SWbemLocator')
    If @ERROR
      Exit @ERROR
    EndIf
    ; create a (credentialed, if username/password provided) connection to a remote computer
    $objWBEM = $objLocator.ConnectServer($computer, $namespace, $username, $Password)
    If @ERROR
      Exit @ERROR
    EndIf
    ; set the impersonation level (3 = wbemImpersonationLevelImpersonate)
    $objWBEM.Security_.ImpersonationLevel = 3
    If @ERROR
      Exit @ERROR
    EndIf
  Else
    ; set the impersonation level and make sure we have security permissions:
    ; reading the Security log needs the (Security) privilege in the moniker, so it is
    ; only requested when the log name, or a custom query on Logfile, mentions 'Security'
    If $eventlog = 'Security' OR (Left($eventlog,6) = 'select' AND InStr($eventlog,'Security') AND InStr($eventlog,'Logfile'))
      $objWBEM = GetObject('winmgmts:{impersonationLevel=impersonate, (Security)}!\\' + $computer + '\' + $namespace)
    Else
      $objWBEM = GetObject('winmgmts:{impersonationLevel=impersonate}!\\' + $computer + '\' + $namespace)
    EndIf
    If @ERROR
      Exit @ERROR
    EndIf
  EndIf

  ; check to see whether we're looking for an event ID or if there's a custom query
  ; (assumes KiXtart's default case-insensitive string comparison for 'select')
  If Left($eventlog,6) = 'select'
    $wqlquery = $eventlog
    ; take the text between the first blank and 'FROM' as the column list
    $arraycolumns = Trim(SubStr($wqlquery, InStr($wqlquery,' ')+1, InStr($wqlquery,'FROM')-InStr($wqlquery,' ')-2))
    If InStr($arraycolumns,'*')
      ; SELECT * behaves like the fixed 16-column layout
      $arraycolumns = 16
      $customwql = 0
    Else
      ; explicit column list: keep only these property names when filling the array
      $customfields = Split(Trim($arraycolumns),',')
      For $arraycolumns = 0 to Ubound($customfields)
        $customfields[$arraycolumns] = Trim($customfields[$arraycolumns])
      Next
      $arraycolumns = Ubound($customfields)+1
      $customwql = 1
    EndIf
  Else
    $customwql = 0
    $arraycolumns = 16
    $eventid = Val($eventid)
    ; NOTE(review): $eventlog is concatenated into the WQL unescaped; a quote in the log
    ; name breaks the query. EventCode is numeric via Val(), so only the log name needs care.
    $wqlQuery = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='" + $eventlog + "' AND EventCode=" + Val($eventID)
    If $datetime
      ; the queried machine's UTC offset (minutes) is appended to the CIM datetime below
      $colItems = $objWBEM.ExecQuery('Select CurrentTimeZone from Win32_ComputerSystem')
      If @ERROR
        Exit @ERROR
      EndIf
      For Each $objItem In $colItems
        $timezone = $objItem.CurrentTimeZone
      Next
      $objWMIService = 0
      $colItems = 0
      $objItem = 0
      ; split the caller's start time into date and time parts, defaulting the
      ; missing part to today / midnight / now
      $datetime = Trim($datetime)
      Select
        Case InStr($datetime,' ')
          $date = Left($datetime, InStr($datetime,' ')-1)
          $time = SubStr($datetime, InStr($datetime,' ')+1)
        Case InStr($datetime,'/')
          $date = $datetime
          $time = '00:00:00'
        Case InStr($datetime,':')
          $date = @DATE
          $time = $datetime
        Case 1
          $date = @DATE
          $time = @TIME
      EndSelect
      If $date AND $time
        ; build yyyymmddHHMMSS.000000<offset> for the WQL comparison
        ; NOTE(review): a CIM datetime offset is signed and three digits (e.g. +060);
        ; a positive CurrentTimeZone such as 60 is appended as '60' here - confirm
        ; the resulting string is accepted by WMI.
        $datetime = Join(Split($date,'/'),'') + Join(Split($time,':'),'') + '.000000' + $timezone
      Else
        $datetime = ''
      EndIf
      $wqlQuery = $wqlQuery + ' AND TimeGenerated>="' + $datetime + '"'
    EndIf
  EndIf

  ; 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
  $objWMIResults = $objWBEM.ExecQuery($wqlQuery, 'WQL', 48)
  If @ERROR
    Exit @ERROR
  EndIf

  ; first pass: collect each event's property collection, growing the buffer
  ; by $arrayrows whenever it fills up
  $rownumber = 0
  $columnnumber = 0
  For Each $event In $objWMIResults
    If $rownumber mod $arrayrows = 0
      ReDim preserve $eventarray[$rownumber + $arrayrows]
    EndIf
    $eventarray[$rownumber] = $event.Properties_
    $rownumber = $rownumber + 1
  Next

  ; trim the buffer to the rows actually used, or return '' when nothing matched
  If $rownumber
    ReDim preserve $eventarray[$rownumber - 1]
  Else
    $ReadEventlog = ''
    Return
  EndIf

  ; second pass: copy the properties into the 2-dimensional result array
  ReDim $readeventlog[$rownumber - 1, $arraycolumns - 1]
  $rownumber = 0
  For Each $event In $eventarray
    $columnnumber = 0
    For Each $item In $event
      $itemname = $item.name
      $itemvalue = $item.value
      ; keep every property for the fixed layout, only the selected ones for custom WQL
      If $customwql = 0 OR AScan($customfields, $itemname) + 1
        Select
          Case $itemname = 'Data'
            ; Data is a byte array: render it as text, NUL bytes shown as '.' (Chr(46))
            $datastring = ''
            For Each $byte In $item.value
              If $byte = 0
                $byte = 46
              EndIf
              $datastring = $datastring + Chr($byte)
            Next
            $readeventlog[$rownumber, $columnnumber] = $datastring
          Case $itemname = 'InsertionStrings'
            ; string array: one insertion string per line
            $readeventlog[$rownumber, $columnnumber] = Join($itemValue, @CRLF)
          Case $itemname = 'TimeGenerated' OR $itemName = 'TimeWritten'
            ; reformat the CIM datetime yyyymmddHHMMSS... as 'yyyy/mm/dd HH:MM:SS'
            $time = Left($itemValue,4) + '/' + SubStr($itemValue,5,2) + '/' + SubStr($itemValue,7,2) + ' '
            $time = $time + SubStr($itemValue,9,2) + ':' + SubStr($itemValue,11,2) + ':' + SubStr($itemValue,13,2)
            $readeventlog[$rownumber, $columnnumber] = $time
          Case 1
            $readeventlog[$rownumber, $columnnumber] = $itemValue
        EndSelect
        $columnnumber = $columnnumber + 1
      EndIf
    Next
    $rownumber = $rownumber + 1
  Next

  ; release the COM references before returning
  $objWMIResults = 0
  $objWBEM = 0
  $objLocator = 0
  Exit 0
EndFunction

{edit} Apolagies for the long lines... [ 26.
September 2003, 07:28: Message edited by: MightyR1 ]