
BCB-DG's Blog

...

 
 
 

日志

 
 

VBScript操作Windows的Event Log  

2011-04-19 11:15:00|  分类: Delphi |  标签: |举报 |字号 订阅

//轉

用 eventcreate 命令定制并写入 Event Log
' Writes a test Error event (ID 100) to the "Scripts" log by shelling out to
' the eventcreate command-line tool.
Dim objWshShell, strQuotedDescription, strEventCreateCmd

Set objWshShell = WScript.CreateObject("WScript.Shell")

' The /D text must be wrapped in double quotes; Chr(34) is the quote character.
' NOTE(review): the description is a fixed literal here. If it ever comes from
' outside the script, a quote inside it would end the /D argument early, so
' it should be validated before being placed on the command line.
strQuotedDescription = Chr(34) & "Test event." & Chr(34)
strEventCreateCmd = "eventcreate /T Error /ID 100 /L Scripts /D " & strQuotedDescription

' Run is called with its defaults: the script neither waits for eventcreate
' nor inspects its exit code, so a failed write goes unnoticed.
objWshShell.Run strEventCreateCmd

在本地机器上写入 Event Log
' Records a "success" entry in the local event log through WshShell.LogEvent.
Const EVENT_SUCCESS = 0    ' LogEvent type code for a SUCCESS entry

Dim objWshShell, strEventText

Set objWshShell = Wscript.CreateObject("Wscript.Shell")
strEventText = "Payroll application successfully installed."

' With no target argument, LogEvent writes to the machine running the script.
objWshShell.LogEvent EVENT_SUCCESS, strEventText

在远程机器上写入 Event Log
' Records a "success" entry in the event log of a remote machine through
' WshShell.LogEvent.
Const EVENT_SUCCESS = 0    ' LogEvent type code for a SUCCESS entry

Dim objWshShell, strEventText, strTargetHost

Set objWshShell = Wscript.CreateObject("Wscript.Shell")
strEventText = "Payroll application successfully installed."

' The third LogEvent argument names the computer whose log receives the entry.
' The return value is not checked, so a failed remote write is silent.
strTargetHost = "\\PrimaryServer"

objWshShell.LogEvent EVENT_SUCCESS, strEventText, strTargetHost

实时监控 Event
' Subscribes to WMI instance-creation notifications and echoes an alert each
' time a new event log record with EventCode 533 appears on the target machine.
Dim strComputer, strMoniker, strNotificationQuery
Dim objWMIService, colMonitoredEvents, objLatestEvent, strAlertToSend

strComputer = "."    ' "." = the local machine

' The (Security) privilege is requested in the moniker; WMI needs it to read
' records from the Security log.
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" _
    & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

' NOTE(review): 533 is the legacy (pre-Vista) Security-log ID for a logon
' refused because the account may not log on at this computer; newer Windows
' versions report failed logons under a different ID -- confirm for the target
' OS. The query does not filter on Logfile, so a 533 record from any log
' will also raise the alert.
strNotificationQuery = "Select * from __instancecreationevent where " _
    & "TargetInstance isa 'Win32_NTLogEvent' " _
    & "and TargetInstance.EventCode = '533' "
Set colMonitoredEvents = objWMIService.ExecNotificationQuery(strNotificationQuery)

' NextEvent is called without a timeout, so each iteration blocks until a
' matching record is written; the loop never exits on its own.
Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    strAlertToSend = objLatestEvent.TargetInstance.User _
        & " attempted to access DatabaseServer."
    Wscript.Echo strAlertToSend
Loop

修改 Event Log 的属性
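' Sets the maximum size and the overwrite-age policy on every event log of the
' target computer.
strComputer = "."    ' "." = the local machine

' The (Security) privilege is requested so the Security log can be modified
' along with the others.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
        strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile In colLogFiles
    ' Update the instance returned by the query directly. Re-binding each log
    ' through a second moniker hard-coded to \\.\ would ignore strComputer
    ' (always changing the local machine) and would not carry the (Security)
    ' privilege requested above.
    objLogfile.MaxFileSize = 2500000000    ' bytes

    ' Records older than 14 days may be overwritten once the log is full.
    ' NOTE(review): check this against the log-retention period the
    ' organisation requires before applying it to the Security log.
    objLogfile.OverwriteOutdated = 14

    objLogfile.Put_    ' commit the changed properties back to WMI
Next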

列出 System Event Log 的记录数
' Echoes how many records the System event log currently holds.
Dim strComputer, strMoniker, strLogQuery
Dim objWMIService, colLogFiles, objLogFile

strComputer = "."    ' "." = the local machine
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

' Only the log whose LogFileName is 'System' is selected.
strLogQuery = "Select * from Win32_NTEventLogFile where LogFileName='System'"
Set colLogFiles = objWMIService.ExecQuery(strLogQuery)

For Each objLogFile In colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next

列出指定条件的 Event
' Counts the System-log records with EventCode 6008 and reports the total as
' the number of improper shutdowns.
Dim strComputer, strMoniker, strEventQuery
Dim objWMIService, colLoggedEvents

strComputer = "."    ' "." = the local machine
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strEventQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
    & "EventCode = '6008'"
Set colLoggedEvents = objWMIService.ExecQuery(strEventQuery)

' Only the size of the result set is used; the records themselves are not read.
Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count

列出某一天的 Event Log
' Lists every event log record written on one specific day (all logs), echoing
' the main fields of each record.
Const CONVERT_TO_LOCAL_TIME = True

Dim dtmRangeStart, dtmRangeEnd, dtmTargetDay
Dim strComputer, strEventQuery, objWMIService, colEvents, objEvent

' SWbemDateTime converts VBScript dates into the datetime format WMI compares
' against in the query below.
Set dtmRangeStart = CreateObject("WbemScripting.SWbemDateTime")
Set dtmRangeEnd = CreateObject("WbemScripting.SWbemDateTime")

' NOTE(review): CDate parses this string according to the current locale.
dtmTargetDay = CDate("2/18/2002")
dtmRangeStart.SetVarDate dtmTargetDay, CONVERT_TO_LOCAL_TIME
dtmRangeEnd.SetVarDate dtmTargetDay + 1, CONVERT_TO_LOCAL_TIME

strComputer = "."    ' "." = the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Half-open range: start of the day (inclusive) to start of the next day
' (exclusive). Concatenating the SWbemDateTime objects uses their default
' property to obtain the datetime text.
strEventQuery = "Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmRangeStart & "' and TimeWritten < '" & dtmRangeEnd & "'"
Set colEvents = objWMIService.ExecQuery(strEventQuery)

For Each objEvent In colEvents
    With objEvent
        Wscript.Echo "Category: " & .Category
        Wscript.Echo "Computer Name: " & .ComputerName
        Wscript.Echo "Event Code: " & .EventCode
        Wscript.Echo "Message: " & .Message
        Wscript.Echo "Record Number: " & .RecordNumber
        Wscript.Echo "Source Name: " & .SourceName
        Wscript.Echo "Time Written: " & .TimeWritten
        Wscript.Echo "Event Type: " & .Type
        Wscript.Echo "User: " & .User
        Wscript.Echo .LogFile
    End With
Next

显示 Event Log 的属性
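' Echoes the name, maximum size and overwrite policy of every event log on the
' target computer.
strComputer = "."    ' "." = the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set objInstalledLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile In objInstalledLogFiles
    Wscript.Echo "Name: " & objLogfile.LogFileName
    Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize

    ' OverWriteOutdated is treated as a number of days: a value above 365 is
    ' reported as "never overwrite", 0 as "overwrite as needed".
    If objLogfile.OverWriteOutdated > 365 Then
        Wscript.Echo "Overwrite Outdated Records: Never."
    ElseIf objLogfile.OverWriteOutdated = 0 Then
        Wscript.Echo "Overwrite Outdated Records: As needed."
    Else
        ' The stray trailing "&" after " days" was a syntax error that stopped
        ' the script from running; it has been removed.
        Wscript.Echo "Overwrite Outdated Records After: " & _
            objLogfile.OverWriteOutdated & " days"
    End If
Next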

显示所有 Stop 事件(System 日志中来源为 SaveDump 的记录)
' Lists the date and description of every System-log record whose source is
' 'SaveDump'.
Dim strComputer, strMoniker, strEventQuery
Dim objWMIService, colLoggedEvents, objEvent

strComputer = "."    ' "." = the local machine
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strEventQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System'" _
    & " and SourceName = 'SaveDump'"
Set colLoggedEvents = objWMIService.ExecQuery(strEventQuery)

For Each objEvent In colLoggedEvents
    With objEvent
        Wscript.Echo "Event date: " & .TimeGenerated
        Wscript.Echo "Description: " & .Message
    End With
Next

创建 Event Log 的备份文件
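' Backs up the Application event log to a date-stamped .evt file under
' c:\scripts\ and clears the log only when the backup succeeded.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)

' File name prefix is year_month_day (month and day are not zero-padded).
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay

strComputer = "."    ' "." = the local machine

' The (Backup) privilege is requested in the moniker for BackupEventLog.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" & _
        strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")

For Each objLogfile In colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\" & strBackupName & _
        "_application.evt")

    ' Clearing after a failed backup would destroy the only copy of the
    ' records, so the log is cleared only when BackupEventLog returns 0.
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        objLogFile.ClearEventLog()
    End If
Next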

创建自定义的 Event Log
' Creates the registry key for a custom event log named "Scripts" under the
' EventLog service.
Const NO_VALUE = Empty

Dim objShell, strLogKeyPath

Set objShell = WScript.CreateObject("WScript.Shell")

' The trailing backslash makes RegWrite create a key rather than a named value.
' Writing under HKLM requires an account with administrative rights.
strLogKeyPath = "HKLM\System\CurrentControlSet\Services\EventLog\Scripts\"

objShell.RegWrite strLogKeyPath, NO_VALUE

把昨日的 Event Log 导入数据库
' Copies every event log record written yesterday into the EventTable table of
' the database behind the "EventLogs" DSN.

' ADO enumeration values, named here instead of the bare 3s.
Const adUseClient = 3
Const adOpenStatic = 3
Const adLockOptimistic = 3

Dim objConn, objRS, dtmRangeStart, dtmRangeEnd, dtmYesterday
Dim strComputer, strEventQuery, objWMIService, colEvents, objEvent

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")

objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = adUseClient
objRS.Open "SELECT * FROM EventTable" , objConn, adOpenStatic, adLockOptimistic

Set dtmRangeStart = CreateObject("WbemScripting.SWbemDateTime")
Set dtmRangeEnd = CreateObject("WbemScripting.SWbemDateTime")

' Range is yesterday 00:00 (inclusive) to today 00:00 (exclusive); True asks
' SetVarDate to treat the values as local time.
dtmYesterday = Date - 1
dtmRangeEnd.SetVarDate Date, True
dtmRangeStart.SetVarDate dtmYesterday, True

strComputer = "."    ' "." = the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

strEventQuery = "Select * from Win32_NTLogEvent Where TimeWritten >= '" _
    & dtmRangeStart & "' and TimeWritten < '" & dtmRangeEnd & "'"
Set colEvents = objWMIService.ExecQuery(strEventQuery)

' Event text is assigned to recordset fields rather than concatenated into an
' SQL statement, so message contents are never interpreted as SQL.
' NOTE(review): there is no error handling or de-duplication; a failure part
' way through leaves a partial import, and a re-run inserts the rows again.
For Each objEvent In colEvents
    objRS.AddNew
    With objEvent
        objRS("Category") = .Category
        objRS("ComputerName") = .ComputerName
        objRS("EventCode") = .EventCode
        objRS("Message") = .Message
        objRS("RecordNumber") = .RecordNumber
        objRS("SourceName") = .SourceName
        objRS("TimeWritten") = .TimeWritten
        objRS("Type") = .Type
        objRS("User") = .User
    End With
    objRS.Update
Next

objRS.Close
objConn.Close

备份并清除大的 Event Log
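' Backs up every event log larger than 100000 bytes to c:\scripts\<log>.evt
' and clears a log only when its backup succeeded.
strComputer = "."    ' "." = the local machine

' (Backup) is requested for BackupEventLog, (Security) so the Security log is
' reachable as well.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile In colLogFiles
    If objLogFile.FileSize > 100000 Then
        strBackupLog = objLogFile.BackupEventLog _
            ("c:\scripts\" & objLogFile.LogFileName & ".evt")

        ' The return code was previously stored but never examined, so a log
        ' was cleared even when its backup had failed. Clear only on 0.
        ' NOTE(review): the backup file name is fixed per log, so a file left
        ' by an earlier run may make the backup fail; move or rename old
        ' backups before re-running.
        If strBackupLog <> 0 Then
            Wscript.Echo "The " & objLogFile.LogFileName & _
                " event log could not be backed up."
        Else
            objLogFile.ClearEventLog()
        End If
    End If
Next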

备份并清除某一个Event Log
' Backs up the Application event log to c:\scripts\application.evt and clears
' it, but only if the backup call reported success.
Dim strComputer, strMoniker, strLogQuery, strBackupPath
Dim objWMIService, colLogFiles, objLogFile, intBackupResult

strComputer = "."    ' "." = the local machine

' The (Backup) privilege is requested in the moniker for BackupEventLog.
strMoniker = "winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!\\" _
    & strComputer & "\root\cimv2"
Set objWMIService = GetObject(strMoniker)

strLogQuery = "Select * from Win32_NTEventLogFile where LogFileName='Application'"
Set colLogFiles = objWMIService.ExecQuery(strLogQuery)

strBackupPath = "c:\scripts\application.evt"

For Each objLogFile In colLogFiles
    intBackupResult = objLogFile.BackupEventLog(strBackupPath)

    ' A return value of 0 is treated as success; anything else leaves the log
    ' untouched so no records are lost.
    If intBackupResult = 0 Then
        objLogFile.ClearEventLog()
    Else
        Wscript.Echo "The Application event log could not be backed up."
    End If
Next

把 WMI 数据加入到 Event Log
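' Logs a failure event whose description includes the domain, computer and
' user names plus the free space (in MB) of each logical disk reported by WMI.
Const EVENT_FAILED = 2    ' type code passed to LogEvent for this entry

Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")

strComputer = "."    ' "." = the local machine
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colDiskDrives = objWMIService.ExecQuery _
    ("Select * from win32_perfformatteddata_perfdisk_logicaldisk")

' Append one "name free-MB" line per instance. Assigning instead of appending
' kept only the last instance, although the message promises every drive.
strDriveSpace = ""
For Each objDisk In colDiskDrives
    strDriveSpace = strDriveSpace & objDisk.Name & " " & objDisk.FreeMegabytes _
        & VbCrLf
Next

strEventDescription = "Payroll application could not be installed on " _
    & objNetwork.UserDomain & "\" & objNetwork.ComputerName _
        & " by user " & objNetwork.UserName & _
            ". Free space on each drive is: " & strDriveSpace

objShell.LogEvent EVENT_FAILED, strEventDescription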
 
 
 
 
 
 
 
 
 
 
 
 
 
 
