Event Log Monitor

Post by **Marcus Tettmar** » Sun Nov 18, 2007 8:56 pm

The following script demonstrates a simple Event Log monitor. The script can be set with the event log and event code to watch and then scheduled to run periodically. When a new matching event is found the script will send an email indicating how many matches were found.

Code: Select all

//Config
Let>LogFile=System
//Event code 6008 is "Unexpected Shutdowns"
Let>EventCode=6008
Let>iniFile=%SCRIPT_DIR%\EventMonitor.ini
Let>mailserver=mail.host.com
Let>[email protected]

VBSTART
Function ReadEventLog(LogFile,Code)
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = '" & LogFile & "' and EventCode = '" & Code & "'")
  ReadEventLog = colLoggedEvents.Count
End Function
VBEND

//Get current event count
VBEval>ReadEventLog("%LogFile%","%EventCode%"),locCount

//Get stored  value from ini file
IfFileExists>iniFile
  ReadIniFile>iniFile,LogFile,EventCode,storeCount
  If>storeCount>locCount
    Let>newCount=locCount-storeCount
    SMTPSendMail>recipient,mailserver,[email protected],Event Monitor,Event %EventCode% Detected,%newCount% Events of Type %EventCode% Detected in log: %LogFile%
  Endif
Else
  //first time we've run, create INI file
  WriteLn>iniFile,r,
Endif

//Store current count
EditIniFile>iniFile,LogFile,EventCode,locCount

Modify the config section for the event log and event code to monitor and the email settings to send the notification email with. If your mail server requires authentication you will need to add in SMTP_AUTH etc.

Schedule the script to run at the required intervals. Use different versions of the script for different event types (or consider modularising with the Include statement to avoid duplication).

The script could be modified to pop up a message box instead/as well as send an email, or run another script or application ... or do whatever is required.

alanimal · Post by **alanimal** » Wed Oct 17, 2012 12:21 am

Excellent script thanks Marcus!!

I am currently using it, and I was wanting to know if it is it possible to scan the windows event logs of other servers?

Rather than having to install MS on all my servers - I prefer to have the one server doing all the monitoring.

I have 5 servers on the same network - and if I can check all their event logs as well that would be ideal.

Post by **Marcus Tettmar** » Wed Oct 17, 2012 11:54 am

Look at this line:

winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2

Replace . with another computer name ....

http://msdn.microsoft.com/en-us/library ... s.85).aspx

alanimal · Post by **alanimal** » Wed Oct 17, 2012 9:54 pm

Thanks Marcus,

so, the code is

Code: Select all

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

If I set this to (servername = ITSDEV)

Code: Select all

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\&ITSDEV&\root\cimv2")

I think my syntax is wrong perhaps? I get an error

Microsoft VBScript runtime error: 462
The Remote server machine does not exist or is unavailable: 'GetObject'
Line 10, column 2

There are no network or permission issues as that has been sorted - I am sure it is just my coding.[/img]

alanimal · Post by **alanimal** » Thu Oct 18, 2012 12:31 am

ok, sorted now

Code: Select all

VBSTART
strComputer = "ITSDEV"
Function ReadEventLog(LogFile,Code)
  Set objWMIService = GetObject("winmgmts:"&"{impersonationLevel=impersonate}!\\"&strComputer&"\root\cimv2")
  Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = '" & LogFile & "' and EventCode = '" & Code & "'")
  ReadEventLog = colLoggedEvents.Count
End Function
VBEND

Event Log Monitor

Event Log Monitor

Multiple Server Support?