Search 85,008 posts and 643 resources contributed by 42,757 members or post a topic.

Already Joined? Sign in
Event Viewer script for win2000 servers

Page 1 of 1 (3 items) | RSS

rated by 0 users
Answered (Verified) This post has 1 verified answer | 2 Replies | 2 Followers | 578 Views


53 Posts
Points 199
timf posted on Fri, Apr 3 2009 4:58 PM
rated by 0 users

I was able to get the event log counter vbscript to work with all of my windows 2003 servers. 

Has anyone been able to get it to work with windows 2000 server?  The script I am using to look for a event log comes up with the following error when I run it, even from a command prompt:

Error 0x80041010

Code 40041010

Source:  (null) 

The line that it indicates is an issue is:

Set oSvc = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\default")

Please note that I tried changing the \root\civ2  which seems to be the wmi settings on a win2k3 box, to \root\default which seems to fit a win2000 server.     Any thoughts of why this is failing? 

 

My entire script is:

Option Explicit
const INVALID_PARAMS = 1, SUCCESS = 0, FAIL = 1
Dim oColEvents, oSvc, lst_args
Dim strComputer, strEventArea , strEventID,strEventType, intEventID, strEventSource, strLoggedByUser, strTimeSpanMins, strFindExclusionText, strFindMatchText, strSQL, strSuffix
Dim arg_count, Item, count_unmatch
strSQL               = "Select * from Win32_NTLogEvent "
strComputer          = "localhost"
strEventArea         = ""
strEventType         = ""
intEventID           = 370
strEventSource       = ""
strLoggedByUser      = ""
strFindExclusionText = ""
count_unmatch        = 0
Set lst_args = WScript.Arguments
If lst_args.Count >0 Then
Else
   WScript.Echo "Message: Usage: wscript.exe WinEventLog.vbs ComputerName " & vbCRLF _
   & "-computer The computer name "  & vbCRLF _
   & "-area Name of Windows NT event log file. Together with RecordNumber, this is used to uniquely identify an instance of this class: Application, Security, System and etc." & vbCRLF _
   & "-type The Event Type: Error, Warning, Information, Success, Failure." & vbCRLF _
   & "-id Identifier of the event. This is specific to the source that generated the event log entry and is used, together with SourceName, to uniquely identify a Windows NT event type." & vbCRLF _
   & "-source Name of the source (application, service, driver, or subsystem) that generated the entry. It is used, together with EventIdentifier to uniquely identify a Windows NT event type" & vbCRLF _
   & "-exclusion Exclusions by Event Text" & vbCRLF _
   & "-match Content Matching Event Text" & vbCRLF _
   & "-timespan How many minutes old can the event be" & vbCRLF
   WScript.Echo "Statistic: 0"
   WScript.Quit( FAIL )
End If
For arg_count = 0 to lst_args.Length - 1
 If lst_args(arg_count) = "-area" Then
     strEventArea = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " Logfile = '" + strEventArea + "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch + 1
 ElseIf lst_args(arg_count) = "-computer" Then
    strComputer = lst_args(arg_count + 1)
     arg_count = arg_count + 1
 ElseIf lst_args(arg_count) = "-type" Then
    strEventType = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " Type LIKE '%" + strEventType + "%'"
     count_unmatch = count_unmatch +1
  ElseIf lst_args(arg_count) = "-id" Then
    strEventID = lst_args(arg_count + 1)
    intEventID = CInt( strEventID )
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " EventCode = '" + strEventID + "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch + 1
  ElseIf lst_args(arg_count) = "-source" Then
    strEventSource = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " SourceName LIKE '%" + strEventSource + "%'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch + 1
  ElseIf lst_args(arg_count) = "-user" Then
    strLoggedByUser = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " User LIKE '%" + strLoggedByUser + "%'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
   ElseIf lst_args(arg_count) = "-timespan" Then
    strTimeSpanMins = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
    dim  dNowStamp,dEndStamp, dToEndTime
    Set dNowStamp = CreateObject("WbemScripting.SWbemDateTime")
    Set dEndStamp = CreateObject("WbemScripting.SWbemDateTime")
    'dToEndTime = Now - 0.0416666666   '0.0416666666 represent 1hour; 1/24 of a day
    dToEndTime = Now - strTimeSpanMins / 1440

    dNowStamp.SetVarDate Now, True
    dEndStamp.SetVarDate dToEndTime, True  
     strSQL = strSQL + strSuffix + " TimeWritten < '" & dNowStamp  & "' and TimeWritten >= '" & dEndStamp & "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
  ElseIf lst_args(arg_count) = "-exclusion" Then
    strFindExclusionText = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " NOT Message LIKE '%" + strFindExclusionText + "%'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
  ElseIf lst_args(arg_count) = "-match" Then
    strFindMatchText = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " Message LIKE '%" + strFindMatchText + "%'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
  End If
Next
Set oSvc = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\default")
Set oColEvents = oSvc.ExecQuery(strSQL)
For Each Item In oColEvents
    WScript.Echo "Message: EventType " & Item.EventType & " Event ID " & Item.EventCode & " Source Event  " & Item.SourceName & vbCRLF  & Item.Message
Next
if oColEvents.Count  > 0 Then
  WScript.Echo "Statistic: " & CStr(oColEvents.Count)
  WScript.Quit(FAIL)
end if
WScript.Echo "Message: No events Found"
WScript.Echo "Statistic: 0"
WScript.Quit(FAIL)

 

Thanks in advance.

Answered (Verified) Verified Answer


22 Posts
Points 74
Answered (Verified) dayley replied on Wed, Jul 22 2009 10:52 AM
rated by 0 users
Verified by AllisonB

I think the problem is with 'CreateObject("WbemScripting.SWbemDateTime")'.  Windows 2000 doesn't support this, so the out-of-the-box Orion monitor fails.  I'm surprised that SolarWinds hasn't fixed this yet...

Resources for a potential work-around:

http://www.freevbcode.com/ShowCode.asp?ID=6774

http://www.microsoft.com/technet/scriptcenter/guide/sas_wmi_onfu.mspx?mfr=true

http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul06/hey0721.mspx

http://technet.microsoft.com/en-us/magazine/2006.07.scriptingguy.aspx

http://www.microsoft.com/technet/scriptcenter/resources/qanda/nov07/hey1116.mspx (good description of UTC)

  • | Post Points: 21

All Replies


22 Posts
Points 74
Answered (Verified) dayley replied on Wed, Jul 22 2009 10:52 AM
rated by 0 users
Verified by AllisonB

I think the problem is with 'CreateObject("WbemScripting.SWbemDateTime")'.  Windows 2000 doesn't support this, so the out-of-the-box Orion monitor fails.  I'm surprised that SolarWinds hasn't fixed this yet...

Resources for a potential work-around:

http://www.freevbcode.com/ShowCode.asp?ID=6774

http://www.microsoft.com/technet/scriptcenter/guide/sas_wmi_onfu.mspx?mfr=true

http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul06/hey0721.mspx

http://technet.microsoft.com/en-us/magazine/2006.07.scriptingguy.aspx

http://www.microsoft.com/technet/scriptcenter/resources/qanda/nov07/hey1116.mspx (good description of UTC)

  • | Post Points: 21

22 Posts
Points 74
dayley replied on Wed, Aug 12 2009 4:09 PM

Workaround example (not optimized):

 

Option Explicit
const INVALID_PARAMS = 1, SUCCESS = 0, FAIL = 1
Dim oColEvents, oSvc, lst_args
Dim strComputer, strEventArea , strEventID,strEventType, intEventID, strEventSource, strLoggedByUser, strTimeSpanMins, strFindExclusionText, strFindMatchText, strSQL, strSuffix
Dim arg_count, Item, count_unmatch


strSQL               = "Select * from Win32_NTLogEvent "
strComputer          = "localhost"
strEventArea         = ""
strEventType         = ""
intEventID           = 0
strEventSource       = ""
strLoggedByUser      = ""
strFindExclusionText = ""
count_unmatch        = 0

 

' Converts a date to UTC format: <Year><Month><Day><Hour><Minutes><Seconds>.<milliseconds><time zone offset>
Function ConvertDateToUTC(dte)
     Dim strDateNow, oComp, oColTime, LocalTimeZone, TimeZoneOffset

     Set oComp = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")

     Set oColTime = oComp.ExecQuery("SELECT * FROM Win32_ComputerSystem")

     'Get the machine's current time zone offset
     'Use Win32_ComputerSystem CurrentTimeZone property, because it automatically adjusts the
     'Time Zone bias for daylight saving time Win32_Time Zone Bias property does not.
     For Each LocalTimeZone In oColTime
      TimeZoneOffset = LocalTimeZone.CurrentTimeZone
     Next

     strDateNow = Year(dte) & FormatArgs(Month(dte)) & FormatArgs(Day(dte))
     strDateNow = strDateNow & FormatArgs(Hour(dte)) & FormatArgs(Minute(dte)) 
     strDateNow = strDateNow & FormatArgs(Second(dte)) & ".000000" & TimeZoneOffset
     'WScript.Echo strDateNow
     ConvertDateToUTC = strDateNow
End Function


' Makes single digit month and day
Function FormatArgs(str)
   if Len(str) < 2 Then str = "0" & str
   FormatArgs = str
   If not IsNumeric(str) Then
 WScript.Echo "Message: FormatArgs::Invalid arguments"
 Usage
   End If
End Function


 
Set lst_args = WScript.Arguments

If lst_args.Count >0 Then
Else
   WScript.Echo "Message: Usage: wscript.exe WinEventLog.vbs ComputerName " & vbCRLF _
   & "-computer The computer name "  & vbCRLF _
   & "-area Name of Windows NT event log file. Together with RecordNumber, this is used to uniquely identify an instance of this class: Application, Security, System and etc." & vbCRLF _
   & "-type The Event Type: Error, Warning, Information, Success, Failure." & vbCRLF _
   & "-id Identifier of the event. This is specific to the source that generated the event log entry and is used, together with SourceName, to uniquely identify a Windows NT event type." & vbCRLF _
   & "-source Name of the source (application, service, driver, or subsystem) that generated the entry. It is used, together with EventIdentifier to uniquely identify a Windows NT event type" & vbCRLF _
   & "-exclusion Exclusions by Event Text" & vbCRLF _
   & "-match Content Matching Event Text" & vbCRLF _
   & "-timespan How many minutes old can the event be" & vbCRLF
   WScript.Echo "Statistic: 0"
   WScript.Quit( FAIL )
End If

For arg_count = 0 to lst_args.Length - 1
 If lst_args(arg_count) = "-area" Then
     strEventArea = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " Logfile = '" + strEventArea + "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch + 1
 ElseIf lst_args(arg_count) = "-computer" Then
    strComputer = lst_args(arg_count + 1)
     arg_count = arg_count + 1
 ElseIf lst_args(arg_count) = "-type" Then
    strEventType = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " Type = '" + strEventType + "'"
     count_unmatch = count_unmatch +1
  ElseIf lst_args(arg_count) = "-id" Then
    strEventID = lst_args(arg_count + 1)
    intEventID = CInt( strEventID )
   
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " EventCode = '" + strEventID + "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch + 1
  ElseIf lst_args(arg_count) = "-source" Then
    strEventSource = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " SourceName = '" + strEventSource + "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch + 1
  ElseIf lst_args(arg_count) = "-user" Then
    strLoggedByUser = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " User = '" + strLoggedByUser + "'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
   ElseIf lst_args(arg_count) = "-timespan" Then
    strTimeSpanMins = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
    dim  dNowStamp,dEndStamp, dToEndTime
    'Set dNowStamp = CreateObject("WbemScripting.SWbemDateTime")
    'Set dEndStamp = CreateObject("WbemScripting.SWbemDateTime")

    'dToEndTime = Now - 0.0416666666   '0.0416666666 represent 1hour; 1/24 of a day
    dToEndTime = Now - strTimeSpanMins / 1440

    'dNowStamp.SetVarDate Now, True
           dNowStamp = ConvertDateToUTC(Now)

    'dEndStamp.SetVarDate dToEndTime, True
           dEndStamp = ConvertDateToUTC(dToEndTime)
   
     strSQL = strSQL + strSuffix + " TimeWritten < '" & dNowStamp  & "' and TimeWritten >= '" & dEndStamp & "'"
    'WScript.Echo strSQL

     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
  ElseIf lst_args(arg_count) = "-exclusion" Then
    strFindExclusionText = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " NOT Message LIKE '%" + strFindExclusionText + "%'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
  ElseIf lst_args(arg_count) = "-match" Then
    strFindMatchText = lst_args(arg_count + 1)
     if count_unmatch then
       strSuffix = " AND"
     else
       strSuffix = "Where "
     end if
     strSQL = strSQL + strSuffix + " Message LIKE '%" + strFindMatchText + "%'"
     arg_count = arg_count + 1
     count_unmatch = count_unmatch +1
  End If
Next

Set oSvc = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")

Set oColEvents = oSvc.ExecQuery(strSQL)

For Each Item In oColEvents
    WScript.Echo "Message: EventType " & Item.EventType & " Event ID " & Item.EventCode & " Source Event  " & Item.SourceName & vbCRLF  & Item.Message
Next

if oColEvents.Count > 0 Then
  WScript.Echo "Statistic: " & CStr(oColEvents.Count)
  WScript.Quit(SUCCESS)
end if

WScript.Echo "Message: No events Found"
WScript.Echo "Statistic: 0"
WScript.Quit(SUCCESS)

  • | Post Points: 1
Page 1 of 1 (3 items) | RSS

© 2003 - 2010 SolarWinds, Inc. All Rights Reserved.

Who is SolarWinds?

SolarWinds is rewriting the rules for how companies manage their networks. Guided by a global community of network engineers, SolarWinds develops simple and powerful network management software and network monitoring software for networks of all sizes. SolarWinds also offers a network certification program to become a SolarWinds Certified Professional (SCP).

What is thwack?

thwack, SolarWinds online community site, was designed by network engineers, for network engineers. thwack is a vibrant, growing community of more than 30,000 IT pros who share a passion for technology.

Explore Resources, Answers, Templates, and Advice

Download Free Networking Tools

Learn More About SolarWinds Products