Per
Thu Jan 26 16:17:47 CST 2006
Yes, this code Richard provided is awesome! :)
I bet there are many more people wondering how to do this! :)
Thanks again Richard!
/ Per
"Theo Coolen" <TheoCoolen@discussions.microsoft.com> wrote in message
news:05A26964-A896-4D78-8392-2B52324A4D22@microsoft.com...
> Interesting source exectly what I am looking for.
>
> Tx for sharing! ;)
>
> "Per Hagstrom" wrote:
>
>>
>> "Richard Mueller" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in
>> message
>> news:%23mEKJUfIGHA.604@TK2MSFTNGP14.phx.gbl...
>> > Per Hagstrom wrote:
>> >
>> >> Trying to make a script that takes 4 different event log files, and
>> >> create one summary log file, with all the events sorted by date.
>> >>
>> >> Any suggestions?
>> >>
>> >> TIA!
>> >>
>> >> / Per
>> >>
>> >> ps. To simplify, lets say we have 4 columns, DATE/TIME, EVENT, SOURCE,
>> >> DEST and logfiles, Log1, Log2, Log3, Log4.
>> >>
>> > Hi,
>> >
>> > If you mean the Windows Event logs, these are not comma delimited
>> > files.
>> > You use the Win32_NTLogEvent class of WMI to read the logs. These logs
>> > are
>> > huge and it can take awhile just to read them. A quick example to
>> > output
>> > all log entries (except the security event log) entered on 1/24/2006:
>> >
>> > ==================
>> > Dim strComputer, objWMIService, colLoggedEvents, objEvent
>> > Dim dtmStart, dtmEnd
>> >
>> > ' Specify time in UTC. The -360 is the time zone offset.
>> > dtmStart = "20060124000000.000000-360"
>> > dtmEnd = "20060125000000.000000-360"
>> >
>> > ' Specify computer. "." is the local machine.
>> > strComputer = "."
>> > Set objWMIService = GetObject("winmgmts:" _
>> > & "{impersonationLevel=impersonate}!\\" & strComputer _
>> > & "\root\cimv2")
>> > Set colLoggedEvents = objWMIService.ExecQuery _
>> > ("SELECT * FROM Win32_NTLogEvent WHERE TimeWritten >= '" _
>> > & dtmStart & "' AND TimeWritten < '" & dtmEnd & "'")
>> > For Each objEvent In colLoggedEvents
>> > Wscript.Echo objEvent.TimeWritten & "," & objEvent.EventCode _
>> > & "," & objEvent.SourceName
>> > Next
>> > ===================
>> >
>> > The most efficient way to sort is to use a disconnected recordset. The
>> > same example but sorting by TimeWritten could be:
>> >
>> > ======================
>> > Const adVarChar = 200
>> > Const MaxCharacters = 255
>> >
>> > dtmStart = "20060124000000.000000-360"
>> > dtmEnd = "20060125000000.000000-360"
>> >
>> > strComputer = "."
>> >
>> > ' Setup disconnected recordset with 3 fields.
>> > Set objDataList = CreateObject("ADODB.RecordSet")
>> > objDataList.Fields.Append "Date", adVarChar, MaxCharacters
>> > objDataList.Fields.Append "Event", adVarChar, MaxCharacters
>> > objDataList.Fields.Append "Source", adVarChar, MaxCharacters
>> > objDataList.Open
>> >
>> > Set objWMIService = GetObject("winmgmts:" _
>> > & "{impersonationLevel=impersonate}!\\" & strComputer _
>> > & "\root\cimv2")
>> > Set colLoggedEvents = objWMIService.ExecQuery _
>> > ("SELECT * FROM Win32_NTLogEvent WHERE TimeWritten >= '" _
>> > & dtmStart & "' AND TimeWritten < '" & dtmEnd & "'")
>> > For Each objEvent In colLoggedEvents
>> > ' Read each event into the disconnected recordset.
>> > objDataList.AddNew
>> > objDataList("Date") = objEvent.TimeWritten
>> > objDataList("Event") = objEvent.EventCode
>> > objDataList("Source") = objEvent.SourceName
>> > objDataList.Update
>> > Next
>> >
>> > ' Sort the dataset by TimeWritten
>> > objDataList.Sort = "Date"
>> >
>> > ' Enumerate disconnected recordset and display sorted events.
>> > objDataList.MoveFirst
>> > Do Until objDataList.EOF
>> > Wscript.Echo objDataList.Fields.Item("Date") _
>> > & "," & objDataList.Fields.Item("Event") _
>> > & "," & objDataList.Fields.Item("Source")
>> > objDataList.MoveNext
>> > Loop
>> > =======================
>> >
>> > Again, it can take a long time to process the event logs. For more
>> > information on using WMI to read the logs, see:
>> >
>> >
http://www.microsoft.com/technet/scriptcenter/guide/sas_log_overview.mspx
>> >
>> > You can specify which event logs to process with a clause similar to
>> > "WHERE LogFile = 'System'" in the SELECT statement. If you are dealing
>> > with some other comma delimited log, you can use the FileSystemObject
>> > to
>> > read the text file, and use the Split function to break up each line
>> > into
>> > an array.
>> >
>> > --
>> > Richard
>> > Microsoft MVP Scripting and ADSI
>> > Hilltop Lab -
http://www.rlmueller.net
>> >
>>
>> Ahhh! Nice! That should work!
>> To explain my scenario a little better... the log files (log1-4) are
>> captured security event for when somebody resets a password.
>> I have already reformated the output to these logfiles to have only 4
>> columns. (Date, User, Computer, TargetUser)
>> Then I want to combine all the DC's log files into one logfile, and sort
>> all
>> the events by date.
>> Your sort-code should take care of my problem!
>>
>> Many thanks!!! :)
>>
>> / Per
>>
>> ps. Script will work almost exactly like I want now, only thing I would
>> have
>> liked to have added would be the workstation that executed the password
>> reset, rather than what DC executed it, but since the event log doesn't
>> capture that info, I guess there is no easy way to solve that.. ?! :)
>>
>>
>>