WMI & Eventlogs

Discussion in 'Scripting' started by Babu VT, Jun 24, 2009.

  1. Babu VT

    Babu VT Guest

    Hi,
    I'm trying to get all "Error" events from Today's System event log using
    WMI.
    This is my query,
    Select * from Win32_NTLogEvent Where Logfile = 'System' And Type = 'error'
    And TimeWritten > '20090624'

    However this query doesn't pickup error events in earlier part of the day
    like 24/06/2009 02:00am etc. Can you please help me to find what is wrong
    here.

    I also tried a query something like this based on a internet search but
    still no luck,

    y = Year(dDate)
    m = Right("0" & Month(dDate),2)
    d = Right("0" & Day(dDate), 2)
    dteCutOffDate = y & m & d & "000000.000000" & TBias

    Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' And Type =
    'error' And TimeWritten > '" & dteCutOffDate & "'")


    Function TBias
    Set TZone = GetObject("winmgmts:\\.\root\cimv2").ExecQuery ("select * from
    Win32_TimeZone")
    For Each Zone in TZone
    TBias = Zone.Bias
    Next
    Set TZone = Nothing
    End Function
     
    Babu VT, Jun 24, 2009
    #1
    1. Advertisements

  2. This example from "Microsoft Windows 2000 Scripting Guide" demonstrates how
    to query the logs based on the TimeWritten property:

    http://www.microsoft.com/technet/scriptcenter/guide/sas_log_lfas.mspx

    Note the format for dates is yyyymmddHHMMSS.xxxxxx-UUU, where yyyy is the
    year, mm the month, dd the day, HH the hour (24 hour format), MM the
    minutes, SS the seconds, xxxxxx the milliseconds, and UUU the number of
    minutes of offset from UTC.
     
    Richard Mueller [MVP], Jun 24, 2009
    #2
    1. Advertisements

  3. The following worked for me:
    ==============
    Option Explicit
    Dim objWMIService, strComputer, colEvents, objEvent
    Dim dtmToday

    strComputer = "MyComputer"

    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\" _
    & strComputer & "\root\cimv2")

    dtmToday = CStr(Year(Now())) _
    & Right("0" & CStr(Month(Now())), 2) _
    & Right("0" & CStr(Day(Now())), 2) _
    & "000000.000000" & TBias()

    Set colEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE LogFile = 'System' " _
    & "AND Type = 'Error' AND TimeWritten >= '" & dtmToday & "'")
    For Each objEvent In colEvents
    Wscript.Echo objEvent.EventCode & ", " & objEvent.TimeWritten
    Next

    Function TBias()
    Dim TZone, Zone

    Set TZone = objWMIService.ExecQuery ("SELECT * FROM Win32_TimeZone")
    For Each Zone in TZone
    TBias = Zone.Bias
    Next
    End Function
     
    Richard Mueller [MVP], Jun 24, 2009
    #3
  4. I cannot test, but perhaps your time zone bias is positive, or less than 3
    digits. I don't know what Win32_TimeZone returns in these cases, and I
    cannot confirm that a "+" should replace the "-" if the bias is positive.
    However, this may be a more accurate function:
    =======
    Function TBias()
    Dim TZone, Zone, lngBias

    Set TZone = objWMIService.ExecQuery ("SELECT * FROM Win32_TimeZone")
    For Each Zone in TZone
    lngBias = Zone.Bias
    Next
    If (lngBias < 0) Then
    TBias = "-" & Right("000" & CStr(Abs(lngBias)), 3)
    Else
    TBias = "+" & Right("000" & CStr(lngBias), 3)
    End If
    End Function
    =========
    This function assumes that objWMIService has global scope and is bound in
    the main program. This saves a bit of processing. Your original query also
    works.
     
    Richard Mueller [MVP], Jun 24, 2009
    #4
  5. Babu VT

    Babu VT Guest

    Thanks a lot Richard.Your help in this case is much appreciated... I was
    able to do what I want from your code snippets :)
     
    Babu VT, Jun 27, 2009
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.