kwkaan

asked on

Windows WMI failed to get Security Log

Hi,

I am preparing a VBA script to capture the security log entries into a text file.  However, it works for the Windows Application log and System log, but it fails with the Security log (it always returns 0 records without an error).

P.S. I am logged on as administrator to run this script.

Here is my script:

------------------------------------------------------------------------

' Substitutes for two helpers that the post references but does not show:
' ExecutingFrom() returns the folder the log file is written to and
' SurveyHost() returns the local computer name. Replace with your own versions.
Function ExecutingFrom()
    Dim objFSO
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ExecutingFrom = objFSO.GetParentFolderName(WScript.ScriptFullName) & "\"
End Function

Function SurveyHost()
    SurveyHost = CreateObject("WScript.Network").ComputerName
End Function

Dim objWMIService, colLoggedEvents, LogEvent, objFSO, strSystem, LogFile, f
Dim sMessage, t

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security'")

Set objFSO = CreateObject("Scripting.FileSystemObject")

strSystem = SurveyHost()

LogFile = ExecutingFrom() & strSystem & "Events.log"

' 8 = ForAppending, True = create the file if missing, -2 = system default encoding
Set f = objFSO.OpenTextFile(LogFile, 8, True, -2)

For Each LogEvent In colLoggedEvents
    ' TimeGenerated is a CIM_DATETIME string: yyyymmddHHMMSS.ffffff+zzz
    t = LogEvent.TimeGenerated
    sMessage = Left(t, 4) & "-" & Mid(t, 5, 2) & "-" & Mid(t, 7, 2) & " " & _
               Mid(t, 9, 2) & ":" & Mid(t, 11, 2) & ":" & Mid(t, 13, 2) & vbTab
    ' EventCode is a uint32. In VBScript a numeric value compared with a string
    ' literal such as "624" never tests equal, so the codes below are numeric.
    Select Case LogEvent.EventCode
        Case 624: sMessage = sMessage & LogEvent.EventCode & " - User Account Created" & vbTab
        Case 628: sMessage = sMessage & LogEvent.EventCode & " - Reset Account Password" & vbTab
        Case 630: sMessage = sMessage & LogEvent.EventCode & " - User Account Deleted" & vbTab
        Case 632: sMessage = sMessage & LogEvent.EventCode & " - Add User Group" & vbTab
        Case 633: sMessage = sMessage & LogEvent.EventCode & " - Remove User Group" & vbTab
        Case 642: sMessage = sMessage & LogEvent.EventCode & " - Account Changed" & vbTab
        Case 676: sMessage = sMessage & LogEvent.EventCode & " - User Account Disabled" & vbTab
        ' The original script had a second 676 branch ("User Account Failure (No Shut User)")
        ' that could never be reached; only one label per code is kept.
        Case 627: sMessage = sMessage & LogEvent.EventCode & " - User Password Change" & vbTab
        Case 675: sMessage = sMessage & LogEvent.EventCode & " - User Logon Failure" & vbTab
    End Select
    sMessage = sMessage & LogEvent.User & vbTab
    sMessage = sMessage & LogEvent.ComputerName & vbTab

    f.WriteLine sMessage
Next

f.Close

------------------------------------------------------------------------


Please advise,

Thanks,
Ivan
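The symptom above (Application and System readable, Security empty, no error) is what you get when the WMI connection does not hold SeSecurityPrivilege: Win32_NTLogEvent needs that privilege enabled to read the Security log, and being an administrator only means you are allowed to enable it, not that it is on. Below is an added example, not the asker's script or the accepted answer, that connects with the privilege requested in the moniker and counts what comes back. The function name CountSecurityEvents and the "." computer name are my own choices.

```vbscript
' Added example: read the Security log through WMI with SeSecurityPrivilege.
' "(Security)" in the moniker asks WMI to enable the privilege on the connection.
Option Explicit

Function CountSecurityEvents(strComputer)
    Dim objWMIService, colEvents, objEvent, lngCount
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
        & strComputer & "\root\cimv2")

    ' Equivalent explicit form, useful when the moniker string is built elsewhere:
    ' objWMIService.Security_.Privileges.AddAsString "SeSecurityPrivilege", True

    ' Select only the properties the caller needs; each extra property is
    ' marshalled for every row of the log.
    Set colEvents = objWMIService.ExecQuery( _
        "Select EventCode, TimeGenerated, User, ComputerName From Win32_NTLogEvent " _
        & "Where Logfile = 'Security'")

    lngCount = 0
    For Each objEvent In colEvents
        lngCount = lngCount + 1
    Next
    CountSecurityEvents = lngCount
End Function

' Sanity check: run once with the privilege and report. A zero here, with the
' privilege enabled, means the log really is empty (audit policy is not
' writing Security events) or the account lacks "Manage auditing and
' security log"; a zero without "(Security)" means nothing at all.
Dim lngVisible
lngVisible = CountSecurityEvents(".")
WScript.Echo "Security events visible with SeSecurityPrivilege: " & lngVisible
If lngVisible = 0 Then
    WScript.Echo "Still zero: check audit policy and the account's Manage auditing and security log right."
End If
```

Run it with cscript so the echo goes to the console. The same moniker works for a remote host by replacing "." with the computer name; the privilege is then enabled on the remote WMI connection, not on the calling process.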
ASKER CERTIFIED SOLUTION
ScrptMasta

This solution is only available to members.
kwkaan

ASKER

Sorry, something I missed: 'ExecutingFrom' is a function that returns the log file path.

Most likely the problem is that the query has timed out.  You can change the script to be asynchronous (if you're that brave)... or you can use other command-line tools in your script to get the same information.

I've found that using WMI is a very poor choice for dealing with Event Viewer logs.  After spending quite a few hours making my VB.Net application's WMI query finally work, I was disappointed at the performance, and took another approach.  (WMI would take several minutes to read the Security logs!!!)
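The slow part of a WMI event-log read is usually the default semi-synchronous enumeration (the whole result set is built before the loop starts) combined with a query that pulls every row and filters on the client. An added example, not the commenter's code and a different remedy from the asynchronous or command-line routes mentioned: push the time window and the event codes into the WQL WHERE clause, and enumerate forward-only so rows stream as the provider produces them. ToCimDateTime, DumpSecurityEvents and the 24-hour window are my own names and choices; the event codes are the ones listed in the question.

```vbscript
' Added example: bounded, streamed Security-log query over WMI.
Option Explicit
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20

' Convert a VBScript date to the CIM_DATETIME form that WQL compares against.
Function ToCimDateTime(dtmValue)
    Dim objDT
    Set objDT = CreateObject("WbemScripting.SWbemDateTime")
    objDT.SetVarDate dtmValue, True
    ToCimDateTime = objDT.Value
End Function

' Writes matching Security events since dtmSince to strOutFile and returns
' the number of rows written. The code list is filtered server-side.
Function DumpSecurityEvents(strComputer, dtmSince, strOutFile)
    Dim objWMIService, colEvents, objEvent, objFSO, f, objDT, lngRows, strQuery
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
        & strComputer & "\root\cimv2")

    strQuery = "Select EventCode, TimeGenerated, User, ComputerName From Win32_NTLogEvent " _
        & "Where Logfile = 'Security' And TimeWritten >= '" & ToCimDateTime(dtmSince) & "' " _
        & "And (EventCode = 624 Or EventCode = 627 Or EventCode = 628 Or EventCode = 630 " _
        & "Or EventCode = 632 Or EventCode = 633 Or EventCode = 642 Or EventCode = 675 " _
        & "Or EventCode = 676)"

    ' Forward-only + return-immediately: rows are delivered as they are read.
    ' Such a collection has no usable Count and cannot be enumerated twice.
    Set colEvents = objWMIService.ExecQuery(strQuery, "WQL", _
        wbemFlagReturnImmediately + wbemFlagForwardOnly)

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set f = objFSO.OpenTextFile(strOutFile, 8, True, -2)
    Set objDT = CreateObject("WbemScripting.SWbemDateTime")
    lngRows = 0
    For Each objEvent In colEvents
        objDT.Value = objEvent.TimeGenerated
        f.WriteLine FormatDateTime(objDT.GetVarDate(True), vbGeneralDate) & vbTab _
            & objEvent.EventCode & vbTab & objEvent.User & vbTab & objEvent.ComputerName
        lngRows = lngRows + 1
    Next
    f.Close
    DumpSecurityEvents = lngRows
End Function

' Example run: account-management and logon-failure codes from the last 24 hours.
WScript.Echo "Rows written: " & DumpSecurityEvents(".", DateAdd("h", -24, Now), "SecurityEvents.log")
```

Keep the window small on busy domain controllers; the provider still walks the log from the oldest record, so a narrow TimeWritten bound reduces what is returned but not what is scanned, and a large Security log will still take time to read through.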