kwkaan
asked on
Windows WMI failed to get Security Log
Hi,
I am preparing a VBA script to capture the security log entries into a text file. It works for the Windows Application log and System log, but it fails with the Security log (it always returns 0 records without error).
P.S. I am logged on as administrator to run this script.
Here is my script:
--------------------------------------------------------------------------
' Connect to WMI on the local machine
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security'")
Set objFSO = CreateObject("scripting.FileSystemObject")
strSystem = SurveyHost()
LogFile=ExecutingFrom & strSystem & "Events.log"
' Open the output file for appending (8), creating it if it does not exist
set f = objFSO.OpenTextFile(LogFile, 8, True, -2)
for each LogEvent in colLoggedEvents
    ' TimeGenerated is yyyymmddHHMMSS...; rewrite it as yyyy-mm-dd HH:MM:SS
    sMessage = left(LogEvent.TimeGenerated,4) & "-" & mid(LogEvent.TimeGenerated,5,2) & "-" & mid(LogEvent.TimeGenerated,7,2) & " " & mid(LogEvent.TimeGenerated,9,2) & ":" & mid(LogEvent.TimeGenerated,11,2) & ":" & mid(LogEvent.TimeGenerated,13,2) & chr(9)
    if LogEvent.EventCode = "624" then
        sMessage = sMessage & LogEvent.EventCode & " - User Account Created" & chr(9)
    elseif LogEvent.EventCode = "628" then
        sMessage = sMessage & LogEvent.EventCode & " - Reset Account Password " & chr(9)
    elseif LogEvent.EventCode = "630" then
        sMessage = sMessage & LogEvent.EventCode & " - User Account Deleted " & chr(9)
    elseif LogEvent.EventCode = "632" then
        sMessage = sMessage & LogEvent.EventCode & " - Add User Group " & chr(9)
    elseif LogEvent.EventCode = "633" then
        sMessage = sMessage & LogEvent.EventCode & " - Remove User Group " & chr(9)
    elseif LogEvent.EventCode = "642" then
        sMessage = sMessage & LogEvent.EventCode & " - Account Changed " & chr(9)
    elseif LogEvent.EventCode = "676" then
        sMessage = sMessage & LogEvent.EventCode & " - User Account Disabled " & chr(9)
    elseif LogEvent.EventCode = "627" then
        sMessage = sMessage & LogEvent.EventCode & " - User Password Change " & chr(9)
    elseif LogEvent.EventCode = "675" then
        sMessage = sMessage & LogEvent.EventCode & " - User Logon Failure " & chr(9)
    ' "676" is already tested above, so this branch is never reached
    elseif LogEvent.EventCode = "676" then
        sMessage = sMessage & LogEvent.EventCode & " - User Account Failure (No Shut User) " & chr(9)
    End if
    sMessage = sMessage & LogEvent.User & chr(9)
    sMessage = sMessage & LogEvent.ComputerName & chr(9)
    f.WriteLine sMessage
Next
f.close
--------------------------------------------------------------------------
Please advise,
Thanks,
Ivan
ASKER CERTIFIED SOLUTION
Most likely the problem is that the query has timed out. You can change the script to be asynchronous (if you're that brave)... or you can use other command-line tools in your script to get the same information.
I've found that using WMI is a very poor choice for dealing with Event View logs. After spending quite a few hours making my VB.Net application's WMI query finally work, I was disappointed at the performance, and took another approach. (WMI would take several minutes to read the Security logs!!!)
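An added example, not part of the original thread, of the asynchronous approach mentioned above, using the WMI scripting API's `SWbemSink` and `ExecQueryAsync`. It assumes the script is run with `cscript.exe` (it relies on the `WScript` object); it also requests the `Security` privilege in the moniker, which WMI requires before it will return Security log records, and limits the query to the event codes from the question. `FormatWmiTime` is a helper defined here for illustration.

```vbscript
Option Explicit

Dim objWMIService, objSink, bDone, strWhere, strQuery, code

' (Security) enables SeSecurityPrivilege on this WMI connection.
' Without it, a Win32_NTLogEvent query on the Security log returns no rows and no error.
Set objWMIService = GetObject( _
    "winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

' The "SINK_" prefix binds the sink's events to the SINK_* subs below.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")

' Filter on the server side instead of pulling the whole log.
strWhere = ""
For Each code In Array(624, 627, 628, 630, 632, 633, 642, 675, 676)
    If strWhere <> "" Then strWhere = strWhere & " Or "
    strWhere = strWhere & "EventCode = " & code
Next
strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Security' And (" & strWhere & ")"

bDone = False
objWMIService.ExecQueryAsync objSink, strQuery   ' returns immediately

' Keep the script alive until SINK_OnCompleted fires.
Do Until bDone
    WScript.Sleep 500
Loop

' Called once per matching event as results arrive.
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    WScript.Echo FormatWmiTime(objEvent.TimeGenerated) & vbTab & objEvent.EventCode & _
                 vbTab & objEvent.User & vbTab & objEvent.ComputerName
End Sub

' Called once when the query finishes; a non-zero HRESULT means it failed.
Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
    If iHResult <> 0 Then WScript.Echo "Query failed: 0x" & Hex(iHResult)
    bDone = True
End Sub

' Hypothetical helper: turns yyyymmddHHMMSS... into yyyy-mm-dd HH:MM:SS.
Function FormatWmiTime(strTime)
    FormatWmiTime = Left(strTime, 4) & "-" & Mid(strTime, 5, 2) & "-" & _
                    Mid(strTime, 7, 2) & " " & Mid(strTime, 9, 2) & ":" & _
                    Mid(strTime, 11, 2) & ":" & Mid(strTime, 13, 2)
End Function
```

The privilege can only be enabled if the account running the script actually holds it, so where UAC is active the script has to be started from an elevated prompt.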