pzozulka
asked on
List specific Events from the Security Event Log
Greetings,
I am in charge of a server that needs to collect logon/logoff security logs from various workstations.
I looked into a couple books laying around and found a VBS script. However, the script backs up everything, I need to narrow it down to only a specific user, and only event id = 528 or 551.
The script is below, how can it be modified to be more specific, or are there any other script that can do what I need?
On Error Resume Next
' Pull every record from every event log on the local machine (no filtering at all)
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent")
Set FSO = CreateObject("Scripting.FileSystemObject")
Set txt = FSO.CreateTextFile("C:\Scriptfiles\vbs\text.txt", True)
For Each Entry In EventLog
    If Len(Entry.Message) > 0 Then
        ' Flatten the multi-line message onto one line (LF becomes a space, CR is dropped)
        For x = 1 To Len(Entry.Message)
            Char = Mid(Entry.Message, x, 1)
            If Asc(Char) = 10 Then
                MSG = MSG & " "
            ElseIf Asc(Char) <> 13 Then
                MSG = MSG & Char
            End If
        Next
        ' TimeGenerated is a CIM datetime string: yyyymmddHHMMSS.ffffff+offset
        EDate = Mid(Entry.TimeGenerated, 5, 2) & "/" & _
                Mid(Entry.TimeGenerated, 7, 2) & "/" & _
                Mid(Entry.TimeGenerated, 1, 4)
        ETime = Mid(Entry.TimeGenerated, 9, 2) & ":" & _
                Mid(Entry.TimeGenerated, 11, 2) & ":" & _
                Mid(Entry.TimeGenerated, 13, 2)
        ETime = FormatDateTime(ETime, 3)
        If IsNull(Entry.User) Then
            User = "N/A"
        Else
            User = Entry.User
        End If
        If IsNull(Entry.CategoryString) Then
            Category = "none"
        Else
            Category = Entry.CategoryString
        End If
        ' One tab-separated line per event
        EVT = Entry.LogFile & vbTab & _
              Entry.Type & vbTab & _
              EDate & vbTab & _
              ETime & vbTab & _
              Entry.SourceName & vbTab & _
              Category & vbTab & _
              Entry.EventCode & vbTab & _
              User & vbTab & _
              Entry.ComputerName & vbTab & _
              MSG
        txt.WriteLine EVT
        EVT = Null
        Char = Null
        MSG = Null
    End If
Next
txt.Close
WScript.Echo "Done"
Disregard the previous comment. I typed the wrong error codes. (I just used them to test the solution.)
The main idea is the same.
Set EventLog = GetObject("winmgmts:{imper
Pay attention to the exact_user_name. If it is in the form Domain\User or Computer\User then you'll have to write it with a double slash like 'Domain\\User'
For additional fields available for filtering take a look at http://msdn.microsoft.com/en-us/library/aa394226(VS.85).aspx
ASKER
Hey, thanks for your response. The text output file is empty, no data inside. Without making alterations the script runs fine, when I change the second line to the below it runs fine:
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where logfile = 'Application'")
But when I change it to the below, it makes an empty output txt file:
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent where logfile = 'Security'")
ASKER
I tried running the script with your alterations and it also makes the output file blank.
The output file is empty when there are no records matching the search criteria.
Please verify that you have records matching your where clause.
Do you have any records in the security log?
ASKER
6,949 Events in Security Log.
Ok.
Let's try a slightly different approach. In this version there is no filtering in the select statement.
Instead, all the filtering is done in the for loop. To make the code more readable I've restructured it and also added some informational printouts to see what's going on.
Please pay attention that the On Error Resume Next directive is commented out.
This is to prevent silent skipping over the errors.
Just replace Your_User_Name with the real one and give it a try.
'On Error Resume Next   ' left commented out so errors are not silently skipped
' Pull every record; the user / event id filtering happens in the loop below
Set EventLog = GetObject("winmgmts:{impersonationlevel=impersonate}").ExecQuery("select * from Win32_NTLogEvent")
If EventLog.Count = 0 Then
    WScript.Echo "No Records Found"
Else
    WScript.Echo "Found " & EventLog.Count & " records"
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set txt = FSO.CreateTextFile("C:\text.txt", True)
    i = 0
    For Each Entry In EventLog
        ' VBScript's And does not short-circuit, so test for Null first; InStr returns a
        ' position (0 = not found), so compare it with 0 instead of using it as a boolean.
        ' Replace Your_User_Name with the real account name.
        If Not IsNull(Entry.User) Then
            If InStr(Entry.User, "Your_User_Name") > 0 And (Entry.EventCode = 528 Or Entry.EventCode = 551) Then
                SaveRecord Entry
                i = i + 1
            End If
        End If
    Next
    WScript.Echo "Added to file " & i & " records"
    txt.Close
End If
WScript.Echo "Done"

' Writes one tab-separated line for the given event to the open text file
Sub SaveRecord(Entry)
    If Len(Entry.Message) > 0 Then
        ' Flatten the multi-line message onto one line (LF becomes a space, CR is dropped)
        For x = 1 To Len(Entry.Message)
            Char = Mid(Entry.Message, x, 1)
            If Asc(Char) = 10 Then
                MSG = MSG & " "
            ElseIf Asc(Char) <> 13 Then
                MSG = MSG & Char
            End If
        Next
        ' TimeGenerated is a CIM datetime string: yyyymmddHHMMSS.ffffff+offset
        EDate = Mid(Entry.TimeGenerated, 5, 2) & "/" & _
                Mid(Entry.TimeGenerated, 7, 2) & "/" & _
                Mid(Entry.TimeGenerated, 1, 4)
        ETime = Mid(Entry.TimeGenerated, 9, 2) & ":" & _
                Mid(Entry.TimeGenerated, 11, 2) & ":" & _
                Mid(Entry.TimeGenerated, 13, 2)
        ETime = FormatDateTime(ETime, 3)
        If IsNull(Entry.User) Then
            User = "N/A"
        Else
            User = Entry.User
        End If
        If IsNull(Entry.CategoryString) Then
            Category = "none"
        Else
            Category = Entry.CategoryString
        End If
        EVT = Entry.LogFile & vbTab & _
              Entry.Type & vbTab & _
              EDate & vbTab & _
              ETime & vbTab & _
              Entry.SourceName & vbTab & _
              Category & vbTab & _
              Entry.EventCode & vbTab & _
              User & vbTab & _
              Entry.ComputerName & vbTab & _
              MSG
        txt.WriteLine EVT
        EVT = Null
        Char = Null
        MSG = Null
    End If
End Sub
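The two approaches in this thread (filtering in the WQL where clause, with the 'Domain\\User' escaping rule, and filtering in the loop) can be combined into one script. The following is an added example, not code from either participant: it filters at the source with a properly escaped where clause, writes the same tab-separated layout as the VBS script, and asks WMI for the Security privilege, since the Security log cannot be read without it and a query that returns rows for 'Application' will come back empty for 'Security' when that privilege is missing (the VBScript moniker equivalent is winmgmts:{impersonationLevel=impersonate,(Security)}). The account name and output path are placeholders to be replaced.

```powershell
# Added example: export logon/logoff events for one account from the Security log.
# DOMAIN\Your_User_Name and C:\Scriptfiles\events.txt are placeholders.
param(
    [string]$Account      = 'DOMAIN\Your_User_Name',    # placeholder account
    [int[]]$EventIds      = @(528, 551),                # NT/2003-era logon / logoff IDs
    [string]$OutFile      = 'C:\Scriptfiles\events.txt',
    [string]$ComputerName = '.'
)

# WQL string literals are single-quoted and use backslash as the escape character,
# so each backslash in the account name must be doubled (the 'Domain\\User' rule)
# and an embedded single quote must be doubled as well.
function ConvertTo-WqlLiteral {
    param([string]$Value)
    $escaped = $Value.Replace('\', '\\').Replace("'", "''")
    return "'$escaped'"
}

$idClause = ($EventIds | ForEach-Object { "EventCode = $_" }) -join ' OR '
$query = "SELECT * FROM Win32_NTLogEvent " +
         "WHERE Logfile = 'Security' AND ($idClause) " +
         "AND User = $(ConvertTo-WqlLiteral $Account)"

# Reading the Security log through WMI requires SeSecurityPrivilege;
# -EnableAllPrivileges turns it on for this call.
$events = @(Get-WmiObject -Query $query -ComputerName $ComputerName -EnableAllPrivileges)

if ($events.Count -eq 0) {
    Write-Host "No matching records in the Security log on $ComputerName"
    return
}

# Same tab-separated layout the VBS script writes. TimeGenerated is a CIM DATETIME
# string; ManagementDateTimeConverter turns it into a local DateTime.
$lines = foreach ($e in $events) {
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
    $msg  = ($e.Message -replace "`r", '') -replace "`n", ' '
    @(
        $e.Logfile, $e.Type, $when.ToString('MM/dd/yyyy'), $when.ToString('HH:mm:ss'),
        $e.SourceName, $e.CategoryString, $e.EventCode, $e.User, $e.ComputerName, $msg
    ) -join "`t"
}

Set-Content -Path $OutFile -Value $lines -Encoding UTF8
Write-Host ("Wrote {0} records to {1}" -f $events.Count, $OutFile)
```

Event IDs 528 and 551 belong to the Windows 2000/XP/2003 Security log; on Vista / Server 2008 and later the same events are 4624 (successful logon) and 4647 (user-initiated logoff), so pass `-EventIds 4624,4647` there, and on those systems Get-WinEvent with a FilterHashtable (LogName and Id) is the supported way to read the log.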
ASKER CERTIFIED SOLUTION
ASKER
Thanks man, success.