?
Solved

auto query windows security log for specific event id

Posted on 2010-08-24
4
Medium Priority
?
692 Views
Last Modified: 2012-05-10
hi

I have been running with powershell for a fair while now, so my vbscript is a little rusty..!
I am wanting to schedule a job to run on a legacy exchange 2003 server and export 1009 events from the security log.

I am auditing the legacy infrastructure to ensure recently migrated users are not accessing their old mailboxes by mistake - these will of course be closed shortly but for a week or so I would like to audit.

I am running dumpeventlog.vbs but I would like something that I can auto-schedule to specifically export 1009 events from the security log only...

I am not able to install anything in the legacy environment and powershell is a no-go.

Any help pointers much appreciated...

Cheers
Bry
0
Comment
Question by:bryan oakley-wiggins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 

Author Comment

by:bryan oakley-wiggins
ID: 33510580
sorry, I meant from the appluication log as this is where exchange logons audits are written to :-)
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33511785
you could take a look at using WMI:    http://www.computerperformance.co.uk/vbscript/wmi_event_log.htm
0
 
LVL 5

Accepted Solution

by:
MaxSoullard earned 2000 total points
ID: 33512054
try this vb

Just instantiate the strTxtFile variable with the path for a result file. I recoment with a CSV extension
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Application' and " & "EventCode = '1009'")

strResult = "Category,Computer Name,Event Code,Message,Record Number,Source Name,Time Written,Event Time,User" & VbCrLf
For Each objEvent in colLoggedEvents
strResult = strResult & objEvent.Category & "," & objEvent.ComputerName & "," & objEvent.EventCode & "," & Replace(objEvent.Message,VbCrLf,"") & "," & objEvent.RecordNumber & "," & objEvent.SourceName & "," & objEvent.TimeWritten & "," & objEvent.Type  & "," & objEvent.User & VbCrLf

Next


Const ForReading = 1
Const ForWriting = 2

strTxtFile = "RESULTS TEXT FILE PATH"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strTxtFile, ForWriting,true)
objFile.Write(strResult)
objFile.Close

Open in new window

0
 

Author Closing Comment

by:bryan oakley-wiggins
ID: 33512780
hi MaxSoullad

perfect..! thanks so much. That's blew a few cob-webs off...

@pony10us: appreciate your input.

Cheers
Bry
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question