Solved

auto query windows security log for specific event id

Posted on 2010-08-24
Last Modified: 2012-05-10
hi

I have been running with PowerShell for a fair while now, so my VBScript is a little rusty..!
I am wanting to schedule a job to run on a legacy Exchange 2003 server and export 1009 events from the security log.

I am auditing the legacy infrastructure to ensure recently migrated users are not accessing their old mailboxes by mistake - these will of course be closed shortly but for a week or so I would like to audit.

I am running dumpeventlog.vbs but I would like something that I can auto-schedule to specifically export 1009 events from the security log only...

I am not able to install anything in the legacy environment and PowerShell is a no-go.

Any help or pointers much appreciated...

Cheers
Bry
Question by:BryanOakley

Author Comment

by:BryanOakley
ID: 33510580
Sorry, I meant from the application log, as this is where Exchange logon audits are written to :-)

Expert Comment

by:pony10us
ID: 33511785
you could take a look at using WMI:    http://www.computerperformance.co.uk/vbscript/wmi_event_log.htm

Accepted Solution

by:
MaxSoullard earned 500 total points
ID: 33512054
Try this VB

Just instantiate the strTxtFile variable with the path for a result file. I recommend a CSV extension.
' Query the local Application log for event ID 1009 through WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Application' and " & "EventCode = '1009'")

' Header columns match the fields written in the loop below
strResult = "Category,Computer Name,Event Code,Message,Record Number,Source Name,Time Written,Type,User" & VbCrLf
For Each objEvent in colLoggedEvents
    ' Strip line breaks and quote the message so commas inside it do not split the column;
    ' & "" turns a Null message into an empty string
    strMessage = """" & Replace(Replace(objEvent.Message & "", VbCrLf, ""), """", """""") & """"
    strResult = strResult & objEvent.Category & "," & objEvent.ComputerName & "," & objEvent.EventCode & "," & strMessage & "," & objEvent.RecordNumber & "," & objEvent.SourceName & "," & objEvent.TimeWritten & "," & objEvent.Type  & "," & objEvent.User & VbCrLf
Next


Const ForReading = 1
Const ForWriting = 2

' Path of the result file (created if it does not exist)
strTxtFile = "RESULTS TEXT FILE PATH"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strTxtFile, ForWriting,true)
objFile.Write(strResult)
objFile.Close


0
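For the scheduled run the question asks for, a variant of the accepted script that exports only the 1009 events written in the last 24 hours, one dated file per run. This is an added example, not code from the thread; it assumes Windows Server 2003 or later (for WbemScripting.SWbemDateTime), and the C:\Audit folder and the file name are hypothetical.

```vbscript
Option Explicit
' Added example: export Application-log event 1009 written in the last 24 hours.
' Assumptions: Windows Server 2003 or later, and an existing output folder
' (C:\Audit is a hypothetical path, change it to suit).
Const OUT_DIR = "C:\Audit"
Const HOURS_BACK = 24
Const ForWriting = 2
Const TristateTrue = -1   ' write Unicode so non-ANSI names do not abort the run

Dim dtStart, objSince, objWMI, colEvents, objEvent, objFSO, objFile, strFile

' Convert the start of the window to the DMTF datetime string WQL compares against
dtStart = DateAdd("h", -HOURS_BACK, Now)
Set objSince = CreateObject("WbemScripting.SWbemDateTime")
objSince.SetVarDate dtStart, True   ' True = the value is local time

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colEvents = objWMI.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = 'Application'" & _
    " and EventCode = '1009' and TimeWritten >= '" & objSince.Value & "'")

' One file per run, named after the run date (yyyymmdd)
strFile = OUT_DIR & "\exch1009_" & Year(Now) & Right("0" & Month(Now), 2) & _
          Right("0" & Day(Now), 2) & ".csv"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForWriting, True, TristateTrue)

' Write each event as it is read instead of building one large string
objFile.WriteLine "Record Number,Time Written,Computer Name,Source Name,User,Message"
For Each objEvent In colEvents
    objFile.WriteLine Csv(objEvent.RecordNumber) & "," & Csv(objEvent.TimeWritten) & "," & _
        Csv(objEvent.ComputerName) & "," & Csv(objEvent.SourceName) & "," & _
        Csv(objEvent.User) & "," & Csv(objEvent.Message)
Next
objFile.Close

' Quote a field for CSV: Null becomes empty, line breaks become spaces, quotes are doubled
Function Csv(varValue)
    Dim strValue
    strValue = varValue & ""
    strValue = Replace(Replace(strValue, vbCr, " "), vbLf, " ")
    Csv = """" & Replace(strValue, """", """""") & """"
End Function
```

Run it once a day with cscript //nologo from a scheduled task; a second run on the same date overwrites that day's file.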
 

Author Closing Comment

by:BryanOakley
ID: 33512780
Hi MaxSoullard

Perfect..! Thanks so much. That's blown a few cobwebs off...

@pony10us: appreciate your input.

Cheers
Bry