Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

auto query windows security log for specific event id

Posted on 2010-08-24
4
Medium Priority
?
693 Views
Last Modified: 2012-05-10
hi

I have been running with powershell for a fair while now, so my vbscript is a little rusty..!
I am wanting to schedule a job to run on a legacy exchange 2003 server and export 1009 events from the security log.

I am auditing the legacy infrastructure to ensure recently migrated users are not accessing their old mailboxes by mistake - these will of course be closed shortly but for a week or so I would like to audit.

I am running dumpeventlog.vbs but I would like something that I can auto-schedule to specifically export 1009 events from the security log only...

I am not able to install anything in the legacy environment and powershell is a no-go.

Any help pointers much appreciated...

Cheers
Bry
0
Comment
Question by:bryan oakley-wiggins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 

Author Comment

by:bryan oakley-wiggins
ID: 33510580
sorry, I meant from the appluication log as this is where exchange logons audits are written to :-)
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33511785
you could take a look at using WMI:    http://www.computerperformance.co.uk/vbscript/wmi_event_log.htm
0
 
LVL 5

Accepted Solution

by:
MaxSoullard earned 2000 total points
ID: 33512054
try this vb

Just instantiate the strTxtFile variable with the path for a result file. I recoment with a CSV extension
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Application' and " & "EventCode = '1009'")

strResult = "Category,Computer Name,Event Code,Message,Record Number,Source Name,Time Written,Event Time,User" & VbCrLf
For Each objEvent in colLoggedEvents
strResult = strResult & objEvent.Category & "," & objEvent.ComputerName & "," & objEvent.EventCode & "," & Replace(objEvent.Message,VbCrLf,"") & "," & objEvent.RecordNumber & "," & objEvent.SourceName & "," & objEvent.TimeWritten & "," & objEvent.Type  & "," & objEvent.User & VbCrLf

Next


Const ForReading = 1
Const ForWriting = 2

strTxtFile = "RESULTS TEXT FILE PATH"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strTxtFile, ForWriting,true)
objFile.Write(strResult)
objFile.Close

Open in new window

0
 

Author Closing Comment

by:bryan oakley-wiggins
ID: 33512780
hi MaxSoullad

perfect..! thanks so much. That's blew a few cob-webs off...

@pony10us: appreciate your input.

Cheers
Bry
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
This is a fine trick which I've found useful many times, when you just don't want to accidentally run a batch script or the commands needs administrator rights.
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question