WMI query cannot extract event message

Hi there

My WMI query renders the events on the local hosts but returns null for every event message from any remote server. Other fields, such as event code or computername, have no problems, only the event message (which can be rather long).

I attach my connecting string

Is there any workaround?

Thanks
Set wbemLocator = CreateObject("wbemscripting.swbemlocator")
    Set objWMIService = wbemLocator.ConnectServer(strComputer, , strUser, strPassword)

0
Asked by: Pakhu1
 
Lukasz Chmielewski Commented:
You have to provide a namespace
Set wbemLocator = CreateObject("wbemscripting.swbemlocator")
    Set objWMIService = wbemLocator.ConnectServer(strComputer, "root\CIMV2" , strUser, strPassword)
0
 
khaaz Commented:
What happens if you try this directly from a command line?

WMIC /NODE:192.168.0.1 /USER:domain\user /password:password PATH Win32ntlogevent Where (Type='Error' and Logfile='System') get message

Do you have anything displayed?
0
 
Pakhu1 (Author) Commented:
Roads_Roads: I provided the namespace and I keep getting null content messages. There is no difference.


khaaz: I've got a "no valid class" error.


Thanks

0
 
khaaz Commented:
I've misspelled the class name.
Could you try with win32_ntlogevent?
0
 
Pakhu1 (Author) Commented:
Hi khaaz:


Sorry for the delay. I missed your comment.

Your idea works fine. Now, my problem is how I must redesign my code in order to get the information, instead of using a command line

Thanks
0
 
khaaz Commented:
Hi Pakhu1,

Now we know that the message attribute can be retrieved and you don't have any rights or access issues. You copied/pasted only the connection string, which seems to be good. What's your code?

Khaaaz
0
 
Pakhu1 (Author) Commented:
Hi there:

It looks like you are on the right track.

Find the code attached


Thank you
Set wbemLocator = CreateObject("wbemscripting.swbemlocator")
Set objWMIService = wbemLocator.ConnectServer(strComputer, "root\CIMV2", strUser, strPassword)

Set colRetrievedEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent Where TimeWritten >= '" & FechaIni & "' AND SourceName = '" & RST("Servicio") & "'", , 48)

For Each objEvent In colRetrievedEvents

0
 
khaaz Commented:
The code seems fine. What if you try with:
         ("SELECT TimeWritten,SourceName,Message FROM Win32_NTLogEvent Where TimeWritten >= '" & FechaIni & "' AND SourceName = '" & RST("Servicio") & "'", , 48) 

and then wscript.echo objevent.message or something like that?

0
 
khaaz Commented:
And did you try without the 48 flag?

 ("SELECT * FROM Win32_NTLogEvent Where TimeWritten >= '" & FechaIni & "' AND SourceName = '" & RST("Servicio") & "'")

0
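The remote query from this thread as an added PowerShell example (not code from any poster): it prompts for the credential instead of taking a password on the command line, escapes the source name before it goes into the WQL filter, and counts how many returned events have an empty Message. The parameter names and the use of Get-CimInstance over DCOM are assumptions; the script measures the symptom and is not presented as the fix.

```powershell
# Added example. $Server, $Source and $Since are placeholders, not values from the thread.
param(
    [Parameter(Mandatory)] [string] $Server,
    [Parameter(Mandatory)] [string] $Source,      # SourceName to filter on
    [datetime] $Since = (Get-Date).AddDays(-1)
)

# Prompt for the account rather than passing the password as an argument,
# where it would be visible in process listings and command history.
$cred = Get-Credential -Message "Account with remote WMI rights on $Server"

# DCOM is the transport SWbemLocator.ConnectServer and WMIC use.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Server -Credential $cred -SessionOption $opt

try {
    # Escape backslash and single quote so the value stays inside the WQL string literal.
    $safeSource = $Source.Replace('\', '\\').Replace("'", "\'")
    # CIM datetime literal (yyyymmddHHMMSS.mmmmmm+UUU), expressed in UTC.
    $dmtf   = $Since.ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff') + '+000'
    $filter = "TimeWritten >= '$dmtf' AND SourceName = '$safeSource'"

    # Ask for Message by name, as in the narrowed SELECT suggested in the thread.
    $events = @(Get-CimInstance -CimSession $session -Namespace 'root/CIMV2' `
        -ClassName Win32_NTLogEvent -Filter $filter `
        -Property TimeWritten, SourceName, EventCode, Message)

    $missing = @($events | Where-Object { [string]::IsNullOrEmpty($_.Message) })

    # Summary first, then the affected events for comparison between servers.
    [pscustomobject]@{
        Server      = $Server
        Total       = $events.Count
        NullMessage = $missing.Count
    }
    $missing | Select-Object TimeWritten, SourceName, EventCode
}
finally {
    Remove-CimSession -CimSession $session
}
```

Running it against a working and a non-working server with the same source and time window gives two summaries that can be compared directly.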
 
Pakhu1 (Author) Commented:
Yes, I tried both ways and the result is exactly the same.

The funny thing is that the code works fine for a server in my building, but not for servers that are in the same area but some kilometers away.

Now I'm running the code with the new SELECT clause. It takes a while...
0
 
Pakhu1 (Author) Commented:
Well, I get the same result:

For the remote servers I get all fields right (type, TimeWritten). All of them but Message, which is still null in all cases.
0
 
khaaz Commented:
"The funny thing is that the code works fine for a server in my building, but not for servers that are in the same area but some kilometers away."

So I think we should investigate that way. Same OS and service pack version?
Could you try recompiling ntevt.mof on a non-working server with:

C:\Windows\System32\wbem>mofcomp ntevt.mof

0
 
Pakhu1 (Author) Commented:
Hi there


Sorry for the delay. I was out of the office.

Running this command I get the error 0x80041003 regarding WMI.


Thanks
C:\Windows\System32\wbem>mofcomp ntevt.mof
Microsoft (R) MOF Compiler Version 6.1.7601.17514
Copyright (c) Microsoft Corp. 1997-2006. Reservados todos los derechos.
Analizando el archivo MOF: ntevt.mof
El archivo MOF se analizó correctamente
Almacenando información en el repositorio...
Error al procesar el elemento 1 definido en las líneas 8 - 11 en el archivo ntev
t.mof:
Número de error: 0x80041003, facilidad: WMI
Descripción: Acceso denegado
El compilador ha devuelto el error 0x80041003
C:\Windows\System32\wbem>cd..

0
 
khaaz Commented:
This is an "access denied"-like error; check the account that launched the command.
Try with a right click "run as administrator" on the cmd shortcut.
It could just be an annoying UAC issue.

As hard as we try, it will work one day :)
Khaaaz
0
