security logs from domain machines (visual basic scripting)

Hello,

I found the following vbs scripting code below that automatically saves (to .evt) and clears security event logs from the current computer you are on. Is there a way to tweak this vbs code to do the same thing for multiple machines within the same domain? I've had no luck at tweaking the code successfully.

Thanks in advance.
' Back up and then clear the Security event log on the local machine (".")
strComputer = "."
' The Backup and Security privileges are required for BackupEventLog/ClearEventLog
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogfile in colLogFiles
    ' Backup file (e.g. C:\Security 5-3-2010.evt) is written on the target machine
    OutputFile = "C:\" & "Security "
    OutputFile = OutputFile & Day(Now) & "-" & month(now) & "-" & year(now)
    OutputFile = OutputFile & ".evt"
    errBackupLog = objLogFile.BackupEventLog(OutputFile)
    ' 0 = backup written; 183 = ERROR_ALREADY_EXISTS (the existing file is kept,
    ' not overwritten, so the log is cleared against that older backup)
    If errBackupLog = 0 Or errBackupLog = 183 Then
        objLogFile.ClearEventLog()
    Else
        Wscript.Echo "The Security event log could not be backed up."
    End If
Next


jslaughtAsked:
sirbountyCommented:
Without modifying the logic much, I tested this against 3 devices (with the exception of clearing the log - I did remove that line), and it worked.
1 XP pc, 1 2k3 server, & 1 2k8 (sp2) server.
All 3 dropped the backup log file directly on the root of the C drive of the target device.
I don't have any blades to test again, but I can also try a win7 device.
My first impression is that it's security-related.  Are you a domain admin?  Do you have permission to write to these devices' C drive?

If not, perhaps try a temp folder off the root...of course, the folder must exist beforehand...

Here's the version I've successfully tested - give it a try...
' Read one computer name per line from a text file on the machine running the script
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Computers.txt")

Do While Not objFile.AtEndOfStream

    strComputer = objFile.ReadLine

    If strComputer <> "" Then
        wscript.echo "Processing " & strComputer

        ' Connect to WMI on the remote machine with the Backup and Security privileges
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")
        Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile where LogFileName='Security'")

        For Each objLogfile in colLogFiles
            ' Backup file lands in C:\Temp on the target machine; the folder must already exist
            OutputFile = "C:\Temp\" & strComputer & "_Security-" & Day(Now) & "-" & month(now) & "-" & year(now) & ".evt"
            errBackupLog = objLogFile.BackupEventLog(OutputFile)
            If errBackupLog = 0 Or errBackupLog = 183 Then
                ' (removed)        objLogFile.ClearEventLog()
                wscript.echo "Log would have been cleared..."
            Else
                Wscript.Echo "The Security event log could not be backed up."
            End If
        Next

    End If

Loop

objFile.Close


 
sirbountyCommented:
Sure - you just need a source of computers...example with a text file:
' Read one computer name per line from a text file on the machine running the script
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Computers.txt")

Do While Not objFile.AtEndOfStream

    strComputer = objFile.ReadLine

    If strComputer <> "" Then
        ' Same WMI connection as the original script, but against the listed machine
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
                & strComputer & "\root\cimv2")
        Set colLogFiles = objWMIService.ExecQuery _
            ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
        For Each objLogfile in colLogFiles
            ' Backup file is written to the root of C: on the target machine
            OutputFile = "C:\" & "Security "
            OutputFile = OutputFile & Day(Now) & "-" & month(now) & "-" & year(now)
            OutputFile = OutputFile & ".evt"
            errBackupLog = objLogFile.BackupEventLog(OutputFile)
            If errBackupLog = 0 Or errBackupLog = 183 Then
                objLogFile.ClearEventLog()
            Else
                Wscript.Echo "The Security event log could not be backed up."
            End If
        Next

    End If

Loop

objFile.Close


 
jason987Commented:
If you are a domain administrator can't you just change the first line to a "computername" instead of "."?
 
jslaughtAuthor Commented:
I did as recommended by listing computer names on our domain into a text file before running the script. The code example provided by sirbounty above is producing the following vbs error message: "The remote server machine does not exist or is unavailable; 'GetObject'"

The original code I provided above initially is successful but with pulling logs from one computer at a time. You also have to be logged onto that specific computer in order to successfully get the event logs.

Any other suggestions?
 
sirbountyCommented:
A) We can incorporate code to test that the machine is on the network, and then skip over those that aren't. Or are you certain this computer was reachable at the time it was launched?

B) It might be that the computer name was mistyped?  With this code, you only want to input the computer name(s) in the text file (no leading \\ or trailing characters).

You might try shifting the items in the list around and see if it works on other computer names.
Let me know how you make out.
 
jslaughtAuthor Commented:
A) I've been doing my own test by pinging the computers before I run the vbs script. On our network we have blade servers, workstations and blade workstations with different OSs on them as well, ranging from XP, Windows Server 2003 to 64bit (Windows 7 & Server 2003). I'm getting the "The remote server machine does not exist or is unavailable; 'GetObject'" error messages on workstations and the "security event log could not be backed up" message on blade servers and blade workstations.

B) the computer name was no mistype. I've used other vbs that required a text file with just the computer names listed so I figured it was just the computer name needed.

C) I've shifted computer names around in the text file to see if anything would work. No luck.
 
jslaughtAuthor Commented:
Did the test on a few machines. Received the same error message: "The remote server machine does not exist or is unavailable; 'GetObject'" error.

1. I am one of the domain admins for the network and have permissions to write to machine c: drives.
2. I do think it's network security related. I will have to investigate.
3. What should I do with this question since this won't be resolved immediately?
 
sirbountyCommented:
You have a few weeks before it's considered abandoned.  So long as you make an update every couple of weeks, I think it will stick around...

Try removing the BackupEventLog method - see if that is where it's hanging.
Alternatively, you can try placing an
  On Error Resume Next
at the start of the script and see if it will work on 'any' of the devices...
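Combining the two suggestions (the reachability test from A) and On Error Resume Next), as an added example that is neither sirbounty's nor the asker's code: it pings each listed host with Win32_PingStatus before the WMI call, traps the GetObject failure per host instead of aborting the whole run, and reports one line per machine. C:\Computers.txt and C:\Temp are the paths assumed from the thread; the ClearEventLog call is left out, as in the tested version above.

```vbscript
' Added example (not from the thread): ping each listed host before the WMI call,
' trap errors per host, report the outcome. Assumes C:\Computers.txt locally and C:\Temp on targets.
Const INPUT_LIST = "C:\Computers.txt", REMOTE_DIR = "C:\Temp\"
' True when the host answers an ICMP echo sent from the local machine.
Function IsReachable(strHost)
    On Error Resume Next
    IsReachable = False
    For Each objStatus In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
            "Select StatusCode From Win32_PingStatus Where Address='" & strHost & "'")
        If Not IsNull(objStatus.StatusCode) Then
            If objStatus.StatusCode = 0 Then IsReachable = True
        End If
    Next
End Function
' Backs up the Security log of one host; returns a one-line result string.
Function BackupSecurityLog(strHost, strStamp)
    On Error Resume Next
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strHost & "\root\cimv2")
    If Err.Number <> 0 Then   ' the "remote server machine does not exist" case
        BackupSecurityLog = strHost & ": WMI connect failed - " & Err.Description
        Err.Clear
        Exit Function
    End If
    For Each objLog In objWMI.ExecQuery("Select * From Win32_NTEventLogFile Where LogFileName='Security'")
        strOut = REMOTE_DIR & strHost & "_Security-" & strStamp & ".evt"
        errBackup = objLog.BackupEventLog(strOut)
        ' 0 = written, 183 = file already existed. ClearEventLog is left out here,
        ' as in the tested version above, until the backup has been verified.
        If errBackup = 0 Or errBackup = 183 Then
            BackupSecurityLog = strHost & ": backed up to " & strOut
        Else
            BackupSecurityLog = strHost & ": BackupEventLog returned " & errBackup
        End If
    Next
End Function
strStamp = Year(Now) & "-" & Right("0" & Month(Now), 2) & "-" & Right("0" & Day(Now), 2)
Set objFile = CreateObject("Scripting.FileSystemObject").OpenTextFile(INPUT_LIST)
Do While Not objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    If strComputer <> "" Then
        If IsReachable(strComputer) Then
            WScript.Echo BackupSecurityLog(strComputer, strStamp)
        Else
            WScript.Echo strComputer & ": not reachable, skipped"
        End If
    End If
Loop
objFile.Close
```

Run it with cscript so the per-host lines go to the console; a host that pings but still fails at GetObject points at RPC/WMI being blocked by a firewall rather than at a wrong name.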
 
jslaughtAuthor Commented:
Not able to do the suggestions above due to my internal network being heavily protected by network firewalls. I have decided to do the above suggestions per workstation instead of doing the pull of event logs from one domain machine.