  • Status: Solved
  • Priority: Medium
  • Security: Public

Security logs from domain machines (Visual Basic Scripting)

Hello,

I found the VBS code below, which automatically saves (to .evt) and clears the Security event log of the computer you are currently on. Is there a way to tweak this VBS code to do the same thing for multiple machines within the same domain? I've had no luck tweaking the code successfully.

Thanks in advance.
' Back up the Security log of the local machine (".") to an .evt file, then clear it.
' The moniker requests the Backup and Security privileges (SeBackupPrivilege /
' SeSecurityPrivilege) that BackupEventLog and ClearEventLog require.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
        & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
For Each objLogfile in colLogFiles
    ' Date-stamped file, written on the machine that owns the log
    OutputFile = "C:\Security_" & Day(Now) & "-" & Month(Now) & "-" & Year(Now) & ".evt"
    errBackupLog = objLogFile.BackupEventLog(OutputFile)
    ' BackupEventLog returns 0 on success. 183 means the file already exists and
    ' nothing was written, so clearing on 183 would discard the log without a copy.
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
    Else
        WScript.Echo "The Security event log could not be backed up (code " & errBackupLog & "); log not cleared."
    End If
Next

Asked by jslaught

1 Solution
sirbounty commented:
Sure, you just need a source of computers. Example with a text file:
' Back up and clear the Security log on every computer listed in C:\Computers.txt
' (one host name per line, no leading \\). Processing continues past machines that
' cannot be reached instead of aborting the whole run on the first GetObject error.
On Error Resume Next

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Computers.txt")

Do While Not objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    If strComputer <> "" Then
        Err.Clear
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate, (Backup, Security)}!\\" _
            & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            ' Typically "The remote server machine does not exist or is unavailable":
            ' host down, name wrong, or DCOM/RPC blocked by a firewall.
            WScript.Echo strComputer & ": cannot connect via WMI - " & Err.Description
        Else
            Set colLogFiles = objWMIService.ExecQuery _
                ("Select * from Win32_NTEventLogFile where LogFileName='Security'")
            For Each objLogfile in colLogFiles
                ' The .evt is written on the TARGET machine's C: drive, named per host
                OutputFile = "C:\" & strComputer & "_Security_" _
                    & Day(Now) & "-" & Month(Now) & "-" & Year(Now) & ".evt"
                errBackupLog = objLogFile.BackupEventLog(OutputFile)
                ' 0 = success. 183 = file already exists and NOTHING was written,
                ' so clearing on 183 would discard the log without a copy.
                If errBackupLog = 0 Then
                    objLogFile.ClearEventLog()
                Else
                    WScript.Echo strComputer & ": the Security event log could not be backed up (code " & errBackupLog & "); not cleared."
                End If
            Next
        End If
    End If
Loop

objFile.Close

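Added example, not code from the thread: a PowerShell version of the per-computer loop above that refuses to clear a Security log until the archive is confirmed to exist on the target. Assumptions (none of them from the thread): Windows PowerShell 5.1 on the admin workstation (Get-WmiObject uses the same DCOM/RPC transport as the VBScript GetObject call, so it reaches the same XP/2003 hosts); C:\Computers.txt with one host name per line; a C:\Temp folder already present on every target, because BackupEventLog writes to the target's own disk; and the C$ admin share reachable for the verification step.

```powershell
# Added example (not from the thread): back up and clear the Security log on each host
# in a text file, clearing only after the archive is confirmed on the target's disk.
# Assumptions: C:\Computers.txt (one hostname per line), C:\Temp exists on every target,
# caller is a domain admin, DCOM/RPC (TCP 135 + dynamic ports) is open to the targets.

$ListPath  = 'C:\Computers.txt'   # assumption: one hostname per line
$RemoteDir = 'C:\Temp'            # assumption: exists on every target
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

$results = foreach ($computer in (Get-Content $ListPath | Where-Object { $_.Trim() -ne '' })) {
    $computer = $computer.Trim()
    $row = [ordered]@{ Computer = $computer; Backup = $null; Cleared = $false; Note = '' }

    # Preflight: ICMP first, so an offline box is skipped instead of hanging on DCOM.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        $row.Note = 'no ping reply; skipped'
        [pscustomobject]$row; continue
    }

    try {
        # Same WMI class the VBScript uses; -EnableAllPrivileges supplies SeBackupPrivilege
        # and SeSecurityPrivilege, which the VBS moniker requested as (Backup, Security).
        $log = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $computer `
                 -Filter "LogFileName='Security'" -EnableAllPrivileges -ErrorAction Stop

        # Unique name per host and run, so BackupEventLog never returns 183 (file exists).
        $remoteFile = Join-Path $RemoteDir ("{0}_Security_{1}.evt" -f $computer, $Stamp)
        $rc = ($log.BackupEventLog($remoteFile)).ReturnValue
        $row.Backup = $rc

        if ($rc -ne 0) {
            # Documented codes: 8 = privilege missing, 21 = invalid parameter, 183 = file
            # exists; anything else is a Win32 error (e.g. 3 when C:\Temp is missing).
            $row.Note = "BackupEventLog failed (return $rc); log NOT cleared"
            [pscustomobject]$row; continue
        }

        # Verify the archive actually landed on the target before destroying the live log.
        $uncFile = "\\$computer\" + $remoteFile.Replace(':', '$')   # assumes admin share C$
        if (-not (Test-Path -LiteralPath $uncFile)) {
            $row.Note = 'backup reported success but file not found via admin share; log NOT cleared'
            [pscustomobject]$row; continue
        }

        $clr = ($log.ClearEventLog()).ReturnValue
        $row.Cleared = ($clr -eq 0)
        $row.Note = if ($clr -eq 0) { "archived to $uncFile" } else { "ClearEventLog returned $clr" }
    }
    catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA 'The RPC server is unavailable' is the usual symptom of DCOM blocked
        # by a firewall; it is the same failure the VBScript reports as
        # "The remote server machine does not exist or is unavailable".
        $row.Note = 'WMI/DCOM connection failed: ' + $_.Exception.Message
    }
    catch [System.UnauthorizedAccessException] {
        $row.Note = 'access denied (not a local administrator on the target?)'
    }
    catch {
        $row.Note = 'error: ' + $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt as a domain admin. The design point is the ordering: backup, then an independent existence check over the file share, then clear; a script that clears on return code 183 (the original's "file already exists" branch) destroys the only copy of the log, which is exactly what a Security-log archiver must never do.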
 
jason987 commented:
If you are a domain administrator can't you just change the first line to a "computername" instead of "."?

jslaught (Author) commented:
I did as recommended by listing computer names on our domain in a text file before running the script. The code example provided by sirbounty above is producing the following VBS error message: "The remote server machine does not exist or is unavailable; 'GetObject'".

The original code I provided above is initially successful, but only with pulling logs from one computer at a time. You also have to be logged onto that specific computer in order to successfully get the event logs.

Any other suggestions?
 
sirbounty commented:
A) We can incorporate code to test that the machine is on the network, and then skip over those that aren't. Or are you certain this computer was reachable at the time it was launched?

B) It might be that the computer name was mistyped?  With this code, you only want to input the computer name(s) in the text file (no leading \\ or trailing characters).

You might try shifting the items in the list around and see if it works on other computer names.
Let me know how you make out.

jslaught (Author) commented:
A) I've been doing my own test by pinging the computers before I run the VBS script. On our network we have blade servers, workstations and blade workstations with different OSs on them as well, ranging from XP and Windows Server 2003 to 64-bit (Windows 7 & Server 2003). I'm getting the "The remote server machine does not exist or is unavailable; 'GetObject'" error message on workstations and the "security event log could not be backed up" message on blade servers and blade workstations.

B) the computer name was no mistype. I've used other vbs that required a text file with just the computer names listed so I figured it was just the computer name needed.

C) I've shifted computer names around in the text file to see if anything would work. No luck.

sirbounty commented:
Without modifying the logic much, I tested this against 3 devices (with the exception of clearing the log - I did remove that line), and it worked.
1 XP pc, 1 2k3 server, & 1 2k8 (sp2) server.
All 3 dropped the backup log file directly on the root of the C drive of the target device.
I don't have any blades to test against, but I can also try a Win7 device.
My first impression is that it's security-related.  Are you a domain admin?  Do you have permission to write to these devices' C drive?

If not, perhaps try a temp folder off the root...of course, the folder must exist beforehand...

Here's the version I've successfully tested - give it a try...
' Test version: backs up the Security log of each listed computer to C:\Temp on that
' computer, but does NOT clear it (the ClearEventLog call is commented out below).
' C:\Temp must already exist on every target; BackupEventLog will not create it.
On Error Resume Next

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Computers.txt")

Do While Not objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    If strComputer <> "" Then
        WScript.Echo "Processing " & strComputer

        Err.Clear
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            ' Connection failed (host down, bad name, or DCOM/RPC blocked); move on
            WScript.Echo "  cannot connect via WMI - " & Err.Description
        Else
            Set colLogFiles = objWMIService.ExecQuery("Select * from Win32_NTEventLogFile where LogFileName='Security'")

            For Each objLogfile in colLogFiles
                ' File is written on the TARGET's disk, one file per host and day
                OutputFile = "C:\Temp\" & strComputer & "_Security-" & Day(Now) & "-" & Month(Now) & "-" & Year(Now) & ".evt"
                errBackupLog = objLogFile.BackupEventLog(OutputFile)
                ' 0 = success; 183 = file already exists (nothing written); other
                ' values are Win32 error codes (e.g. 3 = C:\Temp missing on target)
                If errBackupLog = 0 Then
                    ' (removed)        objLogFile.ClearEventLog()
                    WScript.Echo "  backed up to " & OutputFile & " - log would have been cleared..."
                Else
                    WScript.Echo "  the Security event log could not be backed up (code " & errBackupLog & ")."
                End If
            Next
        End If
    End If
Loop

objFile.Close


jslaught (Author) commented:
Did the test on a few machines. Received the same error message: "The remote server machine does not exist or is unavailable; 'GetObject'".

1. I am one of the domain admins for the network and have permissions to write to machine c: drives.
2. I do think it's network security related. I will have to investigate.
3. What should I do with this question since this won't be resolved immediately?

sirbounty commented:
You have a few weeks before it's considered abandoned.  So long as you make an update every couple of weeks, I think it will stick around...

Try removing the BackupEventLog method - see if that is where it's hanging.
Alternatively, you can try placing an
  On Error Resume Next
at the start of the script and see if it will work on 'any' of the devices...
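Added example, not from the thread: a stage-by-stage check that turns the two suggestions above (test that a machine is on the network before touching it, and take BackupEventLog out of the picture to see where it fails) into one script. For each host it tests ICMP, then TCP 135 (the RPC endpoint mapper that every DCOM/WMI connection starts on), then a read-only WMI query that needs no privilege and writes nothing, and finally whether the backup folder on the target exists and is writable. Assumptions, none from the thread: Windows PowerShell 5.1, C:\Computers.txt with one host name per line, C:\Temp as the backup folder, and the C$ admin share enabled on the targets.

```powershell
# Added example (not from the thread): triage why remote Security-log backup fails on a
# host, separating 'DCOM blocked by firewall' from 'access denied' from 'folder missing'.
# Assumptions: Windows PowerShell 5.1, C:\Computers.txt (one hostname per line), C$ share.

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on any Windows version, unlike Test-NetConnection.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false }
    finally { $client.Close() }
}

function Test-EventLogBackupReadiness {
    param([string]$Computer, [string]$RemoteDir = 'C:\Temp')   # RemoteDir is an assumption

    $r = [ordered]@{ Computer = $Computer; Ping = $false; Rpc135 = $false
                     Wmi = ''; WritePath = ''; Verdict = '' }

    # Stage 1: is the box up at all?
    $r.Ping = Test-Connection -ComputerName $Computer -Count 1 -Quiet
    if (-not $r.Ping) { $r.Verdict = 'offline or ICMP filtered'; return [pscustomobject]$r }

    # Stage 2: DCOM starts on TCP 135, then a dynamic high port. If 135 is closed,
    # GetObject("winmgmts:...") reports "remote server machine does not exist or is unavailable".
    $r.Rpc135 = Test-TcpPort -HostName $Computer -Port 135
    if (-not $r.Rpc135) { $r.Verdict = 'TCP 135 blocked: firewall, DCOM cannot connect'; return [pscustomobject]$r }

    # Stage 3: a harmless WMI query isolates the connection/permission step from BackupEventLog.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $r.Wmi = "ok ($($os.Caption))"
    } catch [System.UnauthorizedAccessException] {
        $r.Wmi = 'access denied'
        $r.Verdict = 'WMI reachable but caller is not an administrator on the target'
        return [pscustomobject]$r
    } catch {
        $r.Wmi = $_.Exception.Message
        $r.Verdict = '135 open but WMI failed: dynamic RPC ports blocked or DCOM misconfigured'
        return [pscustomobject]$r
    }

    # Stage 4: BackupEventLog writes on the TARGET's disk, so the folder must exist there.
    # Touch and delete a probe file through the admin share to prove it is writable.
    $unc = "\\$Computer\" + $RemoteDir.Replace(':', '$')
    try {
        if (-not (Test-Path -LiteralPath $unc)) {
            $r.WritePath = 'folder missing'
            $r.Verdict = "create $RemoteDir on the target first (BackupEventLog will not create it)"
            return [pscustomobject]$r
        }
        $probe = Join-Path $unc ('probe_' + [guid]::NewGuid().ToString('N') + '.tmp')
        Set-Content -LiteralPath $probe -Value 'x' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        $r.WritePath = 'writable'
    } catch {
        $r.WritePath = $_.Exception.Message
        $r.Verdict = 'no write access to the backup folder on the target'
        return [pscustomobject]$r
    }

    $r.Verdict = 'all prerequisites met; BackupEventLog should succeed'
    [pscustomobject]$r
}

Get-Content 'C:\Computers.txt' | Where-Object { $_.Trim() } |
    ForEach-Object { Test-EventLogBackupReadiness -Computer $_.Trim() } |
    Format-Table -AutoSize
```

Read the table from left to right: a host that pings but fails at Rpc135 or Wmi has a network or DCOM problem that no change to the VBScript will fix, which matches the outcome reported in this thread; a host that passes Wmi but fails at WritePath needs the folder created or permissions fixed on the target before BackupEventLog will return 0.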
 
jslaught (Author) commented:
Not able to do the suggestions above due to my internal network being heavily protected by network firewalls. I have decided to do the above suggestions per workstation instead of doing the pull of event logs from one domain machine.