rajkiggal
asked on
Query AD for Event ID 6008
Need a script which queries AD for event 6008 for the list of servers which will be stored in Notepad; the output should be placed in another file in the below format.
---Computername--
6008 <time_date> <-------------- most recent first
6008 time_date
---Computername--
6008 <time_date> <-------------- most recent first
6008 time_date
I have the script; if this could be modified for the requirement, it will be appreciated.
Script is taken from the question (thanks to Rob):
https://www.experts-exchange.com/questions/27018030/Query-AD-for-Event-ID-6008-for-Sub-OU-with-duration-of-30-Days.html
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If
Const EventID = 6008
DateToCheck = DateAdd("d", -30, Now)
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateToCheck, True
Dim objRoot:Set objRoot = GetObject("LDAP://RootDSE")
Dim objDomain:Set objDomain = GetObject("LDAP://" & objRoot.Get("defaultNamingContext"))
Set objOUs = GetObject(objDomain.adsPath)
Dim objFSO:Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objOutput:Set objOutput = objFso.CreateTextFile("6008Events.log")
EnumOUs(objDomain.ADsPath)
objOutput.Close
Set objOutput=Nothing
Set objOUs=Nothing
Set objDomain=Nothing
Set objRoot=Nothing
Set objFSO=Nothing
wscript.quit
Sub EnumOUs(adspath)
    Dim objOUs, OU
    Set objOUs = GetObject(adspath)
    objOUs.Filter = Array("OrganizationalUnit")
    Call EnumUsers(objOUs.ADsPath)
    For Each OU In objOUs
        wscript.echo "Processing " & Replace(OU.Name, "OU=", "")
        objOutput.WriteLine Replace(Ucase(OU.Name), "OU=", "")
        Call EnumOUs(OU.ADsPath)
    Next
End Sub
Sub EnumUsers(adspath)
    Dim objServers:Set objServers = GetObject(adspath)
    objServers.Filter = Array("Computer")
    objOutput.WriteLine
    For Each objSvr In objServers
        On Error Resume Next
        If Ping(objSvr.CN) = True Then
            WScript.Echo "Connecting to " & objSvr.CN
            Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & objSvr.CN & "\root\cimv2")
            'wscript.echo "Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'"
            Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'")
            If Err.Number = 0 Then
                For Each objEvent In colEvents
                    If Err.Number = 0 Then
                        'If x > 3 Then Exit For
                        strDate=objEvent.TimeWritten
                        strYear=Left(strDate,4)
                        strMonth=Mid(strDate,5,2)
                        strDay=Mid(strDate,7,2)
                        strHour=Mid(strDate,9,2)
                        strMin=Mid(strDate,11,2)
                        strSec=Mid(strDate,13,2)
                        strDate=strMonth & "/" & strDay & "/" & strYear & " " & strHour & ":" & strMin & ":" & strSec
                        objOutput.WriteLine objSvr.CN & "," & EventID & "," & strDate
                        'End If
                    Else
                        objOutput.WriteLine objSvr.CN & ",Error " & Err.Number & "," & Err.Description
                        Err.Clear
                    End If
                    objOutput.WriteLine
                Next
            Else
                objOutput.WriteLine objSvr.CN & ",WMI Connection Error"
                WScript.Echo "Error connecting to " & objSvr.CN
                Err.Clear
                On Error Goto 0
            End If
        Else
            objOutput.WriteLine objSvr.CN & ",Computer offline"
            WScript.Echo objSvr.CN & " is offline"
        End If
    Next
End Sub
Function Ping(strComputer)
    Dim objShell, boolCode
    Set objShell = CreateObject("WScript.Shell")
    boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
    If boolCode = 0 Then
        Ping = True
    Else
        Ping = False
    End If
End Function
Oh, you'll probably need to change
objDataList.Sort = "TimeWritten"
to
objDataList.Sort = "TimeWritten DESC"
Regards,
Rob.
ASKER
Hi Rob,
Could you please change this script to get the server names from Notepad stored on one of the servers and query in AD, instead of searching for all the servers in AD
(as mentioned in the beginning of the question).
Thanks
Hi, sorry, I missed that bit. I haven't tested it, but it should read from servers.txt
Regards,
Rob.
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If
Const EventID = 6008
strInputFile = "\\server\share\servers.txt"
DateToCheck = DateAdd("d", -30, Now)
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateToCheck, True
Const adVarChar = 200
Const MaxCharacters = 255
Const adFldIsNullable = 32
Const adDouble = 5
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Set objInput = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInput.AtEndOfStream
    strServer = objInput.ReadLine
    objOutput.WriteLine
    On Error Resume Next
    If Ping(strServer) = True Then
        WScript.Echo "Connecting to " & strServer
        Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2")
        'wscript.echo "Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'"
        Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'")
        If Err.Number = 0 Then
            Set objDataList = CreateObject("ADOR.Recordset")
            objDataList.Fields.Append "TimeWritten", adVarChar
            objDataList.Fields.Append "FormattedDate", adVarChar
            objDataList.Open
            For Each objEvent In colEvents
                If Err.Number = 0 Then
                    'If x > 3 Then Exit For
                    strDate=objEvent.TimeWritten
                    strYear=Left(strDate,4)
                    strMonth=Mid(strDate,5,2)
                    strDay=Mid(strDate,7,2)
                    strHour=Mid(strDate,9,2)
                    strMin=Mid(strDate,11,2)
                    strSec=Mid(strDate,13,2)
                    strDate=strMonth & "/" & strDay & "/" & strYear & " " & strHour & ":" & strMin & ":" & strSec
                    objDataList.AddNew
                    objDataList("TimeWritten") = objEvent.TimeWritten
                    objDataList("FormattedDate") = strDate
                    objDataList.Update
                    'End If
                Else
                    objOutput.WriteLine strServer & vbTab & "Error " & Err.Number & "," & Err.Description
                    Err.Clear
                End If
            Next
            objOutput.WriteLine strServer
            objDataList.Sort = "TimeWritten DESC"
            While Not objDataList.EOF
                objOutput.WriteLine EventID & vbTab & objDataList("FormattedDate")
                objDataList.MoveNext
            Wend
            objDataList.Close
            objOutput.WriteLine
        Else
            objOutput.WriteLine strServer & vbTab & "WMI Connection Error"
            WScript.Echo "Error connecting to " & strServer
            Err.Clear
            On Error Goto 0
        End If
    Else
        objOutput.WriteLine strServer & vbTab & "Computer offline"
        WScript.Echo strServer & " is offline"
    End If
Wend
objInput.Close
objOutput.Close
Set objOutput=Nothing
Set objOUs=Nothing
Set objDomain=Nothing
Set objRoot=Nothing
Set objFSO=Nothing
wscript.quit
Function Ping(strComputer)
    Dim objShell, boolCode
    Set objShell = CreateObject("WScript.Shell")
    boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
    If boolCode = 0 Then
        Ping = True
    Else
        Ping = False
    End If
End Function
ASKER
Hi Rob,
It gave me an error below
Microsoft VBScript runtime error: Object required: 'objFSO'
Exit code :0
thanks
That's odd. Are you running it from a VBS file? What's the line number of the error?
ASKER
Hi Rob ,
Sorry for the delay,
Error on line 20, but when I reran the script now it points to line (24, 2) with Object required: 'objOutput'
Thanks
Oh, I took out the CreateTextFile line for some reason....
Rob.
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Const EventID = 6008
strInputFile = "\\server\share\servers.txt"
Set objOutput = objFSO.CreateTextFile("6008Events.log", True)
DateToCheck = DateAdd("d", -30, Now)
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateToCheck, True
Const adVarChar = 200
Const MaxCharacters = 255
Const adFldIsNullable = 32
Const adDouble = 5
Set objInput = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInput.AtEndOfStream
    strServer = objInput.ReadLine
    objOutput.WriteLine
    On Error Resume Next
    If Ping(strServer) = True Then
        WScript.Echo "Connecting to " & strServer
        Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2")
        'wscript.echo "Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'"
        Set colEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'")
        If Err.Number = 0 Then
            Set objDataList = CreateObject("ADOR.Recordset")
            objDataList.Fields.Append "TimeWritten", adVarChar
            objDataList.Fields.Append "FormattedDate", adVarChar
            objDataList.Open
            For Each objEvent In colEvents
                If Err.Number = 0 Then
                    'If x > 3 Then Exit For
                    strDate=objEvent.TimeWritten
                    strYear=Left(strDate,4)
                    strMonth=Mid(strDate,5,2)
                    strDay=Mid(strDate,7,2)
                    strHour=Mid(strDate,9,2)
                    strMin=Mid(strDate,11,2)
                    strSec=Mid(strDate,13,2)
                    strDate=strMonth & "/" & strDay & "/" & strYear & " " & strHour & ":" & strMin & ":" & strSec
                    objDataList.AddNew
                    objDataList("TimeWritten") = objEvent.TimeWritten
                    objDataList("FormattedDate") = strDate
                    objDataList.Update
                    'End If
                Else
                    objOutput.WriteLine strServer & vbTab & "Error " & Err.Number & "," & Err.Description
                    Err.Clear
                End If
            Next
            objOutput.WriteLine strServer
            objDataList.Sort = "TimeWritten DESC"
            While Not objDataList.EOF
                objOutput.WriteLine EventID & vbTab & objDataList("FormattedDate")
                objDataList.MoveNext
            Wend
            objDataList.Close
            objOutput.WriteLine
        Else
            objOutput.WriteLine strServer & vbTab & "WMI Connection Error"
            WScript.Echo "Error connecting to " & strServer
            Err.Clear
            On Error Goto 0
        End If
    Else
        objOutput.WriteLine strServer & vbTab & "Computer offline"
        WScript.Echo strServer & " is offline"
    End If
Wend
objInput.Close
objOutput.Close
Set objOutput=Nothing
Set objOUs=Nothing
Set objDomain=Nothing
Set objRoot=Nothing
Set objFSO=Nothing
wscript.quit
Function Ping(strComputer)
    Dim objShell, boolCode
    Set objShell = CreateObject("WScript.Shell")
    boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
    If boolCode = 0 Then
        Ping = True
    Else
        Ping = False
    End If
End Function
ASKER
Sorry for the late reply,
Set objInput = objFSO.OpenTextFile(strInputFile, intForReading, False)
This (at line 23,1) gives error Microsoft VBS script runtime error: File not found
Hi, did you set the path for the file in this line correctly:
strInputFile = "\\server\share\servers.txt"
Rob.
ASKER
Hi Rob,
I was able to run the file locally (remote path didn't work) on the server; the script was running on only one server and did not make any progress.
All I have is the below error
"Error 3709,The connection cannot be used to perform this operation. It is either closed or invalid in this context."
Hi, sorry for my delay....does it say what line number that error is on? I haven't seen that error with code like this before....
Regards,
Rob.
ASKER
Hi,
This error was found in the output file, did not get this error while running the script.
While running the script command prompt is showing as
Connecting to "name of the server"
and the output file contains
"name of the server" Error 3709,The connection cannot be used to perform this operation. It is either closed or invalid in this context.
"name of the server"
any idea!
it won't progress to next server!!
Hi, this appears to be an issue with the ADOR.Recordset rather than WMI, so that explains the different error.
See if this works any better....I can't test it at the moment.
Regards,
Rob.
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
Const EventID = 6008
strInputFile = "\\server\share\servers.txt"
Set objOutput = objFSO.CreateTextFile("6008Events.log", True)
DateToCheck = DateAdd("d", -30, Now)
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateToCheck, True
Const adVarChar = 200
Const MaxCharacters = 255
Const adFldIsNullable = 32
Const adDouble = 5
Set objInput = objFSO.OpenTextFile(strInputFile, intForReading, False)
While Not objInput.AtEndOfStream
    strServer = Trim(objInput.ReadLine)
    objOutput.WriteLine
    If strServer <> "" Then
        On Error Resume Next
        If Ping(strServer) = True Then
            WScript.Echo "Connecting to " & strServer
            Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2")
            strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=" & EventID & " And TimeWritten > '" & dtmStartDate & "'"
            WScript.Echo "Running query: " & strQuery
            Set colEvents = objWMI.ExecQuery(strQuery)
            If Err.Number = 0 Then
                Err.Clear
                Set objDataList = Nothing
                Set objDataList = CreateObject("ADOR.Recordset")
                objDataList.Fields.Append "TimeWritten", adVarChar
                objDataList.Fields.Append "FormattedDate", adVarChar
                objDataList.Open
                For Each objEvent In colEvents
                    If Err.Number = 0 Then
                        'If x > 3 Then Exit For
                        strDate=objEvent.TimeWritten
                        strYear=Left(strDate,4)
                        strMonth=Mid(strDate,5,2)
                        strDay=Mid(strDate,7,2)
                        strHour=Mid(strDate,9,2)
                        strMin=Mid(strDate,11,2)
                        strSec=Mid(strDate,13,2)
                        strDate=strMonth & "/" & strDay & "/" & strYear & " " & strHour & ":" & strMin & ":" & strSec
                        objDataList.AddNew
                        objDataList("TimeWritten") = objEvent.TimeWritten
                        objDataList("FormattedDate") = strDate
                        objDataList.Update
                        'End If
                    Else
                        objOutput.WriteLine strServer & vbTab & "Error " & Err.Number & "," & Err.Description
                        Err.Clear
                    End If
                Next
                objOutput.WriteLine strServer
                objDataList.Sort = "TimeWritten DESC"
                If Not objDataList.BOF Then objDataList.MoveFirst
                While Not objDataList.EOF
                    objOutput.WriteLine EventID & vbTab & objDataList("FormattedDate")
                    objDataList.MoveNext
                Wend
                objDataList.Close
                objOutput.WriteLine
            Else
                objOutput.WriteLine strServer & vbTab & "WMI Connection Error"
                WScript.Echo "Error connecting to " & strServer
                Err.Clear
                On Error Goto 0
            End If
        Else
            objOutput.WriteLine strServer & vbTab & "Computer offline"
            WScript.Echo strServer & " is offline"
        End If
    End If
Wend
objInput.Close
objOutput.Close
Set objOutput=Nothing
Set objOUs=Nothing
Set objDomain=Nothing
Set objRoot=Nothing
Set objFSO=Nothing
wscript.quit
Function Ping(strComputer)
    Dim objShell, boolCode
    Set objShell = CreateObject("WScript.Shell")
    boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
    If boolCode = 0 Then
        Ping = True
    Else
        Ping = False
    End If
End Function
ASKER
Hi Rob,
Have run the script; it shows the below lines, but no progress
Connecting to "Server_name"
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And Event
Code=6008 And TimeWritten > '20110427094249.000000+060'
Have you tried changing the topmost server name in the text file? Just to see if it's a particular problem with that server?
I'll test again tomorrow.
Rob.
ASKER
Have checked with a few servers, but all the same issue.
Thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Sorry for the delay, I will check this today and put a comment.
Thanks
Hi, any luck testing this?
Rob.
ASKER
Hi, sorry, did not get time to check, was so busy with work.
Will check and let you know by tomorrow.
Thanks
Rajkiggal
ASKER
Still it's not working
I'm getting error: (null): 0x80041001 at line 45,5 in above script.
OK, that appears to not be returning any events from the event log. Could you post the text from the message box you get that says
"Running query: Select ...."
Thanks,
Rob.
ASKER
Not exactly, but I'm getting the events from the event log, but the date/time is in a different format.
Have run the script for 10 servers; here is the output
Connecting to Server_1
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=6008 And TimeWritten > '20110517134056.000000+060'
Connecting to Server_2
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=6008 And TimeWritten > '20110517134056.000000+060'
Connecting to Server_3
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=6008 And TimeWritten > '20110517134056.000000+060'
Connecting to Server_4
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=6008 And TimeWritten > '20110517134056.000000+060'
Connecting to Server_5
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=6008 And TimeWritten > '20110517134056.000000+060'
Connecting to Server_6
Running query: Select * from Win32_NTLogEvent Where Logfile = 'System' And EventCode=6008 And TimeWritten > '20110517134056.000000+060'
C:\6008.vbs(45, 5) (null): 0x80041001
So are you getting the events from the first five servers, and just not the sixth?
Is that date format for the TimeWritten property different for that server? I've never heard of that....
Can you run just this code to output one of the TimeWritten values from the System log on that server? Post the exact TimeWritten string here and I'll match it with the code.
Regards,
Rob.
' Diagnostic: show the first TimeWritten value from the System log on one server
strServer = "Server_6"
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\cimv2")
strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System'"
Set colEvents = objWMI.ExecQuery(strQuery)
For Each objEvent In colEvents
    ' MsgBox takes the value as an argument; it cannot be assigned to
    MsgBox objEvent.TimeWritten
    Exit For
Next
MsgBox "Done"
ASKER
Hi Rob,
I will check tomorrow and update you.
ASKER
Hi Rob,
That's fine; the problem was with a server where the system event log was corrupted and it was unreadable.
Have cleared the error on the server and now it's working fine.
ASKER
Excellent Rob,
Thanks for the efforts, this made the job easier
Thanks again.
Great! Good to hear. Thanks for the grade.
Rob.
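The failure the thread ends on (one server with an unreadable System log halting the whole run) is a per-host error-isolation problem, so here is an added example, not code from the thread or from the members-only solution, that queries each listed server inside its own function, records a failure and moves on. The local paths servers.txt and 6008Events.log, the host-name pattern and the function name ReportFor are assumptions; the recordset field is given an explicit size, which the thread's scripts declare a constant for but never pass.

```vbscript
' Added example, not code from the thread. File paths, the host-name pattern
' and the ReportFor name are assumptions made for illustration.
Option Explicit
Const EVENT_ID = 6008, FOR_READING = 1
Const adVarChar = 200, MAX_CHARS = 255
Dim fso, inFile, outFile, since, hostPattern, server
Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile = fso.OpenTextFile("servers.txt", FOR_READING, False)
Set outFile = fso.CreateTextFile("6008Events.log", True)
' Look back 30 days, expressed as a WMI (DMTF) datetime in local time.
Set since = CreateObject("WbemScripting.SWbemDateTime")
since.SetVarDate DateAdd("d", -30, Now), True
' Names from the list are spliced into a WMI moniker, so accept only
' characters that can appear in a host name and skip anything else.
Set hostPattern = New RegExp
hostPattern.Pattern = "^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$"
Do Until inFile.AtEndOfStream
    server = Trim(inFile.ReadLine)
    If server <> "" Then
        outFile.WriteLine "---" & server & "---"
        If hostPattern.Test(server) Then
            outFile.Write ReportFor(server)
        Else
            outFile.WriteLine "Skipped: not a valid host name"
        End If
    End If
Loop
inFile.Close
outFile.Close

' Returns the report lines for one host. Error handling is local to this
' function, so a failure on one host is recorded and the caller moves on.
Function ReportFor(host)
    Dim wmi, events, evt, rs, stamp, failed, text
    Set stamp = CreateObject("WbemScripting.SWbemDateTime")
    Set rs = CreateObject("ADOR.Recordset")
    rs.Fields.Append "TimeWritten", adVarChar, MAX_CHARS   ' sized character field
    rs.Open
    On Error Resume Next
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & host & "\root\cimv2")
    If Err.Number = 0 Then Set events = wmi.ExecQuery("Select TimeWritten from Win32_NTLogEvent" & _
        " Where Logfile = 'System' And EventCode = " & EVENT_ID & " And TimeWritten > '" & since.Value & "'")
    If Err.Number = 0 Then
        For Each evt In events
            If Err.Number <> 0 Then Exit For   ' enumeration failed, e.g. unreadable log
            rs.AddNew
            rs("TimeWritten").Value = evt.TimeWritten
            rs.Update
        Next
    End If
    failed = Err.Number   ' keep the first failure before error handling is reset
    On Error GoTo 0
    If failed <> 0 Then
        ReportFor = "Error 0x" & Hex(failed) & " querying the System log" & vbCrLf
        Exit Function
    End If
    rs.Sort = "TimeWritten DESC"   ' most recent first
    If rs.RecordCount > 0 Then rs.MoveFirst
    Do Until rs.EOF
        stamp.Value = rs("TimeWritten").Value
        text = text & EVENT_ID & vbTab & stamp.GetVarDate(True) & vbCrLf
        rs.MoveNext
    Loop
    rs.Close
    ReportFor = text
End Function
```

Sorting the raw DMTF strings as text gives chronological order only while every value carries the same UTC offset, which holds for one server unless a daylight-saving change falls inside the 30-day window.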