Solved

Read log file using VBScript

Posted on 2015-02-21
Last Modified: 2015-02-22
I would like a VBScript that keeps a log file and that also reads the same log file. I would like it to first see if a file called "logs.txt" is present; if not, then create it. I'd like to execute "wevtutil el" and, for each event log it sees from that command, write the log name to logs.txt.
Next time the script is run, logs.txt will exist, so another routine can read those log names from logs.txt, and for each one, it can run this command:
   wevtutil qe "log_name_here"
and naturally insert the proper log name in the above quotes.
I would also like to keep a tally of when each command has been run and completed, if that makes sense?
Logs.txt example:
Log:System, 333,333
Log:Application 333, 333
Log:Security, 333, 332



You can see [wevtutil qe "security"] ran, but did not finish. Is that feasible, does that make sense?
-rich
Question by:Rich Rumble
 
LVL 51

Expert Comment

by:Bill Prew
ID: 40623725
Where do you want the output from the "wevtutil qe" command? That will generate a massive amount of info when done for all logs.

~bp
 
LVL 51

Expert Comment

by:Bill Prew
ID: 40623730
Also, would a BAT solution work? It might be simpler and easier than a VBS one.

~bp
 
LVL 38

Author Comment

by:Rich Rumble
ID: 40623750
The current directory, and if you know how to get a batch file to read, and then increment a count on how many times a program has run, then by all means :) The size is of no consequence in this case, and is accounted for.
I wish I could program, I can see it in my head, but it doesn't work for me when I set out to make it.
Again, the way I envision it is that the log file list is added to a text file, a number is incremented when the wevtutil command is run (each time), and then a second number is incremented when it finishes the command (each time). I figure at the beginning and the end of a foreach, I guess.
Log:System, 333,333
Log:Application 333, 333
Log:Security, 333, 332<---- didn't finish, maybe it was rebooted before the command finished...
-rich
 
LVL 51

Expert Comment

by:Bill Prew
ID: 40623756
Okay, here's a first pass at a BAT approach.  Save in a folder as a BAT, and adjust the name of the log file near the top.  Make sure the log doesn't exist yet.  Run it once to create the log file, and then a few more times to extract the event file entries.  See what you think.

@echo off
setlocal EnableDelayedExpansion

REM Define location of LOG file
set LogFile=EE28621867.log
set LogTemp=%LogFile%.tmp

REM If it doesn't exist yet, create it, otherwise process it
if exist "%LogFile%" (
  call :ProcessLog
) else (
  call :CreateLog
)

REM Quit script
exit /b

REM Initialize the log file from a list of the available event logs
:CreateLog
  (
    for /f "tokens=*" %%A in ('wevtutil el') do (
      echo %%~A,0,0
    )
  ) > "%LogFile%"

  exit /b

REM Process each event file from log file, and list events
:ProcessLog
  (
    for /f "usebackq tokens=1-3 delims=," %%A in ("%LogFile%") do (
      set /a CountTry=%%B + 1
      set CountGood=%%C

      REM Get events and see if command completes successfully
      wevtutil qe "%%~A" > "%%~A.txt" 2>NUL && (
        set /a CountGood=CountGood + 1
      )
      echo %%~A,!CountTry!,!CountGood!
    )
  ) > "%LogTemp%"

  REM Update log file with new counts
  if exist "%LogTemp%" (
    copy /y "%LogTemp%" "%LogFile%" > NUL
    del "%LogTemp%"
  )

  exit /b


~bp
 
LVL 38

Author Comment

by:Rich Rumble
ID: 40624171
This is close, it seems to break (The system cannot find the path specified) on logs that list FWD slashes in the names (win7), but the ones that don't have a "/" worked great! The main reason I was going for VBScript was I did want to eventually get the script to read the logs for the highest "EventRecordID" and make the next query use that as well so I don't keep overwriting.
The query for that looks like: wevtutil qe "Microsoft-Windows-Sysmon/Operational" /q:"*[System[Provider[@Name='Microsoft-Windows-Sysmon'] and EventRecordID > xyz ]]"
where "XYZ" is the highest record-ID for that particular log file (not all logs have that record ID). But that's another question and not this one.
Thanks for the effort so far!
-rich
 
LVL 51

Expert Comment

by:Bill Prew
ID: 40624369
This will address the "/" in file names.  After that I've got a few ideas, but would love to understand better your vision and use case for this script.  Why are you archiving all Windows events?  Why not just expand the size of the actual event files in Windows? etc...

@echo off
setlocal EnableDelayedExpansion

REM Define location of LOG file
set LogFile=EE28621867.log
set LogTemp=%LogFile%.tmp
if exist "%LogTemp%" del "%LogTemp%"

REM If it doesn't exist yet, create it, otherwise process it
if exist "%LogFile%" (
  call :ProcessLog
) else (
  call :CreateLog
)

REM Quit script
exit /b

REM Initialize the log file from a list of the available event logs
:CreateLog
  for /f "tokens=*" %%A in ('wevtutil el') do (
    echo %%~A,0,0>>"%LogFile%"
  )

  exit /b

REM Process each event file from log file, and list events
:ProcessLog
  for /f "usebackq tokens=1-3 delims=," %%A in ("%LogFile%") do (
    set /a CountTry=%%B + 1
    set CountGood=%%C

    REM Replace "/" with "_" in archive file name
    set EventName=%%~A
    set EventFile=!EventName:/=_!.txt

    REM Get events and see if command completes successfully
    wevtutil qe "%%~A" > "!EventFile!" 2>NUL && (
      set /a CountGood=CountGood + 1
    )
    echo %%~A,!CountTry!,!CountGood!>>"%LogTemp%"
  )

  REM Update log file with new counts
  if exist "%LogTemp%" (
    copy /y "%LogTemp%" "%LogFile%" > NUL
    del "%LogTemp%"
  )

  exit /b


~bp
 
LVL 38

Author Comment

by:Rich Rumble
ID: 40624519
This one isn't working as well; it's not creating the EE28621867.log but rather outputting to the screen:
Microsoft-Windows-osk/Diagnostic,0,
Microsoft-Windows-stobject/Diagnostic,0,
OAlerts,0,
ODiag,0,
OSession,0,
Security,0,
Setup,0,
System,0,
TabletPC_InputPanel_Channel,0,
The ultimate goal of the script is to centrally log the event logs without having to rely on PowerShell (it's hit and miss in our env, often uninstalled), and without adding 3rd party software, a process that will take much longer than we have. We are looking for native commands and ways of doing this task. WMI can get to a few of the standard log files, System/Application/Security, but cannot access many of the other ones we have an interest in collecting. That's why we're using wevtutil, since it is on all the hosts we care about doing this with. We also have Sysmon deployed to all hosts; that and our AV log to an event log, both of which are outside WMI/COM purview. Wevtutil reads and queries these perfectly, and we'd like to automate the process with a scheduled task. We are using VBScript in this manner for our inventory, and we thought we'd be able to add another subroutine that does the event log query. The VBScript handles checking if the file destination is available etc... so when the inventory runs and can't get to that resource, it keeps a local copy; same vision for these event logs. We'll run makecab.exe to archive the local evt-logs that have been uploaded, and any logs that have not been transferred will remain full size until they can contact the network resource. We're rolling our own event-log archive basically, and can't rely on PS or 3rd parties at this time.
-rich
 
LVL 51

Accepted Solution

by:
Bill Prew earned 500 total points
ID: 40624822
Okay, this should fix that.

@echo off
setlocal EnableDelayedExpansion

REM Define location of LOG file
set LogFile=EE28621867.log
set LogTemp=%LogFile%.tmp
if exist "%LogTemp%" del "%LogTemp%"

REM If it doesn't exist yet, create it, otherwise process it
if exist "%LogFile%" (
  call :ProcessLog
) else (
  call :CreateLog
)

REM Quit script
exit /b

REM Initialize the log file from a list of the available event logs
:CreateLog
  for /f "tokens=*" %%A in ('wevtutil el') do (
    echo %%~A,0,0 >>"%LogFile%"
  )

  exit /b

REM Process each event file from log file, and list events
:ProcessLog
  for /f "usebackq tokens=1-3 delims=," %%A in ("%LogFile%") do (
    set /a CountTry=%%B + 1
    set CountGood=%%C

    REM Replace "/" with "_" in archive file name
    set EventName=%%~A
    set EventFile=!EventName:/=_!.txt

    REM Get events and see if command completes successfully
    wevtutil qe "%%~A" > "!EventFile!" 2>NUL && (
      set /a CountGood=CountGood + 1
    )
    echo %%~A,!CountTry!,!CountGood! >>"%LogTemp%"
  )

  REM Update log file with new counts
  if exist "%LogTemp%" (
    copy /y "%LogTemp%" "%LogFile%" > NUL
    del "%LogTemp%"
  )

  exit /b


~bp
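The question asked for VBScript while the accepted answer is a BAT file; here is the same state-file scheme as an added example in VBScript, written for this page and not code from either participant. It assumes logs.txt as the state file with one line per log in the form LogName,Started,Completed, and, unlike the BAT (which only rewrites the counts after each export finishes), it saves the incremented Started count to disk before running wevtutil qe, so an export cut short by a reboot is left on disk as Started = Completed + 1, which is the tally the question describes.

```vbscript
Option Explicit
' Added example, not from the thread. Assumed state file logs.txt,
' one line per event log:  LogName,Started,Completed
Const STATE_FILE = "logs.txt"
Dim fso, sh
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh  = CreateObject("WScript.Shell")

If fso.FileExists(STATE_FILE) Then ProcessLog Else CreateLog

' First run: seed the state file from "wevtutil el" with both counters at 0
Sub CreateLog()
    Dim ex, out, name
    Set ex  = sh.Exec("wevtutil el")
    Set out = fso.CreateTextFile(STATE_FILE, True)
    Do Until ex.StdOut.AtEndOfStream
        name = Trim(ex.StdOut.ReadLine)
        If name <> "" Then out.WriteLine name & ",0,0"
    Loop
    out.Close
End Sub

' Rewrite the whole state file; called before AND after every export so an
' interrupted run (reboot mid-command) is visible as Started > Completed
Sub SaveState(lines)
    Dim out, i
    Set out = fso.CreateTextFile(STATE_FILE, True)
    For i = 0 To UBound(lines)
        If lines(i) <> "" Then out.WriteLine lines(i)
    Next
    out.Close
End Sub

Sub ProcessLog()
    Dim inp, lines, i, parts, name, started, done, rc
    Set inp = fso.OpenTextFile(STATE_FILE)
    lines = Split(inp.ReadAll, vbCrLf)
    inp.Close
    For i = 0 To UBound(lines)
        parts = Split(lines(i), ",")
        If UBound(parts) >= 2 Then
            name = Trim(parts(0)): started = CLng(parts(1)) + 1: done = CLng(parts(2))
            lines(i) = name & "," & started & "," & done
            SaveState lines                      ' record the attempt first
            ' "/" in channel names (Microsoft-Windows-Sysmon/Operational) is
            ' illegal in a file name, so map it to "_" as the accepted BAT does
            rc = sh.Run("cmd /c wevtutil qe """ & name & """ > """ & _
                        Replace(name, "/", "_") & ".txt"" 2>NUL", 0, True)
            If rc = 0 Then done = done + 1       ' count only a clean exit code
            lines(i) = name & "," & started & "," & done
            SaveState lines
        End If
    Next
End Sub
```

Run it once with cscript to create logs.txt, then on a schedule; any line whose two counts differ marks a log whose export failed or never finished.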
 
LVL 38

Author Comment

by:Rich Rumble
ID: 40624912