Rich Rumble (United States of America) asked:
Read log file using VBScript

I would like a VBScript that keeps a log file and that also reads the same log file. I would like it to first see if a file called "logs.txt" is present, and if not, create it. I'd like to execute "wevtutil el" and, for each event log it sees from that command, write the log name to logs.txt.
Next time the script is run, logs.txt will exist, so another routine can read those log names from logs.txt, and for each one, it can run this command:
   wevtutil qe "log_name_here"
and naturally insert the proper log name in the above quotes.
I would also like to keep a tally of when each command has been run and completed, if that makes sense?
Logs.txt example:
Log:System, 333,333
Log:Application 333, 333
Log:Security, 333, 332



You can see [wevtutil qe "security"] ran, but did not finish. Is that feasible, does that make sense?
-rich
Bill Prew replied:
Where do you want the output from the "wevtutil qe" command? That will generate a massive amount of info when done for all logs.

~bp
Also, would a BAT solution work? It might be simpler and easier than a VBS one.

~bp
Rich Rumble (asker) replied:
The current directory, and if you know how to get a batch file to read, and then increment a count on how many times a program has run, then by all means :) The size is of no consequence in this case, and is accounted for.
I wish I could program, I can see it in my head, but it doesn't work for me when I set out to make it.
Again, the way I envision it is the log file list is added to a text file, a number is incremented when the wevtutil command is run (each time), and then a second number is incremented when it finishes the command (each time). I figure at the beginning and the end of a foreach, I guess.
Log:System, 333,333
Log:Application 333, 333
Log:Security, 333, 332<---- didn't finish, maybe it was rebooted before the command finished...
-rich
Okay, here's a first pass at a BAT approach.  Save in a folder as a BAT, and adjust the name of the log file near the top.  Make sure the log doesn't exist yet.  Run it once to create the log file, and then a few more times to extract the event file entries.  See what you think.

@echo off
setlocal EnableDelayedExpansion

REM Define location of LOG file
set LogFile=EE28621867.log
set LogTemp=%LogFile%.tmp

REM If it doesn't exist yet, create it, otherwise process it
if exist "%LogFile%" (
  call :ProcessLog
) else (
  call :CreateLog
)

REM Quit script
exit /b

REM Initialize the log file from a list of the available event logs
:CreateLog
  (
    for /f "tokens=*" %%A in ('wevtutil el') do (
      echo %%~A,0,0
    )
  ) > "%LogFile%"

  exit /b

REM Process each event file from log file, and list events
:ProcessLog
  (
    for /f "usebackq tokens=1-3 delims=," %%A in ("%LogFile%") do (
      set /a CountTry=%%B + 1
      set CountGood=%%C

      REM Get events and see if command completes successfully
      wevtutil qe "%%~A" > "%%~A.txt" 2>NUL && (
        set /a CountGood=CountGood + 1
      )
      echo %%~A,!CountTry!,!CountGood!
    )
  ) > "%LogTemp%"

  REM Update log file with new counts
  if exist "%LogTemp%" (
    copy /y "%LogTemp%" "%LogFile%" > NUL
    del "%LogTemp%"
  )

  exit /b


~bp
This is close; it seems to break (The system cannot find the path specified) on logs that have forward slashes in the names (Win7), but the ones that don't have a "/" worked great! The main reason I was going for VBScript was that I did want to eventually get the script to read the logs for the highest "EventRecordID" and make the next query use that as well, so I don't keep overwriting.
The query for that looks like: wevtutil qe "Microsoft-Windows-Sysmon/Operational" /q:"*[System[Provider[@Name='Microsoft-Windows-Sysmon'] and EventRecordID > xyz ]]"
where "XYZ" is the highest record-ID for that particular log file (not all logs have that record ID). But that's another question and not this one.
Thanks for the effort so far!
-rich
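As an added example (my code, not Bill's or Rich's), the following batch script combines the tally idea from the earlier posts with the EventRecordID checkpoint described just above: each line of logs.txt records the channel name, how many times the export was started, how many times it completed, and the newest record id exported so far, and the next run queries only events above that id instead of re-exporting and overwriting everything. It reads the current highest EventRecordID with wevtutil's /c:1 /rd:true /f:xml options (one event, newest first, XML output) and, like Rich's Sysmon query, assumes the channel's events carry an EventRecordID that the XPath filter can compare. The file name logs.txt and the four-field line layout are my choices, not something from the thread.

```batch
@echo off
setlocal EnableDelayedExpansion

REM Tally file (constructed layout): one line per event log, fields are
REM   name,tries,completed,lastRecordId
set "LogFile=logs.txt"
set "LogTemp=%LogFile%.tmp"
if exist "%LogTemp%" del "%LogTemp%"

if exist "%LogFile%" (call :ProcessLog) else (call :CreateLog)
exit /b

REM First run: list every channel wevtutil knows about, with all counters at zero.
REM Redirection is placed before the echo so the trailing "0" is not read as a
REM handle number ("echo ...,0>>file" would redirect handle 0 instead of stdout).
:CreateLog
  for /f "tokens=*" %%A in ('wevtutil el') do >>"%LogFile%" echo %%~A,0,0,0
  exit /b

REM Later runs: export only events newer than the saved checkpoint for each channel,
REM bump the try counter before the export and the completed counter after it.
:ProcessLog
  for /f "usebackq tokens=1-4 delims=," %%A in ("%LogFile%") do (
    set /a CountTry=%%B + 1
    set "CountGood=%%C"
    set "LastId=%%D"
    if not defined LastId set "LastId=0"

    REM "/" is a path separator on Windows, so it cannot stay in the archive file name
    set "EventName=%%~A"
    set "EventFile=!EventName:/=_!.txt"

    REM Same XPath form as the Sysmon query above, minus the Provider clause
    wevtutil qe "%%~A" /q:"*[System[EventRecordID > !LastId!]]" >>"!EventFile!" 2>NUL && (
      set /a CountGood=CountGood + 1
      call :GetLastRecordId "%%~A"
    )
    >>"%LogTemp%" echo %%~A,!CountTry!,!CountGood!,!LastId!
  )
  if exist "%LogTemp%" move /y "%LogTemp%" "%LogFile%" >NUL
  exit /b

REM Sets LastId to the EventRecordID of the newest event in channel %1.
REM Leaves LastId untouched when the channel is empty or cannot be read.
:GetLastRecordId
  REM Delayed expansion is switched off while the XML line is captured, so a "!"
  REM inside the event text is not swallowed by the expansion
  setlocal DisableDelayedExpansion
  set "Line="
  for /f "delims=" %%L in ('wevtutil qe "%~1" /c:1 /rd:true /f:xml 2^>NUL ^| findstr /c:"<EventRecordID>"') do set "Line=%%L"
  setlocal EnableDelayedExpansion
  set "Id="
  if defined Line set "Line=!Line:*<EventRecordID>=!"
  REM Line now starts with the record number; collect its leading digits
  :NextDigit
  if not defined Line goto IdDone
  if "!Line:~0,1!" geq "0" if "!Line:~0,1!" leq "9" (
    set "Id=!Id!!Line:~0,1!"
    set "Line=!Line:~1!"
    goto NextDigit
  )
  :IdDone
  if not defined Id exit /b
  REM %%I is expanded before the two endlocals run, so the value survives them
  for %%I in (!Id!) do endlocal & endlocal & set "LastId=%%I"
  exit /b
```

Run it once to create logs.txt, then schedule it. A channel whose completed count lags its try count is one where the export did not finish (interrupted, or wevtutil could not read the channel), which is exactly the Security case in Rich's sample tally; re-running simply picks up from the saved checkpoint, and a channel that could not be read keeps its old checkpoint rather than advancing past events that were never archived.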
This will address the "/" in file names.  After that I've got a few ideas, but would love to understand better your vision and use case for this script.  Why are you archiving all Windows events?  Why not just expand the size of the actual event files in Windows? etc...

@echo off
setlocal EnableDelayedExpansion

REM Define location of LOG file
set LogFile=EE28621867.log
set LogTemp=%LogFile%.tmp
if exist "%LogTemp%" del "%LogTemp%"

REM If it doesn't exist yet, create it, otherwise process it
if exist "%LogFile%" (
  call :ProcessLog
) else (
  call :CreateLog
)

REM Quit script
exit /b

REM Initialize the log file from a list of the available event logs
:CreateLog
  for /f "tokens=*" %%A in ('wevtutil el') do (
    REM Redirection goes first: "echo ...,0>>file" would redirect handle 0, not stdout
    >>"%LogFile%" echo %%~A,0,0
  )

  exit /b

REM Process each event file from log file, and list events
:ProcessLog
  for /f "usebackq tokens=1-3 delims=," %%A in ("%LogFile%") do (
    set /a CountTry=%%B + 1
    set CountGood=%%C

    REM Replace "/" with "_" in archive file name
    set EventName=%%~A
    set EventFile=!EventName:/=_!.txt

    REM Get events and see if command completes successfully
    wevtutil qe "%%~A" > "!EventFile!" 2>NUL && (
      set /a CountGood=CountGood + 1
    )
    echo %%~A,!CountTry!,!CountGood!>>"%LogTemp%"
  )

  REM Update log file with new counts
  if exist "%LogTemp%" (
    copy /y "%LogTemp%" "%LogFile%" > NUL
    del "%LogTemp%"
  )

  exit /b


~bp
This one isn't working as well; it's not creating the EE28621867.log but rather outputting to the screen:
Microsoft-Windows-osk/Diagnostic,0,
Microsoft-Windows-stobject/Diagnostic,0,
OAlerts,0,
ODiag,0,
OSession,0,
Security,0,
Setup,0,
System,0,
TabletPC_InputPanel_Channel,0,
The ultimate goal of the script is to centrally log the event logs without having to rely on PowerShell (it's hit and miss in our env, often uninstalled), and without adding 3rd party software, a process that will take much longer than we have. We are looking for native commands and ways of doing this task. WMI can get to a few of the standard log files, System/Application/Security, but cannot access many of the other ones we have an interest in collecting. That's why we're using wevtutil, since it is on all the hosts we care about doing this with. We also have Sysmon deployed to all hosts; that and our AV log to an event log, both of which are outside WMI/COM purview. Wevtutil reads and queries these perfectly, and we'd like to automate the process with a scheduled task. We are using VBScript in this manner for our inventory, and we thought we'd be able to add another subroutine that does the event log query. The VBScript handles checking if the file destination is available etc... so when the inventory runs and can't get to that resource, it keeps a local copy; same vision for these event logs. We'll run makecab.exe to archive the local evt-logs that have been uploaded, and any logs that have not been transferred will remain full size until they can contact the network resource. We're rolling our own event-log archive basically, and can't rely on PS or 3rd parties at this time.
-rich
ASKER CERTIFIED SOLUTION
Bill Prew
This solution is only available to members.
Nice work!