Getting EventLogs which are logged in last 15 minutes
Question
I need to have a script to get the event logs in the last 15 minutes. Here is the code which I am trying, but I don't know how to get it for the minutes. Please guide me.
Option Explicit
Dim objFso, objFolder, objWMIService, objEvent ' Objects
Dim strFile, strComputer, strFolder, strFileName, strPath ' Strings
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents, colEvents
Dim dtmStartDate, dtmEndDate, DateToCheck, CurTime, CurDate, TimetoCheck
' --------------------------------------------
' Set your variables
intNumberID = 50022 ' Event ID Number
intEvent = 1
intRecordNum = 1
strComputer = "."
strFileName = "\Event50022.txt"
strFolder = "E:\Scripts"
strPath = strFolder & strFileName
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
Const CONVERT_TO_LOCAL_TIME = True
Const wbemCimTypeDatetime = 101
TimetoCheck = Now
dtmStartDate.SetVarDate TimetoCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate TimetoCheck - 15, CONVERT_TO_LOCAL_TIME
' ----------------------------------------
' Section to create folder to hold file.
Set objFso = CreateObject("Scripting.FileSystemObject")
If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFolder = objFSO.CreateFolder(strFolder)
    Wscript.Echo "Folder created " & strFolder
End If
Set strFile = objFso.CreateTextFile(strPath, True)
' --------------------------------------------
' Next section creates the file to store Events
' Then creates WMI connector to the Logs
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Operations Manager' and TimeWritten >= '" _
    & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
'Wscript.Echo "Press OK and Wait 30 seconds (ish)"
' -----------------------------------------
' Next section loops through ID properties
intEvent = 1
For Each objEvent in colLoggedEvents
    'Wscript.Echo objEvent.EventCode
    'Wscript.Echo intNumberID
    If objEvent.EventCode = intNumberID Then
        'Wscript.Echo "In"
        strFile.WriteLine "Record No: " & intEvent
        ' strFile.WriteLine ("Category: " & objEvent.Category)
        strFile.WriteLine ("Computer Name: " & objEvent.ComputerName)
        strFile.WriteLine ("Event Code: " & objEvent.EventCode)
        strFile.WriteLine ("Message: " & objEvent.Message)
        ' strFile.WriteLine ("Record Number: " & objEvent.RecordNumber)
        strFile.WriteLine ("Source Name: " & objEvent.SourceName)
        strFile.WriteLine ("Time Written: " & objEvent.TimeWritten)
        strFile.WriteLine ("Event Type: " & objEvent.Type)
        strFile.WriteLine ("User: " & objEvent.User)
        strFile.WriteLine (" ")
        intRecordNum = intRecordNum + 1
    End If
    intEvent = intEvent + 1
Next
Wscript.Echo "Check " & strPath & " for " & intRecordNum & " events"
WScript.Quit
Recommended answer
The first thing I found is an error between line 52 and line 62.
Set colEvents = objWMIService.ExecQuery _ ....
But you use:
For Each objEvent in colLoggedEvents
You changed colEvents in your preceding line to colLoggedEvents the first time...
Second: use WBEMTEST.EXE to access and develop your query, so that you can see how the object is defined.
Use the "Query" button and start by running this query:
Select * from Win32_NTLogEvent where logFile = 'Operations Manager'. This alone should give you something other than a Dismiss. Pick an object (if the list is empty, use logFile = 'Application' or 'System').
Click Show MOF and you will see all the fields of that object.
Verify TimeWritten = "20110303185645.000000-000";
If, as I do, you see -000, it probably means GMT time, so your 15-minute calculation does not use local time; if you are not in Greenwich, that will not do...
I suggest, if the TimeWritten format is -000, use this:
dtmEndDate = Mid( dtmEndDate, 1, 8 ) & Hour( Now ) & Minute( Now )-15 & Second( Now ) & ".000000-000".
When you do time calculations, always remember that the day is 1. So one minute is 0.00069444444444444444 of a day and 15 minutes is 0.010416666666666667. This way you can do arithmetic with these numbers (keep your presets in the script, defining OneMinute = 1/24/60). This way you will have a better way of searching.
Since you are searching the last 15 minutes, your query could be written a little more easily, like this:
("Select * from Win32_NTLogEvent Where Logfile = 'Operations Manager' and TimeWritten >= '" & CalculatedTime & "'")
This way you get all events of the last 15 minutes from the time definition in your script.
I hope it will help you.
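As an added example (not code from the question or the answer): the same collection step rewritten so the 15-minute window is computed with DateAdd and formatted by SWbemDateTime, which carries the UTC offset the answer warns about, and so the loop iterates the collection that ExecQuery actually returned. The 'Operations Manager' log name and event ID 50022 come from the question; the constant names and the tab-separated output are assumptions of this example.

```vbscript
' Added example, not the asker's or answerer's code: list events with a given
' ID written to a given log in the last 15 minutes. Log name and event ID are
' taken from the question; the rest is assumed.
Option Explicit

Const CONVERT_TO_LOCAL_TIME = True
Const LOG_NAME = "Operations Manager"
Const EVENT_ID = 50022
Const MINUTES_BACK = 15

Dim objWMIService, colEvents, objEvent, dtmSince, intFound

' DateAdd with interval "n" subtracts minutes. "Now - 15" would subtract
' 15 days, because a VBScript Date is stored as a number of days.
' SWbemDateTime.SetVarDate converts the local time into the DMTF form
' WMI expects (yyyymmddHHMMSS.mmmmmm+UUU), including the UTC offset.
Set dtmSince = CreateObject("WbemScripting.SWbemDateTime")
dtmSince.SetVarDate DateAdd("n", -MINUTES_BACK, Now), CONVERT_TO_LOCAL_TIME

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Only a lower bound is needed (nothing is written "after now" yet), and
' filtering on EventCode in WQL avoids pulling every record into the script.
Set colEvents = objWMIService.ExecQuery( _
    "Select * from Win32_NTLogEvent Where Logfile = '" & LOG_NAME & "'" & _
    " and EventCode = " & EVENT_ID & _
    " and TimeWritten >= '" & dtmSince.Value & "'")

intFound = 0
For Each objEvent In colEvents
    intFound = intFound + 1
    ' Message can be Null for some records; "&" treats Null as an empty string.
    WScript.Echo objEvent.TimeWritten & vbTab & objEvent.ComputerName & vbTab & _
        objEvent.SourceName & vbTab & Left(objEvent.Message, 80)
Next

WScript.Echo intFound & " event(s) with ID " & EVENT_ID & " in the last " & _
    MINUTES_BACK & " minutes (since " & dtmSince.Value & ")"
```

Run it with cscript //nologo so the lines go to the console instead of one message box per event.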