Getting EventLogs which are logged in the last 15 minutes


Problem description

I need to have a script to get the event logs from the last 15 minutes. Here is the code I am trying, but I don't know how to get it for minutes. Please guide me.



Option Explicit

Dim objFso, objFolder, objWMIService, objEvent ' Objects
Dim strFile, strComputer, strFolder, strFileName, strPath ' Strings
Dim intEvent, intNumberID, intRecordNum, colEvents
Dim dtmStartDate, dtmEndDate, TimetoCheck

' --------------------------------------------
' Set your variables
intNumberID = 50022 ' Event ID Number
intEvent = 1        ' position of the event in the result set
intRecordNum = 0    ' number of matching events written (as posted this started at 1, so the final count was one too high)

strComputer = "."
strFileName = "\Event50022.txt"
strFolder = "E:\Scripts"
strPath = strFolder & strFileName

Const CONVERT_TO_LOCAL_TIME = True ' keep the machine's UTC offset in the DMTF timestamp

Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

' A VBScript date is a number of days, so "TimetoCheck - 15" (as posted) is
' 15 days, not 15 minutes; DateAdd("n", -15, ...) subtracts 15 minutes.
' The window is [now - 15 min, now), so the earlier value is the START.
' As posted the two were swapped, which produces a window that can never match.
TimetoCheck = Now
dtmStartDate.SetVarDate DateAdd("n", -15, TimetoCheck), CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate TimetoCheck, CONVERT_TO_LOCAL_TIME

' ----------------------------------------
' Section to create folder to hold file.
Set objFso = CreateObject("Scripting.FileSystemObject")

If objFso.FolderExists(strFolder) Then
    Set objFolder = objFso.GetFolder(strFolder)
Else
    Set objFolder = objFso.CreateFolder(strFolder)
    WScript.Echo "Folder created " & strFolder
End If
' strFile is a TextStream object, hence Set
Set strFile = objFso.CreateTextFile(strPath, True)

' --------------------------------------------
' Connect WMI to the log and query the time window.
' .Value is the DMTF string, e.g. 20110303184645.000000+060, which WQL
' compares as a datetime, offset included.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'Operations Manager' and TimeWritten >= '" _
        & dtmStartDate.Value & "' and TimeWritten < '" & dtmEndDate.Value & "'")

' Wscript.Echo "Press OK and Wait 30 seconds (ish)"
' -----------------------------------------
' Loop through the events and write the ones with the wanted ID.
' As posted this looped over colLoggedEvents, a variable that is declared but
' never assigned, so the loop never ran; the query result is colEvents.
intEvent = 1
For Each objEvent In colEvents
    ' Wscript.Echo objEvent.EventCode
    ' Wscript.Echo intNumberID
    If objEvent.EventCode = intNumberID Then
        ' Wscript.Echo "In"
        strFile.WriteLine "Record No: " & intEvent
        ' strFile.WriteLine "Category: " & objEvent.Category
        strFile.WriteLine "Computer Name: " & objEvent.ComputerName
        strFile.WriteLine "Event Code: " & objEvent.EventCode
        strFile.WriteLine "Message: " & objEvent.Message
        ' strFile.WriteLine "Record Number: " & objEvent.RecordNumber
        strFile.WriteLine "Source Name: " & objEvent.SourceName
        strFile.WriteLine "Time Written: " & objEvent.TimeWritten
        strFile.WriteLine "Event Type: " & objEvent.Type
        strFile.WriteLine "User: " & objEvent.User
        strFile.WriteLine ""
        intRecordNum = intRecordNum + 1
    End If
    intEvent = intEvent + 1
Next
strFile.Close
WScript.Echo "Check " & strPath & " for " & intRecordNum & " events"

WScript.Quit

Answer

The first thing I found is an error between line 52 and line 62.

Set colEvents = objWMIService.ExecQuery _ ....

But you use:
For Each objEvent in colLoggedEvents    You changed colEvents from your preceding line to colLoggedEvents the first time...

Second: use WBEMTEST.EXE to access and develop your query, so you can see how the objects are defined.

Use the "Query" button and start by running this query:

Select * from Win32_NTLogEvent where logFile = 'Operations Manager'   Just this should give you something other than a Dismiss. Pick an object (if the list is empty, use logFile = 'Application' or 'System').

Click Show MOF and you will see all the fields of that object.

Verify  TimeWritten = "20110303185645.000000-000";

If you see my -000, it probably means GMT time, so your 15-minute calculation does not use local time, and if you are not in Greenwich that won't work...

I suggest, if the TimeWritten format is -000, use this:
dtmEndDate = Mid( dtmEndDate, 1, 8 ) & Hour( Now ) & Minute( Now )-15 & Second( Now ) & ".000000-000".

When you do time calculations, always remember that 1 is one day. So one minute is 0.00069444444444444444 of a day and 15 minutes is 0.010416666666666667. This way you can do the math with those numbers (keep your presets in the script, define OneMinute = 1/24/60). This way you will have a better way to search.

Since you are searching the last 15 minutes, your query can be a little easier to write there:

("Select * from Win32_NTLogEvent Where Logfile = 'Operations Manager' and TimeWritten >= '" & [computed time] & "'")

This way you get all events from the last 15 minutes from the time definition in your script.

 

I hope it will help you.
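The same 15-minute window done in PowerShell, as an added example that is not part of the question or the answer above. It assumes the log name 'Operations Manager', event ID 50022 and output path E:\Scripts\Event50022.txt from the question; the script and parameter names are my own. It shows the two points the thread turns on: the window start is a DateTime shifted by minutes (not a day fraction), and the DMTF string handed to WQL carries the machine's UTC offset, so the "-000 versus local time" question in the answer does not arise. It also runs the equivalent Get-WinEvent query, which takes a DateTime directly.

```powershell
# Added example, not the asker's script nor the answer's code.
# Assumed from the question: log name, event ID, output path. Adjust as needed.
param(
    [string]$LogName = 'Operations Manager',
    [int]   $EventId = 50022,
    [int]   $Minutes = 15,
    [string]$OutFile = 'E:\Scripts\Event50022.txt'
)

# A DateTime is a point in time; AddMinutes(-15) is 15 minutes, not 15 days.
# The window is [start, end): the earlier value is the lower bound.
$end   = Get-Date
$start = $end.AddMinutes(-$Minutes)

# WQL compares TimeWritten as a DMTF datetime. ToDmtfDateTime keeps the local
# UTC offset (e.g. 20110303184645.000000+060), so the comparison is correct
# whether the stored value is written with +000 or with a local offset.
Add-Type -AssemblyName System.Management
$dmtfStart = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($start)
$dmtfEnd   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($end)

# Same query as the VBScript, but EventCode is filtered server-side too, so the
# client does not page through every event in the window just to discard it.
$filter = "Logfile='$LogName' AND EventCode=$EventId " +
          "AND TimeWritten>='$dmtfStart' AND TimeWritten<'$dmtfEnd'"
$cimEvents = @(Get-CimInstance -ClassName Win32_NTLogEvent -Filter $filter)

# Get-WinEvent reads the log directly and takes DateTime bounds, so no DMTF
# string is needed. It reports "no events found" as an error, hence the
# -ErrorAction; an empty window is a normal outcome here, not a failure.
$winEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $LogName
    Id        = $EventId
    StartTime = $start
    EndTime   = $end
})

# Write the same fields the VBScript wrote. CIM cmdlets return TimeWritten as
# a DateTime, so it prints in local time rather than as a DMTF string.
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$lines = @()
$n = 0
foreach ($ev in $cimEvents) {
    $n++
    $lines += @(
        "Record No: $n"
        "Computer Name: $($ev.ComputerName)"
        "Event Code: $($ev.EventCode)"
        "Message: $($ev.Message)"
        "Source Name: $($ev.SourceName)"
        "Time Written: $($ev.TimeWritten)"
        "Event Type: $($ev.Type)"
        "User: $($ev.User)"
        ""
    )
}
Set-Content -Path $OutFile -Value $lines

Write-Host "Check $OutFile for $($cimEvents.Count) events (Get-WinEvent found $($winEvents.Count))"
```

Save it as a .ps1 and run it from an elevated prompt on the machine that holds the log (reading 'Operations Manager' requires at least Event Log Readers membership). The two counts should agree; if Win32_NTLogEvent returns fewer, the usual cause is a DMTF string built by hand without the offset, which is exactly the pitfall the answer describes.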




