【问题标题】:WQL-Statement to check an application's event logWQL-Statement 检查应用程序的事件日志
【发布时间】:2017-01-07 14:23:21
【问题描述】:

我想分析 Windows 7 Enterprise(64 位)上某个特定应用程序的事件日志。

我需要的是几秒钟前刚刚记录的某个特定事件。

这是我的 VBScript 代码,它会产生完全错误的结果(错误的事件数量):

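strComputer = "."   ' "." = this (local) computer

' Retrieve specific events from the event log.
' NOTE: the namespace path needs two backslashes before the computer name
' ("!\\.\root\cimv2"). VBScript does not treat "\" as an escape character, so
' the original "!\" & strComputer produced "!\.\root\cimv2" - the syntax error
' the accepted answer corrects.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Const CONVERT_TO_LOCAL_TIME = True   ' VT_DATE values handed to SetVarDate are local time

' Query window: [Now - 10 s, Now), expressed as DMTF datetime strings.
' SWbemDateTime's default property (Value) is what gets spliced into the query.
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateAdd("s", -10, Now()), CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate Now(), CONVERT_TO_LOCAL_TIME

Dim var_wql
' Logfile / SourceName / EventCode are left as placeholders - fill in the real
' values. The query is built by plain string concatenation; every value spliced
' in here is a literal or a generated timestamp, so there is no injection
' surface. If these filters are ever taken from arguments or user input,
' escape "\" and "'" before splicing them in.
' (EventCode is a numeric property of Win32_NTLogEvent; examples compare it
' unquoted, e.g. EventCode = 1000 - TODO confirm the quoted form matches.)
' The original line was truncated; the end bound follows the accepted answer.
var_wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '' AND SourceName = '' AND EventCode = '' " & _
          "AND (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"

Set colLoggedEvents = objWMIService.ExecQuery(var_wql)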

...

事件数量(anzahl = colLoggedEvents.Count)应当只能是 0 或 1,不可能出现其他值。

wql 语句有什么问题?我想检查过去的最后几秒(从现在开始)。

谢谢。

汤米

【问题讨论】:

    标签: events logging vbscript wql


    【解决方案1】:

这是一个语法错误:与原代码相比,命名空间前的 `!\` 需要写成 `!\\`(这里同时加上了 authenticationLevel=pktPrivacy)。把 objWMIService 那一行改成下面这样后,在我这里就能正常工作了。

    ' Two backslashes before the computer name ("!\\") are required in the moniker.
    ' authenticationLevel=pktPrivacy requests an encrypted (privacy-level) DCOM
    ' connection; irrelevant for "." but the right setting once strComputer is remote.
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & strComputer & "\root\cimv2")
    

更新:下面的脚本抓取过去 10 秒内写入的所有事件日志记录,并把它们输出到一个日志文件中。

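    ' Dump every event written to any Windows event log during the last
    ' LOOKBACK_SECONDS seconds into %SystemDrive%\Temp\EvtLog.txt.
    '
    ' Notes for anyone reusing this:
    '  * The WQL text is built by string concatenation. The only values spliced
    '    in are DMTF timestamps generated by SWbemDateTime, so there is no
    '    injection surface here. If caller-supplied values (log name, source,
    '    script arguments) are ever added to the WHERE clause, escape "\" and
    '    "'" first - otherwise the input can rewrite the filter.
    '  * Event records can contain user names, paths and message text. They are
    '    written to a fixed, predictable path under the system drive; restrict
    '    that folder's ACL (or write somewhere protected) before running this
    '    with elevated rights.
    '  * authenticationLevel=pktPrivacy requests an encrypted DCOM connection;
    '    it does nothing for "." but is the right setting for a remote host.

    Const CONVERT_TO_LOCAL_TIME = True   ' VT_DATE values handed to SetVarDate are local time
    Const LOOKBACK_SECONDS = 10          ' size of the query window ending at Now()

    ' Fail loudly if WMI is unreachable. The original used a blanket
    ' "On Error Resume Next", which turned a failed connection into an empty
    ' output file with no indication anything went wrong.
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\.\root\cimv2")
    If Err.Number <> 0 Then
      WScript.Echo "Cannot connect to WMI: " & Err.Description
      WScript.Quit 1
    End If
    On Error GoTo 0

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set WshShell = WScript.CreateObject("WScript.Shell")
    strSystemDrive = WshShell.ExpandEnvironmentStrings("%SystemDrive%")

    ' Query window: [Now - LOOKBACK_SECONDS, Now). TimeWritten is stored with
    ' one-second granularity, so the strict "<" excludes events written during
    ' the current second; use "<=" if those must be captured too.
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
    dtmStartDate.SetVarDate DateAdd("s", -LOOKBACK_SECONDS, Now()), CONVERT_TO_LOCAL_TIME
    dtmEndDate.SetVarDate Now(), CONVERT_TO_LOCAL_TIME

    ' SWbemDateTime's default property (Value) is the DMTF string WQL compares against.
    var_wql = "SELECT *  FROM  Win32_NTLogEvent WHERE (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"

    ' CreateTextFile cannot create the parent folder; report that case instead
    ' of silently producing nothing.
    strOutDir = strSystemDrive & "\Temp"
    If Not objFSO.FolderExists(strOutDir) Then
      WScript.Echo "Output folder does not exist: " & strOutDir
      WScript.Quit 1
    End If
    Set LogFile = objFSO.CreateTextFile(strOutDir & "\EvtLog.txt", True)

    Set colLoggedEvents = objWMIService.ExecQuery(var_wql)
    For Each objEvent In colLoggedEvents
      LogFile.WriteLine "Computer Name    : " & objEvent.ComputerName
      LogFile.WriteLine "Logfile          : " & objEvent.Logfile
      LogFile.WriteLine "Type             : " & objEvent.Type
      LogFile.WriteLine "User             : " & objEvent.User
      LogFile.WriteLine "Category         : " & objEvent.Category
      LogFile.WriteLine "Category String  : " & objEvent.CategoryString

      ' Data and InsertionStrings are arrays on some events. The helper builds
      ' the joined string fresh for each event; the original appended to
      ' script-level accumulators that were never reset, so every record after
      ' the first also carried the previous records' Data / InsertionStrings.
      LogFile.WriteLine "Data             : " & JoinIfArray(objEvent.Data)

      LogFile.WriteLine "Event Code       : " & objEvent.EventCode
      LogFile.WriteLine "Event Identifier : " & objEvent.EventIdentifier
      LogFile.WriteLine "Message          : " & objEvent.Message
      LogFile.WriteLine "Record Number    : " & objEvent.RecordNumber
      LogFile.WriteLine "Source Name      : " & objEvent.SourceName
      LogFile.WriteLine "Time Generated   : " & objEvent.TimeGenerated
      LogFile.WriteLine "Time Written     : " & objEvent.TimeWritten

      LogFile.WriteLine "Insertion Strings: " & JoinIfArray(objEvent.InsertionStrings)

      LogFile.WriteLine "----------------------------------------------------------------------------------------------------------"
    Next
    LogFile.Close

    ' Returns the elements of an array joined as "a,b," (each element followed
    ' by a comma, matching the original output layout), or the value itself
    ' unchanged when it is not an array (Null/Empty concatenate as "").
    Function JoinIfArray(v)
      Dim i, s
      s = ""
      If IsArray(v) Then
        For i = 0 To UBound(v)
          s = s & v(i) & ","
        Next
        JoinIfArray = s
      Else
        JoinIfArray = v
      End If
    End Function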
    

输出示例(并非每个事件都会填充全部字段):

    ----------------------------------------------------------------------------------------------------------
    Computer Name    : Randy-PC
    Logfile          : Application
    Type             : Information
    User             : 
    Category         : 0
    Category String  : 
    Data             : 
    Event Code       : 9019
    Event Identifier : 1073750843
    Message          : The Desktop Window Manager was unable to start because the desktop composition setting is disabled
    Record Number    : 37395
    Source Name      : Desktop Window Manager
    Time Generated   : 20160903031728.000000-000
    Time Written     : 20160903031728.000000-000
    Insertion Strings: 
    ----------------------------------------------------------------------------------------------------------
    

    【讨论】:
