2016-08-31 3 views
0

WQL statement to check an application's event log

I want to analyze the event log of a particular Windows application (Windows 7 Enterprise, 64-bit).

I need a specific event that was written a few seconds ago. The number of rows (anzahl = colLoggedEvents.count) must be 0 or 1, nothing else.

strComputer = "." ' This computer

' Retrieving Specific Events from an Event Log

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\" & strComputer & "\root\cimv2")

Const CONVERT_TO_LOCAL_TIME = True

Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

dtmStartDate.SetVarDate dateadd("s", -10, now()) ' CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now() ' CONVERT_TO_LOCAL_TIME

dim var_wql

var_wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '< ... >' AND SourceName = '< ... >' AND EventCode = '< ... >' AND (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"

Set colLoggedEvents = objWMIService.ExecQuery(var_wql)

...

Here is my VBScript code, which either produces completely wrong results (the wrong number of events) or does not work at all.

Is there a problem with the WQL statement? I want to check the last few seconds before now.

Thanks.

Tommy

Answer

0

Syntax error. If you change the objWMIService line like this, it works for me:

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & strComputer & "\root\cimv2") 

Updated to collect all event log entries generated in the last 10 seconds and write them to a log file.

On Error Resume Next   ' note: this also hides failures such as an unwritable log file

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\.\root\cimv2")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
strSystemDrive = WshShell.ExpandEnvironmentStrings("%SystemDrive%")

' Build the time window as CIM datetime strings (yyyymmddHHMMSS.mmmmmm+UUU).
' SetVarDate with CONVERT_TO_LOCAL_TIME = True records the local UTC offset, so
' WMI can normalise both sides to UTC when it compares them against TimeWritten.
Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate dateadd("s", -10, now()), CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now(), CONVERT_TO_LOCAL_TIME
var_wql = "SELECT * FROM Win32_NTLogEvent WHERE (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"

' Make sure the target folder exists; otherwise CreateTextFile fails silently under On Error Resume Next.
If Not objFSO.FolderExists(strSystemDrive & "\Temp") Then objFSO.CreateFolder strSystemDrive & "\Temp"
Set LogFile = objFSO.CreateTextFile(strSystemDrive & "\Temp\EvtLog.txt", True)

Set colLoggedEvents = objWMIService.ExecQuery(var_wql)
For Each objEvent in colLoggedEvents
    ' Reset the accumulators for every event; otherwise the Data and
    ' InsertionStrings of earlier events are repeated in every later record.
    strData = ""
    strInsert = ""

    LogFile.WriteLine "Computer Name : " & objEvent.ComputerName
    LogFile.WriteLine "Logfile   : " & objEvent.Logfile
    LogFile.WriteLine "Type    : " & objEvent.Type
    LogFile.WriteLine "User    : " & objEvent.User
    LogFile.WriteLine "Category   : " & objEvent.Category
    LogFile.WriteLine "Category String : " & objEvent.CategoryString

    ' Data is a uint8 array (raw event data) when present
    If IsArray(objEvent.Data) Then
    For i = 0 To UBound(objEvent.Data)
     strData = strData & objEvent.Data(i) & ","
    Next
    LogFile.WriteLine "Data    : " & strData
    Else
    LogFile.WriteLine "Data    : " & objEvent.Data
    End If

    LogFile.WriteLine "Event Code  : " & objEvent.EventCode
    LogFile.WriteLine "Event Identifier : " & objEvent.EventIdentifier
    LogFile.WriteLine "Message   : " & objEvent.Message
    LogFile.WriteLine "Record Number : " & objEvent.RecordNumber
    LogFile.WriteLine "Source Name  : " & objEvent.SourceName
    LogFile.WriteLine "Time Generated : " & objEvent.TimeGenerated
    LogFile.WriteLine "Time Written  : " & objEvent.TimeWritten

    ' InsertionStrings are the per-event parameters substituted into the message template
    If IsArray(objEvent.InsertionStrings) Then
    For i = 0 To UBound(objEvent.InsertionStrings)
     strInsert = strInsert & objEvent.InsertionStrings(i) & ","
    Next
    LogFile.WriteLine "Insertion Strings: " & strInsert
    Else
    LogFile.WriteLine "Insertion Strings: " & objEvent.InsertionStrings
    End If

    LogFile.WriteLine "----------------------------------------------------------------------------------------------------------"
Next

LogFile.Close

Sample output (not every field is used by every event):

---------------------------------------------------------------------------------------------------------- 
Computer Name : Randy-PC 
Logfile   : Application 
Type    : Information 
User    : 
Category   : 0 
Category String : 
Data    : 
Event Code  : 9019 
Event Identifier : 1073750843 
Message   : The Desktop Window Manager was unable to start because the desktop composition setting is disabled 
Record Number : 37395 
Source Name  : Desktop Window Manager 
Time Generated : 20160903031728.000000-000 
Time Written  : 20160903031728.000000-000 
Insertion Strings: 
---------------------------------------------------------------------------------------------------------- 
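The question asked for the narrow version of this query (one log, one source, one event code, a window of a few seconds, and a hit count that must be 0 or 1), which the answer's script drops in favour of dumping everything. The following is an added example, not code from the original post or its author, that does the targeted query in PowerShell on the local machine using the same CIM datetime technique. It assumes PowerShell 3.0 or later (Get-CimInstance); the log name, source name and event code in the usage line are taken from the sample output above, and the function and parameter names are my own. It also escapes the string literals before they go into the WQL text, which the question's `'< ... >'` concatenation does not.

```powershell
# Added example, not part of the original post: query Win32_NTLogEvent for one
# source/event code inside a short, correctly bounded time window.

function ConvertTo-WqlLiteral {
    # WQL string literals use backslash as the escape character. Escaping keeps a
    # caller-supplied value such as O'Brien from breaking out of the quoted literal.
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function Get-RecentNTLogEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Logfile,
        [Parameter(Mandatory)][string]$SourceName,
        [Parameter(Mandatory)][int]$EventCode,
        [int]$WindowSeconds = 10
    )

    $end   = Get-Date
    $start = $end.AddSeconds(-$WindowSeconds)

    # CIM datetime literals look like 20160903031728.000000+120: local time plus
    # the UTC offset in minutes. ToDmtfDateTime() emits the current local offset,
    # so WMI normalises both sides to UTC before comparing them with TimeWritten
    # (which the sample output above shows with a -000 offset).
    $dmtfStart = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($start)
    $dmtfEnd   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($end)

    # EventCode is a uint16 in the class, so it is compared as a number, unquoted.
    $wql = "SELECT * FROM Win32_NTLogEvent " +
           "WHERE Logfile = '$(ConvertTo-WqlLiteral $Logfile)' " +
           "AND SourceName = '$(ConvertTo-WqlLiteral $SourceName)' " +
           "AND EventCode = $EventCode " +
           "AND TimeWritten >= '$dmtfStart' AND TimeWritten < '$dmtfEnd'"
    Write-Verbose $wql

    # @() forces an array so .Count is 0, 1 or n instead of $null for one object.
    $events = @(Get-CimInstance -Query $wql -ErrorAction Stop)

    # The question's rule: 0 or 1 hits is normal, anything else is an error.
    if ($events.Count -gt 1) {
        throw "Expected at most one matching event in the last $WindowSeconds s, found $($events.Count)"
    }
    return $events
}

# Usage: values taken from the answer's sample output (assumed to be what you
# would filter on); run elevated if the target log requires it.
$query = @{ Logfile = 'Application'; SourceName = 'Desktop Window Manager'; EventCode = 9019; WindowSeconds = 10 }
$hits = Get-RecentNTLogEvent @query -Verbose
"Matches in window: $($hits.Count)"
$hits | Select-Object RecordNumber, TimeWritten, EventCode, Message
```

Get-CimInstance already converts TimeWritten to a .NET DateTime on the way out, so the DMTF format only matters when you build the WHERE clause. On a machine without PowerShell 3.0 the same query string can be passed to Get-WmiObject -Query instead; the escaping and the datetime literals are unchanged.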