Event Log Files

Started by spl, December 08, 2025, 06:29:42 AM


spl

Below is a simple iteration of a computer Event log files with Names and {optional} number of records. Wondered if there was a method to track latest changes to any specific log, i.e. within last 10 minutes.
;Winbatch 2025A - Display NT Event Log Files
;Stan Littlefield, 12/8/2025
;========================================================================
IntControl(73,1,0,0,0)
gosub udfs
Computer = "."
class =  "Win32_NTEventLogFile"
LogCreate()
Exit
;========================================================================
:WBERRORHANDLER
geterror()
Terminate(@TRUE,"Error Encountered",errmsg)
;========================================================================
:udfs
#DefineSubRoutine geterror()
   wberroradditionalinfo = wberrorarray[6]
   lasterr = wberrorarray[0]
   handlerline = wberrorarray[1]
   textstring = wberrorarray[5]
   linenumber = wberrorarray[8]
   errmsg = "Error: ":lasterr:@LF:textstring:@LF:"Line (":linenumber:")":@LF:wberroradditionalinfo
   Return(errmsg)
#EndSubRoutine

#DefineSubRoutine LogCreate()
IntControl(73,1,0,0,0)
Locator = CreateObject("WbemScripting.SWbemLocator")
Service = Locator.ConnectServer(Computer,"root\CIMv2")
query = "SELECT * FROM ":class
Results = Service.ExecQuery(query)
output = ""
ForEach r In Results
   if  r.NumberOfRecords >=0  ; or just >0 for only active logs
      ; r.Name is the full .evtx path; r.LogfileName holds the short log name (Application, System, ...)
      evt = "Name: " : r.Name : @CRLF:  "Number Of Records " : r.NumberOfRecords:@CRLF
      output = output:evt
   endif
Next
Locator = 0   ; release the COM object
Message("Event Logs Files",output)
Return
:WBERRORHANDLER
geterror()
Terminate(@TRUE,"Error Encountered",errmsg)
#EndSubRoutine

Return
;========================================================================
Stan - formerly stanl [ex-Pundit]
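For the "what changed in the last 10 minutes" part of the question, here is an added example in PowerShell (not code from the thread or from the WinBatch Tech Database). It does the same Win32_NTEventLogFile enumeration as the script above and then pulls the Win32_NTLogEvent rows written to one log since a cutoff. The WQL comparison needs the cutoff in WMI's DMTF datetime format, which is the part that is easy to get wrong. The log name and the 10-minute window are parameters and are assumptions; run it elevated if you want the Security log.

```powershell
# Added example, not part of the original thread.
# Assumes Windows PowerShell 5.1 or later with the CIM cmdlets available.
param(
    [string]$LogName = 'Application',   # assumption: any LogfileName reported by Win32_NTEventLogFile
    [int]$Minutes    = 10               # assumption: the look-back window from the question
)

# 1. One row per log file, same data the WinBatch script prints.
#    Name is the full .evtx path; LogfileName is the short name used by Win32_NTLogEvent.Logfile.
Get-CimInstance -ClassName Win32_NTEventLogFile |
    Select-Object LogfileName, NumberOfRecords, FileSize, Name |
    Sort-Object NumberOfRecords -Descending |
    Format-Table -AutoSize

# 2. WMI stores timestamps as DMTF strings (yyyymmddHHMMSS.ffffff+UTCoffset),
#    so a "since N minutes ago" filter must be expressed in that format.
$cutoff = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime(
              (Get-Date).AddMinutes(-$Minutes))

# Filtering on Logfile in the query matters: Win32_NTLogEvent without a log
# filter walks every classic log and is very slow on busy machines.
$wql = "SELECT * FROM Win32_NTLogEvent " +
       "WHERE Logfile = '$LogName' AND TimeWritten >= '$cutoff'"

Get-CimInstance -Query $wql |
    Sort-Object TimeWritten -Descending |
    Select-Object TimeWritten, EventCode, SourceName, Type,
                  @{ n = 'Message'; e = { ([string]$_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Two caveats worth knowing before relying on this: Get-CimInstance hands TimeWritten back as a .NET DateTime, so the DMTF conversion is only needed inside the query string; and Win32_NTLogEvent only covers the classic logs (Application, System, Security and friends), so an "Applications and Services" channel has to be read with Get-WinEvent and a -FilterHashtable StartTime instead.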

td

An old but useful example of targeting a specific event log:

Old Tech Database script

Interestingly, on a whim, I found this article using an AI LLM.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

spl

Quote from: td on December 08, 2025, 09:03:45 AM

An old but useful example of targeting a specific event log:

Old Tech Database script

Interestingly, on a whim, I found this article using an AI LLM.

Yeah, I figured there was already something out there. I am looking into something very specific, like being able to iterate events from my Spybot event log within 10 minute intervals... sort of an event for the events.

[EDIT]
"Select * from __InstanceCreationEvent within 10 WHERE TargetInstance ISA 'Win32_NTLogEvent'"
Stan - formerly stanl [ex-Pundit]

spl

DOIT! Forgot I had explored this earlier with Win32_Process. Script below works but rather clumsy to get started.
;Stan Littlefield 12/9/2025 (using WB2025C)
;Test with WMI Win32_NTLogEvent
;using __InstanceCreationEvent
;===========================================================================
IntControl(73,1,0,0,0)
GoSub UDFS
Computer = "."
objLocator = ObjectCreate("WbemScripting.SWbemLocator")
objServices = objLocator.ConnectServer(Computer, "root\cimv2")
strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_NTLogEvent'"
objEventSource = objServices.ExecNotificationQuery(strQuery)
Display(3,"Win32_NTLogEvent Monitor", "Please wait for event description...")
n = 1
done = 3 ;increase this for more events or set a timeout option
While @True
   objEvent = objEventSource.NextEvent()
   ; Extract details from the event
   EventCode = objEvent.TargetInstance.EventCode
   msg = objEvent.TargetInstance.Message
   detected = TimeYmdHms() ; there is a datetime TimeGenerated but difficult to display
   Message("New NTEvent Detected", "Time: " : detected : @CRLF : "EventCode: " : EventCode : @CRLF : "Event: " : msg)
   n +=1
   if n>done Then Break
Endwhile
Display(2,"End of Events Detected","Closing Script")
objServices = 0
objLocator = 0
Exit

:WBERRORHANDLER
objServices = 0
objLocator = 0
geterror()
Terminate(@TRUE,"Error Encountered",errmsg)
;===========================================================================
:UDFS

#DefineSubRoutine geterror()
   wberroradditionalinfo = wberrorarray[6]
   lasterr = wberrorarray[0]
   handlerline = wberrorarray[1]
   textstring = wberrorarray[5]
   linenumber = wberrorarray[8]
   errmsg = "Error: ":lasterr:@LF:textstring:@LF:"Line (":linenumber:")":@LF:wberroradditionalinfo
   Return(errmsg)
#EndSubRoutine

Return
Stan - formerly stanl [ex-Pundit]
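The same __InstanceCreationEvent subscription, driven from PowerShell with Register-CimIndicationEvent, as an added example that is not code from this thread. It keeps the WITHIN 20 polling interval and the three-event limit of the WinBatch script, adds a TargetInstance.Logfile filter so the subscription only fires for one log, and puts a timeout around NextEvent-style waiting so the script cannot hang forever when the log stays quiet. The log name, event limit and timeout are assumptions.

```powershell
# Added example, not part of the original thread.
# Assumes Windows PowerShell 5.1 or later; reading the Security log needs elevation.
param(
    [string]$LogName        = 'Application',  # assumption: which classic log to watch
    [int]$MaxEvents         = 3,              # mirrors "done = 3" in the WinBatch script
    [int]$TimeoutSeconds    = 120             # assumption: give up if nothing arrives
)

# WITHIN 20 is the WMI polling interval in seconds: events are detected up to
# 20 s late, and a smaller value costs CPU because WMI re-scans the log more often.
$wql = "SELECT * FROM __InstanceCreationEvent WITHIN 20 " +
       "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.Logfile = '$LogName'"

$sourceId = 'NTLogEventWatch'

# No -Action block: events queue up and are consumed in order below, which is
# the closest match to the NextEvent() loop in the WinBatch script.
Register-CimIndicationEvent -Query $wql -SourceIdentifier $sourceId | Out-Null
Write-Host "Watching '$LogName' for $MaxEvents new event(s), timeout $TimeoutSeconds s ..."

try {
    $seen     = 0
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    while ($seen -lt $MaxEvents) {
        $remaining = [int](($deadline - (Get-Date)).TotalSeconds)
        if ($remaining -le 0) { Write-Warning "Timed out after $TimeoutSeconds s"; break }

        # Wait-Event blocks until one queued event is available or the timeout expires.
        $e = Wait-Event -SourceIdentifier $sourceId -Timeout $remaining
        if (-not $e) { Write-Warning "Timed out after $TimeoutSeconds s"; break }

        # NewEvent is the __InstanceCreationEvent; TargetInstance is the Win32_NTLogEvent record.
        $rec = $e.SourceEventArgs.NewEvent.TargetInstance

        # TimeGenerated comes back as a DateTime through the CIM cmdlets, so no
        # DMTF conversion is needed here (the "difficult to display" part above).
        '{0:yyyy-MM-dd HH:mm:ss}  {1,-24} {2,6}  {3}' -f $rec.TimeGenerated,
            $rec.SourceName, $rec.EventCode, (([string]$rec.Message -split "`n")[0])

        Remove-Event -EventIdentifier $e.EventIdentifier
        $seen++
    }
}
finally {
    # Always tear the subscription down, otherwise WMI keeps polling the log
    # for as long as this PowerShell session lives.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
    Get-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue | Remove-Event
}
```

To try it, start the script in one window and write a test record from another elevated one, for example with Write-EventLog against the Application log; the record shows up on the next WMI poll, which is why there can be up to a 20-second lag between writing and seeing it.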

td

I understood you were looking for an event driven solution. I was just surprised that a ubiquitous AI bot would hurl up a link to the WinBatch Tech Database article in response to the question.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
