Event Log Files

Started by spl, December 08, 2025, 06:29:42 AM


spl

Below is a simple iteration of a computer's Event log files with Names and {optional} number of records. Wondered if there was a method to track latest changes to any specific log, i.e. within last 10 minutes.
;Winbatch 2025A - Display NT Event Log Files
;Stan Littlefield, 12/8/2025
;========================================================================
IntControl(73,1,0,0,0)
gosub udfs
Computer = "."
class = "Win32_NTEventLogFile"
LogCreate()
Exit
;========================================================================
:WBERRORHANDLER
geterror()
Terminate(@TRUE,"Error Encountered",errmsg)
;========================================================================
:udfs
#DefineSubRoutine geterror()
   wberroradditionalinfo = wberrorarray[6]
   lasterr = wberrorarray[0]
   handlerline = wberrorarray[1]
   textstring = wberrorarray[5]
   linenumber = wberrorarray[8]
   errmsg = "Error: ":lasterr:@LF:textstring:@LF:"Line (":linenumber:")":@LF:wberroradditionalinfo
   Return(errmsg)
#EndSubRoutine

#DefineSubRoutine LogCreate()
IntControl(73,1,0,0,0)
Locator = CreateObject("WbemScripting.SWbemLocator")
Service = Locator.ConnectServer(Computer,"root\CIMv2") 
query = "SELECT * FROM ":class
Results = Service.ExecQuery(query)
output = ""
ForEach r In Results
   if  r.NumberOfRecords >=0  ; or just >0 for only active logs
      evt = "Name: " : r.Name : @CRLF:  "Number Of Records " : r.NumberOfRecords:@CRLF
      output = output:evt
   endif
Next
Locator = 0
Message("Event Logs Files",output)
Return
:WBERRORHANDLER
geterror()
Terminate(@TRUE,"Error Encountered",errmsg)
#EndSubRoutine

Return
;========================================================================
Stan - formerly stanl [ex-Pundit]

td

An old but useful example of targeting a specific event log:

Old Tech Database script

Interestingly, on a whim, I found this article using an AI LLM.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

spl

Quote from: td on December 08, 2025, 09:03:45 AM
An old but useful example of targeting a specific event log:

Old Tech Database script

Interestingly, on a whim, I found this article using an AI LLM.

Yeah, I figured there was already something out there. I am looking into something very specific, like being able to iterate events from my Spybot event log within 10 minute intervals... sort of an event for the events.

[EDIT]
"Select * from __InstanceCreationEvent within 10 WHERE TargetInstance ISA 'Win32_NTLogEvent'"
Stan - formerly stanl [ex-Pundit]

spl

DOIT! Forgot I had explored this earlier with Win32_Process. Script below works but rather clumsy to get started.
;Stan Littlefield 12/9/2025 (using WB2025C)
;Test with WMI Win32_NTLogEvent
;using __InstanceCreationEvent
;===========================================================================
IntControl(73,1,0,0,0)
GoSub UDFS
Computer = "."
objLocator = ObjectCreate("WbemScripting.SWbemLocator")
objServices = objLocator.ConnectServer(Computer, "root\cimv2")
strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 20 WHERE TargetInstance ISA 'Win32_NTLogEvent'"
objEventSource = objServices.ExecNotificationQuery(strQuery)
Display(3,"Win32_NTLogEvent Monitor", "Please wait for event description...")
n = 1
done = 3 ;increase this for more events or set a timeout option
While @True
   objEvent = objEventSource.NextEvent()
   ; Extract details from the event
   EventCode = objEvent.TargetInstance.EventCode
   msg = objEvent.TargetInstance.Message
   detected = TimeYmdHms() ; there is a datetime TimeGenerated but difficult to display
   Message("New NTEvent Detected", "Time: " : detected : @CRLF : "EventCode: " : EventCode : @CRLF : "Event: " : msg)
   n +=1
   if n>done Then Break
Endwhile
Display(2,"End of Events Detected","Closing Script")
objServices = 0
objLocator = 0
Exit

:WBERRORHANDLER
objServices = 0
objLocator = 0
geterror()
Terminate(@TRUE,"Error Encountered",errmsg)
;===========================================================================
:UDFS

#DefineSubRoutine geterror()
   wberroradditionalinfo = wberrorarray[6]
   lasterr = wberrorarray[0]
   handlerline = wberrorarray[1]
   textstring = wberrorarray[5]
   linenumber = wberrorarray[8]
   errmsg = "Error: ":lasterr:@LF:textstring:@LF:"Line (":linenumber:")":@LF:wberroradditionalinfo
   Return(errmsg)
#EndSubRoutine

Return
Stan - formerly stanl [ex-Pundit]

td

I understood you were looking for an event driven solution. I was just surprised that a ubiquitous AI bot would hurl up a link to the WinBatch Tech Database article in response to the question.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

spl

Quote from: td on December 09, 2025, 05:50:52 PM
I understood you were looking for an event driven solution. I was just surprised that a ubiquitous AI bot would hurl up a link to the WinBatch Tech Database article in response to the question.

Yeah, I think I posted a while back how co-pilot appeared to replicate a script I posted here the next day. I assume AI has parsed the tech db.

I'm more interested in an event watcher, which I think WB is capable of. There is a .NET class System.Diagnostics.Eventing.Reader.EventLogWatcher which can apply to all event logs, not just the classics like Application or System. The watcher would be a companion to a long-running script that might be doing web-scraping or API queries.


Stan - formerly stanl [ex-Pundit]

td

WMI is capable of observing anything that uses the Windows event protocol. It is not exclusive to the Windows formal event logs. It can even handle some events that do not. There are examples of using WMI to observe file system changes, for example.

Forum harvesting is understandable. The AI crawlers show up almost constantly in the forum's logs. But the reason I found a regurgitated Tech DB link so interesting is that the articles are not static, and crawlers are not common in the Tech DB logs. Also, Tech DB pages are dynamically generated.  I guess the tech bros are getting desperate for training data, so they take the time to program their crawlers to activate links on somewhat obscure websites.

I recently read an interview with an MIT professor on this subject. He introduced the concept of matrix descent and how hungry AI LLMs are because they have exhausted the training data. AI training is now selective retraining. To borrow from the interview, it makes using AI a lot like talking to a 37-year-old male Reddit poster.

For fun, I could set up a script to monitor events entered in the Tech DB log to track AI crawler activity.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

spl

Quote from: td on December 10, 2025, 07:48:59 AM
For fun, I could set up a script to monitor events entered in the Tech DB log to track AI crawler activity.

That does sound like fun. I don't believe the logs like below are WMI enabled, but there are hundreds of them.
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Defender/Operational

[EDIT]
and keeping with those logs, I attached current output from my Win10 Surface Pro, including those with no records. No wonder things slow down.
Stan - formerly stanl [ex-Pundit]
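Added example (PowerShell rather than WinBatch, and not code from any post in this thread): the System.Diagnostics.Eventing.Reader.EventLogWatcher approach spl mentions, pointed at one of the non-WMI channels listed above, with an XPath filter that also answers the original "within the last 10 minutes" question and replaces the WQL __InstanceCreationEvent polling interval with a live subscription. Assumed: Windows PowerShell 5.1 or PowerShell 7 on Windows, run by an account allowed to read the channel (Administrators or the Event Log Readers group); the channel name, minutes and watch duration are parameters you can change.

```powershell
# Added example, not from the thread: event-driven watcher for a modern ETW-backed
# channel using EventLogWatcher, which covers logs Win32_NTLogEvent cannot see.
using namespace System.Diagnostics.Eventing.Reader
param(
    [string]$Channel      = 'Microsoft-Windows-Windows Defender/Operational',
    [int]   $MinutesBack  = 10,     # "within the last 10 minutes" from the first post
    [int]   $WatchSeconds = 300     # how long to keep the live subscription open
)

# XPath over the record's System block; timediff() is milliseconds relative to now.
$xpath = "*[System[TimeCreated[timediff(@SystemTime) <= $($MinutesBack * 60000)]]]"

# One-shot equivalent of the thread's WQL query, usable on any channel, not only the classics.
Write-Host "Records in '$Channel' from the last $MinutesBack minutes:"
Get-WinEvent -LogName $Channel -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName -AutoSize

# Live subscription: readExistingEvents=$true replays the matching records first,
# then streams every new record as it is written (no WITHIN polling interval).
$query   = [EventLogQuery]::new($Channel, [PathType]::LogName, $xpath)
$watcher = [EventLogWatcher]::new($query, $null, $true)
$sid     = 'ChannelWatch'
Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier $sid | Out-Null
$watcher.Enabled = $true
$deadline = (Get-Date).AddSeconds($WatchSeconds)
try {
    while ((Get-Date) -lt $deadline) {
        $e = Wait-Event -SourceIdentifier $sid -Timeout 5     # $null on timeout, keep waiting
        if ($null -eq $e) { continue }
        Remove-Event -EventIdentifier $e.EventIdentifier
        $rec = $e.SourceEventArgs.EventRecord
        if ($null -eq $rec) {                                  # delivery failure, not a record
            Write-Warning $e.SourceEventArgs.EventException.Message
            continue
        }
        # TimeCreated is already a DateTime here, unlike the WMI TimeGenerated string.
        '{0:u}  Id={1,-5} {2}' -f $rec.TimeCreated, $rec.Id, $rec.FormatDescription()
    }
}
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier $sid
    $watcher.Dispose()
}
```

FormatDescription() returns nothing when the provider's message resources are not installed on the reading machine, so an empty description column is a lookup problem rather than an empty event.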
