Exporting Event Viewer entries

Windows has an Event Viewer that records every log on the system. If you want to pull a single kind of event out of it and save it as a separate file, can that be done?

Yes. This is where WMI (Windows Management Instrumentation) comes in, but WMI cannot be used directly: you have to pick a scripting language that supports WMI (VBScript, Microsoft JScript, Perl, ASP, .NET written in C#, Visual Basic .NET, or J#) and write a small program that calls the WMI functions.

The following page has a complete tutorial that shows you how to isolate a particular log entry:

' EventLogFSO.vbs
' Sample VBScript to write event log data to text file
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.7 - May 2006
' -----------------------------------------------------------'
Option Explicit

Dim objFSO, objFolder, objFile, objWMI, objItem, objShell
Dim strComputer, strFileName, strFileOpen, strFolder, strPath
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
Dim intEventType, strLogType

' --------------------------------------------------------
' Set the folder and file name
strComputer = "."
strFileName = "\Event680.txt"
strFolder = "e:\logs"
strPath = strFolder & strFileName

' Set numbers
intNumberID = 680 ' Event ID Number
intEventType = 4  ' 4 = Security audit success
strLogType = "'Security'"
intRecordNum = 0

' -----------------------------------------------------
' Section to create folder and hold file.
' Create the File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Check that the strFolder folder exists
If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFolder = objFSO.CreateFolder(strFolder)
    WScript.Echo "Just created " & strFolder
End If

If objFSO.FileExists(strFolder & strFileName) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
    WScript.Echo "Just created " & strFolder & strFileName
End If
' --------------------------------------------------
' Two tiny but vital commands (Try script without)
Set objFile = Nothing
Set objFolder = Nothing

' ----------------------------------------------------
' Write the information to the file (True = overwrite an existing file)
WScript.Echo " Press OK and Wait 30 seconds (ish)"
Set strFileOpen = objFSO.CreateTextFile(strPath, True)

' ----------------------------------------------------------
' WMI Core Section
' "(Security)" in the moniker enables the SeSecurityPrivilege that
' reading the Security log requires, so run the script as an administrator.
Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile =" & strLogType)

' ----------------------------------------------------------
' Next section loops through ID properties
' (every record in the log is fetched; the ID and type are filtered here)
For Each objItem In colLoggedEvents
    If objItem.EventCode = intNumberID Then
        If objItem.EventType = intEventType Then
            strFileOpen.WriteLine("Category: " & objItem.Category _
                & " string " & objItem.CategoryString)
            strFileOpen.WriteLine("ComputerName: " & objItem.ComputerName)
            strFileOpen.WriteLine("Logfile: " & objItem.Logfile _
                & " source " & objItem.SourceName)
            strFileOpen.WriteLine("EventCode: " & objItem.EventCode)
            strFileOpen.WriteLine("EventType: " & objItem.EventType)
            strFileOpen.WriteLine("Type: " & objItem.Type)
            strFileOpen.WriteLine("User: " & objItem.User)
            strFileOpen.WriteLine("Message: " & objItem.Message)
            strFileOpen.WriteLine(" ")
            intRecordNum = intRecordNum + 1
        End If
    End If
Next

' Close the file so everything is flushed to disk before it is opened
strFileOpen.Close

' Confirms the script has completed and opens the file
Set objShell = CreateObject("WScript.Shell")
objShell.Run "Explorer " & strPath

WScript.Quit

' End of Guy's FSO sample VBScript

A quick explanation of its contents:

strFileName = "\Event680.txt"
strFolder = "e:\logs"
intNumberID = 680 ' Event ID Number
intEventType = 4
strLogType = "'Security'"

These are the parameters you need to change: the file name, the folder location, the Event ID and the Event Type.
Event Type
1 = Other
2 = Warning
3 = Information
4 = Security Success (audit success)
5 = Security Failure (audit failure)

LogType has three basic options: Security, Application and System.

Also, that article tells us to download and install WMI Monitor. In fact you do not need to download or install anything; the .vbs file above runs without it, because the WMI service is built into the system (Windows 2000, Windows XP, Windows Server 2003 and later all have it).

I then modified the example above into what I needed:

' EventLogFSO.vbs
' Sample VBScript to write event log data to text file
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.7 - May 2006
' -----------------------------------------------------------'
Option Explicit

Dim objFSO, objFolder, objFile, objWMI, objItem, objShell
Dim strComputer, strFileName, strFileOpen, strFolder, strPath
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
Dim intEventType, strLogType

' --------------------------------------------------------
' Set the folder and file name
strComputer = "."
strFileName = "\Event521.txt"
strFolder = "c:\logs"
strPath = strFolder & strFileName

' Set numbers
intNumberID = 521 ' Event ID Number
intEventType = 2  ' 2 = Warning
strLogType = "'Application'"
intRecordNum = 0

' -----------------------------------------------------
' Section to create folder and hold file.
' Create the File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Check that the strFolder folder exists
If objFSO.FolderExists(strFolder) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFolder = objFSO.CreateFolder(strFolder)
    WScript.Echo "Just created " & strFolder
End If

If objFSO.FileExists(strFolder & strFileName) Then
    Set objFolder = objFSO.GetFolder(strFolder)
Else
    Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
    WScript.Echo "Just created " & strFolder & strFileName
End If
' --------------------------------------------------
' Two tiny but vital commands (Try script without)
Set objFile = Nothing
Set objFolder = Nothing

' ----------------------------------------------------
' Write the information to the file (True = overwrite an existing file)
'WScript.Echo " Press OK and Wait 30 seconds (ish)"
Set strFileOpen = objFSO.CreateTextFile(strPath, True)

' ----------------------------------------------------------
' WMI Core Section
Set objWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile =" & strLogType)
' ----------------------------------------------------------
' Next section loops through ID properties

For Each objItem In colLoggedEvents
    If objItem.EventCode = intNumberID Then
        If objItem.EventType = intEventType Then
            ' TimeWritten is a WMI CIM_DATETIME string, e.g. 20060515093012.000000+480
            strFileOpen.WriteLine("TimeWritten:" & objItem.TimeWritten)
            strFileOpen.WriteLine("Message: " & objItem.Message)
            strFileOpen.WriteLine(" ")
            intRecordNum = intRecordNum + 1
        End If
    End If
Next

' Close the file so everything is flushed to disk
strFileOpen.Close

' Confirms the script has completed (the Explorer launch was removed)
Set objShell = CreateObject("WScript.Shell")

WScript.Quit

' End of Guy's FSO sample VBScript

The main changes are that I removed some message output I did not need and added a time field.

Time field
strFileOpen.WriteLine("TimeWritten:" & objItem.TimeWritten)

Running it is simple: double-click the .vbs file, or run cscript xx.vbs from the command line.
Running it once exports the matching entries from the current log; running it a second time overwrites the previous contents.
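The same export written in PowerShell, added here as an example that is not part of the original post or of Guy Thomas's script. It queries the same Win32_NTLogEvent class, but puts the Event ID and Event Type into the WQL filter so that WMI selects the records instead of the script looping over every entry in the log (which is the "wait 30 seconds" in the VBScript), writes to a timestamped file so that a second run does not overwrite the first, and converts TimeWritten to a readable date. The parameter defaults and the C:\logs folder are placeholders to edit, as in the post; note that the Win32_NTLogEvent documentation lists EventType 1 as Error.

```powershell
# Added example, not the original post's code. Exports matching event log
# records via WMI to a timestamped text file. Run as administrator when
# reading the Security log.
param(
    [string]$LogName   = 'Application',   # Security / Application / System
    [int]   $EventId   = 521,             # Event ID to export
    [int]   $EventType = 2,               # 2 = Warning, 3 = Information, 4/5 = audit success/failure
    [string]$OutFolder = 'C:\logs'        # placeholder, change to suit
)

if (-not (Test-Path -LiteralPath $OutFolder)) {
    New-Item -ItemType Directory -Path $OutFolder | Out-Null
}

# Timestamped file name, so each run keeps its own export instead of
# overwriting the previous one.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $OutFolder ("Event{0}-{1}.txt" -f $EventId, $stamp)

# Filter server-side in WQL: WMI returns only the matching records.
$filter = "Logfile='$LogName' AND EventCode=$EventId AND EventType=$EventType"
$events = @(Get-CimInstance -ClassName Win32_NTLogEvent -Filter $filter)

$events | ForEach-Object {
    # Get-CimInstance already converts the CIM_DATETIME string that the
    # VBScript writes raw (e.g. 20060515093012.000000+480) into a [datetime].
    "TimeWritten: {0:yyyy-MM-dd HH:mm:ss}" -f $_.TimeWritten
    "Message: $($_.Message)"
    ""
} | Set-Content -LiteralPath $outFile -Encoding UTF8

"{0} record(s) written to {1}" -f $events.Count, $outFile
```

Save it as a .ps1 and run it from a PowerShell prompt, for example `.\Export-Event.ps1 -LogName Security -EventId 680 -EventType 4 -OutFolder E:\logs` to reproduce the original script's settings. Because the filtering happens inside the WQL query, the script does not pull the whole log across the WMI boundary, and because each export gets its own file name, earlier exports are preserved.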
