在上一篇的基礎下,我們繼續修改匯出的訊息成為我們要的格式。
' 作者:夢見草 製作日期:2011/08/01
' 網址: http://blog.ns01.us/2011/318
' -----------------------------------------------------------'
Option Explicit
Dim objFSO, objFolder, objFile, objWMI, objItem, objShell
Dim strComputer, strFileName, strFileOpen, strFolder, strPath
Dim intEvent, intNumberID, intRecordNum, colLoggedEvents
Dim intEventType, strLogType
' --------------------------------------------------------
' 設定匯出 資料夾位置 和 檔名
strComputer = "."
strFileName = "\pop.txt"
strFolder = "C:\MDlogs"
strPath = strFolder & strFileName
' 設定要抓取 事件檢視器裡的 Event ID
intNumberID = 521 ' Event ID Number
intEventType = 2
strLogType = "'Application'"
intRecordNum = 0
' -----------------------------------------------------
' Section to create folder and hold file.
' Create the File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Check that the strFolder folder exists
If objFSO.FolderExists(strFolder) Then
Set objFolder = objFSO.GetFolder(strFolder)
Else
Set objFolder = objFSO.CreateFolder(strFolder)
WScript.Echo "Just created " & strFolder
End If
If objFSO.FileExists(strFolder & strFileName) Then
Set objFolder = objFSO.GetFolder(strFolder)
Else
Set objFile = objFSO.CreateTextFile(strFolder & strFileName)
Wscript.Echo "Just created " & strFolder & strFileName
End If
' --------------------------------------------------
' Two tiny but vital commands (Try script without)
set objFile = nothing
set objFolder = nothing
' ----------------------------------------------------
' Write the information to the file
Set strFileOpen = objFso.CreateTextFile(strPath, True)
' ----------------------------------------------------------
' WMI Core Section
Set objWMI = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMI.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile =" & strLogType)
'-------------------------------------------------------------------------------------------------
'ConvertWMIDateTime 功能:可轉換 WMI 的日期格式
'Name : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
'Parameters : wmiDateTimeString -> String containing a WMI Date Time String.
'Return : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
'-------------------------------------------------------------------------------------------------
Function ConvertWMIDateTime(wmiDateTimeString)
Dim integerValues, i
'-------------------------------------------------------------------------------------------------
'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
'-------------------------------------------------------------------------------------------------
If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
ConvertWMIDateTime = ""
Exit Function
End If
'-------------------------------------------------------------------------------------------------
'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
'-------------------------------------------------------------------------------------------------
integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
For i = 1 To Len(integerValues)
If Not IsNumeric(Mid(integerValues, i, 1)) Then
ConvertWMIDateTime = ""
Exit Function
End If
Next
'-----------------------------------------------------------------------------------
'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
'-----------------------------------------------------------------------------------
ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2) & "/" & _
Mid(wmiDateTimeString, 7, 2) & "/" & Left(wmiDateTimeString, 4) & " " & _
Mid(wmiDateTimeString, 9, 2) & ":" & _
Mid(wmiDateTimeString, 11, 2) & ":" & _
Mid(wmiDateTimeString, 13, 2))
End Function
'-------------------------------------------------------------------------------------------------
'IsoDateTimeString 可轉換成 ISO 標準格式,用法 IsoDateTimeString(ConvertWMIDateTime)
'Name : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
'-------------------------------------------------------------------------------------------------
Function IsoDateTimeString(dateValue)
IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoDateString -> Generate an ISO date string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoDateString(dateValue)
If IsDate(dateValue) Then
IsoDateString = Right ("000" & Year (dateValue), 4) & "-" & _
Right ( "0" & Month (dateValue), 2) & "-" & _
Right ( "0" & Day (dateValue), 2)
Else
IsoDateString = "0000-00-00"
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoTimeString -> Generate an ISO time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoTimeString(dateValue)
If IsDate(dateValue) Then
IsoTimeString = Right ("0" & Hour (dateValue), 2) & ":" & _
Right ("0" & Minute (dateValue), 2) & ":" & _
Right ("0" & Second (dateValue), 2)
Else
IsoTimeString = "00:00:00"
End If
End Function
'-----------------------------------------------------------------------------------
' Next section loops through ID properties
For Each objItem in colLoggedEvents
If objItem.EventCode = intNumberID Then
If objItem.EventType = intEventType Then
strFileOpen.WriteLine IsoDateTimeString(ConvertWMIDateTime(objItem.TimeWritten)) & " " & "Msg:" & objItem.Message
intRecordNum = intRecordNum +1
End If
End If
Next
此 vb script 設計目地是用來匯出 MDaemon 單一事件的 log,將其匯出的訊息修改成像 linux log 一樣的精簡,方便 linux 系統裡面的 fail2ban 來分析。
簡單的講一下此程式的內容,底下的數值都是可以修改的
‘ 設定匯出 資料夾位置 和 檔名
strComputer = “.”
strFileName = “\pop.txt”
strFolder = “C:\MDlogs”
strPath = strFolder & strFileName
‘ 設定要抓取 事件檢視器裡的 Event ID
intNumberID = 521 ‘ Event ID Number
intEventType = 2
strLogType = “‘Application'”
intRecordNum = 0
另外這次花比較多的時間就是在研究怎樣將 WMI 的日期格式轉換成標準的日期格式,好方便其它程式分析,所幸網路上早有人有寫好的範例了,我不用再重新寫過。
程式碼說明
'-------------------------------------------------------------------------------------------------
'ConvertWMIDateTime 功能:可轉換 WMI 的日期格式
'Name : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
'Parameters : wmiDateTimeString -> String containing a WMI Date Time String.
'Return : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
'-------------------------------------------------------------------------------------------------
Function ConvertWMIDateTime(wmiDateTimeString)
Dim integerValues, i
'-------------------------------------------------------------------------------------------------
'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
'-------------------------------------------------------------------------------------------------
If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
ConvertWMIDateTime = ""
Exit Function
End If
'-------------------------------------------------------------------------------------------------
'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
'-------------------------------------------------------------------------------------------------
integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
For i = 1 To Len(integerValues)
If Not IsNumeric(Mid(integerValues, i, 1)) Then
ConvertWMIDateTime = ""
Exit Function
End If
Next
'-----------------------------------------------------------------------------------
'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
'-----------------------------------------------------------------------------------
ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2) & "/" & _
Mid(wmiDateTimeString, 7, 2) & "/" & Left(wmiDateTimeString, 4) & " " & _
Mid(wmiDateTimeString, 9, 2) & ":" & _
Mid(wmiDateTimeString, 11, 2) & ":" & _
Mid(wmiDateTimeString, 13, 2))
End Function
以上的這段內容,最主要的功能就是將原本的 WMI 日期格式 20110730231040.000000+480
轉換成這樣的格式 2010/4/12 下午 09:39:19 雖然它已經很容易閲讀了,但是 fail2ban 就是不吃這樣的日期格式(因為它的4月份沒有寫成 04 ),所以我們還得有底下的程式碼幫忙
'-------------------------------------------------------------------------------------------------
'IsoDateTimeString 可轉換成 ISO 標準格式,用法 IsoDateTimeString(ConvertWMIDateTime)
'Name : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
'-------------------------------------------------------------------------------------------------
Function IsoDateTimeString(dateValue)
IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoDateString -> Generate an ISO date string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoDateString(dateValue)
If IsDate(dateValue) Then
IsoDateString = Right ("000" & Year (dateValue), 4) & "-" & _
Right ( "0" & Month (dateValue), 2) & "-" & _
Right ( "0" & Day (dateValue), 2)
Else
IsoDateString = "0000-00-00"
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoTimeString -> Generate an ISO time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoTimeString(dateValue)
If IsDate(dateValue) Then
IsoTimeString = Right ("0" & Hour (dateValue), 2) & ":" & _
Right ("0" & Minute (dateValue), 2) & ":" & _
Right ("0" & Second (dateValue), 2)
Else
IsoTimeString = "00:00:00"
End If
End Function
以上的程式碼的功能就是把日期格式轉換成標準的 ISO 日期格式也就是說 ConvertWMIDateTime 運算出來的日期格式,我們還要餵給 IsoDateTimeString 這個功能去運算。
所以最後、最重要的輸出就是這一行
Wscript.Echo IsoDateTimeString(ConvertWMIDateTime(objItem.TimeWritten)) & ” ” & “Msg:” & objItem.Message
objItem.TimeWritten 的日期格式是這樣 20020710113047.000000420
經過 ConvertWMIDateTime 的運算後會是這樣 2002/7/10 上午 11:30:47
再經過 IsoDateTimeString 的運算後會是這樣 2002-07-10 11:30:47
Wscript.Echo 是只在螢幕上顯示,不寫入檔案
strFileOpen.WriteLine 則會寫入指定的檔案
最後,這個程式所吐出來的訊息如下
2011-03-07 23:17:27 Msg:**** ALERT **** 1.15.229.228 gave false logon/password to POP server; user: abc@hot.com.com [EvSecurity]
然後我們要餵給 fail2ban 的 filter 最關鍵的一行就是底下這行了
failregex = Msg:\*\*\*\* ALERT \*\*\*\*
[note]
參考資料: Script to Export Pervious Day Events Logs to CSV(輸出成標準日期格式)、Tech Notes、Converting WMI Dates to a Standard Date-Time Format、ConvertWMIDateTime、Extract Data from windows Event Log、 抓取最後15分的 log、
[/note]
參考程式碼:
Option Explicit
Const ForReading = 1
Const ForWriting = 2
Const ForAppending = 8
Dim objDictionary, objFSO, wshShell, wshNetwork
Dim scriptBaseName, scriptPath, scriptLogPath
Dim ipAddress, macAddress, item, messageType, message
On Error Resume Next
Set objDictionary = NewDictionary
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set wshShell = CreateObject("Wscript.Shell")
Set wshNetwork = CreateObject("Wscript.Network")
scriptBaseName = objFSO.GetBaseName(Wscript.ScriptFullName)
scriptPath = objFSO.GetFile(Wscript.ScriptFullName).ParentFolder.Path
scriptLogPath = scriptPath & "\" & IsoDateString(Now)
If Err.Number <> 0 Then
Wscript.Quit
End If
On Error Goto 0
'----------------------------------------------------------------------------------------------------------------------------
'Main Processing Section
'----------------------------------------------------------------------------------------------------------------------------
On Error Resume Next
PromptScriptStart
ProcessScript
If Err.Number <> 0 Then
MsgBox BuildError("Processing Script"), vbCritical, scriptBaseName
Wscript.Quit
End If
PromptScriptEnd
On Error Goto 0
'----------------------------------------------------------------------------------------------------------------------------
'Functions Processing Section
'----------------------------------------------------------------------------------------------------------------------------
'Name : ProcessScript -> Primary Function that controls all other script processing.
'Parameters : None ->
'Return : None ->
'----------------------------------------------------------------------------------------------------------------------------
Function ProcessScript
Dim hostName, logName, startDateTime, endDateTime
Dim events, eventNumbers, i
hostName = wshNetwork.ComputerName
logName = "Security"
eventNumbers = Array("672")
startDateTime = DateAdd("n", -120, Now)
'-------------------------------------------------------------------------------------------------------------------------
'Query the event log for the eventID's within the specified event log name and date range.
'-------------------------------------------------------------------------------------------------------------------------
If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
Exit Function
End If
'-------------------------------------------------------------------------------------------------------------------------
'Log the scripts results to the scripts
'-------------------------------------------------------------------------------------------------------------------------
For i = 0 To UBound(events)
LogMessage events(i)
Next
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : QueryEventLog -> Primary Function that controls all other script processing.
'Parameters : results -> Input/Output : Variable assigned to an array of results from querying the event log.
' : hostName -> String containing the hostName of the system to query the event log on.
' : logName -> String containing the name of the Event Log to query on the system.
' : eventNumbers -> Array containing the EventID's (eventCode) to search for within the event log.
' : startDateTime -> Date\Time containing the date to finish searching at.
' : minutes -> Integer containing the number of minutes to subtract from the startDate to begin the search.
'Return : QueryEventLog -> Returns True if the event log was successfully queried otherwise returns False.
'----------------------------------------------------------------------------------------------------------------------------
Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
Dim wmiDateTime, wmi, query, eventItems, eventItem
Dim timeWritten, eventDate, eventTime, description
Dim eventsDict, eventInfo, errorCount, i
QueryEventLog = False
errorCount = 0
If Not IsArray(eventNumbers) Then
eventNumbers = Array(eventNumbers)
End If
'-------------------------------------------------------------------------------------------------------------------------
'Construct part of the WMI Query to account for searching multiple eventID's
'-------------------------------------------------------------------------------------------------------------------------
query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
For i = 0 To UBound(eventNumbers)
query = query & SQ(eventNumbers(i)) & " Or EventCode = "
Next
On Error Resume Next
Set eventsDict = NewDictionary
If Err.Number <> 0 Then
LogError "Creating Dictionary Object"
Exit Function
End If
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
If Err.Number <> 0 Then
LogError "Creating WMI Object to connect to " & DQ(hostName)
Exit Function
End If
'----------------------------------------------------------------------------------------------------------------------
'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
'----------------------------------------------------------------------------------------------------------------------
Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
If Err.Number <> 0 Then
LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
Exit Function
End If
'----------------------------------------------------------------------------------------------------------------------
'Build the WQL query and execute it.
'----------------------------------------------------------------------------------------------------------------------
wmiDateTime.SetVarDate startDateTime, True
query = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
Set eventItems = wmi.ExecQuery(query)
If Err.Number <> 0 Then
LogError "Executing WMI Query " & DQ(query)
Exit Function
End If
'----------------------------------------------------------------------------------------------------------------------
'Convert the property values of Each event found to a comma seperated string and add it to the dictionary.
'----------------------------------------------------------------------------------------------------------------------
For Each eventItem In eventItems
Do
timeWritten = ""
eventDate = ""
eventTime = ""
eventInfo = ""
timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
eventDate = FormatDateTime(timeWritten, vbShortDate)
eventTime = FormatDateTime(timeWritten, vbLongTime)
eventInfo = eventDate & ","
eventInfo = eventInfo & eventTime & ","
eventInfo = eventInfo & eventItem.SourceName & ","
eventInfo = eventInfo & eventItem.Type & ","
eventInfo = eventInfo & eventItem.Category & ","
eventInfo = eventInfo & eventItem.EventCode & ","
eventInfo = eventInfo & eventItem.User & ","
eventInfo = eventInfo & eventItem.ComputerName & ","
description = eventItem.Message
'------------------------------------------------------------------------------------------------------------------------
'Ensure the event description is not blank.
'------------------------------------------------------------------------------------------------------------------------
If IsNull(description) Then
description = "The event description cannot be found."
End If
description = Replace(description, vbCrLf, " ")
eventInfo = eventInfo & description
'------------------------------------------------------------------------------------------------------------------------
'Check if any errors occurred enumerating the event Information
'------------------------------------------------------------------------------------------------------------------------
If Err.Number <> 0 Then
LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
errorCount = errorCount + 1
Err.Clear
Exit Do
End If
'------------------------------------------------------------------------------------------------------------------------
'Remove all Tabs and spaces.
'------------------------------------------------------------------------------------------------------------------------
eventInfo = Trim(Replace(eventInfo, vbTab, " "))
Do While InStr(1, eventInfo, " ", vbTextCompare) <> 0
eventInfo = Replace(eventInfo, " ", " ")
Loop
'------------------------------------------------------------------------------------------------------------------------
'Add the Event Information to the Dictionary object if it doesn't exist.
'------------------------------------------------------------------------------------------------------------------------
If Not eventsDict.Exists(eventInfo) Then
eventsDict(eventsDict.Count) = eventInfo
End If
Loop Until True
Next
On Error Goto 0
If errorCount <> 0 Then
Exit Function
End If
results = eventsDict.Items
QueryEventLog = True
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
'Parameters : wmiDateTimeString -> String containing a WMI Date Time String.
'Return : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
'----------------------------------------------------------------------------------------------------------------------------
Function ConvertWMIDateTime(wmiDateTimeString)
Dim integerValues, i
'-------------------------------------------------------------------------------------------------------------------------
'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
'-------------------------------------------------------------------------------------------------------------------------
If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
ConvertWMIDateTime = ""
Exit Function
End If
'-------------------------------------------------------------------------------------------------------------------------
'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
'-------------------------------------------------------------------------------------------------------------------------
integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
For i = 1 To Len(integerValues)
If Not IsNumeric(Mid(integerValues, i, 1)) Then
ConvertWMIDateTime = ""
Exit Function
End If
Next
'-------------------------------------------------------------------------------------------------------------------------
'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
'-------------------------------------------------------------------------------------------------------------------------
ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2) & "/" & _
Mid(wmiDateTimeString, 7, 2) & "/" & Left(wmiDateTimeString, 4) & " " & _
Mid(wmiDateTimeString, 9, 2) & ":" & _
Mid(wmiDateTimeString, 11, 2) & ":" & _
Mid(wmiDateTimeString, 13, 2))
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : NewDictionary -> Creates a new dictionary object.
'Parameters : None ->
'Return : NewDictionary -> Returns a dictionary object.
'----------------------------------------------------------------------------------------------------------------------------
Function NewDictionary
Dim dict
Set dict = CreateObject("scripting.Dictionary")
dict.CompareMode = vbTextCompare
Set NewDictionary = dict
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : SQ -> Places single quotes around a string
'Parameters : stringValue -> String containing the value to place single quotes around
'Return : SQ -> Returns a single quoted string
'----------------------------------------------------------------------------------------------------------------------------
Function SQ(ByVal stringValue)
If VarType(stringValue) = vbString Then
SQ = "'" & stringValue & "'"
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : DQ -> Place double quotes around a string and replace double quotes
' : -> within the string with pairs of double quotes.
'Parameters : stringValue -> String value to be double quoted
'Return : DQ -> Double quoted string.
'----------------------------------------------------------------------------------------------------------------------------
Function DQ (ByVal stringValue)
If stringValue <> "" Then
DQ = """" & Replace (stringValue, """", """""") & """"
Else
DQ = """"""
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoDateTimeString(dateValue)
IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoDateString -> Generate an ISO date string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoDateString(dateValue)
If IsDate(dateValue) Then
IsoDateString = Right ("000" & Year (dateValue), 4) & "-" & _
Right ( "0" & Month (dateValue), 2) & "-" & _
Right ( "0" & Day (dateValue), 2)
Else
IsoDateString = "0000-00-00"
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoTimeString -> Generate an ISO time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoTimeString(dateValue)
If IsDate(dateValue) Then
IsoTimeString = Right ("0" & Hour (dateValue), 2) & ":" & _
Right ("0" & Minute (dateValue), 2) & ":" & _
Right ("0" & Second (dateValue), 2)
Else
IsoTimeString = "00:00:00"
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : LogMessage -> Writes a message to a log file.
'Parameters : logPath -> String containing the full folder path and file name of the Log file without with file extension.
' : message -> String containing the message to include in the log message.
'Return : None ->
'----------------------------------------------------------------------------------------------------------------------------
Function LogMessage(message)
If Not LogToCentralFile(scriptLogPath & ".log", IsoDateTimeString(Now) & "," & message) Then
Exit Function
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : LogError -> Writes an error message to a log file.
'Parameters : logPath -> String containing the full folder path and file name of the Log file without with file extension.
' : message -> String containing a description of the event that caused the error to occur.
'Return : None ->
'----------------------------------------------------------------------------------------------------------------------------
Function LogError(message)
If Not LogToCentralFile(scriptLogPath & ".err", IsoDateTimeString(Now) & "," & BuildError(message)) Then
Exit Function
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : BuildError -> Builds a string of information relating to the error object.
'Parameters: message -> String containnig the message that relates to the process that caused the error.
'Return : BuildError -> Returns a string relating to error object.
'----------------------------------------------------------------------------------------------------------------------------
Function BuildError(message)
BuildError = "Error " & Err.Number & " (Hex " & Hex(Err.Number) & ") " & message & ". " & Err.Description
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : LogToCentralFile -> Attempts to Appends information to a central file.
'Parameters : logSpec -> Folder path, file name and extension of the central log file to append to.
' : message -> String to include in the central log file
'Return : LogToCentralFile -> Returns True if Successfull otherwise False.
'----------------------------------------------------------------------------------------------------------------------------
Function LogToCentralFile(logSpec, message)
Dim attempts, objLogFile
LogToCentralFile = False
'-------------------------------------------------------------------------------------------------------------------------
'Attempt to append to the central log file up to 10 times, as it may be locked by some other system.
'-------------------------------------------------------------------------------------------------------------------------
attempts = 0
Do
On Error Resume Next
Set objLogFile = objFSO.OpenTextFile(logSpec, ForAppending, True)
If Err.Number = 0 Then
objLogFile.WriteLine message
objLogFile.Close
LogToCentralFile = True
Exit Function
End If
On Error Goto 0
Randomize
Wscript.sleep 1000 + Rnd * 100
attempts = attempts + 1
Loop Until attempts >= 10
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : PromptScriptStart -> Prompt when script starts.
'Parameters : None
'Return : None
'----------------------------------------------------------------------------------------------------------------------------
Function PromptScriptStart
MsgBox "Now processing the " & DQ(Wscript.ScriptName) & " script.", vbInformation, scriptBaseName
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : PromptScriptEnd -> Prompt when script has completed.
'Parameters : None
'Return : None
'----------------------------------------------------------------------------------------------------------------------------
Function PromptScriptEnd
MsgBox "The " & DQ(Wscript.ScriptName) & " script has completed successfully.", vbInformation, scriptBaseName
End Function
'----------------------------------------------------------------------------------------------------------------------------
strComputer = "."
Set wbemServices = Getobject("winmgmts:\\" & strComputer)
Set wbemObjectSet = wbemServices.InstancesOf("Win32_NTLogEvent")
' ----------------------------------------------------------
'Name : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
'Parameters : wmiDateTimeString -> String containing a WMI Date Time String.
'Return : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
'-------------------------------------------------------------------------------------------------
Function ConvertWMIDateTime(wmiDateTimeString)
Dim integerValues, i
'-------------------------------------------------------------------------------------------------
'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
'-------------------------------------------------------------------------------------------------
If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
ConvertWMIDateTime = ""
Exit Function
End If
'-------------------------------------------------------------------------------------------------
'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
'-------------------------------------------------------------------------------------------------
integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
For i = 1 To Len(integerValues)
If Not IsNumeric(Mid(integerValues, i, 1)) Then
ConvertWMIDateTime = ""
Exit Function
End If
Next
'-----------------------------------------------------------------------------------
'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
'-----------------------------------------------------------------------------------
ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2) & "/" & _
Mid(wmiDateTimeString, 7, 2) & "/" & Left(wmiDateTimeString, 4) & " " & _
Mid(wmiDateTimeString, 9, 2) & ":" & _
Mid(wmiDateTimeString, 11, 2) & ":" & _
Mid(wmiDateTimeString, 13, 2))
End Function
'Name : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoDateTimeString(dateValue)
IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoDateString -> Generate an ISO date string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoDateString(dateValue)
If IsDate(dateValue) Then
IsoDateString = Right ("000" & Year (dateValue), 4) & "-" & _
Right ( "0" & Month (dateValue), 2) & "-" & _
Right ( "0" & Day (dateValue), 2)
Else
IsoDateString = "0000-00-00"
End If
End Function
'----------------------------------------------------------------------------------------------------------------------------
'Name : IsoTimeString -> Generate an ISO time string from a date/time value.
'Parameters : dateValue -> Input date/time value.
'Return : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
'----------------------------------------------------------------------------------------------------------------------------
Function IsoTimeString(dateValue)
If IsDate(dateValue) Then
IsoTimeString = Right ("0" & Hour (dateValue), 2) & ":" & _
Right ("0" & Minute (dateValue), 2) & ":" & _
Right ("0" & Second (dateValue), 2)
Else
IsoTimeString = "00:00:00"
End If
End Function
'-----------------------------------------------------------------------------------
For Each wbemObject In wbemObjectSet
WScript.Echo "Log File: " & wbemObject.LogFile & vbCrLf & _
"Record Number: " & wbemObject.RecordNumber & vbCrLf & _
"Type: " & wbemObject.Type & vbCrLf & _
"Time Generated: " & IsoDateTimeString(ConvertWMIDateTime(wbemObject.TimeGenerated)) & vbCrLf & _
"Source: " & wbemObject.SourceName & vbCrLf & _
"Category: " & wbemObject.Category & vbCrLf & _
"Category String: " & wbemObject.CategoryString & vbCrLf & _
"Event: " & wbemObject.EventCode & vbCrLf & _
"User: " & wbemObject.User & vbCrLf & _
"Computer: " & wbemObject.ComputerName & vbCrLf & _
"Message: " & wbemObject.Message & vbCrLf
Next
↑匯出事件檢視器裡所有的內容,並轉換日期格式為 ISO 標準格式