How Can I Monitor the Event Logs for the Occurrence of a Specific Event?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?

-- JP

Hey, Scripting Guy! Answer

Hey, JP. Why, you use an event log monitoring script, of course. (Yes, it’s hard to believe, but they really do pay us to come up with brilliant answers like that.)

OK, maybe we should be a little more specific: you use an event log monitoring script similar to this one:

strComputer = "."

Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '0' ")

Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    Wscript.Echo
Loop

We won’t spend any time in this column discussing the ins and outs of monitoring WMI events; if you’d like more information about event monitoring you might want to view our Scripting Week 2 webcast on the subject. Instead, we’ll just mention that what we’re going to do is create a script that “subscribes” to a WMI event log event. Each time an event with a specific EventCode (in this case 0) is written to one of the event logs, our script will be notified and will report back values for the User, TimeWritten, and Message properties. The script will then slip back into suspended animation and patiently wait for the next event 0 to occur.

By the way, we chose event 0 because that’s the event code for Windows Script Host events. That means you can use a script like this one to write an event 0 to the Application log and thus test your monitoring script to ensure that it works:

Const EVENT_SUCCESS = 0

Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, "Event written to an event log using a script."

As for the monitoring script, we begin by connecting to the WMI service. You might notice that when connecting to the WMI service we include the {(Security)} parameter. This allows us to subscribe to events written to all the event logs, including the Security log. Without this parameter we would receive events written from all the event logs except Security.

Next we use the ExecNotificationQuery method to register for event log events. Our query itself looks like this:

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '0' ")

What we’re saying here is this: Show us all new instances of the __InstanceCreationEvent class, provided that the new instance happens to be a new entry in one of the event logs (Win32_NTLogEvent) and that entry has an EventCode of 0. If we wanted to monitor for different events (say, an event with the EventCode 528) all we’d have to do is modify our query accordingly:

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
            & "and TargetInstance.EventCode = '528' ")

After that we set up a Do Loop with no exit condition (e.g., no Do Until x = 1 kind of thing). This allows us to monitor events forever and ever: the script will continue to monitor until we reboot the computer or terminate the process under which the script runs. (Incidentally, you should run this script in a command window under CScript. If you run it under WScript, you’ll have to click a bunch of message boxes any time an event 0 is written to the event log.)

We then use this line of code to tell the script to sit there and wait for the next event to occur:

Set objLatestEvent = colMonitoredEvents.NextEvent

When a new event 0 is written to one of the event logs an exact copy of that event will be made available to our script; this replica object is known as the TargetInstance. At that point all we do is echo a few property values of this TargetInstance and then loop around and wait for the next event.
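The same subscription written in Windows PowerShell, as an added example that is not part of the original column: it registers the column's WQL query, writes a test event 0 the same way the column's test script does, then waits for matching entries with a time limit and cleans up the subscription instead of looping forever. It assumes Windows PowerShell 5.1 on the local machine and, as written, watches only the Application log, so the {(Security)} privilege the column's moniker enables is not needed.

```powershell
# Added example, not the column's own script: the same WMI subscription from
# Windows PowerShell, with a deadline and cleanup instead of an endless Do loop.
$EventCode = 0      # 0 = Windows Script Host events, as in the column; 528 etc. work the same way
$Query = "SELECT * FROM __InstanceCreationEvent WHERE " +
         "TargetInstance ISA 'Win32_NTLogEvent' AND " +
         "TargetInstance.Logfile = 'Application' AND " +
         "TargetInstance.EventCode = $EventCode"

# Equivalent of objWMIService.ExecNotificationQuery: register for the events
Register-WmiEvent -Query $Query -SourceIdentifier 'NTLogWatch' | Out-Null
try {
    # Fire a test event the same way the column does, so the watch has something to catch
    (New-Object -ComObject WScript.Shell).LogEvent(0, 'Test event from the monitoring example.') | Out-Null

    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-Date) -lt $deadline) {
        # Equivalent of colMonitoredEvents.NextEvent, but gives up after 10 seconds
        $ev = Wait-Event -SourceIdentifier 'NTLogWatch' -Timeout 10
        if (-not $ev) { continue }

        # The replica of the new log entry: the column's TargetInstance
        $entry = $ev.SourceEventArgs.NewEvent.TargetInstance
        # TimeWritten arrives as a DMTF datetime string (yyyymmddHHMMSS.ffffff+zzz); convert it
        $when = [Management.ManagementDateTimeConverter]::ToDateTime($entry.TimeWritten)
        '{0:u}  log={1}  id={2}  user={3}' -f $when, $entry.Logfile, $entry.EventCode, $entry.User
        $entry.Message

        # Consume the event, otherwise Wait-Event hands back the same one again
        Remove-Event -EventIdentifier $ev.EventIdentifier
    }
}
finally {
    # Always drop the subscription, even if the loop is interrupted with Ctrl+C
    Unregister-Event -SourceIdentifier 'NTLogWatch'
}
```

Run it from an elevated console; to watch a different log or event, change the Logfile value and $EventCode in the query.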

In other words, to monitor the event logs for the occurrence of a specific event just use an event monitoring script. (If only we’d said that in the first place….)

  • Here is a fixed copy of the sample script.

    strComputer = "."

    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
           strComputer & "\root\cimv2")

    Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
       ("Select * from __InstanceCreationEvent Where " _
           & "TargetInstance ISA 'Win32_NTLogEvent' " _
               & "and TargetInstance.EventCode=0")

    Do While True
       Set objLatestEvent = colMonitoredEvents.NextEvent()
       Wscript.Echo objLatestEvent.TargetInstance.User
       Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
       Wscript.Echo objLatestEvent.TargetInstance.Message
       Wscript.Echo
    Loop
