dcsimg

Automating Event Log Monitoring

By ServerWatch Staff (Send Email)
Posted Dec 4, 2000


by Marcin Policht Scripted solution for monitoring NT Event Logs...

One of the more important, but at the same rate (let's be honest) extremely boring administrative tasks is monitoring system, application, and security related events registered in Event Logs throughout multiple NT servers. There are several really powerful products which automate this process, but they all come with a hefty price tag. In case you need simply to keep track of particular events (based on Event ID or some other unique feature) here is a free solution. The script below allows for pulling events from any of the three Windows NT event logs into an Excel spreadsheet. 

You will need to first download a STMAdmin.dll (a COM component allowing for Event Log access from a scripting environment) from http://cwashington.netreach.net/main_site/downloads/default.asp?topic=n-z (a great scripting site, by the way). Once you downloaded it, place it in the system32 folder on the workstation which you intend to use to collect the log information from your server. Finally, register it by running 
regsvr32.exe STMAdmin.dll.
from the command prompt.
Once the registration is successfully completed, you can execute the script below - keep in mind that you need to have Excel installed on the workstation as well. 

You can modify it using other methods exposed by STMAdmin to further automate processing of the event logs.

The script might have problems with large volumes of events, so I provided an initial notification, just in case number of events in the log exceeds 65000. The script searches the Security Log for event 644 (which indicates an account lockout) on the server called MyServer. 

Dim CRLF
CRLF = Chr(13) & Chr(10)

Dim Server 
'****************** Provide your server name in the next line ******************
Server = "MyServerName" 

Dim EventLog
Set EventLog = CreateObject("STMAdmin.EventLog") 
EventLog.Open "Security", MyServer

L_Welcome_MsgBox_Message_Text = "This script places Lockout Events from MyServer in an Excel spreadsheet. Cancel if number of records exceeds 65000"
L_Welcome_MsgBox_Message_Text = L_Welcome_MsgBox_Message_Text & CRLF & " Current Number of Records: " & EventLog.NoRecords
L_Welcome_MsgBox_Title_Text = "Security Log Processing"

Call Welcome()

If EventLog.NoRecords > 65535 then
WScript.Quit
End If

Dim objXL
Set objXL = WScript.CreateObject("Excel.Application")

objXL.Visible = TRUE

objXL.WorkBooks.Add

objXL.Columns(1).ColumnWidth = 20
objXL.Columns(2).ColumnWidth = 15

Dim rIndex, incr
rIndex = 1
incr = 1

Dim cIndex
For Each rec In EventLog.Records(8)
Dim strIndex, SPos
cIndex = 1
If rec.EventID = "644" then
objXL.Rows(rIndex).RowHeight = 12
strIndex = 1
For Each str In rec.Strings
If strIndex = 1 or strIndex = 2 then
objXL.Cells(rIndex, cIndex).Value = str
cIndex = cIndex + 1
End If
strIndex = strIndex + 1
Next
rIndex = rIndex + incr
incr = 1
End If 
Next

EventLog.Close() 

Sub Welcome()
Dim intDoIt

intDoIt = MsgBox(L_Welcome_MsgBox_Message_Text, _
vbOKCancel + vbInformation, _
L_Welcome_MsgBox_Title_Text )
If intDoIt = vbCancel Then
WScript.Quit
End If
End Sub

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.