Automating Event Log Monitoring
Download the authoritative guide: Data Center Guide: Optimizing Your Data Center Strategy
Download the authoritative guide: Cloud Computing: Using the Cloud for Competitive Advantageby Marcin Policht Scripted solution for monitoring NT Event Logs...
One of the more important, but at the same rate (let's be honest) extremely boring administrative tasks is monitoring system,
application, and security related events registered in Event Logs throughout multiple NT servers. There are several really powerful products which automate this process, but they all come with a hefty price tag. In case you need simply to keep track of
particular events (based on Event ID or some other unique feature) here is a free solution. The script below allows for pulling events from any of the three Windows NT event logs into an Excel
You will need to first download a STMAdmin.dll (a COM component allowing for Event Log access from a scripting environment) from http://cwashington.netreach.net/main_site/downloads/default.asp?topic=n-z (a great scripting site, by the way). Once you downloaded it, place it in the system32 folder on the workstation which you intend to use to collect the log information from your server. Finally, register it by running
from the command prompt.
Once the registration is successfully completed, you can execute the script below - keep in mind that you need to have Excel installed on the workstation as well.
You can modify it using other methods exposed by STMAdmin to further automate processing of the event logs.
The script might have problems with large volumes of events, so I provided an initial notification, just in case number of events in the log exceeds 65000. The script searches the Security Log for event 644 (which indicates an account lockout) on the server called MyServer.
CRLF = Chr(13) & Chr(10)
'****************** Provide your server name in the next line ******************
Server = "MyServerName"
Set EventLog = CreateObject("STMAdmin.EventLog")
EventLog.Open "Security", MyServer
L_Welcome_MsgBox_Message_Text = "This script places Lockout Events from MyServer in an Excel spreadsheet. Cancel if number of records exceeds 65000"
L_Welcome_MsgBox_Message_Text = L_Welcome_MsgBox_Message_Text & CRLF & " Current Number of Records: " & EventLog.NoRecords
L_Welcome_MsgBox_Title_Text = "Security Log Processing"
If EventLog.NoRecords > 65535 then
Set objXL = WScript.CreateObject("Excel.Application")
objXL.Visible = TRUE
objXL.Columns(1).ColumnWidth = 20
objXL.Columns(2).ColumnWidth = 15
Dim rIndex, incr
rIndex = 1
incr = 1
For Each rec In EventLog.Records(8)
Dim strIndex, SPos
cIndex = 1
If rec.EventID = "644" then
objXL.Rows(rIndex).RowHeight = 12
strIndex = 1
For Each str In rec.Strings
If strIndex = 1 or strIndex = 2 then
objXL.Cells(rIndex, cIndex).Value = str
cIndex = cIndex + 1
strIndex = strIndex + 1
rIndex = rIndex + incr
incr = 1
intDoIt = MsgBox(L_Welcome_MsgBox_Message_Text, _
vbOKCancel + vbInformation, _
If intDoIt = vbCancel Then
IT Solutions Builder TOP IT RESOURCES TO MOVE YOUR BUSINESS FORWARD
Which topic are you interested in?
What is your company size?
What is your job title?
What is your job function?
Searching our resource database to find your matches...