WQL statement to check an application's event log

Problem description:

I want to analyze the event log of a particular Windows application (Windows 7 Enterprise, 64-bit).

I need one specific event that was logged a few seconds ago.

This is my VBScript code, which produces completely wrong results (wrong number of events):

strComputer = "." ' this computer

' Retrieving Specific Events from an Event Log

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\" & strComputer & "\root\cimv2")

Const CONVERT_TO_LOCAL_TIME = True

Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

' window: the last 10 seconds, as DMTF datetime strings
dtmStartDate.SetVarDate dateadd("s", -10, now()) ' CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now() ' CONVERT_TO_LOCAL_TIME

dim var_wql

var_wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '< ... >' AND SourceName = '< ... >' AND EventCode = '< ... >' AND (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"

Set colLoggedEvents = objWMIService.ExecQuery(var_wql)

...

...

The number of rows (anzahl = colLoggedEvents.count) must be 0 or 1; anything else is impossible.

What is wrong with the WQL statement? I want to check the last few seconds (counting back from now).

Thanks.

Tommy

Syntax error. If I change the objWMIService line to this, it works for me.

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & strComputer & "\root\cimv2") 

Updated to fetch all events logged in the last 10 seconds and write them to a log file.

On Error Resume Next

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\.\root\cimv2")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
strSystemDrive = WshShell.ExpandEnvironmentStrings("%SystemDrive%")
Const CONVERT_TO_LOCAL_TIME = True
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
' Window: the last 10 seconds, as DMTF datetime strings
dtmStartDate.SetVarDate dateadd("s", -10, now()) ' CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate now()       ' CONVERT_TO_LOCAL_TIME
var_wql = "SELECT * FROM Win32_NTLogEvent WHERE (TimeWritten >= '" & dtmStartDate & "') AND (TimeWritten < '" & dtmEndDate & "')"
Set LogFile = objFSO.CreateTextFile(strSystemDrive & "\Temp\EvtLog.txt", True)

Set colLoggedEvents = objWMIService.ExecQuery(var_wql)
For Each objEvent in colLoggedEvents
    ' Reset the accumulators for every event; otherwise the Data and
    ' InsertionStrings of earlier events are repeated on later ones.
    strData = ""
    strInsert = ""

    LogFile.WriteLine "Computer Name : " & objEvent.ComputerName
    LogFile.WriteLine "Logfile   : " & objEvent.Logfile
    LogFile.WriteLine "Type    : " & objEvent.Type
    LogFile.WriteLine "User    : " & objEvent.User
    LogFile.WriteLine "Category   : " & objEvent.Category
    LogFile.WriteLine "Category String : " & objEvent.CategoryString

    ' Data is a uint8 array when present, otherwise Null
    If IsArray(objEvent.Data) Then
        For i = 0 To UBound(objEvent.Data)
            strData = strData & objEvent.Data(i) & ","
        Next
        LogFile.WriteLine "Data    : " & strData
    Else
        LogFile.WriteLine "Data    : " & objEvent.Data
    End If

    LogFile.WriteLine "Event Code  : " & objEvent.EventCode
    LogFile.WriteLine "Event Identifier : " & objEvent.EventIdentifier
    LogFile.WriteLine "Message   : " & objEvent.Message
    LogFile.WriteLine "Record Number : " & objEvent.RecordNumber
    LogFile.WriteLine "Source Name  : " & objEvent.SourceName
    LogFile.WriteLine "Time Generated : " & objEvent.TimeGenerated
    LogFile.WriteLine "Time Written  : " & objEvent.TimeWritten

    ' InsertionStrings is a string array when present, otherwise Null
    If IsArray(objEvent.InsertionStrings) Then
        For i = 0 To UBound(objEvent.InsertionStrings)
            strInsert = strInsert & objEvent.InsertionStrings(i) & ","
        Next
        LogFile.WriteLine "Insertion Strings: " & strInsert
    Else
        LogFile.WriteLine "Insertion Strings: " & objEvent.InsertionStrings
    End If

    LogFile.WriteLine "----------------------------------------------------------------------------------------------------------"
Next

LogFile.Close

Sample output (not all fields are populated for every event):

---------------------------------------------------------------------------------------------------------- 
Computer Name : Randy-PC 
Logfile   : Application 
Type    : Information 
User    : 
Category   : 0 
Category String : 
Data    : 
Event Code  : 9019 
Event Identifier : 1073750843 
Message   : The Desktop Window Manager was unable to start because the desktop composition setting is disabled 
Record Number : 37395 
Source Name  : Desktop Window Manager 
Time Generated : 20160903031728.000000-000 
Time Written  : 20160903031728.000000-000 
Insertion Strings: 
----------------------------------------------------------------------------------------------------------
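As an added example, not code from the question or from the answer above: the same "last N seconds" query against Win32_NTLogEvent written in PowerShell. It builds the DMTF timestamps with the .NET ManagementDateTimeConverter, reads the clock once so both bounds describe a single window, escapes backslashes and single quotes in the string literals (WQL uses the backslash as its escape character), and compares EventCode as a number because the property is a uint16. The function and parameter names are my choices, the filter values are taken from the sample output above, and it assumes Windows PowerShell 3 or later on a host whose log the caller is allowed to read.

```powershell
# Added example (not from the original question or answer). Assumes
# Windows PowerShell 3+ (Get-CimInstance) on a host whose logs the caller may read.

function ConvertTo-WqlLiteral {
    # WQL string literals are single-quoted and use the backslash as the
    # escape character, so backslashes and single quotes in a value must be
    # escaped before the value is pasted into the query text.
    param([Parameter(Mandatory = $true)][string]$Value)
    return $Value.Replace('\', '\\').Replace("'", "\'")
}

function Get-RecentNtLogEvent {
    [CmdletBinding()]
    param(
        [int]$Seconds = 10,
        [string]$Logfile = 'Application',
        [string]$SourceName,
        [int]$EventCode,
        [string]$ComputerName
    )
    # Read the clock once so the lower and upper bound describe one window.
    $now   = Get-Date
    $start = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($now.AddSeconds(-$Seconds))
    $end   = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($now)

    # TimeWritten is a CIM_DATETIME, so WMI compares the DMTF strings
    # (including their UTC offset) as timestamps, not as plain text.
    $clauses = @(
        "Logfile = '$(ConvertTo-WqlLiteral $Logfile)'",
        "TimeWritten >= '$start'",
        "TimeWritten < '$end'"
    )
    if ($SourceName) {
        $clauses += "SourceName = '$(ConvertTo-WqlLiteral $SourceName)'"
    }
    if ($PSBoundParameters.ContainsKey('EventCode')) {
        # EventCode is a uint16 in the class: compare it as a number, not a quoted string.
        $clauses += "EventCode = $EventCode"
    }
    $wql = 'SELECT * FROM Win32_NTLogEvent WHERE ' + ($clauses -join ' AND ')
    Write-Verbose $wql

    # Get-CimInstance replaces the deprecated Get-WmiObject; -Query takes WQL directly.
    $cimArgs = @{ Namespace = 'root\cimv2'; Query = $wql }
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
    Get-CimInstance @cimArgs
}

# Usage: the filter values are the ones visible in the sample output above.
$events = @(Get-RecentNtLogEvent -Seconds 10 -Logfile 'Application' `
              -SourceName 'Desktop Window Manager' -EventCode 9019 -Verbose)
"Matched $($events.Count) event(s) in the last 10 seconds"
$events | Select-Object RecordNumber, TimeWritten, SourceName, EventCode, Message | Format-List
```

With -Verbose the function prints the exact WQL it sends, which is the first thing to check when the count looks wrong: the two DMTF bounds should be ten seconds apart and carry your local UTC offset. Get-CimInstance hands back TimeWritten as a DateTime rather than the raw yyyymmddHHMMSS.mmmmmmsUUU string, and the Security log still requires an elevated session regardless of how the query is written.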