写入到自定义事件日志
描述
使用 EventCreate.exe 实用程序将事件写入到名为 Scripts 的自定义事件日志。需要 Windows XP 或 Windows Server 2003。
脚本代码
' Writes a test event to the custom "Scripts" event log by shelling out to
' eventcreate.exe (available on Windows XP / Server 2003, per the description).
' The description text is wrapped in double quotes so eventcreate receives
' it as a single argument.
Dim objShell, strDescription, strCmdLine

Set objShell = WScript.CreateObject("WScript.Shell")

strDescription = Chr(34) & "Test event." & Chr(34)
strCmdLine = "eventcreate /T Error /ID 100 /L Scripts /D " & strDescription

' Run does not wait for the command and its exit code is not inspected here.
objShell.Run strCmdLine
将事件写入到本地事件日志
描述
将事件写入到本地计算机上的应用程序事件日志。
脚本代码
' Writes an informational entry (LogEvent type 0 = SUCCESS) to the local
' computer's Application event log through WshShell.LogEvent.
Const EVENT_SUCCESS = 0

Dim objWshShell, strMessage

strMessage = "Payroll application successfully installed."

Set objWshShell = Wscript.CreateObject("Wscript.Shell")
' LogEvent reports success/failure as a Boolean; it is not checked here.
objWshShell.LogEvent EVENT_SUCCESS, strMessage
将事件写入到远程事件日志
描述
将事件写入到名为 PrimaryServer 的远程计算机上的应用程序事件日志。
脚本代码
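' Writes an informational entry (LogEvent type 0 = SUCCESS) to the
' Application event log of the remote computer PrimaryServer.
' The third LogEvent argument is the target computer as a UNC-style string.
' The page showed it unquoted ("//PrimaryServer"), which is not valid
' VBScript; it is restored here as the quoted literal "\\PrimaryServer".
Const EVENT_SUCCESS = 0
Const REMOTE_COMPUTER = "\\PrimaryServer"

Set objShell = Wscript.CreateObject("Wscript.Shell")

' Writing to a remote log needs rights on that machine. LogEvent returns
' False on failure instead of raising, so the result is reported explicitly.
blnLogged = objShell.LogEvent(EVENT_SUCCESS, _
    "Payroll application successfully installed.", REMOTE_COMPUTER)
If Not blnLogged Then
    Wscript.Echo "The event could not be written to " & REMOTE_COMPUTER
End If
创建事件日志备份的唯一文件名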
描述
备份和清除应用程序事件日志,基于当前的日期为每个备份生成一个唯一的文件名。
脚本代码
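' Backs up the Application event log to a file named after today's date
' (YYYY_M_D_application.evt; month and day are not zero-padded) and clears
' the log only after the backup reports success. The Backup privilege is
' requested in the WMI moniker.
' Clearing without a confirmed backup destroys the only copy of the records,
' so the return value of BackupEventLog is checked before ClearEventLog.
' NOTE(review): paths on this page appear with forward slashes; the original
' scripts use backslashes (c:\scripts\...).
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!//" & _
    strComputer & "/root/cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")

For Each objLogfile In colLogFiles
    ' BackupEventLog returns 0 on success; any other value means no backup
    ' file was written (for example the folder is missing or a file of the
    ' same name already exists).
    errBackupLog = objLogFile.BackupEventLog("c:/scripts/" & strBackupName & _
        "_application.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Application event log could not be backed up."
    Else
        objLogFile.ClearEventLog()
    End If
Next
系统事件日志属性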
描述
报告当前记录在系统事件日志中的事件的数目。
脚本代码
' Prints the number of records currently held in the System event log,
' taken from the NumberOfRecords property of Win32_NTEventLogFile.
Dim strComputer, objWMIService, strQuery, colLogFiles, objLogFile

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")

' One instance per matching log file; normally a single row for 'System'.
strQuery = "Select * from Win32_NTEventLogFile where LogFileName='System'"
Set colLogFiles = objWMIService.ExecQuery(strQuery)

For Each objLogFile In colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next
安全日志属性
描述
检索安全日志的属性。
脚本代码
' Prints the record count and configured maximum size of the Security
' event log. Reading the Security log needs the Security privilege, which
' the moniker requests.
Dim strComputer, objWMIService, strQuery, colLogFiles, objLogFile

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!//" & _
    strComputer & "/root/cimv2")

strQuery = "Select * from Win32_NTEventLogFile where LogFileName='Security'"
Set colLogFiles = objWMIService.ExecQuery(strQuery)

For Each objLogFile In colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
Next
从事件日志中检索某一天发生的事件
描述
从所有的事件日志中检索在某个特定的日期发生的所有事件。
脚本代码
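' Lists every event, from all event logs, written on one calendar day.
' WQL compares TimeWritten against CIM DATETIME strings, so the VBScript
' date is converted with SWbemDateTime.SetVarDate; the end bound is the
' start of the following day (exclusive).
Const CONVERT_TO_LOCAL_TIME = True

Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

' 18 February 2002. DateSerial(year, month, day) is locale-independent;
' the original CDate("2/18/2002") depends on the regional date format and
' raises a type mismatch on day/month/year systems.
DateToCheck = DateSerial(2002, 2, 18)
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

For Each objEvent In colEvents
    Wscript.Echo "Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "Event Code: " & objEvent.EventCode
    Wscript.Echo "Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "Source Name: " & objEvent.SourceName
    Wscript.Echo "Time Written: " & objEvent.TimeWritten
    Wscript.Echo "Event Type: " & objEvent.Type
    Wscript.Echo "User: " & objEvent.User
    ' Which log the record came from, since the query spans all logs.
    Wscript.Echo objEvent.LogFile
Next
从事件日志中检索特定的事件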
描述
从系统事件日志中检索所有事件代码为 6008 的事件。
脚本代码
' Counts System-log events with EventCode 6008 and prints the total; the
' echo label treats 6008 as an unexpected ("improper") shutdown.
Dim strComputer, objWMIService, strQuery, colLoggedEvents

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")

strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System' and " & _
    "EventCode = '6008'"
' Only the count is used; the event instances themselves are never read.
Set colLoggedEvents = objWMIService.ExecQuery(strQuery)

Wscript.Echo "Improper shutdowns: " & colLoggedEvents.Count
从事件日志中检索所有的事件
描述
从计算机上的所有事件日志中检索所有的事件。注意:这主要是一个演示脚本。它可能会花几个小时或更长时间运行,这取决于事件日志中记录的数量。
脚本代码
' Dumps every event from every event log on the local computer. This is a
' demonstration script: with large logs it can run for hours.
Dim strComputer, objWMIService, colLoggedEvents, objEvent

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent")

For Each objEvent In colLoggedEvents
    EchoLogEvent objEvent
Next

' Prints the standard set of Win32_NTLogEvent fields, one per line.
Sub EchoLogEvent(objEvt)
    Wscript.Echo "Category: " & objEvt.Category
    Wscript.Echo "Computer Name: " & objEvt.ComputerName
    Wscript.Echo "Event Code: " & objEvt.EventCode
    Wscript.Echo "Message: " & objEvt.Message
    Wscript.Echo "Record Number: " & objEvt.RecordNumber
    Wscript.Echo "Source Name: " & objEvt.SourceName
    Wscript.Echo "Time Written: " & objEvt.TimeWritten
    Wscript.Echo "Event Type: " & objEvt.Type
    Wscript.Echo "User: " & objEvt.User
End Sub
在查询事件日志中查询“停止”事件
描述
在系统事件日志中查询与“停止”事件(蓝屏)有关的事件。
脚本代码
' Prints the date and message of System-log events whose source is
' "SaveDump"; the description identifies these as Stop-error (blue screen)
' records.
Dim strComputer, objWMIService, strQuery, colLoggedEvents, objEvent

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")

strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'System'" & _
    " and SourceName = 'SaveDump'"
Set colLoggedEvents = objWMIService.ExecQuery(strQuery)

For Each objEvent In colLoggedEvents
    Wscript.Echo "Event date: " & objEvent.TimeGenerated
    Wscript.Echo "Description: " & objEvent.Message
Next
查询特定的事件日志
描述
从 System 事件日志中检索所有的事件。
脚本代码
' Dumps every event from a single event log.
' NOTE(review): the description above says the System log, but the WQL
' filter below selects the Application log; confirm which one is intended.
Dim strComputer, objWMIService, strQuery, colLoggedEvents, objEvent

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")

strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Application'"
Set colLoggedEvents = objWMIService.ExecQuery(strQuery)

For Each objEvent In colLoggedEvents
    PrintEvent objEvent
Next

' Prints the fields of one Win32_NTLogEvent instance, one per line.
Sub PrintEvent(objEvt)
    Wscript.Echo "Category: " & objEvt.Category
    Wscript.Echo "Computer Name: " & objEvt.ComputerName
    Wscript.Echo "Event Code: " & objEvt.EventCode
    Wscript.Echo "Message: " & objEvt.Message
    Wscript.Echo "Record Number: " & objEvt.RecordNumber
    Wscript.Echo "Source Name: " & objEvt.SourceName
    Wscript.Echo "Time Written: " & objEvt.TimeWritten
    Wscript.Echo "Event Type: " & objEvt.Type
    Wscript.Echo "User: " & objEvt.User
End Sub
分析固定列宽格式的日志
描述
将 NetSetup 日志中的信息提取到单个字段和记录中。
脚本代码
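' Parses the fixed-width NetSetup.log line by line: columns 1-6 are taken
' as the date, 7-15 as the time, and the rest of the line as the message.
' NOTE(review): this page renders paths with forward slashes; the original
' script uses backslashes (C:\Windows\Debug\Netsetup.log).
Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("C:/Windows/Debug/Netsetup.log", _
    ForReading)

Do While objTextFile.AtEndOfStream <> True
    strLinetoParse = objTextFile.ReadLine
    ' Fixed offsets as in the original. Mid returns "" when the start
    ' position is past the end of a short line, so no guard is needed.
    dtmEventDate = Mid(strLinetoParse, 1, 6)
    dtmEventTime = Mid(strLinetoParse, 7, 9)
    strEventDescription = Mid(strLinetoParse, 16)
    Wscript.Echo "Date: " & dtmEventDate
    Wscript.Echo "Time: " & dtmEventTime
    Wscript.Echo "Description: " & strEventDescription & VbCrLf
Loop

' FileSystemObject has no Close method; the open TextStream is what must be
' closed. The original's objFSO.Close would raise a runtime error here.
objTextFile.Close
分析逗号分隔符格式的值日志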
描述
将 DHCP Server 日志中的信息提取到单个字段和记录中。
脚本代码
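' Parses the comma-separated DHCP server audit log and prints the seven
' fields of each record (ID, Date, Time, Description, IP, Host, MAC).
' NOTE(review): this page renders paths with forward slashes; the original
' script uses backslashes (C:\Windows\System32\DHCP\DhcpSrvLog-Mon.log).
Const ForReading = 1
Const DHCP_FIELD_COUNT = 7

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("C:/Windows/System32/DHCP/" _
    & "DhcpSrvLog-Mon.log", ForReading)

Do While objTextFile.AtEndOfStream <> True
    ' Read each line exactly once. The original called ReadLine both in the
    ' If test and in Split, so every other line was silently dropped, and
    ' the Else branch then skipped a further line.
    strLine = objTextFile.ReadLine
    If InStr(strLine, ",") Then
        arrDHCPRecord = Split(strLine, ",")
        ' A line with fewer than seven fields (the file also contains
        ' descriptive text with commas) would otherwise raise
        ' "Subscript out of range" on arrDHCPRecord(6).
        If UBound(arrDHCPRecord) >= DHCP_FIELD_COUNT - 1 Then
            wscript.echo "Event ID: " & arrDHCPRecord(0)
            wscript.echo "Date: " & arrDHCPRecord(1)
            wscript.echo "Time: " & arrDHCPRecord(2)
            wscript.echo "Description: " & arrDHCPRecord(3)
            wscript.echo "IP Address: " & arrDHCPRecord(4)
            wscript.echo "Host Name: " & arrDHCPRecord(5)
            wscript.echo "MAC Address: " & arrDHCPRecord(6)
        End If
    End If
Loop

objTextFile.Close
事件日志属性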
描述
检索计算机上所有事件日志的属性列表(Security 事件日志除外)。
脚本代码
' Lists name, maximum size and overwrite policy for each event log returned
' by the query. The Security log is not included (per the description),
' presumably because the moniker does not request the Security privilege.
Dim strComputer, objWMIService, objInstalledLogFiles, objLogfile, strPolicy

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")
Set objInstalledLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile In objInstalledLogFiles
    Wscript.Echo "Name: " & objLogfile.LogFileName
    Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize

    ' OverWriteOutdated as interpreted here: values above 365 mean never
    ' overwrite, 0 means overwrite as needed, otherwise a number of days.
    Select Case True
        Case objLogfile.OverWriteOutdated > 365
            strPolicy = "Overwrite Outdated Records: Never."
        Case objLogfile.OverWriteOutdated = 0
            strPolicy = "Overwrite Outdated Records: As needed."
        Case Else
            strPolicy = "Overwrite Outdated Records After: " & _
                objLogfile.OverWriteOutdated & " days"
    End Select
    Wscript.Echo strPolicy & VbCrLf
Next
Create a Custom Event Log
描述
Creates a custom event log named Scripts.
脚本代码
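' Creates a custom event log named Scripts by adding an (empty) key under
' the EventLog service in the registry. Writing under HKLM requires
' administrative rights.
' RegWrite expects backslash-separated key names ending in a backslash;
' the page showed the path with forward slashes, which RegWrite rejects as
' an invalid root, so the separators are restored here.
Const NO_VALUE = Empty

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\Scripts\", _
    NO_VALUE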
将先前日期的事件日志事件复制到数据库
描述
从所有的事件日志中检索先前日期记录的事件,并将这些记录写入 DSN 名称为 EventLogs 的数据库。需要 Windows XP 或 Windows Server 2003。
脚本代码
' Copies yesterday's events (from all event logs) into the EventTable table
' of the ODBC data source "EventLogs". SWbemDateTime (Windows XP / Server
' 2003 and later) converts the date window into CIM DATETIME strings for
' the WQL comparison. Recordset settings: CursorLocation 3 = adUseClient;
' Open(..., 3, 3) = adOpenStatic, adLockOptimistic.
Const CONVERT_TO_LOCAL_TIME = True

Dim objConn, objRS, dtmStartDate, dtmEndDate, DateToCheck
Dim strComputer, objWMIService, colEvents, objEvent

Set objConn = CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
objConn.Open "DSN=EventLogs;"
objRS.CursorLocation = 3
objRS.Open "SELECT * FROM EventTable" , objConn, 3, 3

' Window is [start of yesterday, start of today), local time.
Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
DateToCheck = Date - 1
dtmEndDate.SetVarDate Date, CONVERT_TO_LOCAL_TIME
dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")
Set colEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
        & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")

For Each objEvent In colEvents
    AppendEventRecord objRS, objEvent
Next

objRS.Close
objConn.Close

' Adds one row to the open recordset from a Win32_NTLogEvent instance.
Sub AppendEventRecord(rs, evt)
    rs.AddNew
    rs("Category") = evt.Category
    rs("ComputerName") = evt.ComputerName
    rs("EventCode") = evt.EventCode
    rs("Message") = evt.Message
    rs("RecordNumber") = evt.RecordNumber
    rs("SourceName") = evt.SourceName
    rs("TimeWritten") = evt.TimeWritten
    rs("Type") = evt.Type
    rs("User") = evt.User
    rs.Update
End Sub
将事件日志事件复制到数据库
描述
从所有的事件日志中检索事件,并将这些事件记录到 DSN 名称为 EventLogs 的数据库中。
脚本代码
' Copies every event from every event log into the EventTable table of the
' ODBC data source "EventLogs". Recordset settings: CursorLocation 3 =
' adUseClient; Open(..., 3, 3) = adOpenStatic, adLockOptimistic.
Dim objConn, objRS, strComputer, objWMIService, colRetrievedEvents, objEvent

Set objConn = CreateObject("ADODB.Connection")
objConn.Open "DSN=EventLogs;"

Set objRS = CreateObject("ADODB.Recordset")
objRS.CursorLocation = 3
objRS.Open "SELECT * FROM EventTable" , objConn, 3, 3

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")
Set colRetrievedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent")

' One row per event; each AddNew/Update pair is written on its own.
For Each objEvent In colRetrievedEvents
    With objRS
        .AddNew
        .Fields("Category") = objEvent.Category
        .Fields("ComputerName") = objEvent.ComputerName
        .Fields("EventCode") = objEvent.EventCode
        .Fields("Message") = objEvent.Message
        .Fields("RecordNumber") = objEvent.RecordNumber
        .Fields("SourceName") = objEvent.SourceName
        .Fields("TimeWritten") = objEvent.TimeWritten
        .Fields("Type") = objEvent.Type
        .Fields("User") = objEvent.User
        .Update
    End With
Next

objRS.Close
objConn.Close
配置事件日志属性
描述
将所有日志的最大大小设置为 250 MB,并使该日志能够改写时间超过 14 天的任何事件。
脚本代码
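' Applies one size/retention policy to every event log: MaxFileSize and
' OverwriteOutdated = 14 (records older than 14 days may be overwritten).
' The Security privilege is needed to modify the Security log.
' NOTE(review): the description says 250 MB, but 2500000000 bytes is about
' 2.5 GB (250 MB would be 250000000); confirm the intended value before use.
Const MAX_LOG_SIZE_BYTES = 2500000000
Const OVERWRITE_AFTER_DAYS = 14

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!//" & _
    strComputer & "/root/cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile In colLogFiles
    strLogFileName = objLogfile.Name
    ' Re-fetch the instance by key. The original hard-coded "." here instead
    ' of strComputer (so pointing the script at a remote machine would have
    ' reconfigured the local one) and dropped the Security privilege, which
    ' updating the Security log may require.
    Set wmiSWbemObject = GetObject _
        ("winmgmts:{impersonationLevel=Impersonate,(Security)}!//" _
        & strComputer & "/root/cimv2:" _
        & "Win32_NTEventlogFile.Name='" & strLogFileName & "'")
    wmiSWbemObject.MaxFileSize = MAX_LOG_SIZE_BYTES
    wmiSWbemObject.OverwriteOutdated = OVERWRITE_AFTER_DAYS
    ' Put_ commits the changed properties to the provider.
    wmiSWbemObject.Put_
Next
备份和清除大型事件日志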
描述
如果事件日志文件的大小大于 20 MB,就将其备份和清除。
脚本代码
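' Backs up and clears every event log whose on-disk size exceeds a
' threshold. The Backup and Security privileges (the latter for the
' Security log) are requested in the moniker.
' NOTE(review): the description says 20 MB, but the code compares FileSize
' (bytes) with 100000, i.e. roughly 100 KB; confirm the intended threshold.
' NOTE(review): paths on this page appear with forward slashes; the original
' scripts use backslashes (c:\scripts\...).
Const LOG_SIZE_THRESHOLD = 100000

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Backup, Security)}!//" _
    & strComputer & "/root/cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile")

For Each objLogfile In colLogFiles
    If objLogFile.FileSize > LOG_SIZE_THRESHOLD Then
        ' BackupEventLog returns 0 on success. The original stored the
        ' return value but cleared the log regardless, so a failed backup
        ' (missing folder, existing file) would have destroyed the records.
        errBackupLog = objLogFile.BackupEventLog _
            ("c:/scripts/" & objLogFile.LogFileName & ".evt")
        If errBackupLog <> 0 Then
            Wscript.Echo "The " & objLogFile.LogFileName & _
                " event log could not be backed up."
        Else
            objLogFile.ClearEventLog()
        End If
    End If
Next
备份和清除事件日志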
描述
备份和清除应用程序事件日志。
脚本代码
' Backs up the Application event log to c:/scripts/application.evt and
' clears it only when the backup reports success (return code 0). The
' Backup privilege is requested in the moniker.
Const BACKUP_OK = 0

Dim strComputer, objWMIService, colLogFiles, objLogFile, errBackupLog

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Backup)}!//" & _
    strComputer & "/root/cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile where LogFileName='Application'")

For Each objLogFile In colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:/scripts/application.evt")
    If errBackupLog = BACKUP_OK Then
        objLogFile.ClearEventLog()
    Else
        Wscript.Echo "The Application event log could not be backed up."
    End If
Next
异步事件日志查询
描述
使用异步查询检索所有事件日志中的所有事件。检索大量事件时,这种方法比使用同步查询更快一些。
脚本代码
' Retrieves every event from all logs asynchronously. InstancesOfAsync
' returns immediately; each event is delivered to SINK_OnObjectReady and
' SINK_OnCompleted fires when enumeration ends. The Popup call is what
' keeps the script alive for POPUP_DURATION seconds; WScript exits when the
' main script finishes, so callbacks arriving after that are not seen.
Const POPUP_DURATION = 10
Const OK_BUTTON = 0

Dim objWSHShell, objWMIService, objSink, strComputer, intPopupResult

Set objWSHShell = Wscript.CreateObject("Wscript.Shell")

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")

' The "SINK_" prefix binds the sink's events to the SINK_* subs below.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink","SINK_")
objWMIService.InstancesOfAsync objSink, "Win32_NTLogEvent"

intPopupResult = objWshShell.Popup("Starting event retrieval", POPUP_DURATION, _
    "Event Retrieval", OK_BUTTON)

Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
    WScript.Echo "Asynchronous operation is done."
End Sub

Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    EchoLogEvent objEvent
End Sub

' Prints the fields of one Win32_NTLogEvent instance, one per line.
Sub EchoLogEvent(objEvt)
    Wscript.Echo "Category: " & objEvt.Category
    Wscript.Echo "Computer Name: " & objEvt.ComputerName
    Wscript.Echo "Event Code: " & objEvt.EventCode
    Wscript.Echo "Message: " & objEvt.Message
    Wscript.Echo "Record Number: " & objEvt.RecordNumber
    Wscript.Echo "Source Name: " & objEvt.SourceName
    Wscript.Echo "Time Written: " & objEvt.TimeWritten
    Wscript.Echo "Event Type: " & objEvt.Type
    Wscript.Echo "User: " & objEvt.User
End Sub
向事件日志条目添加 WMI 数据
描述
写入包括附加信息(例如用户名和计算机上可用磁盘空间的数量)的事件。
脚本代码
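' Writes a failure event to the Application log whose text includes the
' domain/computer/user from WshNetwork and the free megabytes reported for
' each logical disk instance (Win32_PerfFormattedData_PerfDisk_LogicalDisk;
' this typically includes a "_Total" row as well).
Const EVENT_FAILED = 2

Set objShell = Wscript.CreateObject("Wscript.Shell")
Set objNetwork = Wscript.CreateObject("Wscript.Network")

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!//" & strComputer & "/root/cimv2")
Set colDiskDrives = objWMIService.ExecQuery _
    ("Select * from win32_perfformatteddata_perfdisk_logicaldisk")

' Accumulate one line per disk. The original assigned instead of appended,
' so only the last disk enumerated ever reached the event text even though
' the message promises "Free space on each drive".
strDriveSpace = ""
For Each objDisk In colDiskDrives
    strDriveSpace = strDriveSpace & objDisk.Name & " " & objDisk.FreeMegabytes _
        & VbCrLf
Next

strEventDescription = "Payroll application could not be installed on " _
    & objNetwork.UserDomain & "/" & objNetwork.ComputerName _
    & " by user " & objNetwork.UserName & _
    ". Free space on each drive is: " & strDriveSpace

' LogEvent type 2 = WARNING; the constant name is kept from the original.
objShell.LogEvent EVENT_FAILED, strEventDescription
向事件日志条目添加一个支持 URL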
描述
将一个事件写入包括支持 URL 的应用程序事件日志。需要 Windows XP 或 Windows Server 2003。
脚本代码
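' Writes an error event (LogEvent type 1 = ERROR) to the local Application
' log whose text ends with a support URL. Requires Windows XP / Server 2003
' per the description.
Const EVENT_FAILED = 1

Set objShell = Wscript.CreateObject("Wscript.Shell")

' A space separates the two sentences; the original concatenation produced
' "installed.Additional".
objShell.LogEvent EVENT_FAILED, _
    "Payroll application could not be installed. " _
    & "Additional information is available from http://www.fabrikam.com."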