I've been working on code to figure out how many days of events are in each event log on a given system. I started out by using two articles from Microsoft's Hey, Scripting Guy!:
How Can I Find the Date of the Oldest Event in an Event Log?
How Can I Retrieve Information About the Latest Event Added to an Event Log?
The Oldest Event seemed to work:
1: strComputer = "."
2: Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")
3:
4: Wscript.Echo "System"
5: Set colEvents = objWMIService.ExecQuery _
6: ("Select * from Win32_NTLogEvent Where Logfile = 'System' " & _
7: "AND RecordNumber = 1")
8:
9: For Each objEvent in colEvents
10: Wscript.Echo "Time Written: " & objEvent.TimeWritten
11: Next
This seems to work. I duplicated lines 4 through 11 for the Application and Security event logs, and all seemed okay. (Yeah, I know, redundant code, but sometimes it is just easiest.)
C:\Data2>cscript EventLogOldest.vbs
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
All of this testing was on Windows XP SP3. I then tried it on Windows 2003 SP2:
C:\data2>cscript EventLogOldest.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Hmm, what's going on here? Well, via another script, I figured out that the first event log record isn't always 1. Well, it is, but the oldest event log entry in a given log isn't always record 1. See, as a system runs, it will remove old entries as the event log fills up. Thus the oldest record number slowly increments as the old records fall off and new records are added.
The following script iterates through each event record on a server. It looks at the record number and log file name and records the oldest and newest record for each log file. It then dumps out the desired information.
'EventLogRecNumbers.vbs
' Walks every record in every event log and reports, per log, the lowest and
' highest record number, their dates, and the number of days between them.
strComputer = "."
Dim HighEvent
Dim LowEvent
Dim HighEventDate
Dim LowEventDate
' Each dictionary is keyed by log file name
Set HighEvent = CreateObject("Scripting.Dictionary")
Set LowEvent = CreateObject("Scripting.Dictionary")
Set HighEventDate = CreateObject("Scripting.Dictionary")
Set LowEventDate = CreateObject("Scripting.Dictionary")
' Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
' The (Security) privilege is needed to read the Security log
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTLogEvent ",,48)

For Each objItem In colItems
    currlogfile = objItem.Logfile
    currlogrecord = CLng(objItem.RecordNumber)
    ' Track the highest (newest) record number seen for this log
    If Not HighEvent.Exists(currlogfile) Then
        HighEvent.Add currlogfile, currlogrecord
        HighEventDate.Add currlogfile, objItem.TimeWritten
    ElseIf currlogrecord > HighEvent.Item(currlogfile) Then
        HighEvent.Item(currlogfile) = currlogrecord
        HighEventDate.Item(currlogfile) = objItem.TimeWritten
    End If
    ' Track the lowest (oldest) record number seen for this log
    If Not LowEvent.Exists(currlogfile) Then
        LowEvent.Add currlogfile, currlogrecord
        LowEventDate.Add currlogfile, objItem.TimeWritten
    ElseIf currlogrecord < LowEvent.Item(currlogfile) Then
        LowEvent.Item(currlogfile) = currlogrecord
        LowEventDate.Item(currlogfile) = objItem.TimeWritten
    End If
Next

' Report the record range and date span for each log that had records
For Each ELog In HighEvent.Keys
    Wscript.Echo "EventLog: " & ELog
    Wscript.Echo " High Record: " & HighEvent.Item(ELog)
    Wscript.Echo " Low Record: " & LowEvent.Item(ELog)
    Wscript.Echo " Newest Date: " & WMIDateStringToDate(HighEventDate.Item(ELog))
    Wscript.Echo " Oldest Date: " & WMIDateStringToDate(LowEventDate.Item(ELog))
    Wscript.Echo " Days: " & DateDiff("d", WMIDateStringToDate(LowEventDate.Item(ELog)), WMIDateStringToDate(HighEventDate.Item(ELog)))
Next

' Converts a WMI datetime string (yyyymmddHHMMSS.ffffff+UUU) to a VBScript Date.
' The UTC offset is ignored, and CDate parses the string per the system locale.
Function WMIDateStringToDate(dtmInstallDate)
    WMIDateStringToDate = CDate(Mid(dtmInstallDate, 5, 2) & "/" & _
        Mid(dtmInstallDate, 7, 2) & "/" & Left(dtmInstallDate, 4) _
        & " " & Mid(dtmInstallDate, 9, 2) & ":" & _
        Mid(dtmInstallDate, 11, 2) & ":" & Mid(dtmInstallDate, _
        13, 2))
End Function
This works both on my fairly new XP SP3 system, as well as a Windows 2003 SP2 system. The drawback is that because the script iterates through every event entry in the logs, it takes a while to come up with the answer. It isn't the most efficient, and I welcome alternative ways of performing this task. A plus is that it shows all event logs, not just the common Application, System and Security.
C:\>cscript EventLogRecNumbers.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
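One alternative that reads only the first and last entry of each log instead of every record, shown as an added example that is not part of the original post. It assumes PowerShell is installed and uses the .NET System.Diagnostics.EventLog class; the function name Get-EventLogSpan is hypothetical.

```powershell
# Added example: per-log retention span without enumerating every record.
# Entries[0] is the oldest record still in the log and Entries[Count - 1] is
# the newest, whatever their record numbers (Index) are once the log has wrapped.
function Get-EventLogSpan {
    param([string]$ComputerName = '.')   # '.' = local machine, as in the VBScript

    foreach ($log in [System.Diagnostics.EventLog]::GetEventLogs($ComputerName)) {
        try {
            $count = $log.Entries.Count
            if ($count -eq 0) {
                # Empty or freshly cleared log: nothing to measure
                New-Object PSObject -Property @{ Log = $log.Log; Records = 0 } |
                    Select-Object Log, Records, LowRecord, HighRecord, Oldest, Newest, Days
            }
            else {
                $oldest = $log.Entries[0]
                $newest = $log.Entries[$count - 1]
                New-Object PSObject -Property @{
                    Log        = $log.Log
                    Records    = $count
                    LowRecord  = $oldest.Index        # not 1 once old records have aged out
                    HighRecord = $newest.Index
                    Oldest     = $oldest.TimeWritten  # local time
                    Newest     = $newest.TimeWritten
                    # Elapsed days (fractional); DateDiff("d") in the VBScript
                    # counts calendar-day boundaries instead
                    Days       = [math]::Round(($newest.TimeWritten - $oldest.TimeWritten).TotalDays, 1)
                } | Select-Object Log, Records, LowRecord, HighRecord, Oldest, Newest, Days
            }
        }
        catch {
            # For example, reading the Security log without administrative rights
            Write-Warning ("{0}: {1}" -f $log.Log, $_.Exception.Message)
        }
        finally {
            $log.Dispose()
        }
    }
}

Get-EventLogSpan | Format-Table -AutoSize
```

A short Days value on the Security log means the log size or retention setting is discarding evidence sooner than an investigation may need it.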