
Number of days of events in Windows Event Logs

I've been working on code to figure out how many days of events are in each event log on a given system.  I started out by using two articles from Microsoft's Hey, Scripting Guy!:

How Can I Find the Date of the Oldest Event in an Event Log?

How Can I Retrieve Information About the Latest Event Added to an Event Log?

 

The Oldest Event seemed to work:

   1: strComputer = "."
   2: Set objWMIService = GetObject("winmgmts:{(Security)}\\" & strComputer & "\root\cimv2")  ' (Security) enables SeSecurityPrivilege, needed to read the Security log
   3:
   4: Wscript.Echo "System"
   5: Set colEvents = objWMIService.ExecQuery _
   6:     ("Select * from Win32_NTLogEvent Where Logfile = 'System' " & _
   7:         "AND RecordNumber = 1")
   8:
   9: For Each objEvent in colEvents   ' empty if no record 1 survives in the log
  10:     Wscript.Echo "Time Written: " & objEvent.TimeWritten
  11: Next


This seemed to work.  I duplicated lines 4 through 11 for the Application and Security event logs, and all seemed okay. (Yeah, I know, redundant code, but sometimes it is just easiest.)



C:\Data2>cscript EventLogOldest.vbs
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

System
Time Written: 20081125044952.000000-300
Security
Time Written: 20081125044947.000000-300
Application
Time Written: 20081125045015.000000-300


All of this testing was on Windows XP SP3.  I then tried it on Windows 2003 SP2:



C:\data2>cscript EventLogOldest.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

System
Security
Application


Hmm, what's going on here?  Well, via another script, I figured out that the first event log record isn't always 1.  Well, it is, but the oldest event log entry in a given log isn't always record 1.  As a system runs, the event log service discards the oldest entries once a log reaches its maximum size (when the log's retention setting is to overwrite events as needed), while record numbers keep counting up.  The oldest surviving record number therefore creeps upward as old records fall off and new records are added, and a query for RecordNumber = 1 returns nothing on any log that has already wrapped, which is exactly what happened on the 2003 server above.  For the Security log in particular, the number of days that survive before the log wraps is the number that matters when you need to look at something that happened weeks ago.

The following script iterates through each event record on a server.  It looks at the record number and log file name and records the oldest and newest record for each log file.  It then dumps out the desired information.

'EventLogRecNumbers.vbs
' Walks every record in every event log on strComputer, tracks the lowest and
' highest RecordNumber seen per log (with their TimeWritten stamps) and reports
' how many days of history each log holds.
strComputer = "."

Dim HighEvent, LowEvent, HighEventDate, LowEventDate
Set HighEvent = CreateObject("Scripting.Dictionary")      ' log name -> highest record number
Set LowEvent = CreateObject("Scripting.Dictionary")       ' log name -> lowest record number
Set HighEventDate = CreateObject("Scripting.Dictionary")  ' log name -> TimeWritten of highest record
Set LowEventDate = CreateObject("Scripting.Dictionary")   ' log name -> TimeWritten of lowest record

' (Security) enables SeSecurityPrivilege on the connection; without it the
' Security log's records are simply not returned by the query.
' Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}\\" & strComputer & "\root\cimv2")

' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32): stream the
' records instead of buffering every event on the machine in memory first.
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent", , 48)

For Each objItem In colItems
    currlogfile = objItem.Logfile
    currlogrecord = CLng(objItem.RecordNumber)
    If Not HighEvent.Exists(currlogfile) Then
        HighEvent.Add currlogfile, currlogrecord
        HighEventDate.Add currlogfile, objItem.TimeWritten
    ElseIf currlogrecord > HighEvent.Item(currlogfile) Then
        HighEvent.Item(currlogfile) = currlogrecord
        HighEventDate.Item(currlogfile) = objItem.TimeWritten
    End If
    If Not LowEvent.Exists(currlogfile) Then
        LowEvent.Add currlogfile, currlogrecord
        LowEventDate.Add currlogfile, objItem.TimeWritten
    ElseIf currlogrecord < LowEvent.Item(currlogfile) Then
        LowEvent.Item(currlogfile) = currlogrecord
        LowEventDate.Item(currlogfile) = objItem.TimeWritten
    End If
Next

For Each ELog In HighEvent.Keys
    WScript.Echo "EventLog: " & ELog
    WScript.Echo "     High Record: " & HighEvent.Item(ELog)
    WScript.Echo "     Low Record:  " & LowEvent.Item(ELog)
    WScript.Echo "     Newest Date: " & WMIDateStringToDate(HighEventDate.Item(ELog))
    WScript.Echo "     Oldest Date: " & WMIDateStringToDate(LowEventDate.Item(ELog))
    WScript.Echo "     Days:        " & DateDiff("d", WMIDateStringToDate(LowEventDate.Item(ELog)), WMIDateStringToDate(HighEventDate.Item(ELog)))
Next

' Converts a WMI DMTF datetime string (yyyymmddHHMMSS.mmmmmmsUUU) to a VBScript Date.
' DateSerial/TimeSerial are used instead of CDate on a "mm/dd/yyyy" string so the
' result does not depend on the regional date format of the machine running the script.
Function WMIDateStringToDate(dtmDate)
    WMIDateStringToDate = DateSerial(CInt(Left(dtmDate, 4)), CInt(Mid(dtmDate, 5, 2)), CInt(Mid(dtmDate, 7, 2))) + _
        TimeSerial(CInt(Mid(dtmDate, 9, 2)), CInt(Mid(dtmDate, 11, 2)), CInt(Mid(dtmDate, 13, 2)))
End Function


 

This works both on my fairly new XP SP3 system and on a Windows 2003 SP2 system.  The drawback is that because the script iterates through every event entry in the logs, it takes a while to come up with the answer.  It isn't the most efficient, and I welcome alternative ways of performing this task.  A plus is that it shows all event logs, not just the common Application, System and Security.
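The more efficient alternative the post asks for, added here as an example and not code from the post: on Windows Vista / Server 2008 and later, Get-WinEvent -ListLog already reports each log's OldestRecordNumber and RecordCount (the values the script above walks every record to find), and Get-WinEvent -Oldest -MaxEvents 1 reads exactly one record to get the oldest timestamp.  The script below combines those into the same per-log report, alongside the retention settings that cause the wrapping described earlier (LogMode and maximum size), and flags logs that hold less history than a retention target.  The $MinimumDays default of 90 and the local-machine default are assumptions; adjust them to your own policy.  It does not run on the XP and Server 2003 systems the post tests, which lack the newer event log service; there the same retention settings (MaxFileSize, OverwritePolicy, NumberOfRecords) live on the WMI class Win32_NTEventlogFile, reachable through the same winmgmts: moniker the VBScript uses.

```powershell
# Added example, not the post's code. Requires Windows Vista / Server 2008 or later.
# Run from an elevated prompt: reading the Security log needs SeSecurityPrivilege,
# the same reason the post's VBScript passes "(Security)" in its WMI moniker.
param(
    [string]$ComputerName = '',   # assumed: empty means the local machine
    [int]$MinimumDays = 90        # assumed retention target; set your own policy value
)

# Only pass -ComputerName when a remote box was actually named.
$target = @{}
if ($ComputerName) { $target['ComputerName'] = $ComputerName }

# -ListLog returns the per-log configuration, including OldestRecordNumber, which is
# the value the post's second script iterates every record to discover. A log that
# has wrapped has OldestRecordNumber greater than 1.
$logs = Get-WinEvent -ListLog * @target -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

$report = foreach ($log in $logs) {
    # -Oldest walks the log from the beginning; with -MaxEvents 1 it stops after one
    # record, so no log is read in full. Without -Oldest the first record is the newest.
    $oldest = Get-WinEvent -LogName $log.LogName @target -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -LogName $log.LogName @target -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $oldest -or -not $newest) { continue }

    $days = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
    [pscustomobject]@{
        LogName      = $log.LogName
        Mode         = $log.LogMode              # Circular = overwrite events as needed
        MaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        Records      = $log.RecordCount
        OldestRecord = $log.OldestRecordNumber
        NewestRecord = $newest.RecordId
        OldestDate   = $oldest.TimeCreated
        NewestDate   = $newest.TimeCreated
        Days         = [math]::Round($days, 1)
        BelowTarget  = ($days -lt $MinimumDays)
    }
}

$report | Sort-Object Days | Format-Table -AutoSize

# Logs that hold less history than the target are the ones an incident responder
# cares about: a Security log that wraps in three weeks cannot answer a question
# about an intrusion that began two months ago.
$short = @($report | Where-Object { $_.BelowTarget })
if ($short.Count -gt 0) {
    $names = ($short | ForEach-Object { $_.LogName }) -join ', '
    Write-Warning ("{0} log(s) hold fewer than {1} days of events: {2}" -f $short.Count, $MinimumDays, $names)
}
```

Logs that are disabled, empty, or readable only with -Oldest (analytic and debug channels) are skipped rather than reported, so a log missing from the table is worth a second look on its own.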



C:\>cscript EventLogRecNumbers.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

EventLog: Application
     High Record: 1232635
     Low Record:  1210462
     Newest Date: 12/19/2008 11:24:04 PM
     Oldest Date: 12/11/2008 10:02:05 PM
     Days:        8
EventLog: Directory Service
     High Record: 8142
     Low Record:  5336
     Newest Date: 12/19/2008 1:51:13 PM
     Oldest Date: 2/23/2007 3:15:56 AM
     Days:        665
EventLog: DNS Server
     High Record: 486
     Low Record:  1
     Newest Date: 11/10/2008 1:37:02 PM
     Oldest Date: 1/18/2004 5:50:52 PM
     Days:        1758
EventLog: File Replication Service
     High Record: 334
     Low Record:  1
     Newest Date: 11/10/2008 1:37:41 PM
     Oldest Date: 1/18/2004 5:30:46 PM
     Days:        1758
EventLog: Security
     High Record: 22647817
     Low Record:  22455586
     Newest Date: 12/19/2008 11:25:49 PM
     Oldest Date: 11/27/2008 7:04:18 AM
     Days:        22
EventLog: System
     High Record: 203041
     Low Record:  92196
     Newest Date: 12/19/2008 11:23:49 PM
     Oldest Date: 10/10/2006 5:28:22 AM
     Days:        801


About

This page contains a single entry from the blog posted on December 20, 2008 12:04 AM.
