Searching the Windows Eventlog for specific events with WMI

On occasion as a systems administrator you have to find the proverbial needle in the haystack with respect to the events in the event logs. You know what I mean, the one event you care about and need to know when it occured as part of your troubleshooting… then throw in that you need to do it in many servers. That’s a mess!

Sure, you can use event viewer and pull out some superadmin skills to filter the events to only see the ones you want– but your still only looking at one server at a time! Yes, you could export the events from multiple servers to a CSV file and then compile them into one excel spreadsheet– but that would take hours to do.

What if I told you there was a way to do it with VBScript? How much would you expect to pay? Three easy payments of 19.99?? … WAIT, don’t answer because it’s FREE!

The script below calls a function it defines called GetLogInfo to gather the requested event information to standard the standard output (the console). The function uses the Win32_NTLogEvent class from— you guessed it, our life long friend WMI! It accepts four inputs, in order; a string that is the name of the server, the Event ID that you are looking for, the specific application log you want to search, and the date in YYYYMMDD format. (Hint: if you have custom event logs on your server, or it is a DNS server or a Domain Controller, you can specify the name of the log instead of Application, System, or Security to get at the log information.)

Here is the script I wrote:

GetLogInfo “ServerName”,”1309″, “application”, “20081218″

Function GetLogInfo( StrComputer1, EventID, EventLogType, YYYYMMDD)

    Dim objWMIService, colItems, objItem
    Dim TempStr

    On Error Resume Next
    ‘ error control block
    Set objWMIService = GetObject(“winmgmts:{impersonationLevel=impersonate}//”_
    & strComputer1 & “\root\cimv2″)
    Set colItems = objWMIService.ExecQuery (“Select * from Win32_NTLogEvent Where EventCode=” &_
    EventID & ” and logfile=’” & EventlogType & “‘”)
    For Each objItem in colItems
        TempStr = “”
        If mid(objItem.timegenerated,1,8) = YYYYMMDD Then
            TempStr = objItem.message
        End if
    Next
    On Error GoTo 0
End Function