WMI 101: Event Logging

Ken Spencer shows you two simple Windows Management Instrumentation (WMI) scripts that let you manage your event logs.

Ken Spencer

May 15, 2001

4 Min Read
ITPro Today logo in a gray background | ITPro Today


IIS Scripting Solutions

This month, I show you two simple Windows Management Instrumentation (WMI) scripts. These scripts are based on scripts in the WMI software development kit (SDK). You can download the WMI SDK from http://msdn.microsoft.com/downloads/sdks/wmi/default.asp. WMI scripts often come in handy for managing IIS, and because IIS runs on Windows 2000 or Windows NT 4.0, you can manage not only IIS but also the server on which it runs.

One feature of the Windows OS that has been around since NT 3.1 is the event log. Event logs provide a place for recording OS, security, and application events. Event-log management is important because you must manage the size of and periodically clear the logs. A simple WMI script can help you manage logs.

Using the WMI Sample Scripts
The script listeventsbycode.vbs, which Listing 1 shows, uses WMI to extract specific events from the event logs. This sample script doesn't look for an event in a particular event log but rather looks up the event ID in all logs. The script displays the results to the user.

To use this script, simply execute it and pass it the event ID that you want to retrieve as a parameter. For example, to search for event ID 0, type

listeventsbycode2   0

at the command prompt. To search for event ID 414, type

listeventsbycode2  414

at the command prompt. The iEventCode variable, which callout A in Listing 1 shows, sets the EventCode property in the script.

When the script executes, it displays a separate dialog box that shows each event you searched for that the script found in the logs.

The code backcleareventlog.vbs, which Listing 2 shows, accomplishes two tasks. First, it backs up the Application and System event logs to the Temp folder. You can open the logs later with Event Viewer. Second, the script clears those event logs. Messages appear to keep you up-to-date on the script's progress.

To use backcleareventlog.vbs, you need to modify a couple of settings. First, if you want to back up and clear any logs other than Application and System, you need to change the entry in the Select statement to point to those logs. For example, the first line in the script executes the Select statement, which specifies which event logs to process. To change this statement to process the three standard logs, modify it to look like this:

set LogFileSet = _ GetObject("winmgmts: _{impersonationLevel= _impersonate, (Backup)}"). _ExecQuery("select * from _Win32_NTEventLogFile where " & _"LogfileName='Application' OR _LogfileName='System' OR _LogfileName='Security'")

Now backcleareventlog.vbs will process the Security log in addition to the other two logs.

Second, you might want to change the folder in which the script stores the backup files. To change this folder, change C:Temp in the line at callout A in Listing 2 to point to the folder you want to use. Finally, you probably want the script to run with no UI, which is usually the case when you run a script automatically or start a script and walk away while the script does its magic. To make backcleareventlog.vbs work without a UI, remove the two lines that begin with WScript. To stop these lines from executing, place a comment character in front of each line. The standard VBScipt comment character is a single quote ('). Comment characters make the text following the comment character nonexecutable.

WMI Makes Log Management Easy
Managing event logs and other Windows features can be cumbersome when you use only the GUI tools. WMI provides a handy, automated way to access many Windows features. You can use WMI and other types of scripting (e.g., VBScript, Perl) to perform many more tasks with event logs and other OS features.

As you can see from these examples, you can quickly automate tasks such as backing up or querying an event log. You can also accomplish tasks such as stopping servers and listing services. In particular, the script in Listing 1 also shows how to pass parameters to a script, which is handy when you need to change the values the script uses each time it runs, such as the event ID I used in this article's example. (For information about the Win32_NTLogEvent WMI class I used in these two samples, see the table at http://msdn.microsoft.com/library/psdk/wmisdk/clasops_4ag5.htm. For more information about scripting, see the Microsoft Windows Script Technologies Web site at http://msdn.microsoft.com/scripting and the Windows Scripting Solutions Web site at http://www.winscriptingsolutions.com.)

In this column, I explore various scripts that automate tasks that IIS administrators often face. In the next issue, I show you how to automatically retrieve the names of all Web sites on one or more servers on a LAN or WAN.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like