How Can I Monitor the Event Logs for the Occurrence of a Specific Event?


Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?

— JP


Hey, JP. Why, you use an event log monitoring script, of course. (Yes, it’s hard to believe, but they really do pay us to come up with brilliant answers like that.)


OK, maybe we should be a little more specific: you use an event log monitoring script similar to this one:

strComputer = "."

' {(Security)} enables the security privilege so Security-log events are delivered too
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
    strComputer & "\root\cimv2")

' Subscribe to new event log entries whose EventCode is 0
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
        & "and TargetInstance.EventCode = '0' ")

' No exit condition: block on NextEvent, report the entry, then wait again
Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    Wscript.Echo
Loop


We won’t spend any time in this column discussing the ins and outs of monitoring WMI events; if you’d like more information about event monitoring you might want to view our Scripting Week 2 webcast on the subject. Instead, we’ll just mention that what we’re going to do is create a script that “subscribes” to a WMI event log event. Each time an event with a specific EventCode (in this case 0) is written to one of the event logs, our script will be notified and will report back values for the User, TimeWritten, and Message properties. The script will then slip back into suspended animation and patiently wait for the next event 0 to occur.


By the way, we chose event 0 because that’s the event code for Windows Script Host events. That means you can use a script like this one to write an event 0 to the Application log and thus test your monitoring script to ensure that it works:

Const EVENT_SUCCESS = 0

' LogEvent writes an entry with EventCode 0 (WSH source) to the Application log
Set objShell = Wscript.CreateObject("Wscript.Shell")
objShell.LogEvent EVENT_SUCCESS, "Event written to an event log using a script."


As for the monitoring script, we begin by connecting to the WMI service. You might notice that when connecting to the WMI service we include the {(Security)} parameter. This allows us to subscribe to events written to all the event logs, including the Security log. Without this parameter we would receive events written from all the event logs except Security.


Next we use the ExecNotificationQuery method to register for event log events. Our query itself looks like this:

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
        & "and TargetInstance.EventCode = '0' ")

What we’re saying here is this: Show us all new instances of the __InstanceCreationEvent class, provided that the new instance happens to be a new entry to the event log (Win32_NTLogEvent) and the new entry has an EventCode of 0. If we wanted to monitor for different events (say, an event with the EventCode 528) all we’d have to do is modify our query accordingly:

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
        & "and TargetInstance.EventCode = '528' ")

After that we set up a Do Loop with no exit condition (e.g., no Do Until x = 1 kind of thing). This allows us to monitor events forever and ever: the script will continue to monitor until we reboot the computer or terminate the process under which the script runs. (Incidentally, you should run this script in a command window under CScript. If you run it under WScript, you’ll have to click a bunch of message boxes any time an event 0 is written to the event log.)


We then use this line of code to tell the script to sit there and wait for the next event to occur:

Set objLatestEvent = colMonitoredEvents.NextEvent

When a new event 0 is written to one of the event logs an exact copy of that event will be made available to our script; this replica object is known as the TargetInstance. At that point all we do is echo a few property values of this TargetInstance and then loop around and wait for the next event.
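The same subscription in PowerShell, as an added example that is not part of the column: it uses the same __InstanceCreationEvent / Win32_NTLogEvent query, generalized to one named log and a list of event codes, fires the column's WSH test event through the WScript.Shell COM object, and unregisters the subscription on exit. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows in an elevated console; the $LogFile, $EventCodes and $TimeoutSec names are mine, and receiving Security-log entries is assumed to need the same security privilege the VBScript enables with {(Security)}.

```powershell
# Added example, not the column's code. Names below are assumptions.
$LogFile    = 'Application'   # Win32_NTLogEvent.Logfile to watch
$EventCodes = @(0)            # e.g. @(0, 528) to watch several codes
$TimeoutSec = 30              # give up waiting after this many seconds
$sourceId   = 'NTLogEventWatch'

# Build the WQL filter: same shape as the VBScript query, plus a Logfile clause
# and an OR over the requested codes.
$codeClause = ($EventCodes | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = '$LogFile' AND ($codeClause)"

# Register the subscription; matching events queue up until Wait-Event takes them.
Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $query -SourceIdentifier $sourceId

try {
    # Write the column's test event (EventCode 0 from Windows Script Host).
    $shell = New-Object -ComObject 'WScript.Shell'
    $shell.LogEvent(0, 'Event written to an event log using a script.') | Out-Null

    # Same idea as the VBScript Do ... Loop: block for the next event, report it, repeat.
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $sourceId -Timeout $TimeoutSec
        if ($null -eq $evt) {
            Write-Warning "No event with code(s) $($EventCodes -join ',') in $LogFile for $TimeoutSec s; stopping."
            break
        }
        # TargetInstance is the copy of the new Win32_NTLogEvent entry.
        $entry = $evt.SourceEventArgs.NewEvent.TargetInstance
        [pscustomobject]@{
            Logfile     = $entry.Logfile
            EventCode   = $entry.EventCode
            User        = $entry.User
            TimeWritten = $entry.TimeWritten
            Message     = $entry.Message
        } | Format-List | Out-Host
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Always tear down the subscription, including on Ctrl+C.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}
```

Run it with cscript-style expectations in mind: it prints to the console rather than raising dialogs, and it stops by itself when no matching entry arrives within $TimeoutSec.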


In other words, to monitor the event logs for the occurrence of a specific event just use an event monitoring script. (If only we’d said that in the first place….)