How Can I Retrieve Information About the Latest Event Added to an Event Log?
Hey, Scripting Guy! How can I retrieve information about the latest event added to an event log?
— HG
Hey, HG. You know, it seems like only yesterday that someone was asking us how they could find the oldest event in an event log. And we remember how we told them that – oh, right: it was only yesterday, wasn’t it? Well, then we won’t waste any time reminiscing about the good old days. (Although yesterday was a pretty good day, all things considered.)
Instead, let’s get down to business. As we noted yesterday, each time an event is added to an event log it gets assigned a sequential record number: if you have 1000 records in an event log, the next event written to that log will be assigned record number 1001. That means that the event with the largest record number will also be the latest event written to the event log. To retrieve information about the latest event added to an event log all we have to do is determine which event has the largest record number.
But, as we also noted yesterday (boy, we worked hard yesterday, didn’t we?), you can’t write a WQL query that automatically goes out and retrieves the event with the largest record number; instead, we need to specify that record number in our query. And that’s a problem: how the heck are we supposed to know the largest record number currently in use in a given event log?
Did we say that was a problem? Sorry; turns out that’s not a problem at all. Let’s show you a script that retrieves date-time information about the most recent event added to an event log, and then we’ll let you in on the secret:
strComputer = “.”
Set objWMIService = GetObject(“winmgmts:{(Security)}\\” & _
strComputer & “\root\cimv2”)
Set colLogFiles = objWMIService.ExecQuery _
(“Select * from Win32_NTEventLogFile where LogFileName=’System'”)
For Each objLogFile in colLogFiles
intTotal = objLogFile.NumberOfRecords
Next
Set colEvents = objWMIService.ExecQuery _
(“Select * from Win32_NTLogEvent Where Logfile = ‘System’ ” & _
“AND RecordNumber = ” & intTotal)
For Each objEvent in colEvents
Wscript.Echo “Time Written: ” & objEvent.TimeWritten
Next
Here’s how this all works. We begin by connecting to the WMI service on the local computer. We then use this query to return information about the System event log:
Set colLogFiles = objWMIService.ExecQuery _
(“Select * from Win32_NTEventLogFile where LogFileName=’System'”)
Notice that we’re using the Win32_NTEventLogFile class here; that’s because we want information about the properties of the event log itself rather than information about any of the individual events. In particular, we want to know the value of the NumberOfRecords property; as you might have guessed, this tells us the number of records in the event log. To get at that number we use this block of code to walk through our collection of event logs (because we specified the System event log there will be only one item in the collection) and store the value of the NumberOfRecords in a variable named intTotal:
For Each objLogFile in colLogFiles
intTotal = objLogFile.NumberOfRecords
Next
Why do we do that? Well, suppose we have 1001 records in the System event log. That means the last event written to the log will have record number 1001. That’s how we’re able to know the largest record number currently in use in a given event log: the last event written will have the same record number as the number of events in the log.
Think about the math for a second, and you’ll see how that works. If we have one event in the event log, that event will have a record number of 1. Suppose we add a second event. OK, now we have 2 events, and the second event will have a record number of 2. Because 2 tends to equal 2, this approach works.
The rest is pretty straightforward; following the same methodology used yesterday, we use these lines of code to return and echo the value of the TimeWritten property for the most recent event in the System event log:
Set colEvents = objWMIService.ExecQuery _
(“Select * from Win32_NTLogEvent Where Logfile = ‘System’ ” & _
“AND RecordNumber = ” & intTotal)
For Each objEvent in colEvents
Wscript.Echo “Time Written: ” & objEvent.TimeWritten
Next
The secret here lies in the WQL query, where we use our variable intTotal to retrieve the record with the largest record number: RecordNumber = ” & intTotal. That’s all we have to do to get back information about the last event to be written to the System event log.
Now, where were we? Oh, yes. It was the summer of 1907, and we had just received a telegram asking us how to retrieve the oldest event in an event log. Well, sir, we hunkered down and thought about that a spell, then we ….
Light
Dark
0 comments