Showing results for event logs - Scripting Blog [archived]

Hey, Scripting Guy! How can I retrieve just audit failures, warnings, and errors from my event logs?-- OG Hey, OG. You know, just for the heck of it, we decided to check the event logs on one of our computers to see whether this was a task worth doing. In the Security event log on this machine we had 42,815 events; of those, just 286 were failur...

Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?-- JP Hey, JP. Why, you use an event log monitoring script, of course. (Yes, it’s hard to believe, but they really do pay us to come up with brilliant answers like that.) OK, maybe we should be a little more specific: you use an event log monitoring scrip...

Hey, Scripting Guy! How can I scan the event logs of my servers and return only information about unsuccessful logons?-- LC Hey, LC. We’ll assume that you have enabled security auditing on your servers. If you haven’t, that’s step one. What you’ll want to do is - at a minimum - audit for logon event failures. That way every time someone tries - ...

Hey, Scripting Guy! How can I read only the last record written to an event log? In other words, what is the WMI equivalent to the SQL statement Select Top 1?-- KM Hey, KM. Well, as it turns out WMI doesn’t have an equivalent to the Select Top command; for better or worse, the WMI Query Language (WQL) has only a small subset of the commands foun...

Hey, Scripting Guy! Is there a way to retrieve just Failure Audit events from the Security event log?-- KA Hey, KA. Interesting, isn’t it: any time the subject is failure, people turn to the Scripting Guys. What makes you think we know anything about failure? Ok, you’re right: silly question. As far as your question goes, it’s very easy to retri...