Showing results for Logs and monitoring - Scripting Blog [archived]

Hey, Scripting Guy! How can I retrieve just audit failures, warnings, and errors from my event logs?-- OG Hey, OG. You know, just for the heck of it, we decided to check the event logs on one of our computers to see whether this was a task worth doing. In the Security event log on this machine we had 42,815 events; of those, just 286 were failur...

Hey, Scripting Guy! How can I determine the 20 largest files on a computer?-- PW Hey, PW. Having recently returned from a vacation in Europe, the Scripting Guy who writes this column now understands that there are different ways to do things. Some of these would be difficult to adjust to on a regular basis: for example, ordering a soft drink in ...

Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?-- JP Hey, JP. Why, you use an event log monitoring script, of course. (Yes, it’s hard to believe, but they really do pay us to come up with brilliant answers like that.) OK, maybe we should be a little more specific: you use an event log monitoring scrip...

Hey, Scripting Guy! How can I scan the event logs of my servers and return only information about unsuccessful logons?-- LC Hey, LC. We’ll assume that you have enabled security auditing on your servers. If you haven’t, that’s step one. What you’ll want to do is - at a minimum - audit for logon event failures. That way every time someone tries - ...

Hey, Scripting Guy! How can I read only the last record written to an event log? In other words, what is the WMI equivalent to the SQL statement Select Top 1?-- KM Hey, KM. Well, as it turns out WMI doesn’t have an equivalent to the Select Top command; for better or worse, the WMI Query Language (WQL) has only a small subset of the commands foun...