{"id":65433,"date":"2007-02-27T01:03:00","date_gmt":"2007-02-27T01:03:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2007\/02\/27\/how-can-i-monitor-event-log-messages-for-specific-words\/"},"modified":"2007-02-27T01:03:00","modified_gmt":"2007-02-27T01:03:00","slug":"how-can-i-monitor-event-log-messages-for-specific-words","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-monitor-event-log-messages-for-specific-words\/","title":{"rendered":"How Can I Monitor Event Log Messages for Specific Words?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! How can I monitor event log messages for a specific word or phrase?

— GH<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, GH. You know, now that the 2007 Scripting Games<\/B><\/A> are over (have we mentioned that the 2008 Games are just a year away?) it\u2019s time for the Scripting Guys to rejoin the real world. Before we answer your question, however, could you give us a second to thumb through this pile of newspapers and see if we missed anything in the last month or so? Let\u2019s see: boring; boring; no one cares; boring. <\/P>\n

Oh, wait, here\u2019s something: allegedly a NASA astronaut went off the deep end, as they say, and set out to kidnap a romantic rival. Which leads to an obvious question: have the Scripting Guys<\/I> ever gone off the deep end and tried to kidnap someone?<\/P>\n

Well, we\u2019re ashamed to admit it, but yes, we did. Shortly after Peter Costantini<\/B><\/A> accepted his new position as a Microsoft Program Manager the remaining Scripting Guys went a tad bit crazy; in fact, we kidnapped Peter, tied him up in the basement of Scripting Guys Headquarters, and delivered an ultimatum: either rejoin the team, or bake us a batch of cupcakes. (The cupcakes were Dean\u2019s idea.) We gave him 24 hours to make up his mind.<\/P>\n

So, yes, we did<\/I> go off the deep end \u2013 once. But we\u2019re back to normal now and, to prove it, we\u2019ll write you a script that monitors for specific words in an event log message. (Interestingly enough, that\u2019s the very same task Washington State Patrol officers use to test someone for drunk driving!)<\/P>\n

For example, suppose you have a script named Test.vbs. You\u2019d like to be notified any time an event written to the event log includes the term Test.vbs<\/I>. How can you do that? Here\u2019s how:<\/P>

strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:{(Security)}\\\\” & _\n        strComputer & “\\root\\cimv2”)<\/p>\n
Set colEvents = objWMIService.ExecNotificationQuery _    \n    (“Select * From __InstanceCreationEvent Where ” _\n        & “TargetInstance isa ‘Win32_NTLogEvent'”)<\/p>\n
Do\n    Set objEvent = colEvents.NextEvent\n    If InStr(LCase(objEvent.TargetInstance.Message), “test.vbs”) Then\n        Wscript.Echo Now\n        Wscript.Echo “Category: ” & objEvent.TargetInstance.Category\n        Wscript.Echo “Event Code: ” & objEvent.TargetInstance.EventCode\n        Wscript.Echo “Message: ” & objEvent.TargetInstance.Message\n        Wscript.Echo “Record Number: ” & objEvent.TargetInstance.RecordNumber\n        Wscript.Echo “Source Name: ” & objEvent.TargetInstance.SourceName\n        Wscript.Echo “Event Type: ” & objEvent.TargetInstance.Type\n        Wscript.Echo\n    End If\nLoop\n<\/PRE>\n
As you can see, we start out by connecting to the WMI service on the local computer (although this script can also monitor event logs on remote machines). Notice, however, that our WMI binding string includes the Security<\/B> privilege: Set objWMIService = GetObject(“winmgmts:{(Security)}<\/B>\\\\”. Is that important? You bet it is, provided that you want to monitor all<\/I> the event logs, including the Security event log. If that\u2019s the case then you have to include the Security privilege. If you\u2019re not interested in the Security event log, however, then the answer is no, this isn\u2019t important at all. <\/P>\n
After connecting to the WMI service we issue the following query, a query that asks WMI to notify us any time a new event gets written to any of our event logs:<\/P>
Set colEvents = objWMIService.ExecNotificationQuery _    \n    (“Select * From __InstanceCreationEvent Where ” _\n        & “TargetInstance ISA ‘Win32_NTLogEvent'”)\n<\/PRE>\n
What we\u2019re doing here is monitoring for new object instances (__InstanceCreationEvent<\/B>), but only if those new objects happen to be members of the Win32_NTLogEvent<\/B> class. You might have noticed that we don\u2019t include a \u201cpolling interval\u201d (e.g., WITHIN 10) in this query. Why not? Because polling intervals are used only when monitoring WMI classes that don\u2019t have a custom event provider. That\u2019s not the case with the event logs; the event logs do<\/I> have a custom event provider. Because of that we can get instant notification of any new events, without having to include code that instructs WMI to periodically go out and check for new events.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. Of course that doesn\u2019t make any sense; didn\u2019t you realize this is the Hey, Scripting Guy!<\/I> column?!? But seriously, folks, if you could use a little more information about WMI monitoring scripts \u2013 as well as a definition of terms like polling interval \u2013 then you might want to view the Scripting Guys webcast An Ounce of Prevention: An Introduction to WMI Events<\/B><\/A>.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
After issuing our query we set up a Do loop that\u2019s designed to run forever and ever. That, by the way, is one reason why you should run this script in a command window under the CScript script host; if you ever decide that you do<\/I> want to terminate the script you can do so simply by closing the command window in which the script is running.<\/P>\n
Inside that loop we use this block of code to instruct the script to sit around and wait until an event gets written to one of the event logs:<\/P>
Set objEvent = colEvents.NextEvent\n<\/PRE>\n
And what happens when an event does<\/I> get written to one of the event logs? Well, when that happens we use the following line of code to see if the event message includes the term test.vbs<\/I>: <\/P>
If InStr(LCase(objEvent.TargetInstance.Message), “test.vbs”) Then\n<\/PRE>\n
What are we doing here? Well, first of all we\u2019re grabbing the Message<\/B> property from the TargetInstance<\/B> object, an object that represents the record that was just written to the event log. We use the LCase<\/B> function to convert all the characters in that message to lowercase, then use the InStr<\/B> function to determine whether the value test.vbs<\/I> can be found anywhere in that message. If test.vbs<\/I> does not<\/I> appear anywhere in the message then we simply loop around and wait for the next event to occur.<\/P>\n
But let\u2019s assume that the event message does<\/I> include the text test.vbs<\/I>. In that case we simply use this block of code to echo back information about that event:<\/P>
Wscript.Echo Now\nWscript.Echo “Category: ” & objEvent.TargetInstance.Category\nWscript.Echo “Event Code: ” & objEvent.TargetInstance.EventCode\nWscript.Echo “Message: ” & objEvent.TargetInstance.Message\nWscript.Echo “Record Number: ” & objEvent.TargetInstance.RecordNumber\nWscript.Echo “Source Name: ” & objEvent.TargetInstance.SourceName\nWscript.Echo “Event Type: ” & objEvent.TargetInstance.Type\n<\/PRE>\n
Needless to say, this is pretty standard WMI scripting: we simply echo back the current date and time (using the Now<\/B> function), then echo back property values such as Category<\/B>, EventCode<\/B>, and Message<\/B>. If you aren\u2019t sure what those property values are used for, well, too bad for you, huh?<\/P>\n
No, hey, just kidding. What we meant to say was this: if you\u2019d like more information about event logs and the Win32_NTLogEvent class then you might want to take a look at this section<\/B><\/A> of the Microsoft Windows 2000 Scripting Guide<\/I>.<\/P>\n
Oh: and if you\u2019d like to test today\u2019s script here\u2019s some code that will write an event to the Application event log, an event that \u2013 fortuitously enough, includes the term test.vbs<\/I>:<\/P>
Const EVENT_SUCCESS = 0<\/p>\n
Set objShell = Wscript.CreateObject(“Wscript.Shell”)\nobjShell.LogEvent EVENT_SUCCESS, “Test.vbs started.”\n<\/PRE>\n
So what did<\/I> happen with Peter? Believe it or not, we turned him loose after about 15 minutes; it only took that long for us to remember why we let him go in the first place. To add insult to injury, though, not only did Peter win his freedom, but he somehow also talked the rest of us into baking him<\/I> cupcakes. But, then again, that\u2019s probably how Peter came to be such a powerful and important Program Manager while the rest of us are, well, Scripting Guys.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I monitor event log messages for a specific word or phrase?— GH Hey, GH. You know, now that the 2007 Scripting Games are over (have we mentioned that the 2008 Games are just a year away?) it\u2019s time for the Scripting Guys to rejoin the real world. Before we answer […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,5],"class_list":["post-65433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I monitor event log messages for a specific word or phrase?— GH Hey, GH. You know, now that the 2007 Scripting Games are over (have we mentioned that the 2008 Games are just a year away?) it\u2019s time for the Scripting Guys to rejoin the real world. Before we answer […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/65433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=65433"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/65433\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=65433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=65433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=65433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}