{"id":68063,"date":"2006-01-31T10:04:00","date_gmt":"2006-01-31T10:04:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2006\/01\/31\/how-can-i-retrieve-information-about-the-latest-event-added-to-an-event-log\/"},"modified":"2006-01-31T10:04:00","modified_gmt":"2006-01-31T10:04:00","slug":"how-can-i-retrieve-information-about-the-latest-event-added-to-an-event-log","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-retrieve-information-about-the-latest-event-added-to-an-event-log\/","title":{"rendered":"How Can I Retrieve Information About the Latest Event Added to an Event Log?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I retrieve information about the latest event added to an event log?

— HG<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, HG. You know, it seems like only yesterday<\/B><\/A> that someone was asking us how they could find the oldest<\/I> event in an event log. And we remember how we told them that – oh, right: it was<\/I> only yesterday, wasn\u2019t it? Well, then we won\u2019t waste any time reminiscing about the good old days. (Although yesterday was<\/I> a pretty good day, all things considered.) <\/P>\n

Instead, let\u2019s get down to business. As we noted yesterday, each time an event is added to an event log it gets assigned a sequential record number: if you have 1000 records in an event log, the next event written to that log will be assigned record number 1001. That means that the event with the largest record number will also be the latest event written to the event log. To retrieve information about the latest event added to an event log all we have to do is determine which event has the largest record number.<\/P>\n

But, as we also noted yesterday (boy, we worked hard<\/I> yesterday, didn\u2019t we?), you can\u2019t write a WQL query that automatically goes out and retrieves the event with the largest record number; instead, we need to specify that record number in our query. And that\u2019s a problem: how the heck are we supposed to know the largest record number currently in use in a given event log?<\/P>\n

Did we say that was a problem? Sorry; turns out that\u2019s not a problem at all. Let\u2019s show you a script that retrieves date-time information about the most recent event added to an event log, and then we\u2019ll let you in on the secret:<\/P>

strComputer = “.”\nSet objWMIService = GetObject(“winmgmts:{(Security)}\\\\” & _\n        strComputer & “\\root\\cimv2”)<\/p>\n
Set colLogFiles = objWMIService.ExecQuery _\n    (“Select * from Win32_NTEventLogFile where LogFileName=’System'”)<\/p>\n
For Each objLogFile in colLogFiles\n    intTotal = objLogFile.NumberOfRecords\nNext<\/p>\n
Set colEvents = objWMIService.ExecQuery _\n    (“Select * from Win32_NTLogEvent Where Logfile = ‘System’ ” & _\n        “AND RecordNumber = ” & intTotal)<\/p>\n
For Each objEvent in colEvents\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\nNext\n<\/PRE>\n
Here\u2019s how this all works. We begin by connecting to the WMI service on the local computer. We then use this query to return information about the System event log:<\/P>
Set colLogFiles = objWMIService.ExecQuery _\n    (“Select * from Win32_NTEventLogFile where LogFileName=’System'”)\n<\/PRE>\n
Notice that we\u2019re using the Win32_NTEventLogFile<\/B> class here; that\u2019s because we want information about the properties of the event log itself rather than information about any of the individual events. In particular, we want to know the value of the NumberOfRecords<\/B> property; as you might have guessed, this tells us the number of records in the event log. To get at that number we use this block of code to walk through our collection of event logs (because we specified the System event log there will be only one item in the collection) and store the value of the NumberOfRecords in a variable named intTotal:<\/P>
For Each objLogFile in colLogFiles\n    intTotal = objLogFile.NumberOfRecords\nNext\n<\/PRE>\n
Why do we do that? Well, suppose we have 1001 records in the System event log. That means the last event written to the log will have record number 1001. That\u2019s<\/I> how we\u2019re able to know the largest record number currently in use in a given event log: the last event written will have the same record number as the number of events in the log.<\/P>\n
Think about the math for a second, and you\u2019ll see how that works. If we have one event in the event log, that event will have a record number of 1. Suppose we add a second event. OK, now we have 2 events, and the second event will have a record number of 2. Because 2 tends to equal 2, this approach works. <\/P>\n
The rest is pretty straightforward; following the same methodology used yesterday, we use these lines of code to return and echo the value of the TimeWritten<\/B> property for the most recent event in the System event log:<\/P>
Set colEvents = objWMIService.ExecQuery _\n    (“Select * from Win32_NTLogEvent Where Logfile = ‘System’ ” & _\n        “AND RecordNumber = ” & intTotal)<\/p>\n
For Each objEvent in colEvents\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\nNext\n<\/PRE>\n
The secret here<\/I> lies in the WQL query, where we use our variable intTotal to retrieve the record with the largest record number: RecordNumber = ” & intTotal<\/B>. That\u2019s all we have to do to get back information about the last event to be written to the System event log. <\/P>\n
Now, where were we? Oh, yes. It was the summer of 1907, and we had just received a telegram asking us how to retrieve the oldest event in an event log. Well, sir, we hunkered down and thought about that a spell, then we \u2026.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I retrieve information about the latest event added to an event log?— HG Hey, HG. You know, it seems like only yesterday that someone was asking us how they could find the oldest event in an event log. And we remember how we told them that – oh, right: it […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,5],"class_list":["post-68063","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I retrieve information about the latest event added to an event log?— HG Hey, HG. You know, it seems like only yesterday that someone was asking us how they could find the oldest event in an event log. And we remember how we told them that – oh, right: it […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68063"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68063\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}