{"id":68973,"date":"2005-09-13T20:52:00","date_gmt":"2005-09-13T20:52:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/09\/13\/how-can-i-retrieve-just-audit-failures-warnings-and-errors-from-my-event-logs\/"},"modified":"2005-09-13T20:52:00","modified_gmt":"2005-09-13T20:52:00","slug":"how-can-i-retrieve-just-audit-failures-warnings-and-errors-from-my-event-logs","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-retrieve-just-audit-failures-warnings-and-errors-from-my-event-logs\/","title":{"rendered":"How Can I Retrieve Just Audit Failures, Warnings, and Errors from My Event Logs?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I retrieve just audit failures, warnings, and errors from my event logs?

— OG<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, OG. You know, just for the heck of it, we decided to check the event logs on one of our computers to see whether this was a task worth doing. In the Security event log on this machine we had 42,815 events; of those, just 286 were failure events. If we assume that the failure events are the events we really care about then we have two choices here: we can either wade through 42,815 events, trying to pick out the relatively few failure events, or we can write a script that returns only<\/I> failure events. Even for the Scripting Guys that wasn\u2019t a very tough decision to make.<\/P>\n

Here\u2019s a script that returns just audit failures, warnings, and errors from all your event logs:<\/P>

strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:” _\n    & “{(Security)}\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colLoggedEvents = objWMIService.ExecQuery _\n    (“Select * From Win32_NTLogEvent Where EventType <> 4 AND EventType <> 8”)<\/p>\n
For Each objEvent in colLoggedEvents\n    Wscript.Echo “Category: ” & objEvent.Category\n    Wscript.Echo “Event Code: ” & objEvent.EventCode\n    Wscript.Echo “Message: ” & objEvent.Message\n    Wscript.Echo “Record Number: ” & objEvent.RecordNumber\n    Wscript.Echo “Source Name: ” & objEvent.SourceName\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\n    Wscript.Echo “Event Type: ” & objEvent.EventType\nNext\n<\/PRE>\n
Having shown you the script we should point out that this one runs only on Windows XP and Windows Server 2003. But don\u2019t panic: we\u2019ll show you a modified version in a minute or two that will work on Windows 2000.<\/P>\n
Hey, no need to thank us; that\u2019s what we\u2019re here for. <\/P>\n
To begin with, we need to bind to the WMI service on the computer in question (in this sample script, that\u2019s the local computer). You might notice that, when making this connection, we included the (Security)<\/B> privilege in the moniker string:<\/P>
Set objWMIService = GetObject(“winmgmts:” _\n    & “{(Security)}\\\\” & strComputer & “\\root\\cimv2”)\n<\/PRE>\n
Is that important? Well, one of the things we want to retrieve is audit failures. Audit failures are recorded in the Security event log; if you don\u2019t include the (Security) privilege you will not<\/I> be able to retrieve events from the Security event log. Yes, we know you\u2019re an administrator on the machine. Doesn\u2019t matter: the (Security) privilege is still required in order to retrieve items from the Security event log.<\/P>\n
In other words, yes, it\u2019s important.<\/P>\n
Next we issue the following WQL query, which limits the records retrieved to audit failures, warnings, and errors:<\/P>
Set colLoggedEvents = objWMIService.ExecQuery _\n    (“Select * From Win32_NTLogEvent Where EventType <> 4 AND EventType <> 8”)\n<\/PRE>\n
What do you mean it\u2019s not obvious how the query does this? It – oh, right: it\u2019s not<\/I> very obvious, is it? Well, as it turns out, the EventType<\/B> property indicates the type of record being written to the event log; furthermore, EventType will always be one of the following values:<\/P>\n\n<\/THEAD>\n\n\n\n\n\n\n\n
\n
Value<\/B><\/P><\/TD>\n
\n
Meaning<\/B><\/P><\/TD><\/TR>\n
\n
1<\/P><\/TD>\n
\n
Error<\/P><\/TD><\/TR>\n
\n
2<\/P><\/TD>\n
\n
Warning<\/P><\/TD><\/TR>\n
\n
4<\/P><\/TD>\n
\n
Information<\/P><\/TD><\/TR>\n
\n
8<\/P><\/TD>\n
\n
Security audit success<\/P><\/TD><\/TR>\n
\n
16<\/P><\/TD>\n
\n
Security audit failure<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
In our query, we asked for all the events where the EventType did not equal 4 (information events) and<\/I> where the EventType does not equal 8 (security audit success). That filters out information and security audit success events; for example, an information event equals 4, which causes it to be excluded from the returned data. In turn, that leaves just three event types to be retrieved: audit failures, warnings, and errors. Coincidentally, those just happen to be the three event types you\u2019re interested in.<\/P>\n
The rest of the script is nothing more than a For Each loop that echoes back pertinent information for each event. As we are wont to say: problem solved.<\/P>\n
Well, unless you\u2019re running on Windows 2000, that is. That\u2019s because the EventType property isn\u2019t found on Windows 2000; instead, the Win32_NTLogEvent class uses the Type<\/B> property. On Windows 2000, Type will be one of the following string values:<\/P>\n\n<\/THEAD>\n\n\n\n\n\n\n\n
\n
Value<\/B><\/P><\/TD>\n
\n
Meaning<\/B><\/P><\/TD><\/TR>\n
\n
error<\/P><\/TD>\n
\n
Error<\/P><\/TD><\/TR>\n
\n
warning<\/P><\/TD>\n
\n
Warning<\/P><\/TD><\/TR>\n
\n
information<\/P><\/TD>\n
\n
Information<\/P><\/TD><\/TR>\n
\n
audit success<\/P><\/TD>\n
\n
Security audit success<\/P><\/TD><\/TR>\n
\n
audit failure<\/P><\/TD>\n
\n
Security audit failure<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
To get our script to work on Windows 2000, we need to filter on the Type property, eliminating records of type information<\/B> and type audit success<\/B>. Our revised WQL query looks like this:<\/P>
Set colLoggedEvents = objWMIService.ExecQuery _\n    (“Select * From Win32_NTLogEvent Where Type <> ‘information’ AND Type <> ‘audit success'”)\n<\/PRE>\n
And the revised script looks something like this:<\/P>
strComputer = “.”<\/p>\n
Set objWMIService = GetObject(“winmgmts:” _\n    & “{(Security)}\\\\” & strComputer & “\\root\\cimv2”)<\/p>\n
Set colLoggedEvents = objWMIService.ExecQuery _\n    (“Select * From Win32_NTLogEvent Where Type <> ‘information’ AND Type <> ‘audit success'”)<\/p>\n
For Each objEvent in colLoggedEvents\n    Wscript.Echo “Category: ” & objEvent.Category\n    Wscript.Echo “Event Code: ” & objEvent.EventCode\n    Wscript.Echo “Message: ” & objEvent.Message\n    Wscript.Echo “Record Number: ” & objEvent.RecordNumber\n    Wscript.Echo “Source Name: ” & objEvent.SourceName\n    Wscript.Echo “Time Written: ” & objEvent.TimeWritten\n    Wscript.Echo “Event Type: ” & objEvent.Type\nNext\n<\/PRE>\n
There you go.<\/P>\n
Incidentally, the fact that we had 42,815 events doesn\u2019t mean we don\u2019t back up and clear our event logs on a regular basis. Instead, we let these records accumulate so that we\u2019d \u2026 have a better example to use for today\u2019s column. Now that the column is finished, we\u2019ll probably back up and clear the event log, just like you\u2019re supposed to.<\/P>\n
No, not today, mind you. But soon, very soon \u2026.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I retrieve just audit failures, warnings, and errors from my event logs?— OG Hey, OG. You know, just for the heck of it, we decided to check the event logs on one of our computers to see whether this was a task worth doing. In the Security event log on […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,98,3,5],"class_list":["post-68973","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-logs-and-monitoring","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I retrieve just audit failures, warnings, and errors from my event logs?— OG Hey, OG. You know, just for the heck of it, we decided to check the event logs on one of our computers to see whether this was a task worth doing. In the Security event log on […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68973"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68973\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}