{"id":69163,"date":"2005-08-16T20:19:00","date_gmt":"2005-08-16T20:19:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/08\/16\/how-can-i-monitor-the-event-logs-for-the-occurrence-of-a-specific-event\/"},"modified":"2005-08-16T20:19:00","modified_gmt":"2005-08-16T20:19:00","slug":"how-can-i-monitor-the-event-logs-for-the-occurrence-of-a-specific-event","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-monitor-the-event-logs-for-the-occurrence-of-a-specific-event\/","title":{"rendered":"How Can I Monitor the Event Logs for the Occurrence of a Specific Event?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" border=\"0\" alt=\"Hey, Scripting Guy! Question\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?<BR><BR>&#8212; JP<\/P><IMG border=\"0\" alt=\"Spacer\" src=\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\" width=\"5\" height=\"5\"><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" border=\"0\" alt=\"Hey, Scripting Guy! Answer\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" height=\"34\"><A href=\"http:\/\/go.microsoft.com\/fwlink\/?linkid=68779&amp;clcid=0x409\"><IMG class=\"farGraphic\" title=\"Script Center\" border=\"0\" alt=\"Script Center\" align=\"right\" src=\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" width=\"120\" height=\"288\"><\/A> \n<P>Hey, JP. Why, you use an event log monitoring script, of course. 
(Yes, it\u2019s hard to believe, but they really <I>do<\/I> pay us to come up with brilliant answers like that.)<\/P>\n<P>OK, maybe we should be a little more specific: you use an event log monitoring script similar to this one:<\/P><PRE class=\"codeSample\">strComputer = \".\"\n\n' Connect to WMI; {(Security)} requests the privilege needed to receive Security log events\nSet objWMIService = GetObject(\"winmgmts:{(Security)}\\\\\" &amp; _\n        strComputer &amp; \"\\root\\cimv2\")\n\n' Subscribe to new event log entries whose EventCode is 0\nSet colMonitoredEvents = objWMIService.ExecNotificationQuery _\n    (\"Select * from __InstanceCreationEvent Where \" _\n        &amp; \"TargetInstance ISA 'Win32_NTLogEvent' \" _\n            &amp; \"and TargetInstance.EventCode = '0' \")\n\n' Block on NextEvent and report each matching entry as it arrives\nDo\n    Set objLatestEvent = colMonitoredEvents.NextEvent\n    Wscript.Echo objLatestEvent.TargetInstance.User\n    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten\n    Wscript.Echo objLatestEvent.TargetInstance.Message\n    Wscript.Echo\nLoop\n<\/PRE>\n<P>We won\u2019t spend any time in this column discussing the ins and outs of monitoring WMI events; if you\u2019d like more information about event monitoring you might want to view our <A href=\"http:\/\/msevents.microsoft.com\/cui\/eventdetail.aspx?EventID=1032268754&amp;culture=en-US\" target=\"_blank\"><B>Scripting Week 2<\/B><\/A> webcast on the subject. Instead, we\u2019ll just mention that what we\u2019re going to do is create a script that \u201csubscribes\u201d to a WMI event log event. Each time an event with a specific <B>EventCode<\/B> (in this case 0) is written to one of the event logs, our script will be notified and will report back values for the <B>User<\/B>, <B>TimeWritten<\/B>, and <B>Message<\/B> properties. The script will then slip back into suspended animation and patiently wait for the next event 0 to occur.<\/P>\n<P>By the way, we chose event 0 because that\u2019s the event code for Windows Script Host events. 
That means you can use a script like this one to write an event 0 to the Application log and thus test your monitoring script to ensure that it works:<\/P><PRE class=\"codeSample\">Const EVENT_SUCCESS = 0\n\n' Write a test entry to the Application log via Windows Script Host\nSet objShell = Wscript.CreateObject(\"Wscript.Shell\")\nobjShell.LogEvent EVENT_SUCCESS, \"Event written to an event log using a script.\"\n<\/PRE>\n<P>As for the monitoring script, we begin by connecting to the WMI service. You might notice that when connecting to the WMI service we include the <B>{(Security)}<\/B> parameter. This allows us to subscribe to events written to <I>all<\/I> the event logs, including the Security log. Without this parameter we would receive events written from all the event logs <I>except<\/I> Security.<\/P>\n<P>Next we use the <B>ExecNotificationQuery<\/B> method to register for event log events. Our query itself looks like this:<\/P><PRE class=\"codeSample\">Set colMonitoredEvents = objWMIService.ExecNotificationQuery _\n    (\"Select * from __InstanceCreationEvent Where \" _\n        &amp; \"TargetInstance ISA 'Win32_NTLogEvent' \" _\n            &amp; \"and TargetInstance.EventCode = '0' \")\n<\/PRE>\n<P>What we\u2019re saying here is this: Show us all new instances of the <B>__InstanceCreationEvent<\/B> class, provided that the new instance happens to be a new entry to the event log (<B>Win32_NTLogEvent<\/B>) <I>and<\/I> the new entry has an EventCode of 0. 
If we wanted to monitor for different events (say, an event with the EventCode 528) all we\u2019d have to do is modify our query accordingly:<\/P><PRE class=\"codeSample\">Set colMonitoredEvents = objWMIService.ExecNotificationQuery _\n    (\"Select * from __InstanceCreationEvent Where \" _\n        &amp; \"TargetInstance ISA 'Win32_NTLogEvent' \" _\n            &amp; \"and TargetInstance.EventCode = '528' \")\n<\/PRE>\n<P>After that we set up a Do Loop with no exit condition (e.g., no <I>Do Until x = 1<\/I> kind of thing). This allows us to monitor events forever and ever: the script will continue to monitor until we reboot the computer or terminate the process under which the script runs. (Incidentally, you should run this script in a command window under CScript. If you run it under WScript, you\u2019ll have to click a bunch of message boxes any time an event 0 is written to the event log.)<\/P>\n<P>We then use this line of code to tell the script to sit there and wait for the next event to occur:<\/P><PRE class=\"codeSample\">Set objLatestEvent = colMonitoredEvents.NextEvent\n<\/PRE>\n<P>When a new event 0 <I>is<\/I> written to one of the event logs an exact copy of that event will be made available to our script; this replica object is known as the <B>TargetInstance<\/B>. At that point all we do is echo a few property values of this TargetInstance and then loop around and wait for the next event.<\/P>\n<P>In other words, to monitor the event logs for the occurrence of a specific event just use an event monitoring script. (If only we\u2019d said that in the first place\u2026.)<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?&#8212; JP Hey, JP. Why, you use an event log monitoring script, of course. (Yes, it\u2019s hard to believe, but they really do pay us to come up with brilliant answers like that.) 
OK, maybe we should be a [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[97,42,98,3,4,5],"class_list":["post-69163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-event-logs","tag-events-and-monitoring","tag-logs-and-monitoring","tag-scripting-guy","tag-scripting-techniques","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I monitor the event logs for the occurrence of a specific event?&#8212; JP Hey, JP. Why, you use an event log monitoring script, of course. (Yes, it\u2019s hard to believe, but they really do pay us to come up with brilliant answers like that.) OK, maybe we should be a [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69163"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69163\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69163"},{"taxonomy":"post_tag","embeddabl
e":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}