Retrieving Event Log Properties

Microsoft® Windows® 2000 Scripting Guide

Knowing the properties of your event logs can be useful in planning management activities such as backing up and clearing the logs. For example, knowing both the maximum allowable size and the current size of an event log tells you how much space is available in the log. In turn, this helps you decide whether the log needs to be backed up and cleared.

In addition, tracking the number of records in each log is a simple metric that can often trigger alarms regarding potential problems. For example, suppose routine checks of the number of records in an event log show that a specific computer typically records 100 events a day. Today, however, this routine check shows that the computer has recorded 500 events. This might indicate a serious problem that warrants further investigation.

The WMI class Win32_NTEventLogFile can be used to retrieve the properties of any event log on a computer. Some of the most important event log properties you can retrieve by using WMI are shown in Table 12.1.

Table 12.1 Event Log Properties Available Through WMI

  FileSize
    Current size of the event log, in bytes.

  LogFileName
    "Friendly" name for the event log (for example, System). To return the actual path and file name of the event log (for example, C:\Windows\System32\Config\Sysevent.evt), use the Name property instead.

  MaxFileSize
    Maximum allowable size (in bytes) for the event log. Although event logs can be sized as large as 4 gigabytes, in practice they should be limited to no more than 300 megabytes. Event logs larger than that can be difficult to analyze because of the number of events contained within the log and because event logs are not optimized for data retrieval.

  Name
    Full path and file name for the event log.

  NumberOfRecords
    Number of records in the event log.

  OverwriteOutdated
    Number of days after which a record can be overwritten should an event log reach its maximum size. Values are:
      0 - Any record can be overwritten as needed; all existing events in the event log can be overwritten to make room for new events.
      1-365 - Events older than the specified number of days can be overwritten as needed. If the event log does not contain any records older than the specified value, no new events will be recorded until the log has been cleared.
      4294967295 - No records can be overwritten. If the log reaches its maximum size, no new events will be recorded until the log has been cleared.

  OverwritePolicy
    Current overwrite policy for the event log. Values are:
      WhenNeeded - Any record can be overwritten to make room for new records.
      OutDated - Records older than a specified number of days can be overwritten to make room for new records.
      Never - Old records are never overwritten.

The Event Log properties and methods available through WMI map to the event log properties as seen in Event Viewer. This relationship is shown in Figure 12.1.

Figure 12.1 Win32_NTEventLogFile Properties and Methods


Scripting Steps

There are several ways to retrieve the properties of event logs. For example, you might want to:

  • Retrieve the properties of multiple event logs.

  • Retrieve the properties of a single event log.

  • Retrieve the properties of the Security event log.

Retrieving the properties of multiple event logs

Listing 12.1 contains a script that retrieves the properties of multiple event logs on a single computer. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.

  2. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."

  3. Use the ExecQuery method to query the Win32_NTEventLogFile class.

    This returns a collection consisting of all the event logs on the computer, except the Security event log. The additional step required to return information from the Security event log is discussed later in this chapter.

  4. For each event log in the collection, echo the event log properties LogFileName, MaxFileSize, and OverWriteOutdated.

    If you configure an event log so that it never overwrites events, you actually set the OverWriteOutdated property to 4294967295. If the value 4294967295 is returned, the script displays the string "Overwrite Outdated Records: Never." If the value 0 is returned, this means the log has been configured to overwrite records as needed. To make this clear, the script displays the message "Overwrite Outdated Records: As Needed."

Listing 12.1 Retrieving the Properties of Multiple Event Logs

  strComputer = "."
  ' Connect to the WMI repository on the target computer ("." is the local machine).
  Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  ' Without the Security privilege in the moniker, this collection omits the Security log.
  Set objInstalledLogFiles = objWMIService.ExecQuery _
      ("SELECT * FROM Win32_NTEventLogFile")
  For Each objLogfile In objInstalledLogFiles
      Wscript.Echo "Name: " & objLogfile.LogFileName
      Wscript.Echo "Maximum Size: " & objLogfile.MaxFileSize
      ' OverwriteOutdated is 4294967295 for "Never", 0 for "As needed", else a day count.
      If objLogfile.OverWriteOutdated > 365 Then
          Wscript.Echo "Overwrite Outdated Records: Never." & VbCrLf
      ElseIf objLogfile.OverWriteOutdated = 0 Then
          Wscript.Echo "Overwrite Outdated Records: As needed." & VbCrLf
      Else
          Wscript.Echo "Overwrite Outdated Records After: " & _
              objLogfile.OverWriteOutdated & " days" & VbCrLf
      End If
  Next

Retrieving a property of a single event log

Listing 12.2 contains a script that retrieves the number of records in the System event log. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.

  2. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."

  3. Use the ExecQuery method to query the Win32_NTEventLogFile class.

    To limit the data returned to the System event log, include a Where clause specifying the LogFileName "System". This returns a collection of event logs with a single item: the System event log.

  4. For the only event log in the collection, echo the value of the NumberOfRecords property.

Listing 12.2 Retrieving a Property in a Single Event Log

  strComputer = "."
  Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  ' The WHERE clause narrows the collection to the single System event log.
  Set colLogFiles = objWMIService.ExecQuery _
      ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='System'")
  For Each objLogFile In colLogFiles
      Wscript.Echo objLogFile.NumberOfRecords
  Next

Retrieving the properties of the Security event log

Scripts that retrieve information about the event logs on a computer do not retrieve information about the Security event log unless those scripts include the Security privilege. The ability to manipulate the Security event log is provided by the Manage auditing and security logs user right, which must be explicitly assigned. To manipulate the Security event log, you must include this privilege as part of the GetObject moniker, even if you are an administrator and have been assigned this right by default.

Note that the Security privilege does not grant you the ability to manage auditing and security logs. You must already possess this right (typically assigned through Group Policy), or the script will fail. To access information from or about the Security event log, you must possess the Manage auditing and security logs user right, and the script must include the Security privilege.

The results of querying event logs without including the Security privilege are shown in Table 12.2.

Table 12.2 Querying Event Logs Without Including the Security Privilege

  If You Attempt to Access                      You Will Retrieve
  All the event logs on a computer              Data for all the event logs except the Security event log
  Security event log plus a second event log    Data for only the second event log
  Only the Security event log                   No data

No special user rights are required to access any of the other event logs on a computer.
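A worked example of the property semantics in Table 12.1 and the silent omission described in Table 12.2, added here and not part of the Scripting Guide. It is Python rather than VBScript and does not query WMI: the rows are constructed to look like Win32_NTEventLogFile instances, and the function names (overwrite_policy, summarize, missing_logs, record_count_alarm) are this example's own.

```python
NEVER_OVERWRITE = 4294967295          # OverwriteOutdated value meaning "Never"
RECOMMENDED_MAX = 300 * 1024 * 1024   # the guide's 300 MB practical ceiling

# Constructed sample rows shaped like Win32_NTEventLogFile instances; a real
# run would fill these from the WMI query in Listing 12.1. No Security row is
# present, as happens when the (Security) privilege is left out of the moniker.
SAMPLE_LOGS = [
    {"LogFileName": "Application", "FileSize": 65536, "MaxFileSize": 524288,
     "NumberOfRecords": 120, "OverwriteOutdated": 7},
    {"LogFileName": "System", "FileSize": 458752, "MaxFileSize": 524288,
     "NumberOfRecords": 980, "OverwriteOutdated": 0},
    {"LogFileName": "DNS Server", "FileSize": 524288, "MaxFileSize": 524288,
     "NumberOfRecords": 1400, "OverwriteOutdated": NEVER_OVERWRITE},
]

def overwrite_policy(days):
    """Map an OverwriteOutdated value to the matching OverwritePolicy name."""
    if days == 0:
        return "WhenNeeded"
    if days == NEVER_OVERWRITE:
        return "Never"
    if 1 <= days <= 365:
        return "OutDated"
    raise ValueError(f"unexpected OverwriteOutdated value: {days}")

def summarize(log):
    """Free space, policy and whether a full log will stop recording events."""
    free = log["MaxFileSize"] - log["FileSize"]
    policy = overwrite_policy(log["OverwriteOutdated"])
    return {
        "name": log["LogFileName"],
        "free_bytes": free,
        "policy": policy,
        # A full log under Never drops new events until it is cleared; that is
        # an audit gap, and it is the one case decidable from size alone.
        "at_risk_of_dropping": free == 0 and policy == "Never",
        "oversized": log["MaxFileSize"] > RECOMMENDED_MAX,
    }

def missing_logs(requested, returned):
    """Names that were queried but are absent from the collection (Table 12.2):
    without the Security privilege the Security log is dropped with no error."""
    present = {log["LogFileName"] for log in returned}
    return [name for name in requested if name not in present]

def record_count_alarm(baseline_per_day, today, factor=3):
    """Flag a day whose record count exceeds the usual daily count by `factor`."""
    return today > baseline_per_day * factor
```

An empty collection from a Security-only query (the last row of Table 12.2) looks identical to a log with no instances, so checking missing_logs against what you asked for is the only way to tell the two apart.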

Listing 12.3 contains a script that retrieves the number of records in and the maximum file size of the Security event log. To carry out this task, the script must perform the following steps:

  1. Create a variable to specify the computer name.

  2. Use a GetObject call to connect to the WMI namespace root\cimv2, and set the impersonation level to "impersonate."

    Because special user rights are required to access the Security event log, the Security privilege must be included as part of the moniker.

  3. Use the ExecQuery method to query the Win32_NTEventLogFile class.

    To limit the data returned to the Security event log, include a Where clause specifying the LogFileName as "Security." This returns a collection of event logs with a single item: the Security event log.

  4. For the only item in the collection, echo the values for NumberOfRecords and MaxFileSize.

Listing 12.3 Retrieving the Properties of the Security Event Log

  strComputer = "."
  ' The (Security) privilege in the moniker is required to see the Security log;
  ' the caller must already hold the Manage auditing and security logs user right.
  Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate,(Security)}!\\" & _
      strComputer & "\root\cimv2")
  Set colLogFiles = objWMIService.ExecQuery _
      ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")
  For Each objLogFile In colLogFiles
      Wscript.Echo objLogFile.NumberOfRecords
      Wscript.Echo "Maximum Size: " & objLogFile.MaxFileSize
  Next