The book you need to succeed! Vbscript, jscript




Chapter 12: Working with the Windows Registry and Event Logs
FIGURE 12-1: Event Viewer displays events on local and remote computers.
FIGURE 12-2: To display events on a remote computer, select Another Computer and then enter the computer name or IP address.
Understanding event entries
When you select a log in the console tree, current entries for the log are displayed in the view pane. 
Each entry provides an overview of why, when, where, and how an event occurred. This information 
is organized under column headings that provide the following information:
Type: The type of event that occurred, such as an error event
Date: The date the event occurred

Part II: Windows VBScript and JScript

Time: The time the event occurred
Source: The component that generated the event
Category: The class of the event, such as Online Defragmentation or Logging/Recovery
Event: An identifier for the specific event that occurred
User: The user account that triggered the event
Computer: The computer name where the event occurred
You can obtain detailed information on an event by double-clicking its entry in the view pane. The 
additional information provided is:
Description: Provides a text description of the event
Record Data: Provides any data or error code output by the event
Of all the various kinds of information that you can gather from event logs, the most valuable for 
determining the relevance of an event is the event type. Event types include: 
Error: An event for an application, component, or service error. You should examine all error events.
Failure Audit: An event related to the failed execution of an action. If you are auditing user activities to help you monitor network security, you should keep track of all failed audit events.
Information: An information event, which is generally related to a successful action. You don’t need to watch information events closely, but may want to track totals on various categories of information events.
Success Audit: An event related to the successful execution of an action. You don’t need to watch these events closely, but may want to track totals on various categories of these events.
Warning: An event that may cause problems on the system, but isn’t necessarily the result of an error. You should examine all warning events.
Archiving event logs
On most servers, administrators will archive event logs periodically. When you archive event logs, you store logs for later use. Logs can be archived in three formats:
Event log format: This archive type is designed for viewing logs in Event Viewer. You can also access these logs from Dumpel, an event log analysis utility. To access an old log in Event Viewer, right-click Event Viewer in the console tree, point to New, and then select Log View. You can now load a previously saved log.
Text (Tab Delimited): This archive type works best for viewing in a text editor or word processor. Individual entries are placed on separate lines with each data column representing a field. Tabs are used to separate the fields.
Text (Comma Delimited): This archive type works best for importing logs into spreadsheets and databases. You can also work with the logs in Dumpel.
When you save log files to a comma-delimited file, each field in the event entry is separated by a 
comma. Example event entries look like this:
Error,08/15/2008,5:35:07 PM,LicenseService,None,202,N/A,ZETA
Information,08/15/2008,11:25:19 AM,SceCli,None,1704,N/A,ZETA
Information,08/15/2008,11:24:36 AM,ESENT,Logging/Recovery ,302,N/A,ZETA
Information,08/15/2008,11:24:31 AM,Remote Storage,Agent ,1000,N/A,ZETA
Information,08/15/2008,11:24:19 AM,ESENT,Logging/Recovery ,302,N/A,ZETA
Information,08/15/2008,11:22:49 AM,Oakley,None,542,N/A,ZETA
Information,08/15/2008,11:20:38 AM,ESENT,Logging/Recovery ,301,N/A,ZETA
Information,08/15/2008,11:20:35 AM,EvntAgnt,None,2018,N/A,ZETA
The format for the entries is as follows:
Type, Date, Time, Source, Category, Event, User, Computer
As you can see, the event description and record data are not saved with text-based archives. This saves space, and you won’t really need the detailed descriptions in most instances. If you do, you can use the event code to find the description. The Windows Resource Kit has an Event log database that provides detailed information on events and their meaning.
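The following is an added example, not code from the book: it parses a comma-delimited archive in the field order given above and applies the earlier guidance on event types, collecting Error, Warning, and Failure Audit entries for examination and keeping only totals for the rest. The function names, the last two sample lines, and the choice to skip lines without exactly eight fields are assumptions of this example; it is kept to ES3 syntax so the same file is also valid JScript.

```javascript
// Added example: triage a comma-delimited event log archive.
// Field order as given in the text.
var FIELDS = ["type", "date", "time", "source", "category", "event", "user", "computer"];
// Event types the text says to examine every time.
var REVIEW = { "Error": true, "Warning": true, "Failure Audit": true };

var SAMPLE = [
  "Error,08/15/2008,5:35:07 PM,LicenseService,None,202,N/A,ZETA",
  "Information,08/15/2008,11:24:36 AM,ESENT,Logging/Recovery ,302,N/A,ZETA",
  "Information,08/15/2008,11:24:19 AM,ESENT,Logging/Recovery ,302,N/A,ZETA",
  "Information,08/15/2008,11:22:49 AM,Oakley,None,542,N/A,ZETA",
  // The next two lines are constructed for this example.
  "Failure Audit,08/15/2008,11:21:02 AM,Security,Logon/Logoff ,529,SYSTEM,ZETA",
  "truncated,line"
].join("\r\n");

function trim(s) { return s.replace(/^\s+|\s+$/g, ""); }

// Parse one archived line; returns null unless it has exactly eight fields.
function parseEntry(line) {
  var parts = line.split(",");
  if (parts.length !== FIELDS.length) { return null; }
  var entry = {};
  for (var i = 0; i < FIELDS.length; i++) { entry[FIELDS[i]] = trim(parts[i]); }
  return entry;
}

// Collect entries to examine; count the rest per type and category.
function triage(text) {
  var lines = text.split(/\r?\n/);
  var result = { review: [], totals: {}, skipped: 0 };
  for (var i = 0; i < lines.length; i++) {
    if (trim(lines[i]) === "") { continue; }
    var e = parseEntry(lines[i]);
    if (e === null) { result.skipped++; continue; }
    if (REVIEW[e.type] === true) { result.review.push(e); continue; }
    var key = e.type + " | " + e.category;
    result.totals[key] = (result.totals[key] || 0) + 1;
  }
  return result;
}

var report = triage(SAMPLE);
var echo = (typeof WScript !== "undefined")
  ? function (s) { WScript.Echo(s); }
  : function (s) { console.log(s); };
echo(report.review.length + " to examine, " + report.skipped + " malformed");
```

A nonzero malformed count is worth checking by hand, because a field that itself contains a comma would shift every column after it.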
Writing to Event Logs
In Chapter 13, you learn how to create scripts that can run automatically, such as scripts that are 
scheduled to run periodically at a scheduled time, or scripts that run when a user logs on. To help 
you keep track of the success or failure of these scripts, you can write information related to the 
scripts directly to the application event log. In this way, when you are browsing or analyzing the 
logs, you’ll know immediately if scripts are running properly or failing.
Event logging basics
When you write events to the application event log, you specify the event ID and the event description. Windows Script Host then directs the event to the event logging service. The event logging service then:
Sets the event type based on the event identifier
Records the event with the current date and time
Sets the source as WSH and the category as None
Sets the event ID based on the event type
Sets the user to N/A and then sets the computer name
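The following is an added example, not code from the book: a wrapper that runs a script task and records its success or failure in the application event log through the Windows Script Host WshShell.LogEvent method. The names runAndLog and cleanMessage, the script name, and the message length cap are assumptions of this example; the shell object is passed in so the logic can be exercised without writing to a real log.

```javascript
// Added example: record a script's outcome in the application event log.
// WshShell.LogEvent type codes: 0 success, 1 error, 2 warning, 4 information.
var EVENT_SUCCESS = 0;
var EVENT_ERROR = 1;

// Collapse control characters so text taken from an error message cannot
// add extra lines to the event description. The 1024 cap is arbitrary.
function cleanMessage(text) {
  return String(text).replace(/[\x00-\x1f\x7f]+/g, " ").substring(0, 1024);
}

// Run task() and write one event saying whether it completed or failed.
// shell is any object with LogEvent(type, message), normally WScript.Shell.
function runAndLog(shell, scriptName, task) {
  try {
    task();
    shell.LogEvent(EVENT_SUCCESS, cleanMessage(scriptName + ": completed"));
    return true;
  } catch (e) {
    var detail = (e && e.message) ? e.message : e;
    shell.LogEvent(EVENT_ERROR, cleanMessage(scriptName + ": failed: " + detail));
    return false;
  }
}

// Under Windows Script Host (cscript.exe), log one sample run.
if (typeof ActiveXObject !== "undefined") {
  var wsh = new ActiveXObject("WScript.Shell");
  runAndLog(wsh, "nightly-cleanup.js", function () {
    // Hypothetical task body goes here.
  });
}
```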
