Part II: Windows VBScript and JScript
Chapter 12: Working with the Windows Registry and Event Logs
Argument   Description
/f         Sets the output file name. If none is specified, the output is sent to the standard output stream.
/format    Sets the output format for event fields. Formatting is discussed later in this chapter.
/l         Examines the specified log, such as system, application, or security.
/m         Filters for events logged by source.
/ns        Specifies that the description should not be dumped.
/r         Reverses the source filtering for /m. All events except those logged by the source are dumped.
/s         Sets the name of the remote server to use.
/t         Uses a tab to separate fields. If not specified, a space is used.
Using Dumpel
Working with Dumpel is a lot easier than you might imagine, especially after seeing that long list of arguments. With Dumpel, the event log you want to examine is specified with the /l switch. Follow the /l switch with the log type, such as system, application, or security. If you use the /l switch without specifying any other switches, the utility dumps the specified log on the current system to the command line. To dump logs to a file, use the /f switch and specify a file name. The following example dumps the system log to a file on a shared network drive:
dumpel /l system /f \\ZETA\DATA\LOG\%computername%.log
If the local system is named Gandolf, the result would be a text file named Gandolf.log. The file would contain the entire contents of the system log and each field would be separated with a space. Although Dumpel works with the local system by default, you can access event logs on remote systems as well. Use the /s switch to specify the system name. For example:
dumpel /l system /f omega-sys.log /s omega
Fields in the event entry are normally separated by spaces, but you can use /t to specify tabs or /c to specify commas as delimiters. You can also use the /format switch to determine which fields to store in the event entries, and their exact order. To do this, follow the /format switch with any combination of the modifiers shown in Table 12-6. The following example dumps the security log on the local system and restricts output to the date, time, event ID, and event type fields:
dumpel /l security /format dtIT
TABLE 12-6
Formatting Modifiers for Dumpel
Modifier   Description
C          Event category
c          Computer name
d          Date
I          Event ID
s          Event comment string
S          Event source
t          Time of day
T          Event type
U          Username
To search the event logs for specified events by identifier, use the /e switch and then enter one to 10 event identifiers. Each event must be separated with a space. You must also specify an event source, such as LicenseService or WINS. The following example shows how you can track multiple events in the system log:
dumpel /l system /f loc-sys.log /e 401 402 403 404 405 /m netlogon
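The /format modifiers of Table 12-6 and the /e event-ID filter above can be reproduced on a saved dump. The following is an added example, not code from the book: it assumes the dump was produced with /t (tab-separated fields) together with /format, names each column from the modifier letters, reports lines that do not match the expected field count instead of misreading them, and then keeps only the event IDs of interest. The sample lines are constructed, not captured from a real system.

```javascript
// Added example, not from the book: parse the tab-delimited output that
// "dumpel /t /format <modifiers>" is assumed to produce, naming each column
// from the Table 12-6 modifier letters, then filter by event ID the way /e does.
// The sample lines below are constructed, not captured from a real system.

// Field name for each formatting modifier (Table 12-6).
const MODIFIER_FIELDS = {
  C: "category", c: "computer", d: "date", I: "eventId", s: "description",
  S: "source", t: "time", T: "type", U: "user",
};

// Turn Dumpel's text output into records. A line whose field count does not
// match the modifier string is collected as malformed rather than misread.
function parseDumpel(text, modifiers) {
  const names = Array.from(modifiers, (m) => {
    if (!(m in MODIFIER_FIELDS)) throw new Error("unknown modifier: " + m);
    return MODIFIER_FIELDS[m];
  });
  const records = [];
  const malformed = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "") continue;
    const cols = line.split("\t");
    if (cols.length !== names.length) { malformed.push(line); continue; }
    const rec = {};
    names.forEach((n, i) => { rec[n] = cols[i].trim(); });
    if ("eventId" in rec) rec.eventId = Number(rec.eventId);
    records.push(rec);
  }
  return { records, malformed };
}

// Keep only records whose event ID is in the list (one to ten IDs, like /e).
function filterByEventId(records, ids) {
  if (ids.length < 1 || ids.length > 10) throw new Error("give 1 to 10 event IDs");
  const wanted = new Set(ids);
  return records.filter((r) => wanted.has(r.eventId));
}

// Constructed sample of what "dumpel /l system /t /format dtIT" could return,
// plus one deliberately broken line.
const SAMPLE = [
  "1/21/2009\t13:26:55\t401\tError",
  "1/21/2009\t13:27:02\t6005\tInformation",
  "1/21/2009\t13:30:11\t402\tWarning",
  "this line is not a valid record",
].join("\n");

const parsed = parseDumpel(SAMPLE, "dtIT");
const hits = filterByEventId(parsed.records, [401, 402, 403, 404, 405]);
console.log(hits.length + " matching events, " +
            parsed.malformed.length + " malformed line(s)");
```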
TIP: The Windows Resource Kit contains a comprehensive database of events and their meaning. If you've installed the resource kit, look for the Windows Event Log Database in the Tools A to Z listing.
When you use the /m switch, you can search for events logged by specified sources, such as Netlogon or WINS. Unfortunately, you cannot specify multiple sources, but you can use the /r switch with the /m switch to specify that you want to see all events except those for the specified source. In the following example, you search for events logged by the Netlogon service:
dumpel /l system /f loc-sys.log /m netlogon
In this example, you search for all events except those logged by Netlogon:
dumpel /l system /f loc-sys.log /m netlogon /r
CAUTION: Watch out; if you combine /r, /m, and /e, you'll get a list of all events except the designated events for the specified source.
You'll often have existing log files and may not need to create new ones. In this case, use the /b switch to search the existing log file specified with /l. In the following example, you search the loc-sec.log:
dumpel /b /l loc-sec.log /e 401
In this example, you search the loc-sec.log and write the results to a file:
dumpel /b /l loc-sec.log /e 401 /f sec-e401.log
So far we’ve focused on how Dumpel works and how you can use Dumpel from the command line. 
Now let’s look at how you can work with Dumpel in scripts.
Working with Dumpel in scripts
Dumpel is a command-line utility and, as with other command-line utilities, you can run it within a Windows script using the Run method of the WshShell object. As discussed in Chapter 6, the basic syntax for Run is:
object.Run("command", [winStyle], [waitOnReturn])
When you use the Run method, you can pass Dumpel any necessary arguments in the command parameter. An example of this is shown as Listing 12-8.
LISTING 12-8
Reading an Event Log with Dumpel
VBScript
readlog.vbs
Set ws = WScript.CreateObject("WScript.Shell")
' Run Dumpel in a hidden window (style 0) and wait for it to finish; ret is its exit code
ret = ws.Run("dumpel /l system /f loc-sys.log /m netlogon", 0, True)
If ret = 0 Then
 ws.LogEvent 0, "ReadLog.VBS Script Completed Successfully"
Else
 ws.LogEvent 1, "Error executing ReadLog.VBS"
End If
JScript
readlog.js
var ws = WScript.CreateObject("WScript.Shell");
// Run Dumpel in a hidden window (style 0) and wait for it to finish; ret is its exit code
var ret = ws.Run("dumpel /l system /f loc-sys.log /m netlogon", 0, true);
if (ret == 0) {
 //successful execution
 ws.LogEvent(0, "ReadLog.JS Script Completed Successfully")
}
else {
 //failed execution
 ws.LogEvent(1, "Error executing ReadLog.JS")
}
If you are dumping multiple event logs or event logs on multiple systems, you can enter additional Run statements in the script. Listing 12-9 shows how you can examine the system, security, and application logs on a remote server, and then store the logs on a network drive. Keep in mind that if you run this script as a scheduled task, you'll need to map the drive before you can use it as discussed in Chapter 10.
LISTING 12-9
Working with Multiple Logs
VBScript
createlogs.vbs
Set ws = WScript.CreateObject("WScript.Shell")
c = ws.ExpandEnvironmentStrings("%computername%")
' Each Run returns the exit code of dumpel; the sum is 0 only when every run returned 0
ret = ws.Run("dumpel /l system /f \\ash\log\" & c & "-sys.log", 0, True)
ret = ret + ws.Run("dumpel /l security /f \\ash\log\" & c & "-sec.log", 0, True)
ret = ret + ws.Run("dumpel /l application /f \\ash\log\" & c & "-app.log", 0, True)
If ret = 0 Then
 ws.LogEvent 0, "CreateLogs.VBS Script Completed Successfully"
Else
 ws.LogEvent 1, "Error executing CreateLogs.VBS"
End If
JScript
createlogs.js
var ws = WScript.CreateObject("WScript.Shell")
var c = ws.ExpandEnvironmentStrings("%computername%")
// Each Run returns the exit code of dumpel; the sum is 0 only when every run returned 0
var ret = ws.Run("dumpel /l system /f \\\\ash\\log\\" + c + "-sys.log", 0, true)
ret += ws.Run("dumpel /l security /f \\\\ash\\log\\" + c + "-sec.log", 0, true)
ret += ws.Run("dumpel /l application /f \\\\ash\\log\\" + c + "-app.log", 0, true)
if (ret == 0) {
 //successful execution
 ws.LogEvent(0, "CreateLogs.JS Script Completed Successfully")
}
else {
 //failed execution
 ws.LogEvent(1, "Error executing CreateLogs.JS")
}
Generating Event Log Reports
Event logs are only useful if you can analyze the information they contain. One way to do this is to 
create a daily event log report for key systems on the network and then publish the results on the 
corporate intranet. Let’s break this process down into a series of steps and then analyze how each 
step can be implemented.
Step 1: Creating the logs
Step one is to create a script that dumps logs on critical systems and stores the logs on a network 
drive. If these systems are named Gandolf, Bilbo, and Dragon, the first part of the script would look 
like Listing 12-10. Each time you run the script, the original logs are overwritten.
LISTING 12-10
Creating Logs for the Report
JScript
logstep1.js
var ret; ret=0
var ws = WScript.CreateObject("WScript.Shell")
//create array of computers to check from string; no spaces
computers = "gandolf,bilbo,dragon"
sysArray = computers.split(",")
//create array of logs to check from string; no spaces
logs = "system,application,security"
logArray = logs.split(",")
//examine each item in the systems array and then the log array
for (s in sysArray) {
 for (l in logArray) {
    //dump today's events (/d 1), without descriptions (/ns), from the remote system (/s)
    ws.Run("dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, true)
    WScript.Echo("Executing dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s])
 }
}
The output from the script tells you what the script is doing and can really help in understanding 
the script’s logic. The output looks like this:
Executing dumpel /l system /f \\zeta\corpdatashare\gandolf-system.log /d 1 /ns /s gandolf
Executing dumpel /l application /f \\zeta\corpdatashare\gandolf-application.log /d 1 /ns /s gandolf
Executing dumpel /l security /f \\zeta\corpdatashare\gandolf-security.log /d 1 /ns /s gandolf
Executing dumpel /l system /f \\zeta\corpdatashare\bilbo-system.log /d 1 /ns /s bilbo
Executing dumpel /l application /f \\zeta\corpdatashare\bilbo-application.log /d 1 /ns /s bilbo
Executing dumpel /l security /f \\zeta\corpdatashare\bilbo-security.log /d 1 /ns /s bilbo
Executing dumpel /l system /f \\zeta\corpdatashare\dragon-system.log /d 1 /ns /s dragon
Executing dumpel /l application /f \\zeta\corpdatashare\dragon-application.log /d 1 /ns /s dragon
Executing dumpel /l security /f \\zeta\corpdatashare\dragon-security.log /d 1 /ns /s dragon
As you can see from the output, the script dumps the logs for the first system specified in the computers variable, and then dumps the logs for the second system, and so on. The order of the logs is specified in the logs variable. The output contains events for the current day only (/d 1) and does not contain descriptions (/ns).
To dump the log files daily, you can schedule the script to run with the Task Scheduler. Scheduling 
scripts to run periodically is covered in Chapter 13. Rather than dumping the log to a file and then 
browsing the file in a text editor, it would be a lot easier if you could browse the file on the corporate 
intranet. Before you do this, you may want to clean up the files, search for specific events, or format 
the files in HTML.
Step 2: Formatting the logs for viewing
You can format the logs for viewing in many different ways. If you are running the script manually, 
the easiest way to do this is to display the contents of each log file in a pop-up dialog box. The code 
that does this is shown in Listing 12-11. Figure 12-3 shows sample output for a log file.
LISTING 12-11
Displaying the Log Reports in a Pop-up Dialog Box
JScript
logstep2a.js
var ret; ret=0
var ws = WScript.CreateObject("WScript.Shell")
//create array of computers to check from string; no spaces
computers = "gandolf,bilbo,dragon"
sysArray = computers.split(",")
//create array of logs to check from string; no spaces
logs = "system,application,security"
logArray = logs.split(",")
//examine each item in the systems array and then the log array
for (s in sysArray) {
 for (l in logArray) {
    ws.Run("dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, true)
    WScript.Echo("Executing dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s])
 }
}
ForReading = 1
//read each dumped log back and show it in a pop-up that closes itself after 60 seconds
for (s in sysArray) {
 for (l in logArray) {
  fname = "\\\\zeta\\corpdatashare\\" + sysArray[s] + "-" + logArray[l] + ".log"
  var fs = new ActiveXObject("Scripting.FileSystemObject");
  var f = fs.OpenTextFile(fname, ForReading, true)
  fContents = f.ReadAll()
  f.Close()
  a = ws.Popup(fContents, 60, "Display File", 1)
 }
}
FIGURE 12-3
Viewing partial logs in a pop-up dialog box
As you can see from the listing, For loops are used to display the contents of each log in turn. These For loops are implemented in the same way as the For loops that dump the logs in the first place. The key difference is that instead of dumping logs, you are reading the contents of the logs and displaying them in a pop-up dialog box. You can extend this technique to format the logs as HTML, which then makes the daily log report easier to work with.
Listing 12-12 shows how you can add an HTML header and footer to the log files. Don't worry — we'll analyze the script one step at a time following the listing.
LISTING 12-12
Creating HTML Documents for the Log Reports
JScript
logreports.js
// ************************
// Script: The Log Reporter
// Version: 1.1.5
// Creation Date: 02/15/2007
// Last Modified: 02/15/2007
// Author: William R. Stanek
// Email: williamstanek@aol.com
// Copyright (c) 2007 William R. Stanek
// ************************
// Description: Uses the Dumpel utility to dump specified
//              logs on local and remote systems. The script
//              then generates reports formatted as HTML.
//
// Maintenance: When installing this script, you should update
//              computers, logs, netDrive and fname.
//              Computers sets the name of the systems to check.
//              Logs sets the type of event logs to dump.
//              netDrive sets the log creation directory.
//              fname sets the full file path to the publishing directory for
//              the HTML reports.
// ************************
theMonth = new Array(12)
theMonth[1] = "January"
theMonth[2] = "February"
theMonth[3] = "March"
theMonth[4] = "April"
theMonth[5] = "May"
theMonth[6] = "June"
theMonth[7] = "July"
theMonth[8] = "August"
theMonth[9] = "September"
theMonth[10] = "October"
theMonth[11] = "November"
theMonth[12] = "December"
theDays = new Array(7)
theDays[1] = "Sunday"
theDays[2] = "Monday"
theDays[3] = "Tuesday"
theDays[4] = "Wednesday"
theDays[5] = "Thursday"
theDays[6] = "Friday"
theDays[7] = "Saturday"
//returns a date as "Weekday, Month Day" (getDay and getMonth are zero-based)
function theDate(aDate) {
   var currentDay = theDays[aDate.getDay() + 1]
   var currentMonth = theMonth[aDate.getMonth() + 1]
   return currentDay + ", " + currentMonth + " " + aDate.getDate()
}
var ret; ret=0
var ws = WScript.CreateObject("WScript.Shell")
//create array of computers to check from string; no spaces
computers = "gandolf,bilbo,dragon"
sysArray = computers.split(",")
//sets the network drive where logs are created
netDrive = "\\\\zeta\\corpdatashare\\"
//create array of logs to check from string; no spaces
logs = "system,application,security"
logArray = logs.split(",")
//examine each item in the systems array and then the log array
for (s in sysArray) {
 for (l in logArray) {
    ws.Run("dumpel /l " + logArray[l] + " /f " + netDrive + sysArray[s] + "-" +
logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, true)
    WScript.Echo("Executing dumpel /l " + logArray[l] + " /f " + netDrive +
sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s])
 }
}
ForReading = 1
ForAppending = 8
for (s in sysArray) {
 for (l in logArray) {
  fname = "\\\\zeta\\corpdatashare\\" + sysArray[s] + "-" + logArray[l]
  var fs = new ActiveXObject("Scripting.FileSystemObject");
  var f = fs.OpenTextFile(fname + ".log", ForReading, true)
  fContents = f.ReadAll()
  f.Close()
  f = fs.OpenTextFile(fname + ".html", ForAppending, true)
  //document header: title, heading and the report date
  fHeader = "<html><head><title>Daily "
  fHeader += logArray[l]
  fHeader += " Log Report for "
  fHeader += sysArray[s]
  fHeader += "</title></head>"
  fHeader += "<body>"
  fHeader += "<h1>Daily "
  fHeader += logArray[l]
  fHeader += " Log Report for "
  fHeader += sysArray[s]
  fHeader += "</h1>"
  fHeader += "<h2>"
  today = new Date()
  fHeader += theDate(today)
  fHeader += "</h2>"
  //the log contents go into a preformatted text element
  fHeader += "<pre>"
  f.Write(fHeader)
  f.Write(fContents)
  //document footer, then close the file
  fFooter = "</pre></body></html>"
  f.Write(fFooter)
  f.Close()
 }
}
  fHeader = "<html><head><title>Daily "
  fHeader += logArray[l]
  fHeader += " Log Report for "
  fHeader += sysArray[s]
  fHeader += "</title></head>"
  fHeader += "<body>"
  fHeader += "<h1>Daily "
  fHeader += logArray[l]
  fHeader += " Log Report for "
  fHeader += sysArray[s]
  fHeader += "</h1>"
  fHeader += "<h2>"
  today = new Date()
  fHeader += theDate(today)
  fHeader += "</h2>"
After creating the header, the code starts a preformatted text element in which the contents of the 
log file are placed. The code then writes the document header and contents:
  fHeader += "<pre>"
  f.Write(fHeader)
  f.Write(fContents)
The final steps are to write the document footer and then close the file:
  fFooter = "</pre></body></html>"
  f.Write(fFooter)
  f.Close()
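Listing 12-12 writes fContents into the page exactly as Dumpel produced it, and event text comes from whatever program wrote the event, so any < > or & in a description would be read by the browser as markup. The following is an added example, not code from the book: it builds the same report structure in memory with every outside value escaped, and takes the log type, system name, report date and raw dump as strings. The sample dump is constructed.

```javascript
// Added example, not from the book: build the daily HTML report in memory with
// the dump escaped before it goes inside <pre>, so that < > & " ' in an event
// description are displayed literally instead of being parsed as markup.
// Listing 12-12 writes fContents as-is; this function replaces that step.
// The sample dump is constructed, not captured from a real system.

// Replace the characters that carry meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same layout as the listing: title, heading, report date, then the dump in
// a preformatted block. Every value from outside the script is escaped.
function buildReport(logName, systemName, dateText, dumpContents) {
  const title = "Daily " + escapeHtml(logName) + " Log Report for " + escapeHtml(systemName);
  return "<html><head><title>" + title + "</title></head><body>" +
    "<h1>" + title + "</h1>" +
    "<h2>" + escapeHtml(dateText) + "</h2>" +
    "<pre>" + escapeHtml(dumpContents) + "</pre>" +
    "</body></html>";
}

// Constructed sample dump; the first description contains markup-like text.
const SAMPLE_DUMP =
  "1/21/2009 13:26:55 Warning 1234 Netlogon <em>not emphasis</em> & more\n" +
  "1/21/2009 13:27:02 Information 6005 EventLog Service started\n";

const report = buildReport("system", "gandolf", "Wednesday, January 21", SAMPLE_DUMP);
console.log(report);
```

In the WSH script the returned string would be written with f.Write in place of the fHeader, fContents and fFooter writes.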
