249 Working with the Windows Registry and Event Logs 12

Argument   Description
/f         Sets the output file name. If none is specified, the output is sent to the standard output stream.
/format    Sets the output format for event fields. Formatting is discussed later in this chapter.
/l         Examines the specified log, such as system, application, or security.
/m
250 Part II Windows VBScript and JScript

TABLE 12-6 Formatting Modifiers for Dumpel

Modifier   Description
C          Event category
c          Computer name
d          Date
I          Event ID
s          Event comment string
S          Event source
t          Time of day
T          Event type
U          Username
To search the event logs for specified events by identifier, use the /e switch and then enter one to 10 event identifiers. Each event must be separated with a space. You must also specify an event source, such as LicenseService or WINS. The following example shows how you can track multiple events in the system log:

dumpel /l system /f loc-sys.log /e 401 402 403 404 405 /m netlogon
TIP The Windows Resource Kit contains a comprehensive database of events and their meaning. If you’ve installed the resource kit, look for the Windows Event Log Database in the Tools A to Z listing.

When you use the /m switch, you can search for events logged by specified sources, such as Netlogon or WINS. Unfortunately, you cannot specify multiple sources, but you can use the /r switch with the /m switch to specify that you want to see all events except those for the specified source. In the following example, you search for events logged by the Netlogon service:

dumpel /l system /f loc-sys.log /m netlogon

In this example, you search for all events except those logged by Netlogon:

dumpel /l system /f loc-sys.log /m netlogon /r

CAUTION Watch out; if you combine /r, /m, and /e, you’ll get a list of all events except the designated events for the specified source.
86804c12.indd 250
1/21/09 1:26:55 PM
You’ll often have existing log files and may not need to create new ones. In this case, use the /b switch to search the existing log file specified with /l. In the following example, you search the loc-sec.log:

dumpel /b /l loc-sec.log /e 401

In this example, you search the loc-sec.log and write the results to a file:

dumpel /b /l loc-sec.log /e 401 /f sec-e401.log
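As an added example (not code from the book, and not part of Dumpel itself), the following JavaScript reads lines that Dumpel has already written to a file and applies the same /e, /m and /r selection rules described above to them, which is useful when an existing dump was created without the selection you now need. The field order is taken from the modifier letters of Table 12-6; the example assumes the file was produced with a tab-separated "dtTISsc" format, and the sample lines, event IDs and host name are constructed. It is written as plain ES5 so it runs under Node.js as well as under the WSH JScript engine used by the listings in this chapter, and filterEvents works for any format string that includes the I and S modifiers.

```javascript
// Added example, not from the book: parse a Dumpel dump and apply the /e, /m, /r
// selection rules to the parsed records.
// Assumption: fields are tab-separated and the dump used "/format dtTISsc"
// (letters from Table 12-6). Sample lines below are constructed, not real output.

// Modifier letter -> record field name (Table 12-6).
var FIELD_NAMES = {
  C: "category", c: "computer", d: "date", I: "eventId", s: "string",
  S: "source", t: "time", T: "type", U: "user"
};

// Map one tab-separated line onto field names according to the format letters.
function parseDumpelLine(line, format) {
  var parts = line.split("\t");
  var rec = {};
  for (var i = 0; i < format.length; i++) {
    var name = FIELD_NAMES[format.charAt(i)];
    if (!name) { throw new Error("unknown format modifier: " + format.charAt(i)); }
    rec[name] = parts[i] !== undefined ? parts[i] : "";
  }
  if (rec.eventId !== undefined) { rec.eventId = parseInt(rec.eventId, 10); }
  return rec;
}

// opts mirrors the switches: ids (/e, up to 10 IDs), source (/m), exclude (/r).
//   /m alone      -> events from that source
//   /m /r         -> everything except that source
//   /e /m         -> the listed IDs from that source
//   /e /m /r      -> everything except the listed IDs from that source (the CAUTION above)
function filterEvents(records, opts) {
  var ids = opts.ids || [];
  if (ids.length > 10) { throw new Error("Dumpel /e accepts at most 10 event IDs"); }
  if (ids.length > 0 && !opts.source) { throw new Error("/e requires a source given with /m"); }
  var out = [];
  for (var i = 0; i < records.length; i++) {
    var r = records[i];
    var sourceMatch = !opts.source || r.source.toLowerCase() === opts.source.toLowerCase();
    var idMatch = ids.length === 0 || ids.indexOf(r.eventId) !== -1;
    var designated = sourceMatch && idMatch;      // what /e and /m select
    if (opts.exclude ? !designated : designated) { out.push(r); }  // /r inverts it
  }
  return out;
}

// Constructed sample dump: date, time, type, ID, source, string, computer.
var SAMPLE_LOG = [
  "1/21/2009\t08:15:02\t1\t401\tNETLOGON\tconstructed sample event\tGANDOLF",
  "1/21/2009\t08:15:40\t4\t402\tNETLOGON\tconstructed sample event\tGANDOLF",
  "1/21/2009\t08:16:11\t4\t401\tWINS\tconstructed sample event\tGANDOLF",
  "1/21/2009\t08:17:00\t2\t900\tNETLOGON\tconstructed sample event\tGANDOLF"
];

// Parse every sample line with the assumed format string.
function loadSample() {
  var recs = [];
  for (var i = 0; i < SAMPLE_LOG.length; i++) {
    recs.push(parseDumpelLine(SAMPLE_LOG[i], "dtTISsc"));
  }
  return recs;
}

// Equivalent of: dumpel /b /l <file> /e 401 402 /m netlogon /r
var leftover = filterEvents(loadSample(), { ids: [401, 402], source: "netlogon", exclude: true });
for (var k = 0; k < leftover.length; k++) {
  // prints the WINS 401 event and the NETLOGON 900 event
  if (typeof console !== "undefined") { console.log(leftover[k].source, leftover[k].eventId); }
}
```

Because the selection is done on parsed records rather than by re-running Dumpel, the same dump can be searched with several criteria without touching the original log again, and the source comparison is case-insensitive to match the way the chapter mixes "netlogon" and "Netlogon".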
So far we’ve focused on how Dumpel works and how you can use Dumpel from the command line. Now let’s look at how you can work with Dumpel in scripts.
Working with Dumpel in scripts

Dumpel is a command-line utility and as with other command-line utilities, you can run it within a Windows script using the Run method of the WshShell object. As discussed in Chapter 6, the basic syntax for Run is:

object.Run("command", [winStyle], [waitOnReturn])

When you use the Run method, you can pass Dumpel any necessary arguments in the command parameter. An example of this is shown as Listing 12-8.
LISTING 12-8 Reading an Event Log with Dumpel

VBScript readlog.vbs

Set ws = WScript.CreateObject("WScript.Shell")
' Run Dumpel with a hidden window (style 0) and wait for it to finish
ret = ws.Run("dumpel /l system /f loc-sys.log /m netlogon", 0, True)
If ret = 0 Then
    ws.LogEvent 0, "ReadLog.VBS Script Completed Successfully"
Else
    ws.LogEvent 1, "Error executing ReadLog.VBS"
End If

JScript readlog.js

var ws = WScript.CreateObject("WScript.Shell");
// Run Dumpel with a hidden window (style 0) and wait for it to finish
var ret = ws.Run("dumpel /l system /f loc-sys.log /m netlogon", 0, true);
if (ret == 0) {
    // successful execution
    ws.LogEvent(0, "ReadLog.JS Script Completed Successfully");
}
else {
    // failed execution
    ws.LogEvent(1, "Error executing ReadLog.JS");
}
If you are dumping multiple event logs or event logs on multiple systems, you can enter additional Run statements in the script. Listing 12-9 shows how you can examine the system, security, and application logs on a remote server, and then store the logs on a network drive. Keep in mind that if you run this script as a scheduled task, you’ll need to map the drive before you can use it as discussed in Chapter 10.
LISTING 12-9 Working with Multiple Logs

VBScript createlogs.vbs

Set ws = WScript.CreateObject("WScript.Shell")
c = ws.ExpandEnvironmentStrings("%computername%")
' Accumulate the exit codes; a nonzero total flags a failed dump
ret = ws.Run("dumpel /l system /f \\ash\log\" & c & "-sys.log", 0, True)
ret = ret + ws.Run("dumpel /l security /f \\ash\log\" & c & "-sec.log", 0, True)
ret = ret + ws.Run("dumpel /l application /f \\ash\log\" & c & "-app.log", 0, True)
If ret = 0 Then
    ws.LogEvent 0, "CreateLogs.VBS Script Completed Successfully"
Else
    ws.LogEvent 1, "Error executing CreateLogs.VBS"
End If

JScript createlogs.js

var ws = WScript.CreateObject("WScript.Shell");
var c = ws.ExpandEnvironmentStrings("%computername%");
// Accumulate the exit codes; a nonzero total flags a failed dump
var ret = ws.Run("dumpel /l system /f \\\\ash\\log\\" + c + "-sys.log", 0, true);
ret += ws.Run("dumpel /l security /f \\\\ash\\log\\" + c + "-sec.log", 0, true);
ret += ws.Run("dumpel /l application /f \\\\ash\\log\\" + c + "-app.log", 0, true);
if (ret == 0) {
    // successful execution
    ws.LogEvent(0, "CreateLogs.JS Script Completed Successfully");
}
else {
    // failed execution
    ws.LogEvent(1, "Error executing CreateLogs.JS");
}
Generating Event Log Reports

Event logs are only useful if you can analyze the information they contain. One way to do this is to create a daily event log report for key systems on the network and then publish the results on the corporate intranet. Let’s break this process down into a series of steps and then analyze how each step can be implemented.

Step 1: Creating the logs

Step one is to create a script that dumps logs on critical systems and stores the logs on a network drive. If these systems are named Gandolf, Bilbo, and Dragon, the first part of the script would look like Listing 12-10. Each time you run the script, the original logs are overwritten.
LISTING 12-10 Creating Logs for the Report

JScript logstep1.js

var ret = 0;
var ws = WScript.CreateObject("WScript.Shell");
// create array of computers to check from string; no spaces
var computers = "gandolf,bilbo,dragon";
var sysArray = computers.split(",");
// create array of logs to check from string; no spaces
var logs = "system,application,security";
var logArray = logs.split(",");
// examine each item in the systems array and then the log array
for (var s in sysArray) {
    for (var l in logArray) {
        // /d 1 dumps the current day only, /ns omits descriptions, /s names the server
        ws.Run("dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
            sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, true);
        // Echo prints every argument it is given, so the trailing 0 and TRUE appear in the output
        WScript.Echo("Executing dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
            sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, "TRUE");
    }
}
The output from the script tells you what the script is doing and can really help in understanding the script’s logic. The output looks like this:
Executing dumpel /l system /f \\zeta\corpdatashare\gandolf-system.log /d 1 /ns /s gandolf 0 TRUE
Executing dumpel /l application /f \\zeta\corpdatashare\gandolf-application.log /d 1 /ns /s gandolf 0 TRUE
Executing dumpel /l security /f \\zeta\corpdatashare\gandolf-security.log /d 1 /ns /s gandolf 0 TRUE
Executing dumpel /l system /f \\zeta\corpdatashare\biblo-system.log /d 1 /ns /s biblo 0 TRUE
Executing dumpel /l application /f \\zeta\corpdatashare\biblo-application.log /d 1 /ns /s biblo 0 TRUE
Executing dumpel /l security /f \\zeta\corpdatashare\biblo-security.log /d 1 /ns /s biblo 0 TRUE
Executing dumpel /l system /f \\zeta\corpdatashare\dragon-system.log /d 1 /ns /s dragon 0 TRUE
Executing dumpel /l application /f \\zeta\corpdatashare\dragon-application.log /d 1 /ns /s dragon 0 TRUE
Executing dumpel /l security /f \\zeta\corpdatashare\dragon-security.log /d 1 /ns /s dragon 0 TRUE
As you can see from the output, the script dumps the logs for the first system specified in the computers variable, and then dumps the logs for the second system, and so on. The order of the logs is specified in the logs variable. The output contains events for the current day only (/d 1) and does not contain descriptions (/ns).
To dump the log files daily, you can schedule the script to run with the Task Scheduler. Scheduling scripts to run periodically is covered in Chapter 13. Rather than dumping the log to a file and then browsing the file in a text editor, it would be a lot easier if you could browse the file on the corporate intranet. Before you do this, you may want to clean up the files, search for specific events, or format the files in HTML.

Step 2: Formatting the logs for viewing

You can format the logs for viewing in many different ways. If you are running the script manually, the easiest way to do this is to display the contents of each log file in a pop-up dialog box. The code that does this is shown in Listing 12-11. Figure 12-3 shows sample output for a log file.
LISTING 12-11 Displaying the Log Reports in a Pop-up Dialog Box

JScript logstep2a.js

var ret = 0;
var ws = WScript.CreateObject("WScript.Shell");
// create array of computers to check from string; no spaces
var computers = "gandolf,bilbo,dragon";
var sysArray = computers.split(",");
// create array of logs to check from string; no spaces
var logs = "system,application,security";
var logArray = logs.split(",");
// examine each item in the systems array and then the log array
for (var s in sysArray) {
    for (var l in logArray) {
        ws.Run("dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
            sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, true);
        WScript.Echo("Executing dumpel /l " + logArray[l] + " /f \\\\zeta\\corpdatashare\\" +
            sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, "TRUE");
    }
}
// FileSystemObject IOMode constant for OpenTextFile
var ForReading = 1;
var fs = new ActiveXObject("Scripting.FileSystemObject");
var w = WScript.CreateObject("WScript.Shell");
// read each dumped log back in and show it in turn
for (var s in sysArray) {
    for (var l in logArray) {
        var fname = "\\\\zeta\\corpdatashare\\" + sysArray[s] + "-" + logArray[l] + ".log";
        var f = fs.OpenTextFile(fname, ForReading, true);
        var fContents = f.ReadAll();
        f.Close();
        // show the log for up to 60 seconds with OK and Cancel buttons (type 1)
        var a = w.Popup(fContents, 60, "Display File", 1);
    }
}
FIGURE 12-3 Viewing partial logs in a pop-up dialog box
As you can see from the listing, For loops are used to display the contents of each log in turn. These For loops are implemented in the same way as the For loops that dump the logs in the first place. The key difference is that instead of dumping logs, you are reading the contents of the logs and displaying them in a pop-up dialog box. You can extend this technique to format the logs as HTML, which then makes the daily log report easier to work with.

Listing 12-12 shows how you can add an HTML header and footer to the log files. Don’t worry — we’ll analyze the script one step at a time following the listing.
LISTING 12-12 Creating HTML Documents for the Log Reports

JScript logreports.js

// ************************
// Script: The Log Reporter
// Version: 1.1.5
// Creation Date: 02/15/2007
// Last Modified: 02/15/2007
// Author: William R. Stanek
// Email: williamstanek@aol.com
// Copyright (c) 2007 William R. Stanek
// ************************
// Description: Uses the Dumpel utility to dump specified
// logs on local and remote systems. The script
// then generates reports formatted as HTML.
//
// Maintenance: When installing this script, you should update
// computers, logs, netDrive and fname.
// Computers sets the name of the systems to check.
// Logs sets the type of event logs to dump.
// netDrive sets the log creation directory.
// fname sets the full file path to the publishing directory for
// the HTML reports.
// ************************
// month and day names, indexed from 1 to match getMonth() + 1 and getDay() + 1
var theMonth = new Array(12);
theMonth[1] = "January";
theMonth[2] = "February";
theMonth[3] = "March";
theMonth[4] = "April";
theMonth[5] = "May";
theMonth[6] = "June";
theMonth[7] = "July";
theMonth[8] = "August";
theMonth[9] = "September";
theMonth[10] = "October";
theMonth[11] = "November";
theMonth[12] = "December";
var theDays = new Array(7);
theDays[1] = "Sunday";
theDays[2] = "Monday";
theDays[3] = "Tuesday";
theDays[4] = "Wednesday";
theDays[5] = "Thursday";
theDays[6] = "Friday";
theDays[7] = "Saturday";
// formats a Date as "Weekday, Month day" for the report heading
function theDate(aDate) {
    var currentDay = theDays[aDate.getDay() + 1];
    var currentMonth = theMonth[aDate.getMonth() + 1];
    return currentDay + ", " + currentMonth + " " + aDate.getDate();
}
var ret = 0;
var ws = WScript.CreateObject("WScript.Shell");
// create array of computers to check from string; no spaces
var computers = "gandolf,bilbo,dragon";
var sysArray = computers.split(",");
// sets the network drive where logs are created
var netDrive = "\\\\zeta\\corpdatashare\\";
// create array of logs to check from string; no spaces
var logs = "system,application,security";
var logArray = logs.split(",");
// examine each item in the systems array and then the log array
for (var s in sysArray) {
    for (var l in logArray) {
        ws.Run("dumpel /l " + logArray[l] + " /f " + netDrive + sysArray[s] + "-" +
            logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, true);
        WScript.Echo("Executing dumpel /l " + logArray[l] + " /f " + netDrive +
            sysArray[s] + "-" + logArray[l] + ".log /d 1 /ns /s " + sysArray[s], 0, "TRUE");
    }
}
// FileSystemObject IOMode constants for OpenTextFile
var ForReading = 1;
var ForAppending = 8;
var fs = new ActiveXObject("Scripting.FileSystemObject");
for (var s in sysArray) {
    for (var l in logArray) {
        // netDrive is used here too, so changing it in one place moves both the logs and the reports
        var fname = netDrive + sysArray[s] + "-" + logArray[l];
        var f = fs.OpenTextFile(fname + ".log", ForReading, true);
        var fContents = f.ReadAll();
        f.Close();
        f = fs.OpenTextFile(fname + ".html", ForAppending, true);
After creating the header, the code starts a preformatted text element in which the contents of the log file are placed. The code then writes the document header and contents:

        fHeader += "<pre>"
        f.Write(fHeader)
        f.Write(fContents)
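One point worth adding at this step, as an added example that is not part of the book's logreports.js: the log text written between the pre tags comes straight from Dumpel, and the event comment strings and user names in it are whatever the logged-on users, services and remote systems supplied. If any of that text contains markup, a browser viewing the intranet report will render it as markup rather than as log text. The function below builds the same header, preformatted body and footer shape as Listing 12-12 but escapes the log contents first. The sample contents are constructed, theDate is a 0-indexed variant of the listing's helper, and the code is plain ES5 so it runs under Node.js as well as WSH.

```javascript
// Added example, not from the book: assemble the HTML report with the Dumpel
// output HTML-escaped before it is placed inside <pre>.
// The sample log text below is constructed; the date helper is a 0-indexed
// variant of Listing 12-12's theDate().

var theMonth = ["January", "February", "March", "April", "May", "June", "July",
                "August", "September", "October", "November", "December"];
var theDays = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"];

// "Weekday, Month day", as the listing's heading uses it.
function theDate(aDate) {
  return theDays[aDate.getDay()] + ", " + theMonth[aDate.getMonth()] + " " + aDate.getDate();
}

// Replace the characters that can change meaning inside HTML text or attributes.
// & must be handled first so the entities produced for the others are not re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Same header / <pre> / footer layout as Listing 12-12; fContents is the raw .log text.
function buildReport(computer, logName, fContents, aDate) {
  var title = escapeHtml(computer + " " + logName + " log for " + theDate(aDate));
  var fHeader = "<html><head><title>" + title + "</title></head><body>" +
                "<h1>" + title + "</h1>";
  fHeader += "<pre>";
  var fFooter = "</pre></body></html>";
  return fHeader + escapeHtml(fContents) + fFooter;
}

// Constructed log text in the tab-separated layout Dumpel writes: the first
// event's comment string carries markup, the second an apostrophe and ampersand.
var SAMPLE_CONTENTS =
  "1/21/2009\t08:15:02\t1\t401\tNETLOGON\t<script>alert(1)</script>\tGANDOLF\n" +
  "1/21/2009\t08:16:11\t4\t401\tWINS\tO'Brien & co\tGANDOLF\n";

// Report for a constructed host and date (January 21, 2009).
function sampleReport() {
  return buildReport("gandolf", "system", SAMPLE_CONTENTS, new Date(2009, 0, 21));
}

if (typeof console !== "undefined") { console.log(sampleReport()); }
```

In the WSH version of the script the returned string is what you would pass to f.Write in place of the separate fHeader and fContents writes; the escaping step is the only behavioural difference from the listing, and it is what keeps the published report a faithful rendering of the log rather than an interpreter of its contents.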
The final steps are to write the document footer and then close the file:

        fFooter = "