WMI Tasks: Event Logs
WMI tasks for event logs obtain event data from event log files and perform operations such as backing up or clearing the log files. For other examples, see the TechNet ScriptCenter at https://www.microsoft.com/technet.
The script examples shown in this topic obtain data only from the local computer. For more information about how to use scripts to obtain data from remote computers, see Connecting to WMI on a Remote Computer.
The following procedure describes how to run a script.
To run a script
1. Copy the code and save it in a file with a .vbs extension, such as filename.vbs. Ensure that your text editor does not add a .txt extension to the file.
2. Open a command prompt window and navigate to the directory where you saved the file.
3. Type cscript filename.vbs at the command prompt.
If you cannot access the event log, check whether you are running from an elevated command prompt. Some event logs, such as the Security event log, are protected by User Account Control (UAC): the query does not fail with an error, it simply returns no Security log instance, so an empty result is the usual symptom of running without elevation.
Note
By default, cscript displays the output of a script in the command prompt window. Because WMI scripts can produce large amounts of output, you may want to redirect the output to a file. Type cscript filename.vbs > outfile.txt at the command prompt to redirect the output of the filename.vbs script to outfile.txt.
The following table lists script examples that can be used to obtain various types of data from the local computer. Each task is shown in VBScript and in PowerShell. The PowerShell examples use Get-WmiObject, which exists in Windows PowerShell 5.1 but not in PowerShell 7; Get-CimInstance and Invoke-CimMethod are the equivalents that work in both.
...retrieve information about the Security event log?
Include the Security privilege (SeSecurityPrivilege) when connecting to the Win32_NTEventlogFile class; without it the Security log is not enumerated at all, and the loop below prints nothing. For more information, see Executing Privileged Operations Using VBScript.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate,(Security)}!\\" & _
strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
("Select * from Win32_NTEventLogFile " _
& "Where LogFileName='Security'")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.NumberOfRecords
Wscript.Echo "Maximum Size: " _
& objLogfile.MaxFileSize
Next
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'security'}
foreach ($objLogFile in $colLogFiles)
{
"Number of Records: " + $objLogFile.NumberOfRecords
"Maximum Size: " + $objLogFile.MaxFileSize
}
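The query above reports two numbers for one log. An added example, not code from the original page, that extends it to every classic log on the local machine: it reports record count, size against the configured maximum and the overwrite policy, and flags logs that are nearly full or set never to overwrite. A Security log that fills up with OverwritePolicy set to Never stops recording audit events, so this is the check a practitioner wants before relying on that log. The 80 percent threshold and the Get-CimInstance cmdlet (the cross-version replacement for Get-WmiObject) are this example's choices, not something the page specifies. Run it from an elevated prompt so that the Security log is included.

```powershell
# Added example: inventory the classic event logs exposed by Win32_NTEventlogFile
# and flag the ones that are nearly full or configured never to overwrite.
function Get-EventLogHealth {
    param(
        [int]$WarnPercent = 80   # assumed threshold; not from the original page
    )

    # Without SeSecurityPrivilege (non-elevated prompt) the Security log is
    # simply missing from the result rather than raising an error.
    $logs = @(Get-CimInstance -ClassName Win32_NTEventlogFile)
    if (-not ($logs.LogFileName -contains 'Security')) {
        Write-Warning 'Security log not returned: run from an elevated prompt to include it.'
    }

    foreach ($log in $logs) {
        $pct = 0
        if ($log.MaxFileSize -gt 0) {
            $pct = [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
        }
        [pscustomobject]@{
            LogFileName     = $log.LogFileName
            Path            = $log.Name              # the .evtx file backing the log
            Records         = $log.NumberOfRecords
            SizeBytes       = $log.FileSize
            MaxSizeBytes    = $log.MaxFileSize
            PercentUsed     = $pct
            OverwritePolicy = $log.OverwritePolicy   # WhenNeeded, OutDated or Never
            # 'Never' means the log stops recording once full; near-full logs
            # on either policy are a sign that retention is too short.
            Warning         = ($pct -ge $WarnPercent) -or ($log.OverwritePolicy -eq 'Never')
        }
    }
}

Get-EventLogHealth | Sort-Object PercentUsed -Descending | Format-Table -AutoSize
```

For a remote computer, add -ComputerName to Get-CimInstance; the privilege requirement for the Security log applies on the remote host.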
...back up an event log?
Use the Win32_NTEventlogFile class and the BackupEventLog method. You may need to include the Backup privilege (SeBackupPrivilege) when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript. BackupEventLog returns 0 on success and a nonzero code on failure (for example 8 when the privilege is missing or 183 when the archive file already exists), so check the return value rather than assuming the file was written. The archive path is interpreted on the computer that hosts the log, because the Event Log service writes the file; the directory must already exist.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
If errBackupLog = 0 Then
    WScript.Echo "File saved as c:\scripts\application.evt"
Else
    WScript.Echo "Backup failed, return code " & errBackupLog
End If
Next
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    # BackupEventLog returns an object whose ReturnValue is 0 on success
    $result = $objLogFile.BackupEventlog("c:\scripts\application.evt")
    if ($result.ReturnValue -eq 0) { "File saved as c:\scripts\application.evt" }
    else { "Backup failed, return code " + $result.ReturnValue }
}
...back up an event log more than once?
Make sure that the backup file has a unique name before using Win32_NTEventlogFile and the BackupEventLog method. The operating system does not allow an existing backup file to be overwritten (BackupEventLog returns 183 in that case); you must move or rename the backup file before running the script again. The examples below build the name from the current date, so they can be run once per day; add the time to the name if you need to run them more often. The VBScript version also clears the log after a successful backup, so it must verify the return value first, or a failed backup would silently lose the events. You may need to include the Backup privilege when connecting to WMI. For more information, see Executing Privileged Operations Using VBScript.
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\" & strBackupName & "_application.evt")
    ' Only clear the log once the archive has actually been written
    If errBackupLog = 0 Then
        objLogFile.ClearEventLog()
        WScript.Echo "File saved: " & strBackupName & "_application.evt"
    Else
        WScript.Echo "Backup failed, return code " & errBackupLog & "; log not cleared"
    End If
Next
$CurDate = Get-Date
$strBackupName = $CurDate.Year.ToString() + "_" + $CurDate.Month.ToString() + "_" + $CurDate.Day.ToString()
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    $BackupPath = "c:\scripts\" + $strBackupName + "_application.evt"
    $BackupFile = $objLogFile.BackupEventlog($BackupPath)
    if ($BackupFile.ReturnValue -eq 0) { "File saved: " + $BackupPath }
    else { "Backup failed, return code " + $BackupFile.ReturnValue }
}
...determine the number of records in an event log?
Use the Win32_NTEventlogFile class and check the value of the NumberOfRecords property.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
Wscript.Echo objLogFile.NumberOfRecords
Next
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'System'}
foreach ($objLogFile in $colLogFiles)
{
$objLogFile.NumberOfRecords
}
...clear an event log?
Use the Win32_NTEventlogFile class and the ClearEventLog method. The VBScript example connects with both the Backup and Security privileges, which is what clearing the Security log requires; ClearEventLog returns 0 on success and 8 when a privilege is missing. Clearing a log is itself recorded: Windows writes event ID 1102 to the Security log when it is cleared and event ID 104 to the System log when another log is cleared, and those events are a standard indicator that security monitoring alerts on. Back the log up first if its contents may be needed later.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    errClearLog = objLogFile.ClearEventLog()
    If errClearLog = 0 Then
        WScript.Echo "Cleared application event log file"
    Else
        WScript.Echo "Clear failed, return code " & errClearLog
    End If
Next
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'}
foreach ($objLogFile in $colLogFiles)
{
    $result = $objLogFile.ClearEventlog()
    if ($result.ReturnValue -eq 0) { "Cleared application event log file" }
    else { "Clear failed, return code " + $result.ReturnValue }
}
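The backup, repeated-backup and clear tasks above share one safe sequence: archive to a name that cannot collide, confirm the method's return code, and only then clear. An added example, not code from the original page, that does exactly that for a chosen classic log using Invoke-CimMethod (the cross-version replacement for calling methods on Get-WmiObject results). The archive directory C:\EventLogArchive, the timestamp format and the function name are this example's choices; the return codes in the comments are the ones documented for these methods. Run it elevated: BackupEventLog needs SeBackupPrivilege, and the Security log additionally needs SeSecurityPrivilege.

```powershell
# Added example: archive a classic event log to a uniquely named .evt file,
# verify the backup succeeded, and only then (optionally) clear the log.
function Backup-AndClearEventLog {
    param(
        [Parameter(Mandatory)][string]$LogFileName,        # e.g. 'Application', 'System', 'Security'
        [string]$ArchiveDir = 'C:\EventLogArchive',        # assumed path; not from the original page
        [switch]$Clear
    )

    # Documented return codes for BackupEventLog / ClearEventLog:
    #   0 = success, 8 = privilege missing, 21 = invalid parameter,
    #   183 = archive file name already exists (BackupEventLog only)
    $log = Get-CimInstance -ClassName Win32_NTEventlogFile -Filter "LogFileName='$LogFileName'"
    if (-not $log) {
        throw "Log '$LogFileName' not found: it does not exist, or you are not running elevated."
    }

    # The Event Log service writes the archive, so the directory must exist on
    # the machine that hosts the log (here, the local machine).
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null

    # Seconds in the name so two runs on the same day cannot collide; the OS
    # refuses to overwrite an existing archive (return code 183).
    $stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
    $archive = Join-Path $ArchiveDir ("{0}_{1}.evt" -f $LogFileName, $stamp)

    $backup = Invoke-CimMethod -InputObject $log -MethodName BackupEventLog `
                               -Arguments @{ ArchiveFileName = $archive }
    if ($backup.ReturnValue -ne 0) {
        throw "BackupEventLog for $LogFileName failed with code $($backup.ReturnValue); log NOT cleared."
    }
    Write-Output ("Archived {0} ({1} records) to {2}" -f $LogFileName, $log.NumberOfRecords, $archive)

    if ($Clear) {
        $cleared = Invoke-CimMethod -InputObject $log -MethodName ClearEventLog
        if ($cleared.ReturnValue -ne 0) {
            throw "ClearEventLog for $LogFileName failed with code $($cleared.ReturnValue)."
        }
        # Clearing is itself audited: event 1102 (Security log) or 104 (System log).
        Write-Output "Cleared $LogFileName"
    }
}

Backup-AndClearEventLog -LogFileName 'Application' -Clear
```

Omit -Clear to archive only. Because the function throws before clearing whenever the backup fails, a missing privilege or an existing archive name can never cost you the events.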
...read events from an event log?
Use the Win32_NTLogEvent class. Each instance is one event record; the Logfile property names the log it belongs to, so put the log name in the WQL Where clause as shown, otherwise the query enumerates every event in every classic log. Win32_NTLogEvent exposes the classic logs (Application, Security, System and other logs registered with the Event Log service); the Applications and Services logs are not available through this class.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent " _
& "Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
Wscript.Echo "Category: " & objEvent.Category & VBNewLine _
& "Computer Name: " & objEvent.ComputerName & VBNewLine _
& "Event Code: " & objEvent.EventCode & VBNewLine _
& "Message: " & objEvent.Message & VBNewLine _
& "Record Number: " & objEvent.RecordNumber & VBNewLine _
& "Source Name: " & objEvent.SourceName & VBNewLine _
& "Time Written: " & objEvent.TimeWritten & VBNewLine _
& "Event Type: " & objEvent.Type & VBNewLine _
& "User: " & objEvent.User
Next
$strComputer = "."
# Filter in WQL so WMI returns only System log events instead of every event in every log
$colLoggedEvents = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $strComputer -Filter "Logfile='System'"
foreach ($objEvent in $colLoggedEvents)
{
    "Category: " + $objEvent.Category
    "Computer Name: " + $objEvent.ComputerName
    "Event Code: " + $objEvent.EventCode
    "Message: " + $objEvent.Message
    "Record Number: " + $objEvent.RecordNumber
    "Source Name: " + $objEvent.SourceName
    "Time Written: " + $objEvent.TimeWritten
    "Event Type: " + $objEvent.Type
    "User: " + $objEvent.User
}
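Dumping every event in a log is rarely what an investigator needs. An added example, not code from the original page, that reads the same properties but lets WMI do the narrowing: the WQL filter selects a log, a set of event IDs and a time window, so only matching records cross the WMI boundary. The default IDs are this example's assumptions for illustration, chosen because they matter to incident response in the System log: 7045 (a new service was installed) and 104 (a log was cleared). The time comparison uses the DMTF timestamp format that WQL expects.

```powershell
# Added example: read recent events of selected IDs from a classic log with a
# WQL filter evaluated by the WMI service, using Get-CimInstance.
function Get-RecentLogEvents {
    param(
        [string]$LogFile   = 'System',
        [int[]]$EventCode  = @(7045, 104),   # assumed IDs: new service installed, log cleared
        [int]$Hours        = 24
    )

    # WQL compares TimeWritten against a DMTF string: yyyymmddHHMMSS.mmmmmmsUUU
    # Build it in UTC with a zero offset so the comparison is unambiguous.
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyyMMddHHmmss.ffffff') + '+000'

    $codeClause = ($EventCode | ForEach-Object { "EventCode=$_" }) -join ' OR '
    $wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='$LogFile' " +
           "AND ($codeClause) AND TimeWritten >= '$since'"

    Get-CimInstance -Query $wql | ForEach-Object {
        [pscustomobject]@{
            TimeWritten  = $_.TimeWritten      # Get-CimInstance already converts this to [datetime]
            EventCode    = $_.EventCode
            Type         = $_.Type             # e.g. Information, Warning, Error, Audit Success
            SourceName   = $_.SourceName
            User         = $_.User
            RecordNumber = $_.RecordNumber
            ComputerName = $_.ComputerName
            # Collapse the multi-line message so it fits on one table row
            Message      = ("$($_.Message)" -replace '\s+', ' ').Trim()
        }
    }
}

Get-RecentLogEvents | Sort-Object TimeWritten -Descending | Format-Table -AutoSize
```

The same function reads the Security log (for example Get-RecentLogEvents -LogFile 'Security' -EventCode 4625 -Hours 1 for recent failed logons) provided it runs from an elevated prompt; as with the other Security log tasks, an unprivileged run returns nothing rather than an error.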
WMI Tasks for Scripts and Applications
WMI C++ Application Examples
TechNet ScriptCenter