Getting the latest Windows log events with WMI
Problem description:
I want to use WMI to monitor the Windows event log and fetch the latest log events every 15 minutes. I can run queries with WQL, but it has no keywords such as ORDER BY. Any ideas on how to solve this?
Answer
You can use a recordset. Below it is done with VBScript, and only for the ComputerName, EventCode and Message fields. Add other fields as needed.
Const adVarChar = 200
Const adInteger = 3
Const MaxCharacters = 1024
Const adFldIsNullable = 32

' Disconnected ADO recordset: an in-memory table that can be sorted,
' which stands in for the ORDER BY that WQL lacks.
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "ComputerName", adVarChar, MaxCharacters, adFldIsNullable
' EventCode is stored as an integer so the sort is numeric; stored as text,
' "999" would sort above "1000".
DataList.Fields.Append "EventCode", adInteger, , adFldIsNullable
DataList.Fields.Append "Message", adVarChar, MaxCharacters, adFldIsNullable
DataList.Open

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Application'")

' Copy each WMI event into a recordset row
For Each evt in colLoggedEvents
    DataList.AddNew
    DataList("ComputerName") = evt.ComputerName
    DataList("EventCode") = evt.EventCode
    ' Message may be Null or longer than MaxCharacters; Left() copes with both
    DataList("Message") = Left(evt.Message, MaxCharacters)
    DataList.Update
Next

' Sort by EventCode, highest first
DataList.Sort = "EventCode DESC"
DataList.MoveFirst
Do Until DataList.EOF
    Wscript.Echo DataList.Fields.Item("ComputerName") & vbTab & DataList.Fields.Item("EventCode") & vbTab & DataList.Fields.Item("Message")
    DataList.MoveNext
Loop
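The question asks for the newest events on a 15-minute schedule, and the answer above works around the missing ORDER BY by sorting a recordset, although by EventCode rather than by time. The following PowerShell script is an added example, not code from the original question or answer: it pushes a time filter into the WQL itself (Win32_NTLogEvent.TimeGenerated is a DMTF datetime, so a correctly formatted DMTF literal compares as a timestamp) and then sorts the small result client-side with Sort-Object, which is the ordering WQL cannot do. The log name, interval and computer name are script parameters chosen here for illustration, defaulting to the Application log and 15 minutes as on the page.

```powershell
# Added example (not from the original post): fetch the newest entries from a
# Windows event log through WMI on a schedule, without WQL ORDER BY.
param(
    [string]$LogFile  = 'Application',  # as on the page; 'Security' requires elevation
    [int]   $Minutes  = 15,             # polling interval from the question
    [string]$Computer = '.'
)

function Get-RecentNTLogEvents {
    param([string]$LogFile, [int]$Minutes, [string]$Computer)

    # WMI compares TimeGenerated as a DMTF datetime, e.g. 20240101120000.000000+000.
    # ManagementDateTimeConverter produces exactly that format from a .NET DateTime.
    $since     = (Get-Date).AddMinutes(-$Minutes)
    $sinceDmtf = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)

    # Escape single quotes before interpolating into WQL; the value is operator
    # supplied here, but never splice untrusted text into a query unescaped.
    $safeLog = $LogFile.Replace("'", "\'")

    # Filter server-side so each run reads only the last interval, not the whole log.
    $wql = "SELECT ComputerName, EventCode, TimeGenerated, SourceName, Message " +
           "FROM Win32_NTLogEvent " +
           "WHERE Logfile = '$safeLog' AND TimeGenerated >= '$sinceDmtf'"

    Get-WmiObject -ComputerName $Computer -Query $wql |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName  = $_.ComputerName
                # Convert DMTF back to a DateTime so the sort is chronological
                TimeGenerated = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                EventCode     = [int]$_.EventCode   # numeric, not string, ordering
                SourceName    = $_.SourceName
                Message       = $_.Message
            }
        } |
        Sort-Object TimeGenerated -Descending      # newest first: the ORDER BY WQL lacks
}

# One poll. Run it from Task Scheduler every 15 minutes, or wrap it in a loop
# with Start-Sleep (60 * $Minutes) to keep the process resident.
Get-RecentNTLogEvents -LogFile $LogFile -Minutes $Minutes -Computer $Computer |
    Format-Table TimeGenerated, EventCode, SourceName, Message -AutoSize -Wrap
```

Two caveats for a monitoring loop: keep a small overlap (query slightly more than the interval, or remember the last TimeGenerated seen) so an event written between two polls is not missed, and expect Message to be Null for some sources, which Sort-Object and Format-Table tolerate but any string method you call on it will not.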