Get security Event logs into logfile - VBS

November 3, 2010 at 07:46:25
Specs: Windows XP sp3, 3 ghz / 2 gig ram
Hi, I cant understand why the file below won't get security login/logoff events from event viewer.

Please would someone point me in the right direction? Thank you.


Const ForAppending = 8


Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colLoggedEvents = objWMIService.ExecQuery _
("Select * from Win32_NTLogEvent Where Logfile = 'Security' and " _
& "Event = 'Success Audit'")

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
("c:\logons\123.txt", ForAppending, True)

For Each objEvent in colLoggedEvents
objTextFile.WriteLine "Category: " & objEvent.Category
objTextFile.WriteLine "Computer Name: " & objEvent.ComputerName
objTextFile.WriteLine "Event Code: " & objEvent.EventCode
objTextFile.WriteLine "Message: " & objEvent.Message
' objTextFile.WriteLine "Record Number: " & objEvent.RecordNumber
' objTextFile.WriteLine "Source Name: " & objEvent.SourceName
objTextFile.WriteLine "Time Written: " & objEvent.TimeWritten
' objTextFile.WriteLine "Event Type: " & objEvent.Type
objTextFile.WriteLine "User: " & objEvent.User


Wscript.Echo "Errors Found: " & colLoggedEvents.Count

See More: Get security Event logs into logfile - VBS

Report •

November 4, 2010 at 07:53:49
Uh huh. And what'd you say the error message was?

How To Ask Questions The Smart Way

Report •

November 4, 2010 at 07:59:59
Hi, thanks for taking the time to read this.
the error is:

Line: 16
Char: 1
Error: 0x80041017
Code: 0x80041017
Source: (null)


Report •

November 4, 2010 at 08:18:04
And which line is line 16?

How To Ask Questions The Smart Way

Report •

Related Solutions

November 4, 2010 at 09:22:39
For Each objEvent in colLoggedEvents

Report •

November 4, 2010 at 10:46:51
Congratulations, you now have everything that should have been in your first post.

It looks like WMI doesn't like your query. Probably because Win32_NTLogEvent doesn't have an 'Event' property.

If you're only interested in logon/logoff events, you might also throw in a test to grab only those events.

Try the following query instead:

Set colLoggedEvents = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType = 4 AND (EventCode = 528 OR EventCode = 538)")

How To Ask Questions The Smart Way

Report •

November 4, 2010 at 12:28:42
Sorry about not giving any info in the beginning, I have used Computing.Net alot and just assumed someone would know the answer without thinking my post through.

Your suggestion does allow the script to run through, but zero errors are written to the logfile and the message that is displayed when the script has completed displays "Errors found: 0".

I will try some other methods tomorrow, but with your suggestion at least I am pointed in the right direction.

Thank you Razor2.3

Report •

November 5, 2010 at 10:08:19
Razor, I just cant figure this out. I dont know why my log file contains no information. I have checked the event logs (System) and there are loads of logon/logoff events.

Can you see anything wrong with this script? (Obviously I type in my own computername.)

Report •

November 9, 2010 at 18:45:09
Suggested reading

Set objWMIService = GetObject("winmgmts:{(Security)}")

How To Ask Questions The Smart Way

Report •

Ask Question