There are a number of tools available for dumping Windows event logs to text files, but there always seems to be a problem or missing data or weird formatting or license issues or...something!
This DumpEventLog.vbs script hopefully is better, or at least sucks less. Its features are:
- Writes output to well-formed CSV text file (one line per log entry, crazy Microsoft formatting cleaned out).
- Works against local and remote systems running Windows 2000 or later (if you have admin privileges).
- Can output all the data from each log entry, even the "insertion strings" and binary attachments (in hex).
- Dump one, some or many event logs on a system by name, or use /all switch to dump them all.
- Events from all the logs are first sorted by time to maintain chronology, then appended to the CSV file.
- CSV data can be directly opened in a spreadsheet or easily imported into a database.
- Script uses asynchronous WMI queries (SWbemSink object), so it's relatively fast for not being a binary.
- Written in VBScript, so it's easy to edit if you want to change the output or otherwise modify it.
- Public domain, do with it as you wish!
The intent of the script is to be able to consolidate event log data from multiple machines at one location for local analysis using PowerShell, grep, Excel or whatever your favorite tools are, then to compress the CSV files with gzip for archival. In the zip file with the script are some sample batch scripts for extracting events of different types. (If you want a PowerShell version of the script, I'll get around to it eventually!)
The script is in the public domain. You can get the script from the SEC505 zip file in the Downloads area of this blog. The script is named "DumpEventLog.vbs" and is located in the VBScriptEventLogs folder inside the scripts zip file. The zip contains many other folders and scripts as well that I hope you will find useful.
In a command shell, run "cscript.exe dumpeventlog.vbs /?" to see the help for the script.
DumpEventLog.vbs target file.csv "logname(s)" [/clear] [/v] [/dumphex]
DumpEventLog.vbs target file.csv /all [/clear] [/v] [/dumphex]
Target is the name or IP address of the system from which to extract event log data.
File.csv is the name or full path to a text file, to which the extracted data will be appended.
"Logname(s)" is a comma-separated list of event log names to be dumped (not case sensitive).
/All will dump all the event logs, whatever their names are (not limited to System, Security and Application).
/Clear will clear each log afterwards.
/V for verbose output with entry message text.
/DumpHex implies /V and will also dump insertion strings and any binary attachments.
Target machine must be Windows 2000 or later, running the Windows Management Instrumentation (WMI) service, without firewall restrictions for the necessary RPC traffic. Authentication is single sign-on, so you'll likely need to log on locally as a Domain Admin in order to dump any log from any remote machine in your domain. If you schedule the script, it must run under the context of an account (probably a global account) with the necessary privileges to extract/clear the Security event log.
(On a side note, the script was originally written for a scripting course for the sake of discussing WMI, synchronous vs. asynchronous WMI queries, regular expressions, and how to use a connectionless recordset with ADO, so you might find the badly-written code interesting if you're learning VBScript.)
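As an added illustration of the building blocks the paragraph above mentions (this is example code written for this page, not the DumpEventLog.vbs script itself): an asynchronous WMI query delivered through an SWbemSink, a connectionless ADO recordset that buffers the events so they can be sorted by time before being written, a RegExp that flattens message text, and one CSV line per event including insertion strings and the binary attachment in hex. The example assumes it is run with cscript.exe against the local machine, that the log name "System" and the output file name "events.csv" are placeholders you will change, and that the caller has rights to read the chosen log.

```vbscript
' Example only; not the DumpEventLog.vbs script. Assumes cscript.exe, the
' local machine, and a readable log named in strLogName.
Option Explicit

Const adVarChar = 200, adLongVarChar = 201, adUseClient = 3

Dim objWMI, objSink, objFSO, objCSV, objRS, blnDone, lngCount, strLogName

strLogName = "System"   ' assumption: any log name you are allowed to read
blnDone = False
lngCount = 0

' Connectionless (fabricated) recordset: buffers rows until the query ends.
Set objRS = CreateObject("ADODB.Recordset")
objRS.CursorLocation = adUseClient
objRS.Fields.Append "SortKey", adVarChar, 25
objRS.Fields.Append "Line", adLongVarChar, 65535
objRS.Open

' Local WMI connection; (Security) is required to read the Security log.
' For a remote target, replace the "." in the moniker with its name or IP.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

' The sink raises SINK_OnObjectReady and SINK_OnCompleted as results arrive.
Set objSink = WScript.CreateObject("WbemScripting.SWbemSink", "SINK_")
objWMI.ExecQueryAsync objSink, "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '" & strLogName & "'"

' Keep the script alive until OnCompleted fires; Sleep lets callbacks run.
Do Until blnDone
    WScript.Sleep 200
Loop

' Sort the buffered rows chronologically, then append them to the CSV file.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objCSV = objFSO.OpenTextFile("events.csv", 8, True)   ' 8 = ForAppending
objRS.Sort = "SortKey ASC"
If Not objRS.EOF Then objRS.MoveFirst
Do Until objRS.EOF
    objCSV.WriteLine objRS("Line").Value
    objRS.MoveNext
Loop
objCSV.Close
objRS.Close
WScript.Echo "Wrote " & lngCount & " events from " & strLogName & "."

' Called once per Win32_NTLogEvent instance returned by the async query.
Sub SINK_OnObjectReady(objEvent, objAsyncContext)
    Dim strIns
    If IsNull(objEvent.InsertionStrings) Then strIns = "" Else strIns = Join(objEvent.InsertionStrings, "|")
    objRS.AddNew
    objRS("SortKey").Value = Left(objEvent.TimeGenerated, 14)   ' yyyymmddHHMMSS sorts lexically
    objRS("Line").Value = Join(Array( _
        Quote(WmiDateToString(objEvent.TimeGenerated)), _
        Quote(objEvent.Logfile), Quote(objEvent.Type), CStr(objEvent.EventCode), _
        Quote(objEvent.SourceName), Quote(objEvent.ComputerName), _
        Quote(CleanText(objEvent.Message)), Quote(CleanText(strIns)), _
        Quote(DataToHex(objEvent.Data))), ",")
    objRS.Update
    lngCount = lngCount + 1
End Sub

' Called when every matching object has been delivered (or the query failed).
Sub SINK_OnCompleted(iHResult, objErrorObject, objAsyncContext)
    blnDone = True
End Sub

' Collapse line breaks, tabs and other control characters to single spaces
' so each event occupies exactly one CSV line.
Function CleanText(strText)
    Dim re
    If IsNull(strText) Then strText = ""
    Set re = New RegExp
    re.Global = True
    re.Pattern = "[\x00-\x1F]+"
    CleanText = Trim(re.Replace(strText, " "))
End Function

' Escape a CSV field: double any embedded quotes and wrap the value in quotes.
Function Quote(strField)
    If IsNull(strField) Then strField = ""
    Quote = """" & Replace(strField, """", """""") & """"
End Function

' Convert a WMI DMTF datetime (yyyymmddHHMMSS.ffffff+zzz) to yyyy-mm-dd HH:MM:SS.
Function WmiDateToString(strDmtf)
    WmiDateToString = Mid(strDmtf, 1, 4) & "-" & Mid(strDmtf, 5, 2) & "-" & Mid(strDmtf, 7, 2) & _
        " " & Mid(strDmtf, 9, 2) & ":" & Mid(strDmtf, 11, 2) & ":" & Mid(strDmtf, 13, 2)
End Function

' Render the binary attachment (a uint8 array, or Null) as a hex string.
Function DataToHex(varData)
    Dim i, s
    s = ""
    If Not IsNull(varData) Then
        For i = LBound(varData) To UBound(varData)
            s = s & Right("0" & Hex(varData(i)), 2)
        Next
    End If
    DataToHex = s
End Function
```

Run it as "cscript.exe example.vbs". The polling loop is what makes the asynchronous pattern work in a script: ExecQueryAsync returns immediately, and the sink's callbacks are only dispatched while the script is idle in WScript.Sleep, so exiting without waiting for OnCompleted would lose the results. Buffering into the fabricated recordset and sorting on the DMTF timestamp prefix is what keeps the output chronological when several logs are dumped into one file.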
The Batch Scripts
The other batch scripts in the zip download, such as Last_50_Failed_Logons_In_Excel.bat, are simply to demo how fast and convenient it is to analyze event log data from the command line using free tools like findstr.exe, grep.exe, tail.exe, etc. Run the AutoDumpAndClearEventLogs.bat first on a test machine to get rolling.
Download the SEC505 zip file from the Downloads page of this blog, then look in the VBScriptEventLogs folder inside the zip.
[Updated 17.Nov.09: Script changed to more aggressively clean out unicode characters which cause problems in 64-bit Windows.]