
Query EventLogs


;***************************************************************************
;**   Query for Specific Events in the Event Logs
;**
;** Purpose: Run a structured XML (XPath) event query against a Windows event log and list the matching events
;** Inputs:  queryString - the <QueryList> query to run (working examples below); the channel name passed to EventLogQuery
;** Outputs: Results in a Reportview (Event ID, Provider, formatted Description, Container Log)
;** Reference:
;**       REQUIRES WinBatch 2013A or newer
;**       .NET Framework 3.5
;** Developer: Deana Falk 2013.05.08
;***************************************************************************
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Version gate: the ObjectClr* CLR hosting calls used below need WinBatch 2013A or newer
; (see the header), so stop here on anything older instead of failing part-way through.
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
minVersion = '2013A'
If Version( ) < minVersion
   Pause('Notice', 'Need 2013A or Newer Version of WinBatch')
   Exit
EndIf

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Load the managed assembly that hosts System.Diagnostics.Eventing.Reader.
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; mscorlib is loaded automatically when WinBatch starts the CLR, so only System.Core is
; requested here. The assembly is named by its full strong name (version, culture, public
; key token) so the CLR binds to that exact GAC assembly rather than to any same-named
; DLL it might otherwise find on a search path.
; GAC location: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
systemCoreAssembly = 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
ObjectClrOption( 'use', systemCoreAssembly )

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Event Queries and Event XML
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; For more information about how to create an event query string, see Event Queries and Event XML.
; http://msdn.microsoft.com/en-us/library/bb399427(v=vs.90).aspx
;
; If you need help creating the XML Query.
; 1. Open Eventvwr.exe
; 2. Under 'Actions', select 'Create Custom View'
; 3. Manually choose all of the Filter settings.
; 4. Select the XML tab
; 5. Copy and paste the query into your WinBatch script.
;
; Here are examples of simple custom filters for the new Window Event Log:

;Default query: all events in the Application log whose Level is 1 (Critical) or 2 (Error) and that were
;created within the last 30 days. timediff(@SystemTime) is in milliseconds: 2592000000 = 30*24*60*60*1000.
;Note the XML is written as a WIL back-tick string so the embedded double quotes need no escaping, and
;"<" must be written as the XML entity &lt; inside the XPath.
queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[(Level=1 or Level=2 ) and TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]</Select></Query></QueryList>`

;Select all events in the Application Event Log where the Provider is '.NET Runtime' and the Event Level is Critical (Level=1)
;queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='.NET Runtime'] and (Level=1 )]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where the account name involved (TargetUserName) is "JUser".
;NOTE: the Security channel is readable only by accounts with read access to it (by default Administrators
;and members of the "Event Log Readers" group); run the script with such rights or the reader fails with an
;access-denied exception. The same applies to every Security-log example below.
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="JUser"]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where any Data node of the EventData section is the string "JUser"
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser"]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where any Data node of the EventData section is "JUser" or "JDoe"
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[EventData[Data="JUser" or Data="JDoe"]]</Select></Query></QueryList>`

;Select all events in the Security Event Log where any Data node of the EventData section is "JUser" and the Event ID is 4771
;(4771 = Kerberos pre-authentication failed). Note that the two predicates are ANDed as separate *[...] terms.
;queryString = `<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID="4771"]] and *[EventData[Data="JUser"]]</Select></Query></QueryList>`

;Real world example for a package called GoldMine that logs under two provider names ('GoldMine' and 'GMService')
;queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[Provider[@Name='GoldMine' or @Name='GMService']]]</Select></Query></QueryList>`

;Select all events in the Group Policy Operational log (Microsoft-Windows-GroupPolicy/Operational) whose Correlation
;ActivityID is '4000'. Real ActivityID values are brace-delimited GUIDs, so '4000' appears to be a placeholder -
;take the actual value from the event's XML view in Eventvwr.exe. The <Select Path> names the log actually read.
;queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID='4000']</Select></Query></QueryList>`

;Multi-log query: from the Application log take Level 1-3 events of the last 24 hours but suppress Level 2 (Error);
;from the System log take Level 1-3 events of the last 24 hours. Built line by line for readability.
;queryString = ''
;queryString = queryString : '<QueryList>'
;queryString = queryString : '  <Query Id="0" Path="Application">'
;queryString = queryString : '    <Select Path="Application">'
;queryString = queryString : '        *[System[(Level &lt;= 3) and'
;queryString = queryString : '        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]'
;queryString = queryString : '    </Select>'
;queryString = queryString : '    <Suppress Path="Application">'
;queryString = queryString : '        *[System[(Level = 2)]]'
;queryString = queryString : '    </Suppress>'
;queryString = queryString : '  <Select Path="System">'
;queryString = queryString : '        *[System[(Level=1  or Level=2 or Level=3) and'
;queryString = queryString : '        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]'
;queryString = queryString : '    </Select>'
;queryString = queryString : '  </Query>'
;queryString = queryString : '</QueryList>'

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Resolve the PathType enumeration values the EventLogQuery constructor expects.
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; ObjectClrType tags the raw enum member with its Framework type name so the CLR bridge
; hands it to the constructor as a PathType value rather than as a bare number.
pathTypeName = 'System.Diagnostics.Eventing.Reader.PathType'
enumPathType = ObjectClrNew( pathTypeName )
logname = ObjectClrType( pathTypeName, enumPathType.LogName )   ; query a live event log channel by name
filepth = ObjectClrType( pathTypeName, enumPathType.FilePath )  ; query a saved .evtx file (not used further below)

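;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; Run the query and collect the matching events.
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; EventLogQuery( path, pathType, query ): 'Application' is passed as the channel name.
; NOTE(review): queryString is a structured <QueryList> that names its own channel(s) in its
; Select/Suppress Path attributes; if you switch to one of the Security-log examples above,
; confirm whether this channel argument still needs to match the query (it is 'Application'
; for every example on this page). Reading the Security channel requires read access to it
; (by default Administrators and members of the "Event Log Readers" group).
oEventsQuery    = ObjectClrNew( 'System.Diagnostics.Eventing.Reader.EventLogQuery', 'Application', logname, queryString )
oEventLogReader = ObjectClrNew( 'System.Diagnostics.Eventing.Reader.EventLogReader', oEventsQuery )

; Results go into a fixed-size array. The loop must stop at MAX_RESULTS: without that check a
; query matching more events (easy with a 30-day Critical/Error filter) writes past the end of
; arrEvents and aborts the script with an array error. The user is told when the list is cut off.
MAX_RESULTS = 2048
arrEvents = ArrDimension( MAX_RESULTS, 4 )
i = 0
truncated = @FALSE
While @TRUE
   If i >= MAX_RESULTS
      truncated = @TRUE
      Break
   EndIf
   eventInstance = oEventLogReader.ReadEvent()   ; null (seen here as "") once no events remain
   If eventInstance == "" Then Break
   arrEvents[i,0] = eventInstance.Id                  ; Event ID
   arrEvents[i,1] = eventInstance.ProviderName        ; Publisher
   ; FormatDescription() renders the provider's message template with the event's data; that
   ; data can originate from whoever triggered the event, so treat the text as untrusted display data.
   arrEvents[i,2] = eventInstance.FormatDescription() ; Description
   ; Cast the EventRecord object as an EventLogRecord object to access the EventLogRecord class properties.
   logRecord = ObjectClrType( 'System.Diagnostics.Eventing.Reader.EventLogRecord', eventInstance )
   arrEvents[i,3] = logRecord.ContainerLog
   i = i+1
EndWhile
oEventLogReader.Dispose()   ; EventLogReader is IDisposable: release the event log handle now rather than at script exit
If truncated Then Pause( 'Notice', 'More than ' : MAX_RESULTS : ' events matched the query; only the first ' : MAX_RESULTS : ' are shown.' )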

; Display in WIL Dialogs Reportview Control
; The dialog template below is the positional WIL Dialog Editor format; each MyDialogNNN line is
;   x,y,width,height,type,name,(unused),text,value,tab-order,style,font,textcolor,background
; so the fields must stay in this order and count. arrEvents (filled above) is bound to the
; REPORTVIEW control and shown one row per event, column order: Event ID, Publisher, Description, Container Log.
MyDialogFormat=`WWWDLGED,6.2`

MyDialogCaption=`Event Log Query Results`
MyDialogX=002
MyDialogY=059
MyDialogWidth=766
MyDialogHeight=353
MyDialogNumControls=003
MyDialogProcedure=`DEFAULT`
MyDialogFont=`DEFAULT`
MyDialogTextColor=`DEFAULT`
MyDialogBackground=`DEFAULT,DEFAULT`
MyDialogConfig=0

; OK returns 1, Cancel returns 0; the return value is not used, the dialog is purely a viewer.
MyDialog001=`231,333,036,012,PUSHBUTTON,"PushButton_OK",DEFAULT,"OK",1,10,32,DEFAULT,DEFAULT,DEFAULT`
MyDialog002=`499,333,036,012,PUSHBUTTON,"PushButton_Cancel",DEFAULT,"Cancel",0,20,DEFAULT,DEFAULT,DEFAULT,DEFAULT`
; Report view bound to arrEvents; "192|192|192" is the per-column background colour triple.
MyDialog003=`001,001,758,322,REPORTVIEW,"ReportView_1",arrEvents,DEFAULT,DEFAULT,30,2097152,DEFAULT,DEFAULT,"192|192|192"`

ButtonPushed=Dialog("MyDialog")

Exit
