larksp Posted January 9, 2017

Getting event logs "6008" (bad shutdowns) on a computer. I have tried 3 different ways to get the information: _EventLog, WMI and DOS.... DOS gets the data faster for me, even when only getting 5 logs. I got the data, but I would like it in a 2D array (after that I may show it in a very simple GUI with an option to change the amount to get, or just output it to a text file). Also, the way I've grabbed the data, is that the correct way to get it? Or a loop that grabs all the info I want in a for loop?

Array example (not sure if I will switch columns around, just an example for now):

```
     0           1         2
0    Date        Time      Event ID   <------- I've got to add so I know what's in each
1    21-12-2016  20:32:35  6008
2    21-12-2016  20:32:35  6008
3    21-12-2016  20:32:35  6008
```

```autoit
#include <AutoItConstants.au3> ;Needed for Dos Readout ($STDOUT_CHILD, $STDERR_CHILD)
#include <Array.au3> ;only needed for _ArrayDisplay
#include <String.au3> ;Needed for _StringBetween

Global $iEventid ;Event Id 6008
Global $iTime ;The date and time of event id 6008
Global $iDate ;des to get date
Global $dosssid ;raw text output of wevtutil

#RequireAdmin ;Needed to get information from system eventlogs

$iprot = _getinfo()

; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
; Set Vars and format data
; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;~ $profiles = StringRegExp($dosssid, 'Event ID.+: (.+)', 3) ; Does not work

Func _getinfo()
    $NoLogsGet = 3 ; Number of Logs to get 10
    ; /rd:true = newest first, /c:N = number of events, /f:text = plain text output
    $cmd = 'wevtutil qe system /q:*[System[(EventID=6008)]] /rd:true /c:' & $NoLogsGet & ' /f:text' ; /f:text>C:\wevtutil.txt ;save file to text
    MsgBox(0, 'Info', _DosOutput($cmd)) ; testing info
    $dosssid = _DosOutput($cmd)
    $iEventid = _Stringchange("Event ID") ;Get Event ID = 'Number'
    $iTime = _Stringchange("Date") ;Get Time with correct format
    $iDate = _Stringchange("Description") ;Get Date with correct format

    ; ****************Format Time and Date ************************
    For $itf = 0 To UBound($iTime) - 1
        ;~ 2016-12-21T20:20:59.000 ;Itime output
        $iTime[$itf] = StringTrimRight($iTime[$itf], 4) ;drop ".000"
        $iTime[$itf] = StringTrimLeft($iTime[$itf], 11) ;drop "2016-12-21T"
    Next
    ; the description reads "... at 8:32:35 PM on ?12/?21/?2016 was unexpected." (the ? are
    ; Unicode marks that come through the console as ?)
    $iDate = _StringBetween($dosssid, 'on ?', ' was')
    For $idf = 0 To UBound($iDate) - 1
        $iDate[$idf] = StringReplace($iDate[$idf], '/?', '-')
    Next
    ; *************************************************************
    ; ----------------------------------------
    _ArrayDisplay($iEventid, 'Event ID')
    _ArrayDisplay($iTime, 'Time')
    _ArrayDisplay($iDate, 'Date')
    ;-----------------------------------------
EndFunc   ;==>_getinfo

; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
; Get data from DOS output
; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Func _Stringchange($Isting)
    ; returns every value that follows "<$Isting>:" up to the end of its line
    $aaa = StringRegExp($dosssid, '(?s)(?i)' & $Isting & '\s*:\s(.*?)' & @CR, 3)
    If @error Then Return SetError(1, 0, $Isting & ' - Failed')
    Return $aaa
EndFunc   ;==>_Stringchange

; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
; DOS Command to get the information
; *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Func _DosOutput($Dcommand)
    Local $iPid, $sOutput = ''
    $iPid = Run(@ComSpec & ' /u /c ' & $Dcommand, '', @SW_HIDE, $STDERR_CHILD + $STDOUT_CHILD)
    ;~ ProcessWaitClose($iPid) ; another way rather than Loop!
    ;~ $sOutput = StdoutRead($iPid)
    While 1
        $sOutput &= StdoutRead($iPid, False, False)
        If @error Then ExitLoop ;stream closed = process finished
        Sleep(10)
    WEnd
    Return $sOutput
EndFunc   ;==>_DosOutput
```
ripdad Posted January 10, 2017

This might help...

```autoit
#include 'array.au3'
#RequireAdmin
Opt('MustDeclareVars', 1)
;
Local $rtn = _WMIC_GET('Win32_NTLogEvent Where EventCode="6008"', 'ComputerName,EventCode,EventIdentifier,TimeGenerated')
If IsArray($rtn) Then
    _ArrayDisplay($rtn)
Else
    MsgBox(0, '', $rtn)
EndIf
Exit
;
Func _WMIC_GET($sClass, $sProperty)
    ; 2 = $STDOUT_CHILD
    Local $pid = Run('WMIC /NAMESPACE:\\root\CIMV2 PATH ' & $sClass & ' GET ' & $sProperty & ' /format:LIST', '', @SW_HIDE, 2)
    If @error Or Not $pid Then Return -1
    Local $s = ''
    ;
    Do
        Sleep(10)
        $s &= StdoutRead($pid)
    Until @error
    ;
    ; WMIC ends each line with CR CR LF; dropping the CRLF leaves one @CR per line
    $s = StringReplace($s, @CRLF, '')
    $s = StringStripWS($s, 7)
    If StringLen($s) = 0 Then Return -2; no data
    ;
    Local $a = StringSplit($s, @CR)
    Local $array[101][4] = [['ComputerName','EventCode','EventIdentifier','TimeGenerated (UTC)']]
    Local $x, $n = 0
    ;
    For $i = 1 To $a[0] Step 4 ; 4 "Property=Value" lines per record
        $n += 1
        For $j = 0 To 3
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j] = $x[2]
            If $j = 3 Then; <- format DateTime
                $array[$n][$j] = StringRegExpReplace($array[$n][$j], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][4]
    Return $array
EndFunc
```

"The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
larksp Posted January 10, 2017

Thanks for the reply. I will have a look after I've finished work.
larksp Posted January 10, 2017

I have tried to add a column to $array[1][] on the left side.. adding on the right was easy, but I can't work out what bit to change to move the other data over a column.

```autoit
Local $array[101][5] = [['Log No','ComputerName','EventCode','EventIdentifier','TimeGenerated (UTC)']]
Local $x, $n = 0
;~ _ArrayDisplay
For $i = 1 To $a[0] Step 4
    $n += 1
    $icount += 1
    For $j = 0 To 3
        $x = StringSplit($a[$i + $j], '=')
        $array[$n][$j] = $x[2]
        $array[$n][1] = $icount
        If $j = 3 Then; <- format DateTime
            $array[$n][$j] = StringRegExpReplace($array[$n][$j], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
        EndIf
    Next
    If $n = 10 Then; <- number of records to get
        ExitLoop
    EndIf
Next
ReDim $array[$n + 1][5]
```
ripdad Posted January 10, 2017 (edited)

Is "Log No" the actual property "RecordNumber" or just a count of records?

Edit: Never mind ... I didn't see $icount. Be back in a bit.

Edited January 10, 2017 by ripdad
ripdad Posted January 10, 2017

```autoit
#include 'array.au3'
#RequireAdmin
Opt('MustDeclareVars', 1)
;
Local $rtn = _WMIC_GET('Win32_NTLogEvent Where EventCode="6008"', 'ComputerName,EventCode,EventIdentifier,TimeGenerated')
If IsArray($rtn) Then
    _ArrayDisplay($rtn)
Else
    MsgBox(0, '', $rtn)
EndIf
Exit
;
Func _WMIC_GET($sClass, $sProperty)
    Local $pid = Run('WMIC /NAMESPACE:\\root\CIMV2 PATH ' & $sClass & ' GET ' & $sProperty & ' /format:LIST', '', @SW_HIDE, 2)
    If @error Or Not $pid Then Return -1
    Local $s = ''
    ;
    Do
        Sleep(10)
        $s &= StdoutRead($pid)
    Until @error
    ;
    $s = StringReplace($s, @CRLF, '')
    $s = StringStripWS($s, 7)
    If StringLen($s) = 0 Then Return -2; no data
    ;
    Local $a = StringSplit($s, @CR)
    Local $array[101][5] = [['Log No', 'ComputerName','EventCode','EventIdentifier','TimeGenerated (UTC)']]
    Local $x, $icount = 0, $n = 0
    ;
    For $i = 1 To $a[0] Step 4
        $n += 1
        $icount += 1
        $array[$n][0] = $icount
        For $j = 0 To 3
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j + 1] = $x[2]
            If $j = 3 Then; <- format DateTime
                $array[$n][$j + 1] = StringRegExpReplace($array[$n][$j + 1], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][5]
    Return $array
EndFunc
```
larksp Posted January 10, 2017

Thanks, that is it.. It was just so I can add a total number of records got and see it lined up to which record. I did try changing the For $j 0 To 3 and others, which jumbled all the text up lol. Hoping someone will make good videos on StringRegExp and replace, or anything really.... watched a few already.
anthonyjr2 Posted January 10, 2017

> 36 minutes ago, larksp said: Thanks, that is it.. It was just so I can add a total number of records got and see it lined up to which record. I did try changing the For $j 0 To 3 and others, which jumbled all the text up lol. Hoping someone will make good videos on StringRegExp and replace, or anything really.... watched a few already.

If you need some help with regex, and don't mind some hands-on learning, https://regexone.com/ is a good website that I've personally used. It covers the basics and also allows you to go more in depth if you desire.
larksp Posted January 10, 2017

Thanks, I have added it to my internet favourites for when I'm next trying to use it. When I have learnt a bit more of the basics it might also come a bit easier.
ripdad Posted January 10, 2017

WMI date codes look like this: '20170101091020.000000-500'

```autoit
StringRegExpReplace($str, '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
```

What we want is the first 14 numbers.

One dot . represents one character. Put braces around the dot (.) and it becomes a capture group.

(....) is capturing 4 characters in the first group.
(..) is capturing 2 characters in the second group.
and so on... until all 14 characters are captured in 6 groups.

group 1: Year
group 2: Month
group 3: Day
group 4: Hour
group 5: Minutes
group 6: Seconds

$1 is the first group (Year)
/ is the date divider

You can figure out the rest.

So basically, THIS regex is grouping 14 numbers and formats them into something more friendly.

If you wish, you can change the order of the format by rearranging $1, $2 and $3 to something like an American standard date: $2/$3/$1

It's better to use the original date format when sorting dates.
larksp Posted January 10, 2017

Thanks. I understood your use of it..... up to the point of the --> .* <--- The date format is perfect the way you did it; I'm English, so as I played with the example in the help, it is close to what you did, but it just does the date, not the time as well. However it is nice to get the "how it works", as it means fewer questions I have to ask later lol.
ripdad Posted January 10, 2017

.* finishes out the rest of the string with no capturing.

And, you're welcome. It's always nice to learn something worthwhile.
larksp Posted January 12, 2017 (edited)

_FileWriteFromArray() into a txt, but the table does not align up, e.g. (example only):

```
adasdasdasd|asda|asas|asa
1|22|33|44
1|22|33|44
```

Then I'll move onto adding it into something like a GUI list view. Nice to know both options.

Edited January 12, 2017 by larksp: add information
ripdad Posted January 12, 2017 (edited)

```autoit
; AutoIt v3.3.14
#include 'array.au3'
#include 'file.au3'
#RequireAdmin
Opt('MustDeclareVars', 1)
;
Local $rtn = _WMIC_Win32_NTLogEvent('6008')
If IsArray($rtn) Then
    _ArrayDisplay($rtn)
    _FileWriteFromArray(@ScriptDir & '\Win32_NTLogEvent6008.txt', $rtn)
Else
    MsgBox(0, '', $rtn)
EndIf
Exit
;
Func _WMIC_Win32_NTLogEvent($nEventCode)
    Local $strClass = 'Win32_NTLogEvent Where EventCode="' & $nEventCode & '"'
    Local $sProperties = 'ComputerName,EventCode,EventIdentifier,RecordNumber,TimeGenerated'
    Local $pid = Run('WMIC /NAMESPACE:\\root\CIMV2 PATH ' & $strClass & ' GET ' & $sProperties & ' /format:LIST', '', @SW_HIDE, 2)
    If @error Or Not $pid Then Return -1
    Local $s = ''
    ;
    Do
        Sleep(10)
        $s &= StdoutRead($pid)
    Until @error
    ;
    ; normalise every line break to a single @CR before splitting
    $s = StringRegExpReplace($s, '(?s)(\v)', @CR)
    $s = StringStripWS($s, 7)
    If StringLen($s) = 0 Then Return -2; no data
    ;
    Local $a = StringSplit($s, @CR)
    Local $array[101][6] = [['Log No', 'ComputerName','EventCode','EventIdentifier','RecordNumber','TimeGenerated (UTC)']]
    Local $x, $n = 0
    ;
    For $i = 1 To $a[0] Step 5 ; 5 "Property=Value" lines per record
        $n += 1
        $array[$n][0] = $n
        For $j = 0 To 4
            $x = StringSplit($a[$i + $j], '=')
            $array[$n][$j + 1] = $x[2]
            If $j = 4 Then; <- format DateTime
                $array[$n][$j + 1] = StringRegExpReplace($array[$n][$j + 1], '(....)(..)(..)(..)(..)(..).*', '$1/$2/$3 - $4:$5:$6')
            EndIf
        Next
        If $n = 10 Then; <- number of records to get
            ExitLoop
        EndIf
    Next
    ReDim $array[$n + 1][6]
    Return $array
EndFunc
```

I'm not having any problems with AutoIt v3.3.14.

It's better to show runnable code (even if it's not working) than a text example. Those are hard to decipher sometimes.

Also, it's always good to start another topic if you change the topic matter.

Edit: Oh, I changed the function up a little.

Edited January 12, 2017 by ripdad
larksp Posted January 12, 2017

Ok, next time I will. I thought as the code was here it would be ok. I did ok adding it to a GUI list view... and then cheated by adding guinness's list view to HTML code. I'll run it tomorrow on the mobile in bed watching a film.. and I'm nearly ready to move onto the next..... I have learnt a lot more about arrays doing this... Thanks for all the help.
ripdad Posted January 12, 2017

Ohhhh, you mean the TEXT doesn't line up, something like this?

```
Log No|ComputerName|EventCode|EventIdentifier|RecordNumber|TimeGenerated (UTC)
1     |UNKNOWN     |6005     |-2147477643    |399         |2017/01/12 - 09:45:17
2     |UNKNOWN     |6005     |-2147477643    |383         |2017/01/11 - 09:19:31
3     |UNKNOWN     |6005     |-2147477643    |366         |2017/01/10 - 09:14:12
```

Haha, I can't get it to line up between my computer and the forum. Okay there, I had to change the font to "Courier New".

Well, I can certainly understand if you were to print a text file. Other than that, it's best to leave the formatting alone.

Scriptwise, character positioning seems the way to go. But then, there's the font issue ... depending on what you are viewing it on.

Now, we are definitely off-topic.
larksp Posted January 12, 2017

Yeah, I meant when you open the saved information up in the text file.. the row I added, 'Log No','ComputerName','EventCode','EventIdentifier','RecordNumber','TimeGenerated (UTC)', was out of alignment with the rest of the info as they have more characters...

I did try _FileWriteFromArray ( $sFilePath, Const ByRef $aArray [, $iBase = Default [, $iUBound = Default [, $sDelimiter = "|"]]] ) with @TAB & '|' for the $sDelimiter, but I was going nowhere lol.. It's OK though as I don't need it. Only if it was simple it may have been useful down the line.
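As an added example (not code from this thread or from AutoIt), the same three pieces done in Python so they can be checked offline: parsing the WMIC /format:LIST output that ripdad's _WMIC_GET splits on @CR, converting the CIM_DATETIME value (ripdad's '20170101091020.000000-500' form) while keeping the UTC offset that the '.*' in his regex throws away, and padding columns so the pipe table larksp wrote with _FileWriteFromArray lines up in a text file. The WMIC output below is constructed sample data (hostname and record numbers are made up), and the ten-record cap mirrors the `$n = 10` check in the AutoIt.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of "WMIC ... GET ... /format:LIST" output (hostname and
# record numbers are made up). WMIC ends lines with CR CR LF and separates records
# with a blank line, which is why the AutoIt in the thread splits on a lone @CR.
SAMPLE = (
    "\r\r\n\r\r\n"
    "ComputerName=WORKSTATION-01\r\r\nEventCode=6008\r\r\nEventIdentifier=6008\r\r\n"
    "RecordNumber=399\r\r\nTimeGenerated=20170112094517.000000-300\r\r\n\r\r\n"
    "ComputerName=WORKSTATION-01\r\r\nEventCode=6008\r\r\nEventIdentifier=6008\r\r\n"
    "RecordNumber=383\r\r\nTimeGenerated=20170111091931.000000+000\r\r\n\r\r\n"
)

# CIM_DATETIME: yyyymmddHHMMSS.ffffff then a signed offset from UTC in minutes.
# The thread's regex keeps the first six groups and discards the offset with '.*'.
CIM_DT = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.(\d{6})([+-])(\d{3})$")

def parse_cim_datetime(value):
    """Turn a CIM_DATETIME string into a timezone-aware datetime."""
    m = CIM_DT.match(value)
    if not m:
        raise ValueError("not a CIM_DATETIME: %r" % value)
    y, mo, d, h, mi, s, us, sign, off = m.groups()
    tz = timezone(timedelta(minutes=int(off)) * (1 if sign == "+" else -1))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), int(us), tzinfo=tz)

def parse_wmic_list(text, max_records=10):
    """Split LIST output into numbered records; max_records mirrors the $n = 10 cap."""
    records = []
    for block in re.split(r"(?:\r*\n){2,}", text.strip()):
        fields = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        if not fields:
            continue
        if "TimeGenerated" in fields:
            dt = parse_cim_datetime(fields["TimeGenerated"])
            fields["TimeGenerated"] = dt.strftime("%Y/%m/%d - %H:%M:%S")  # thread's format
            fields["TimeGeneratedUTC"] = dt.astimezone(timezone.utc).isoformat()
        records.append({"Log No": str(len(records) + 1), **fields})
        if len(records) >= max_records:
            break
    return records

def to_aligned_table(records, sep="|"):
    """Pad every column to its widest cell so the pipe table lines up in a text file."""
    cols = list(records[0].keys())
    widths = {c: max(len(c), *(len(r.get(c, "")) for r in records)) for c in cols}
    rows = [[c for c in cols]] + [[r.get(c, "") for c in cols] for r in records]
    return "\n".join(sep.join(v.ljust(widths[c]) for c, v in zip(cols, row)) for row in rows)
```

`print(to_aligned_table(parse_wmic_list(SAMPLE)))` writes the padded table; the extra TimeGeneratedUTC column shows why keeping the offset matters when two machines in different zones are compared.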