Saturday, May 8, 2010

Getting the Windows Security or System event log remotely

How do you get Windows event log information from a remote computer?
You can, of course, install the excellent logging tool Snare to forward these logs over the syslog protocol to a central log host.
But what do you do when it is not possible to install any application on those computers?
Here is a very simple VBScript for collecting these log files from a remote computer.
' Remote computer to collect from: fill in the host name.
strComputer = ""
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
' Connect to the root\cimv2 namespace on the remote host as the collection account.
Set objWMIService = objWMILocator.ConnectServer(strComputer, "root\cimv2", "User_name", "Password")
' Impersonation level 3 (Impersonate): WMI calls run under the connecting account's identity.
objWMIService.Security_.ImpersonationLevel = 3
Set colLogFiles = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='Security'")
For Each objLogFile In colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    ' Archive the log to the collection host's file share (UNC path); a return value of 0 means success.
    errBackupLog = objLogFile.BackupEventLog("\\\Security.evt")
    If errBackupLog <> 0 Then
        Wscript.Echo "The Security event log could not be backed up."
        Wscript.Echo errBackupLog
    End If
Next

This script uses WMI and should run from the log collection host, which has a file share (for saving the log files) on it. You need an account on the host from which you want to get the logs. It should not be a user with admin privileges: just grant it the backup permission and access to the WMI namespace.
For parsing these logs you can use Log Parser, an old Microsoft tool.
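The same two steps (collect the log over WMI with a non-admin account, then query the archive with Log Parser) in PowerShell, as an added example that is not the post's own script. The host name, share, account and Log Parser install path are placeholders; the credential is prompted for with Get-Credential instead of being written into the script as the VBScript does, and the return code of Win32_NTEventLogFile.BackupEventLog is checked by value (0 success, 8 missing privilege, 21 invalid parameter, 183 archive already exists) rather than just echoed.

```powershell
# Added example (not the post's script): remote event log backup over WMI with an
# explicit non-admin credential, then a Log Parser query over the archived file.
# Host, share, account and Log Parser path below are placeholders / assumptions.

$Computer   = 'WORKSTATION01'                  # remote host to collect from (placeholder)
$ShareRoot  = '\\LOGHOST\evtcollect'           # file share on the collection host (placeholder)
$LogParser  = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'   # default install path (assumed)
$Credential = Get-Credential -UserName 'CORP\logcollector' `
                  -Message 'Collection account: backup right + WMI namespace access, no admin'

# Documented return codes of Win32_NTEventLogFile.BackupEventLog
$BackupCodes = @{ 0   = 'Success'
                  8   = 'Privilege missing (account lacks the Backup files and directories right)'
                  21  = 'Invalid parameter (check the archive path)'
                  183 = 'Archive file already exists' }

function Backup-RemoteEventLog {
    param([string]$LogName)

    # Connect to root\cimv2 on the remote host as the collection account.
    # Get-WmiObject impersonates the caller by default (ImpersonationLevel = 3 in the VBScript).
    $log = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $Computer `
               -Credential $Credential -Filter "LogFileName='$LogName'"
    if (-not $log) { throw "Log '$LogName' not found on $Computer" }

    # Timestamped file name so a repeated run never fails with return code 183.
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
    $target = Join-Path $ShareRoot ("{0}_{1}_{2}.evt" -f $Computer, $LogName, $stamp)

    # The method executes on the remote host, so $target must be a UNC path reachable from there.
    $rc   = [int]$log.BackupEventLog($target).ReturnValue
    $text = if ($BackupCodes.ContainsKey($rc)) { $BackupCodes[$rc] } else { "Unknown return code $rc" }
    Write-Host ("{0}: {1} records, backup to {2} -> {3}" -f $LogName, $log.NumberOfRecords, $target, $text)
    if ($rc -ne 0) { throw "Backup of $LogName on $Computer failed: $text" }
    return $target
}

$securityFile = Backup-RemoteEventLog -LogName 'Security'
$null         = Backup-RemoteEventLog -LogName 'System'

# Parse the archive with Log Parser: list failed logons (event 529 on XP/2003, 4625 on Vista and later).
# Log Parser's IN() list is semicolon-separated; -stats:OFF suppresses the trailing statistics line.
$query = "SELECT TimeGenerated, EventID, ComputerName, Strings " +
         "FROM $securityFile WHERE EventID IN (529; 4625) ORDER BY TimeGenerated"
& $LogParser -i:EVT -o:CSV -stats:OFF $query
```

On the remote host the collection account needs the "Backup files and directories" user right, Remote Enable on the root\cimv2 namespace (wmimgmt.msc) and DCOM remote launch and activation (membership in Distributed COM Users is the usual way). Because BackupEventLog runs on the remote host, the write to the share happens from that side: if the call fails with an access-denied error even though the account has the backup right, check the share and NTFS ACLs for the remote computer as the writer before touching the account's privileges.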