WMI 任务:事件日志

事件日志的 WMI 任务从事件日志文件中获取事件数据,并执行备份或清除日志文件等操作。 有关其他示例,请参阅 TechNet ScriptCenter at https://www.microsoft.com/technet.

本主题中显示的脚本示例仅从本地计算机获取数据。 有关如何使用脚本从远程计算机获取数据的详细信息,请参阅 远程计算机上的“连接到 WMI”。

以下过程介绍如何运行脚本。

运行脚本

  1. 复制代码并将其保存在扩展名为 .vbs 的文件中,例如 filename.vbs。 确保文本编辑器不会向文件添加.txt扩展名。
  2. 打开命令提示符窗口并导航到保存文件的目录。
  3. 在命令提示符处键入 cscript filename.vbs
  4. 如果无法访问事件日志,请检查是否正在从提升的命令提示符运行。 某些事件日志(如安全事件日志)可能受用户访问控制 (UAC) 的保护。

注意

默认情况下,cscript 会在命令提示符窗口中显示脚本的输出。 由于 WMI 脚本可以生成大量输出,因此可能需要将输出重定向到文件。 在命令提示符下键入 cscript filename.vbs > outfile.txt ,将 filename.vbs 脚本的输出重定向到 outfile.txt

下表列出了可用于从本地计算机获取各种类型的数据的脚本示例。

如何实现... WMI 类或方法
...检索有关安全事件日志的信息? 连接到 Win32_NTEventlogFile 类时包括安全权限。 有关详细信息,请参阅 使用 VBScript 执行特权操作
VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & _
        strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery _
    ("Select * from Win32_NTEventLogFile " _
        & "Where LogFileName='Security'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
    Wscript.Echo "Maximum Size: " _
    &  objLogfile.MaxFileSize 
Next
PowerShell
$strComputer = "."
$colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'security'}
foreach ($objLogFile in $colLogFiles) 
{ 
    "Record Number: " + $objLogFile.NumberOfRecords
    "Maximum Size: " + $objLogFile.MaxFileSize
}
...备份事件日志?

使用 Win32_NTEventlogFile 类和 BackupEventLog 方法。 连接到 WMI 时,可能需要包含备份特权。 有关详细信息,请参阅 使用 VBScript 执行特权操作

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    errBackupLog = objLogFile.BackupEventLog("c:\scripts\application.evt")
    WScript.Echo "File saved as c:\scripts\applications.evt"
Next

PowerShell
$strComputer = “.” $colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer |Where-Object {$_.LogFileName -eq 'Application'}

foreach ($objLogFile in $colLogFiles) { [void]$objLogFile.BackupEventlog("c:\scripts\applications.evt") "File saved as c:\scripts\applications.evt" }

...多次备份事件日志?

在使用 Win32_NTEventlogFileBackupEventLog 方法之前,请确保备份文件具有唯一的名称。 操作系统不允许覆盖现有备份文件;必须先移动备份文件或将其重命名,然后才能再次运行脚本。 连接到 WMI 时,可能需要包含备份特权。 有关详细信息,请参阅 使用 VBScript 执行特权操作

VB
dtmThisDay = Day(Date)
dtmThisMonth = Month(Date)
dtmThisYear = Year(Date)
strBackupName = dtmThisYear & "_" & dtmThisMonth & "_" & dtmThisDay
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.BackupEventLog("c:\scripts\" & strBackupName & "_application.evt")
    objLogFile.ClearEventLog()
    WScript.Echo "File saved: " & strBackupName & "_application.evt"
Next

PowerShell
$CurDate = Get-Date $strBackupName = $curDate.Year.ToString () + “_” + $curDate.Month.ToString () + “_” + $CurDate.Day.ToString () 

$strComputer = "." $colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer | Where-Object {$_.LogFileName -eq 'Application'} foreach ($objLogFile in $colLogFiles) { $BackupFile = $objLogFile.BackupEventlog("c:\scripts" + $strBackupName + "_application.evt") "File saved: c:\scripts" + $strBackupName + "_application.evt" }

...确定事件日志中的记录数?

使用 Win32_NTEventlogFile 类并检查 NumberOfRecords 属性的值。

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='System'")
For Each objLogFile in colLogFiles
    Wscript.Echo objLogFile.NumberOfRecords
Next

PowerShell
$strComputer = “.” $colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer |Where-Object {$_.LogFileName -eq 'System'}

foreach ($objLogFile in $colLogFiles) { $objLogFile.NumberOfRecords }

...清除我的事件日志?

使用 Win32_NTEventlogFile 类和 ClearEventLog 方法。

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup, Security)}!\\" & strComputer & "\root\cimv2")
Set colLogFiles = objWMIService.ExecQuery ("Select * from Win32_NTEventLogFile " & "Where LogFileName='Application'")
For Each objLogfile in colLogFiles
    objLogFile.ClearEventLog()
    WScript.Echo "Cleared application event log file"
Next

PowerShell
$strComputer = “.” $colLogFiles = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $strComputer |Where-Object {$_.LogFileName -eq 'System'}

foreach ($objLogFile in $colLogFiles) { [void]$objLogFile.ClearEventlog() "Cleared application event log file" }

...从事件日志中读取事件?

使用 Win32_NTLogEvent 类。

VB
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent " _
        & "Where Logfile = 'System'")
For Each objEvent in colLoggedEvents
    Wscript.Echo "Category: " & objEvent.Category & VBNewLine _
    & "Computer Name: " & objEvent.ComputerName & VBNewLine _
    & "Event Code: " & objEvent.EventCode & VBNewLine _
    & "Message: " & objEvent.Message & VBNewLine _
    & "Record Number: " & objEvent.RecordNumber & VBNewLine _
    & "Source Name: " & objEvent.SourceName & VBNewLine _
    & "Time Written: " & objEvent.TimeWritten & VBNewLine _
    & "Event Type: " & objEvent.Type & VBNewLine _
    & "User: " & objEvent.User
Next

PowerShell
$strComputer = “.” $colLogFiles = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $strComputer |Where-Object {$_.LogFile -eq 'System'}

foreach ($objEvent in $colLoggedEvents) { "Category: " + $objEvent.Category "Computer Name: " + $objEvent.ComputerName "Event Code: " + $objEvent.EventCode "Message: " + $objEvent.Message "Record Number: " + $objEvent.RecordNumber "Source Name: " + $objEvent.SourceName "Time Written: " + $objEvent.TimeWritten "Event Type: " + $objEvent.Type "User: " + $objEvent.Use }

脚本和应用程序的 WMI 任务

WMI C++ 应用程序示例

TechNet ScriptCenter