3

I am going to write a script of some sort to check Event Viewer on a Windows Server 2003 for all print jobs, and then write them to a comma-delimited text file like printername_floor_room.txt.

I am wondering what the best way is to do this in real time, and keep checking the Event Viewer constantly. Any caveats I need to be aware of?

Thanks

EDIT: Okay, so I will most likely go for PowerShell and use Get-EventLog and then edit the "table" data. Problems I'm having: if I were to save all this data to a text file, how do I get the data out of it? A comma-separated file I could work with, but this, I'm not really sure. And once that is sorted out, I'm still not sure how to keep the file updated more or less real-time. Can I make this service-like, without hogging up all resources? Run it every x seconds for example?

EDIT 2: So I tried adding the Event Filter and Consumer using WMI Tools (via the GUI, that is) on my local PC, trying to get it to properly log my print jobs. It looks like my event gets caught, though there's something wrong with my script that is linked to the event. I let it rest over the weekend and upon arriving back at the office, I noticed a ton of events in the wbemess.log file, like these:

(Fri Apr 30 16:39:00 2010.112476500) : Polling query select * from Win32_PrintJob failed with error code 80041033. Will retry at next polling interval

or

(Mon May 03 09:25:23 2010.1380562) : NT Event Log Consumer: could not retrieve sid, 0x80041002

I'm also noticing spikes in CPU usage by wmiprvse.exe. Upon googling around a bit, I found one guy solving his problems by reinstalling WMI into the registry. I'm wondering if this is the only way to troubleshoot this. I really don't want this happening on our production print server when I implement this...

HannesFostie
  • Accepted an answer, didn't quite get this to work as it should but my boss told me I could drop it, for now anyway... – HannesFostie May 07 '10 at 07:47

2 Answers

1

You probably do not want to try to grovel through logs like a Unix admin to try to get up to date on printer states. Wouldn't it be nice if there was a way to get notified of a printer event instead? The good news is that in Windows there is. I'd first read this article: Notify with WMI. Then take a look at Windows PowerShell 2.0 CTP2 WMI Event Monitoring.

I tested this simple PowerShell script:

$query = "Select * From __InstanceCreationEvent within .1 Where TargetInstance ISA 'Win32_printjob'"
$action = {
    $job = $Event.SourceEventArgs.NewEvent.TargetInstance   # the print job that raised this event
    write-host "Printed Document status" $job.status ", time" $job.timesubmitted
}   # -action takes a script block; without the braces write-host runs once, at assignment
register-wmievent -query $query -action $action -sourceidentifier "printerwatcher"

You should get an output line when you print something.

Jim B
  • Thanks a bunch, looks quite complicated so I'll have a look at this tomorrow or next week. Keeping the question open until then. Skimmed through it and didn't quite get if it had an option of (almost) real-time monitoring these events though, or didn't notice it anyway. But I'll read it properly first... – HannesFostie Apr 29 '10 at 14:51
  • Yeah, the whole point of WMI events is that they occur when the event occurs. It seems complicated but once you have a chance to play with it, it's not as bad as it looks. – Jim B Apr 29 '10 at 15:28
  • Okay so I tried it out just now, added the Filter and the Consumer to the Event Registration Editor, registered it.. and it doesn't work. My script wouldn't be the problem as it's a simple echo (for now, obviously), but I'm starting to wonder if the events get fired (correctly)? Should I see an event in Event Viewer as well, or could they be hidden there but still get spotted by the Filter? – HannesFostie Apr 30 '10 at 09:20
  • I added a PowerShell script - does that help? – Jim B Apr 30 '10 at 17:51
  • Checking it out on Monday, I had progressed using WMI Tools but was still getting errors, probably because the script you supply to the Event Consumer is limited so you can't use certain objects... kinda sucks. But thanks! – HannesFostie May 01 '10 at 11:32
  • Updated question a bit... – HannesFostie May 03 '10 at 07:34
  • Did the PowerShell script work? That should tell you if there was an error in the way you set up your event registration or if there is a problem with the system. – Jim B May 03 '10 at 11:53
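
The WMI event approach from the answer above, extended to the per-printer comma-delimited files the question asks for. This is an added example, not code from any poster on this page; the log directory, column set, 2-second polling interval and the `PrintJobCsv` identifier are assumptions.

```powershell
# Added example: append every new print job to <printer>.txt as one CSV line.
# Assumptions: C:\PrintLogs, the column order and the WITHIN interval are illustrative.
$LogDir = 'C:\PrintLogs'
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# WITHIN 2 makes WMI poll Win32_PrintJob every 2 seconds. Sub-second intervals
# (such as .1) poll far more often and add load on wmiprvse.exe.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PrintJob'"

$action = {
    # The job that triggered this event, not a fresh query of the whole queue.
    $job = $Event.SourceEventArgs.NewEvent.TargetInstance

    # Win32_PrintJob.Name is "<printer name>, <job id>"; keep the printer part
    # and replace characters that are not allowed in a file name.
    $printer = ($job.Name -split ',\s*\d+$')[0]
    $safe    = $printer -replace '[\\/:*?"<>|]', '_'
    $file    = Join-Path $Event.MessageData ($safe + '.txt')

    $submitted = [Management.ManagementDateTimeConverter]::ToDateTime($job.TimeSubmitted)

    # Owner and Document are supplied by the submitting user. Quote every field,
    # double embedded quotes, and prefix values starting with = + - @ so a
    # spreadsheet opening the file does not evaluate them as formulas.
    $fields = @($submitted.ToString('s'), $job.Owner, $job.Document,
                $job.TotalPages, $job.Size) | ForEach-Object {
        $v = [string]$_
        if ($v -match '^[=+\-@]') { $v = "'" + $v }
        '"' + ($v -replace '"', '""') + '"'
    }
    Add-Content -Path $file -Value ($fields -join ',')
}

# -MessageData hands the log directory to the action block via $Event.MessageData.
Register-WmiEvent -Query $query -SourceIdentifier 'PrintJobCsv' `
                  -MessageData $LogDir -Action $action | Out-Null

# Remove the subscription when finished:
# Unregister-Event -SourceIdentifier 'PrintJobCsv'
```

The subscription exists only for the lifetime of the PowerShell session that registered it. TotalPages and Size are read when the job is created, so they can still be 0 for a document that is spooling.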
0

PowerShell has some nice hooks for this, but on Server 2003 I believe it is limited to local gathering only. It's also batch-mode rather than real-time; I don't know if that matters for you. Server 2008 has better hooks for real-time monitoring.

sysadmin1138
  • You wouldn't happen to be able to supply me with some more details on which hook you mean? As far as the batch-mode goes: how close can it get to real time? – HannesFostie Apr 26 '10 at 12:50
  • There are two. 'get-eventlog' and 'get-winevent'. Also, 'wevtutil' is a very handy command-line utility on Vista/Win-7 that grabs remote event-log data. If I have to use batch-mode, I use wevtutil to grab an XML file, and then parse the XML with PowerShell. The search syntax with wevtutil is a bit opaque, but you can do very complex filters with it. – sysadmin1138 Apr 26 '10 at 15:34