I need to capture w32time events to a text file for a silly compliance requirement. Is there a way to do that in Windows?
3 Answers
Quick answer; manually, from Event Viewer, click on the System Log, then go to View > Filter and choose `W32Time` from the Event Source dropdown. Press OK. Then go to Action > Export List and enter your filename. If you want detail as well, you would have to save the entire log file, with Action > Save Log File As, and choose Tab Delimited or Comma Separated from the Save as Type dropdown.

Long answer is, scripting. Use WMI to query the `Win32_NTLogEvent` and spool it to a file with either the FileSystemObject or output redirection:
```vbscript
' Errors are suppressed, so a failed query or write is skipped silently
On Error Resume Next

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Flags 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent WHERE SourceName = 'W32Time'",,48)

Dim fso : Set fso = CreateObject("scripting.filesystemobject")
' True = overwrite the file if it already exists
Dim ts : Set ts = fso.CreateTextFile("X:\w32time_events.txt", True)

For Each objItem in colItems
    ts.WriteLine "Category: " & objItem.Category
    ts.WriteLine "CategoryString: " & objItem.CategoryString
    ts.WriteLine "ComputerName: " & objItem.ComputerName
    ' Data and InsertionStrings are arrays, so join them before concatenating
    ts.WriteLine "Data: " & ArrayToText(objItem.Data)
    ts.WriteLine "EventCode: " & objItem.EventCode
    ts.WriteLine "EventIdentifier: " & objItem.EventIdentifier
    ts.WriteLine "EventType: " & objItem.EventType
    ts.WriteLine "InsertionStrings: " & ArrayToText(objItem.InsertionStrings)
    ts.WriteLine "Logfile: " & objItem.Logfile
    ts.WriteLine "Message: " & objItem.Message
    ts.WriteLine "RecordNumber: " & objItem.RecordNumber
    ts.WriteLine "SourceName: " & objItem.SourceName
    ts.WriteLine "TimeGenerated: " & objItem.TimeGenerated
    ts.WriteLine "TimeWritten: " & objItem.TimeWritten
    ts.WriteLine "Type: " & objItem.Type
    ts.WriteLine "User: " & objItem.User
    ts.WriteBlankLines 1
Next

ts.Close
Set ts = Nothing
Set fso = Nothing
Set colItems = Nothing
Set objWMIService = Nothing

' An array cannot be concatenated to a string directly; Null (no value) yields ""
Function ArrayToText(v)
    If IsArray(v) Then
        ArrayToText = Join(v, ",")
    Else
        ArrayToText = ""
    End If
End Function
```
Cheating option, if you can't be bothered; from a `cmd` command prompt, try:

```
wmic NTEVENT | find /i "W32Time" > W32Time_Events.txt
```

HTH
J.

- Great tip with wmic... it is probably most useful to add a WHERE clause to limit by date and a format clause for XML because the message field in an event log entry will contain line breaks. To get everything from today, the command line would be something like: `wmic NTEVENT WHERE "TimeWritten>'07/29/2011 00:00:00'" GET /FORMAT:rawxml >> myoutput.xml` – rmalayter Jul 29 '11 at 14:33
- Good stuff with the WHERE clause; I've never really used WMIC in earnest and always wondered how that worked. Based on the OP, then, go for `wmic NTEVENT WHERE "SourceName='W32Time'" GET /FORMAT:rawxml` – jimbobmcgee Aug 01 '11 at 10:29

You didn't specify which version of Windows you are running. Starting with Win2k8 you can attach tasks to events, so some automation is possible. You would have to write a script that can then append the event to a text file. Unfortunately it's a bit tedious since you'd have to set that up for every event id, I believe.

Another option is to set up an event log monitoring tool like EventSentry which can monitor your event log in real time and log events (according to your rules) to a variety of formats, including text files and databases. The advantage is that your event log is now monitored in real time, and it scales to multiple machines as well if need be. You also get the added benefit of having access to additional useful features.

Disclaimer: I work for netikus.net.

Use winlogbeat to transfer the Windows logs you selected, with the desired notification level, to a file or a logstash server.
https://www.elastic.co/beats/winlogbeat
PS: be precise with the configuration file indentations. YML format is specific on the number of spaces preceding each line and subcategory.

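
A configuration sketch for the winlogbeat suggestion above, added here as an example and not taken from the answer or from Elastic's documentation. It assumes the time-service events are in the System log under the provider name `Microsoft-Windows-Time-Service` (`W32Time` on older hosts); the output directory and file name are placeholders.

```yaml
# winlogbeat.yml (constructed example; paths and file names are placeholders)
# Indentation is significant: use spaces, two per nesting level, no tabs.

winlogbeat.event_logs:
  - name: System                      # the channel the time service logs to
    provider:                         # keep only events from these sources
      - Microsoft-Windows-Time-Service
      - W32Time                       # assumed source name on older hosts
    level: critical, error, warning, information
    ignore_older: 72h                 # skip backlog older than three days on first run

# Write the selected events to a local file instead of shipping them.
output.file:
  path: "C:/compliance/w32time"       # placeholder directory
  filename: w32time_events            # placeholder base name
  rotate_every_kb: 10240              # start a new file at about 10 MB
  number_of_files: 7                  # keep at most seven rotated files

# To ship to a Logstash server instead, replace output.file with
# (host is a placeholder):
# output.logstash:
#   hosts: ["logstash.example.internal:5044"]
```

The file output writes one JSON document per line rather than free text, and winlogbeat allows only one output to be enabled at a time.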