0

Hi all,

I'm trying to get eventlog entries using WMI and WQL.

I can get the right log with the right sourcename of it and so on, but I can make a select query to only get results for the past 5 or 10 minutes.

Here is my query:

mike42
  • possible duplicate of [WMI - EventLog - Time interval](http://stackoverflow.com/questions/3585436/wmi-eventlog-time-interval) – Helen Aug 27 '10 at 16:30

2 Answers

2

Here are a few snippets from a script of mine:

```
Dim dtmStart, dtmEnd, sDate, ...
```

I actually had an array of dates and I was looking for logon/off/unlock events for the entire day. So I built my complete start and end dates from that.

I won't put in the day, month and year, but you could just define it, e.g. sDate = 10100608.

```
' & forces string concatenation even when sDate holds a number
dtmStart = sDate & "000000.000000-420" ' 0hr on the date in question.
dtmEnd = sDate & "235900.000000-420" ' 23:59 on the date in question
```

(Note that the UTC offset is in minutes here: -420, daylight saving time, North America.)

```
' Query for events during the time range we're looking for.
Set colEvents = oWMIService.ExecQuery _
        ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND " _
            & "TimeWritten >= '" & dtmStart & "' AND TimeWritten < '" _
            & dtmEnd & "' AND " _
            & "(EventCode = '528' OR EventCode = '540' OR EventCode = '538')")
```
Martijn Pieters
waydaws
0

Mike,

Show me your query. Usually the time format is something like this:

20100608100000.000000-300

See this for more details about DateTime formatting for WQL.

Greg Olmstead
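The two answers above, applied to the "last 5 or 10 minutes" case in the question, as an added example that is not code from either answer's author: a Python sketch that formats a timestamp in the datetime layout both answers show (UTC offset in minutes) and builds the WQL time-window filter. The function names `to_cim_datetime` and `recent_events_wql` are hypothetical, and executing the query is left to whatever WMI client you use.

```python
from datetime import datetime, timedelta, timezone


def to_cim_datetime(dt):
    """Format an aware datetime as yyyymmddHHMMSS.mmmmmm+UUU, where UUU is
    the UTC offset in minutes (e.g. -420 for UTC-7, -300 for UTC-5)."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("timezone-aware datetime required")
    offset_min = int(dt.utcoffset().total_seconds()) // 60
    sign = "-" if offset_min < 0 else "+"
    return "%s.%06d%s%03d" % (
        dt.strftime("%Y%m%d%H%M%S"), dt.microsecond, sign, abs(offset_min))


def recent_events_wql(logfile, event_codes, minutes, now=None):
    """Build a Win32_NTLogEvent query for the last `minutes` minutes.

    `now` defaults to the local wall clock with its current UTC offset.
    Inputs are validated before being placed in the query string, so a
    caller-supplied value cannot alter the WQL statement.
    """
    if now is None:
        now = datetime.now(timezone.utc).astimezone()
    if minutes <= 0:
        raise ValueError("minutes must be positive")
    if not logfile or "'" in logfile or "\\" in logfile:
        raise ValueError("unexpected characters in log file name")
    start = now - timedelta(minutes=minutes)
    # EventCode is numeric; int() rejects anything that is not a number.
    codes = " OR ".join("EventCode = %d" % int(c) for c in event_codes)
    return ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = '%s' "
            "AND TimeWritten >= '%s' AND TimeWritten < '%s' AND (%s)"
            % (logfile, to_cim_datetime(start), to_cim_datetime(now), codes))


if __name__ == "__main__":
    # Constructed sample: 10:00 on 2010-06-08 at UTC-5, looking back 10 minutes.
    sample_now = datetime(2010, 6, 8, 10, 0, 0,
                          tzinfo=timezone(timedelta(minutes=-300)))
    print(recent_events_wql("Security", [528, 540, 538], 10, now=sample_now))
```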