Automatically Collecting Error Event Logs

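Today I added a small program whose main job is to collect the EventLog from our computers and store it in a database, which saves the trouble of connecting to each computer every day to check it.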

First, create the table in the database:
DROP TABLE OAUSER.EVT_RECORD CASCADE CONSTRAINTS;

CREATE TABLE OAUSER.EVT_RECORD
(
COMPUTER_NAME VARCHAR2(25 CHAR) NOT NULL,
EVENT_DATE DATE NOT NULL,
EVENT_CODE NUMBER(10) NOT NULL,
EVENT_TYPE VARCHAR2(10 CHAR) NOT NULL,
RECORD_NO NUMBER(10),
RECORD_NUMBER VARCHAR2(10 CHAR) NOT NULL,
CATEGORY_NAME VARCHAR2(25 CHAR) NOT NULL,
MESSAGE VARCHAR2(2000 CHAR),
SOURCE_NAME VARCHAR2(50 CHAR) NOT NULL,
USERNAME VARCHAR2(50 CHAR)
);

Then, likewise, run the following VBScript:
———————————–
Option Explicit

' Oracle connection variables
Dim connection, connectionString, theCommand, CmdStr

' Argument passed to the VBScript
Dim arg1

' For a standard (text) query
Const cnstCommand = 1

' Declarations
Dim objFso, objFolder, objWMI, objEvent, wshShell ' Objects
Dim strComputer, MsgStr, MsgStr1 ' Strings
Dim intEvent, intRecordNum, colLoggedEvents

' Set initial values
intEvent = 1
intRecordNum = 1

' If no computer is specified, scan the local machine
If WScript.Arguments.Count = 0 Then
    Set wshShell = WScript.CreateObject("WScript.Shell")
    strComputer = UCase(wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%"))
Else
    strComputer = UCase(WScript.Arguments(0))
End If

' Set the connection string
connectionString = "DRIVER={Microsoft ODBC for Oracle};SERVER=OTPE;User Id=oauser;Password=oauser;"
Set connection = CreateObject("ADODB.Connection")
Set theCommand = CreateObject("ADODB.Command")
connection.Open connectionString

' Connect to WMI on the target computer
Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colLoggedEvents = objWMI.ExecQuery("Select * from Win32_NTLogEvent")

WScript.Echo "Start to Retrieve " & strComputer & "'s error logs "

' Check every log entry that was retrieved
For Each objEvent In colLoggedEvents
    ' Only record entries whose Type is ERROR (or its localized form, 錯誤)
    If UCase(objEvent.Type) = "ERROR" Or objEvent.Type = "錯誤" Then
        ' Clear the records stored by the previous run
        If intRecordNum = 1 Then
            CmdStr = "DELETE FROM OAUSER.EVT_RECORD WHERE COMPUTER_NAME = '" & strComputer & "'"
            WScript.Echo "Clear " & strComputer & "'s Old Logs"
            theCommand.CommandText = CmdStr
            Set theCommand.ActiveConnection = connection
            theCommand.Execute
        End If

        ' Replace single quotes in the message so they do not end the SQL string literal
        MsgStr = Replace(" " & objEvent.Message, "'", "~")

        WScript.Echo strComputer & " Date/Time-" & Left(objEvent.TimeWritten, 14) & ", EventCode-" & objEvent.EventCode

        ' Build the SQL command
        CmdStr = "INSERT INTO OAUSER.EVT_RECORD (COMPUTER_NAME, EVENT_DATE, EVENT_CODE, EVENT_TYPE, RECORD_NO, RECORD_NUMBER, CATEGORY_NAME, MESSAGE, SOURCE_NAME, USERNAME) VALUES ('"
        CmdStr = CmdStr & strComputer & "', to_Date('" & Left(objEvent.TimeWritten, 14) & "', 'YYYYMMDDHH24MISS'), "
        CmdStr = CmdStr & objEvent.EventCode & ", '" & objEvent.Type & "', " & intEvent & ", '" & objEvent.RecordNumber & "', '"
        CmdStr = CmdStr & objEvent.Category & "', '" & MsgStr & "', '" & objEvent.SourceName & "', '" & objEvent.User & "')"

        ' Execute the SQL command
        theCommand.CommandText = CmdStr
        theCommand.CommandType = cnstCommand
        Set theCommand.ActiveConnection = connection
        theCommand.Execute

        intRecordNum = intRecordNum + 1
    End If
    intEvent = intEvent + 1
Next

WScript.Echo "End of Process"
WScript.Echo "Total " & (intRecordNum - 1) & " events were added"

connection.Close
WScript.Quit
—————————-

Run it with cscript EventLog.vbs computer_name; with no argument it checks the local machine automatically.
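
The script builds its INSERT by string concatenation and replaces single quotes only in Message, so SourceName, User and the computer_name argument reach the statement unescaped, even though event-log text is written by whatever software logged it. The following is an added example, not part of the original script, that binds every column through ADO parameters instead; the helper names NewInsertCommand and InsertEvent are hypothetical, and it assumes the ODBC connection and the OAUSER.EVT_RECORD table shown above.

```vbscript
' ADO constants (VBScript does not load the ADO type library)
Const adCmdText = 1, adParamInput = 1, adExecuteNoRecords = 128
Const adInteger = 3, adVarChar = 200

' Build the INSERT once; every value is bound to a ? placeholder, so a quote in
' Message, SourceName or User cannot alter the statement. Sizes follow the table columns.
Function NewInsertCommand(connection)
    Dim cmd
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = connection
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO OAUSER.EVT_RECORD (COMPUTER_NAME, EVENT_DATE, " & _
        "EVENT_CODE, EVENT_TYPE, RECORD_NO, RECORD_NUMBER, CATEGORY_NAME, " & _
        "MESSAGE, SOURCE_NAME, USERNAME) VALUES " & _
        "(?, TO_DATE(?, 'YYYYMMDDHH24MISS'), ?, ?, ?, ?, ?, ?, ?, ?)"
    With cmd.Parameters
        .Append cmd.CreateParameter("computer", adVarChar, adParamInput, 25)
        .Append cmd.CreateParameter("written", adVarChar, adParamInput, 14)
        .Append cmd.CreateParameter("code", adInteger, adParamInput)
        .Append cmd.CreateParameter("type", adVarChar, adParamInput, 10)
        .Append cmd.CreateParameter("seq", adInteger, adParamInput)
        .Append cmd.CreateParameter("recno", adVarChar, adParamInput, 10)
        .Append cmd.CreateParameter("category", adVarChar, adParamInput, 25)
        .Append cmd.CreateParameter("message", adVarChar, adParamInput, 2000)
        .Append cmd.CreateParameter("source", adVarChar, adParamInput, 50)
        .Append cmd.CreateParameter("user", adVarChar, adParamInput, 50)
    End With
    Set NewInsertCommand = cmd
End Function

' Bind one Win32_NTLogEvent to the prepared command and execute it.
' & "" turns a Null property (Message and User can be Null) into an empty string.
Sub InsertEvent(cmd, strComputer, intEvent, objEvent)
    cmd.Parameters(0).Value = Left(strComputer, 25)
    cmd.Parameters(1).Value = Left(objEvent.TimeWritten, 14)
    cmd.Parameters(2).Value = CLng(objEvent.EventCode)
    cmd.Parameters(3).Value = Left(objEvent.Type & "", 10)
    cmd.Parameters(4).Value = CLng(intEvent)
    cmd.Parameters(5).Value = CStr(objEvent.RecordNumber)
    cmd.Parameters(6).Value = Left(objEvent.Category & "", 25)
    cmd.Parameters(7).Value = Left(objEvent.Message & "", 2000)
    cmd.Parameters(8).Value = Left(objEvent.SourceName & "", 50)
    cmd.Parameters(9).Value = Left(objEvent.User & "", 50)
    cmd.Execute , , adExecuteNoRecords
End Sub

' In the script's loop, replacing the concatenated INSERT:
'   Set insertCmd = NewInsertCommand(connection)   ' once, before For Each
'   InsertEvent insertCmd, strComputer, intEvent, objEvent
```

The DELETE that clears old rows takes strComputer from the command line and can be bound the same way, with a single ? placeholder for COMPUTER_NAME.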
