Topic: Eventtriggers and Eventquery.vbs (Read 5005 times)

Bonk · « **on:** July 22, 2008, 05:50:42 pm »

I came across these handy windows server tools today, thought I'd share the links and my use of them.

Eventtriggers
Eventquery.vbs

An example use (adds Apache events and concurrent terminal services sessions to a text log file):
Apache Events Trigger:

Code: [Select]

> eventtriggers /create /s "COMPUTERNAME" /tr "Apache Events" /l application /so "Apache Service" /tk C:\Logs\ApacheEvents.bat /ru "System"

Apache Events Script (ApacheEvents.bat):

Code: [Select]

For /F "tokens=2,3,4 delims=/ " %%A in ('date /t') do @(
Set Day=%%A
Set Month=%%B
Set Year=%%C
)
For /F "tokens=1,2,3,4 delims=:, " %%D in ('time /t') do @(
Set Hour=%%D
Set Minute=%%E
Set AMPM=%%F
)
for /f "tokens=7 delims=:. " %%G in ('ECHO. ^| TIME') do (
Set second=%%G
)
Set mydatetime=%Day%/%Month%/%Year%,%Hour%:%Minute%:%second%%AMPM%
cscript //h:cscript //s //nologo
ECHO. >> "C:\Logs\Apache_Event_Log.txt"
eventquery /fi "Source eq Apache Service"/fi "Datetime le %mydatetime%" /fo table /r 1 /v /l application >> "C:\Logs\Apache_Event_Log.txt"
ECHO. >> "C:\Logs\Apache_Event_Log.txt"
ECHO  Terminal Services Sessions: >> "C:\Logs\Apache_Event_Log.txt"
query user >> "C:\Logs\Apache_Event_Log.txt"
ECHO. >> "C:\Logs\Apache_Event_Log.txt"
ECHO  Comments:  >> "C:\Logs\Apache_Event_Log.txt"
ECHO  ------------------------------------------------------------------------------------------------------------------------------- >> "C:\Logs\Apache_Event_Log.txt"

Typical Output:

Code: [Select]

------------------------------------------------------------------------------
Listing the events in 'application' log of host 'COMPUTERNAME'
------------------------------------------------------------------------------
 Type          Event  Date Time               Source            ComputerName    Category        User                 Description
 ------------- ------ ----------------------- ----------------- --------------- --------------- -------------------- -----------
 Error         3299   7/22/2008 4:38:42 PM    Apache Service    COMPUTERNAME    None            N/A                  The Apache service named  reported the following error: >>> [Tue Jul 22 16:38:42 2008] [notice] Disabled use of AcceptEx() WinSock2 API     .
 
 Terminal Services Sessions: 
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 bonk                  rdp-tcp#35          1  Active          .  7/22/2008 12:15 PM
 
 Comments:  Bonk - started Apache in the process of setting up automated entries for this log
 -------------------------------------------------------------------------------------------------------------------------------

Of course one could make these triggers more specific and for other services as well and with other outputs, such as an email or RSS if desired.

* Bonk takes bow...

Questions, gratitude, adulations... all welcome!

Edit: Script updated to account for timing.

toasty0 · « **Reply #1 on:** July 22, 2008, 09:56:44 pm »

Interesting. Congrats Bonk.

I'm not much on networking. The most I've done in that regards is played with our AD and the GPOs (WinServer 2003 Enterprise.

I think you might enjoy the following geekdom:

In IPv6, on the other hand, the loopback routing prefix ::1/128 consists of only one address ::1 (i.e., 0:0:0:0:0:0:0:1, the address with a one at its least significant bit and zero otherwise) is explicitly defined as an automatic loopback address (RFC 3513), though additional addresses maybe assigned to the loopback interface by the host administrator.

Bonk · « **Reply #2 on:** July 22, 2008, 10:29:32 pm »

Thanks. (I just updated the example script to account for the execution time of Eventquery.vbs)

NOTE: the Eventquery.vbs docs are wrong... the date format is DD/MM/YYY -NOT- MM/DD/YYYY and when filtered by date, it appears the /r parameter is reversed in sign. (those were a pain to figure out)

toasty0 · « **Reply #3 on:** July 22, 2008, 11:12:23 pm »

Quote from: Bonk on July 22, 2008, 10:29:32 pm

Thanks. (I just updated the example script to account for the execution time of Eventquery.vbs)

NOTE: the Eventquery.vbs docs are wrong... the date format is DD/MM/YYY -NOT- MM/DD/YYYY and when filtered by date, it appears the /r parameter is reversed in sign. (those were a pain to figure out)

What language is you server set for? That might explain the date format issue.

Bonk · « **Reply #4 on:** July 23, 2008, 05:48:18 am »

Quote from: toasty0 on July 22, 2008, 11:12:23 pm

What language is you server set for? That might explain the date format issue.

English(US) e.g. 7/23/2008 ... I might have a look at that Eventquery.vbs script and fix it or at least check out how and why it is doing what it is doing.

Interesting bit about the IPv6 loopback addresses you posted up there.

toasty0 · « **Reply #5 on:** July 23, 2008, 11:54:15 am »

Even though you will need to modify this for your logfile/txtfile output this might help:

Code: [Select]

<% 
    response.write pd(DAY(date()),2) & "-" & _ 
        pd(MONTH(date()),2) & "-" & _ 
        pd(RIGHT(YEAR(date()),2),2) 
%>

News: