2010-01-23

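Get the latest Windows log events using WMI

I want to use WMI to monitor the Windows event log and fetch the latest log events every 15 minutes. Although I can run the query with WQL, it has no keywords such as ORDER BY. Any ideas on how to solve this?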

Answers


You can use a dataset. The following is done in VBScript and uses only the ComputerName, EventCode and Message fields. Add other fields as needed.

' ADO constants for a disconnected (in-memory) recordset
Const adVarChar = 200
Const MaxCharacters = 1024
Const adFldIsNullable = 32

' Define the fields that will hold the event data
Set DataList = CreateObject("ADOR.Recordset")
DataList.Fields.Append "ComputerName", adVarChar, MaxCharacters, adFldIsNullable
DataList.Fields.Append "EventCode", adVarChar, MaxCharacters, adFldIsNullable
DataList.Fields.Append "Message", adVarChar, MaxCharacters, adFldIsNullable
DataList.Open

' Connect to WMI on the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Copy every Application log event into the recordset
Set colLoggedEvents = objWMIService.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Application'")
For Each evt in colLoggedEvents
    DataList.AddNew
    DataList("ComputerName") = evt.ComputerName
    DataList("EventCode") = evt.EventCode
    DataList("Message") = evt.Message
    DataList.Update
Next

'sort by eventcode
DataList.Sort = "EventCode DESC"
DataList.MoveFirst
Do Until DataList.EOF
    Wscript.Echo DataList.Fields.Item("ComputerName") & vbTab & DataList.Fields.Item("EventCode") & vbTab & DataList.Fields.Item("Message")
    DataList.MoveNext
Loop
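
The following is an added example, not part of the answer above: it applies the question's 15-minute window in the WQL WHERE clause through a DMTF datetime cutoff, then sorts the results newest first in a recordset. The constants WindowMinutes and LogName and the RecordNumber tie-break are assumptions made for this sketch.

```vbscript
Option Explicit
Const adInteger = 3, adDate = 7, adVarChar = 200, adFldIsNullable = 32
Const MaxCharacters = 1024
Const WindowMinutes = 15        ' assumption: same as the polling interval
Const LogName = "Application"   ' assumption: same log the answer queries

Dim cutoff, stamp, svc, evt, rs
Set cutoff = CreateObject("WbemScripting.SWbemDateTime")
Set stamp = CreateObject("WbemScripting.SWbemDateTime")

' WQL compares TimeWritten against a DMTF datetime string
' (yyyymmddHHMMSS.mmmmmm+UUU); SWbemDateTime builds it from a VBScript date.
cutoff.SetVarDate DateAdd("n", -WindowMinutes, Now()), True   ' True = local time

Set rs = CreateObject("ADOR.Recordset")
rs.Fields.Append "TimeWritten", adDate
rs.Fields.Append "RecordNumber", adInteger
rs.Fields.Append "EventCode", adInteger
rs.Fields.Append "Message", adVarChar, MaxCharacters, adFldIsNullable
rs.Open

Set svc = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
For Each evt In svc.ExecQuery( _
        "Select * from Win32_NTLogEvent Where Logfile = '" & LogName & _
        "' And TimeWritten >= '" & cutoff.Value & "'")
    stamp.Value = evt.TimeWritten
    rs.AddNew
    rs("TimeWritten") = stamp.GetVarDate(True)    ' back to a local-time Date
    rs("RecordNumber") = evt.RecordNumber
    rs("EventCode") = evt.EventCode
    ' Message can be Null or longer than the field; coerce and truncate.
    rs("Message") = Left(evt.Message & "", MaxCharacters)
    rs.Update
Next

' Newest first; RecordNumber breaks ties between events in the same second.
rs.Sort = "TimeWritten DESC, RecordNumber DESC"
If rs.RecordCount > 0 Then rs.MoveFirst
Do Until rs.EOF
    WScript.Echo rs("TimeWritten") & vbTab & rs("EventCode") & vbTab & rs("Message")
    rs.MoveNext
Loop
```

A fixed time window drops events when a scheduled run starts late and repeats them when it starts early; for monitoring, persisting the highest RecordNumber seen and filtering on `RecordNumber >` that value in the next run closes the gap.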