BigBrother Scripting
I was recently asked if it was possible to monitor the Event Log for a single event and ensure that it was occurring regularly. It is rare that I handle Windows scripting and when I do I normally find myself cursing it, haha! In this case we want to ensure that a print server is constantly printing through the day, we expect that at least 1 print job will occur every 15 minutes, if not then we’d like a warning. Obviously this check should only run during work hours.
So the first step is relatively simple, access the Event Log and look for a single event by its event code.
set objWMIService = GetObject("winmgmts:\root\cimv2") set colEvents = objWMIService.ExecQuery _ ("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = 10")
What we did here was grab all the events with event code of 10 (a print job!). So if we count the number of events within a range then we will have basically completed a huge part of the work.
So next step is to make an interval that will be 15 minutes back from whatever time is current.
set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime") dtmStartDate.SetVarDate DateAdd("n",-15,Now()),True
And applying that into our statement:
set colEvents = objWMIService.ExecQuery _ ("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = 10" _ & " and TimeWritten >= '" & dtmStartDate & "'")
This means that we are now collecting the events that only occurred within the last fifteen minutes. So what next, well we need to have a statement to pass to BigBrother to indicate success or failure. Fortunately enough I have another script which monitors the cluster (thanks to the awesome DeadCat repository) and it has some code to help place the file that BigBrother collects.
const HKLM = &H80000002 strBBExtPathNew = "SOFTWARE\Quest Software\BigBrother\bbnt\ExternalPath" strBBExtPathOld = "SOFTWARE\BigBrother\bbnt\ExternalPath" set oReg = GetObject("winmgmts:\root\default:StdRegProv") oReg.GetStringValue HKLM,strBBExtPathNew,,strExtPath if isNull(strExtPath) then oReg.GetStringValue HKLM,strBBExtPathOld,,strExtPath end if if isNull(strExtPath) then WScript.Quit end if
So now we have the path to put our file in, all we need to do now is write the file and add two simple checks to see that the time is within work ours (9-5).
On Error Resume Next strState = "green Printing was active within the last 15 minutes" strBBFileName = "print" intEventCode = 10 ' Find out where to put the BB log files const HKLM = &H80000002 strBBExtPathNew = "SOFTWARE\Quest Software\BigBrother\bbnt\ExternalPath" strBBExtPathOld = "SOFTWARE\BigBrother\bbnt\ExternalPath" set oReg = GetObject("winmgmts:\root\default:StdRegProv") ' Check for the BB External Path, new then old otherwise quit oReg.GetStringValue HKLM,strBBExtPathNew,,strExtPath if isNull(strExtPath) then oReg.GetStringValue HKLM,strBBExtPathOld,,strExtPath end if if isNull(strExtPath) then WScript.Quit end if ' Get Computer name set WshNetwork = WScript.CreateObject("WScript.Network") strComputerName = WshNetwork ' Prepare file set fso = CreateObject("Scripting.FileSystemObject") set f = fso.OpenTextFile(strExtPath & "\" & strBBFileName, 8, True) ' Run between 9 - 5 if Hour(Now()) < 9 then strState = "green Not checking as we are outwith work hours" f.Write strState set fso = Nothing set f = Nothing WScript.Quit end if if Hour(Now()) > 17 then strState = "green Not checking as we are outwith work hours" f.Write strState set fso = Nothing set f = Nothing WScript.Quit end if ' Get a date 15 minutes in the past. set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime") dtmStartDate.SetVarDate DateAdd("n",-15,Now()),True ' Collect the events from eventlog within the last 15 minutes set objWMIService = GetObject("winmgmts:\root\cimv2") Set colEvents = objWMIService.ExecQuery _ ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _ & "EventCode = '" & intEventCode _ & "' and TimeWritten >= '" & dtmStartDate & "'") ' If no events then alert. if colEvents.Count = 0 then strState = "red No print job within the last 15 minutes" end if ' Output f.Write strState set fso = Nothing set f = Nothing WScript.Quit
Obviously you can adjust this script to monitor for any regular event and it works well on Windows 2003 and XP machines. It is at this point I thought that I was finished. Testing this script on a Windows XP machine, no issues it was doing exactly what it was meant to. However the server I was intending on running it under was a Windows 2000 server. So I was forced to make some more changes to the script to allow it to run. The changes I made unfortunately make the script slightly harder to adjust to make it work for any event.
The first change was to the statement to collect the print job.
Set colEvents = objWMIService.ExecQuery _ ("Select * From Win32_NTLogEvent Where Type = 'information' " _ & "and EventCode = " & intEventCode _ & "TimeWritten >= '" & dtmStartDate & "'")
The next change I had to make was very strange, the Count method didn’t seem to exist (strange!?) so I was forced to loop to count:
' UGLY set intCount = 0 For Each objEvent in colEvents intCount = intCount + 1 Next if intCount = 0 then strState = "red No print job within the last 15 minutes" end if
Those two changes allowed me to successfully monitor a single event. Same script in Linux would have taken me seconds! Anyway at least its a working model, let’s hope not a lot more requests come through for Windows issues, especially W2K ones!
Comments