Home / server / Questions / 295224
Accepted
Vitaliy
Asked: 2011-07-29 12:09:50 +0800 CST

Catch Windows system log events to a text file

  • 772

I need to capture w32time events to a text file for a silly compliance requirement. Is there a way to that in Windows?

logging w32time windows-event-log

3 Answers

  1. Best Answer

    Quick answer; manually, from Event Viewer, click on the System Log, then go to View > Filter and choose W32Time from the Event Source dropdown. Press OK. Then go to Action > Export List and enter your filename. If you want detail as well, you would have to save the entire log file, with Action > Save Log File As, and choose Tab Delimeted or Comma Separated from the Save as Type dropdown.

    Long answer is, scripting. Use WMI to query the Win32_NTLogEvent and spool it to a file with either the FileSystemObject or output redirection:

    On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_NTLogEvent WHERE SourceName = 'W32Time'",,48)

Dim fso : Set fso = CreateObject("scripting.filesystemobject")
Dim ts : Set ts = fso.CreateTextFile("X:\w32time_events.txt", True)

For Each objItem in colItems
    ts.WriteLine "Category: " & objItem.Category
    ts.WriteLine "CategoryString: " & objItem.CategoryString
    ts.WriteLine "ComputerName: " & objItem.ComputerName
    ts.WriteLine "Data: " & objItem.Data
    ts.WriteLine "EventCode: " & objItem.EventCode
    ts.WriteLine "EventIdentifier: " & objItem.EventIdentifier
    ts.WriteLine "EventType: " & objItem.EventType
    ts.WriteLine "InsertionStrings: " & objItem.InsertionStrings
    ts.WriteLine "Logfile: " & objItem.Logfile
    ts.WriteLine "Message: " & objItem.Message
    ts.WriteLine "RecordNumber: " & objItem.RecordNumber
    ts.WriteLine "SourceName: " & objItem.SourceName
    ts.WriteLine "TimeGenerated: " & objItem.TimeGenerated
    ts.WriteLine "TimeWritten: " & objItem.TimeWritten
    ts.WriteLine "Type: " & objItem.Type
    ts.WriteLine "User: " & objItem.User
    ts.WriteBlankLines 1
Next

ts.Close

Set ts = Nothing
Set fso = Nothing
Set colItems = Nothing
Set objWMIService = Nothing

    Cheating option, if you can't be bothered; from a cmd command prompt, try:

    wmic NTEVENT | find /i "W32Time" > W32Time_Events.txt

    HTH

    J.

    • 3

  2. You didn't specify which version of Windows you are running. Starting with Win2k8 you can attach tasks to events, so some automation is possible. You would have to write a script that can then append the event to a text file. Unfortunately it's a bit tedious since you'd have to set that up for every event id I believe.

    Another option is to setup an event log monitoring tool like EventSentry which can monitor your event log in real time and log events (according to your rules) to a variety of formats, including text files and databases. The advantage is that your event log is now monitored in real-time, and it scales to multiple machines as well if need be. You also get the added benefit of having access to additional useful features.

    Disclaimer: I work for netikus.net.

    • 1

  3. Use winlogbeat to transfer the windows logs you selected, with desired notification level to a file, or a logstash server.

    https://www.elastic.co/beats/winlogbeat

    PS: be precise with the configuration file indentations. YML format is specific on the number of spaces preceding each line and subcategory.

    • 0