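'Security Log Properties.vbs
'Get security log information
'Alan dot Kaplan at va dot gov
'4/24/2009
'
' Purpose:
'   Connects to a computer over WMI and reports, in a single message box, the
'   Security event log's maximum size, current size, percent full, overwrite
'   policy, and the timestamps of the newest and oldest records still present.
'   The age of the oldest record is the effective retention window of the log,
'   which is what matters when the log is needed for an investigation.
'
' Usage:
'   cscript "Security Log Properties.vbs" [computername]
'   With no argument the script prompts for a name (default: local computer).
'
' Exit codes:
'   100  WMI connection failed
'   101  computer name rejected by input validation
'
' Requirements:
'   The moniker asks for the (Security) privilege, which WMI needs in order to
'   read the Security log; the caller must hold that right on the target.
'
' Original author's note:
'   This problem occurs if the security event log has reached the maximum log
'   size and the Event Log Wrapping setting is set to "Overwrite Events Older
'   than X Days" or "Do Not Overwrite Events".

Option Explicit

Dim strComputer
Dim oWMI
Dim colLogFiles, objLogFile
Dim secRecords
Dim colLoggedEvents, objEvent
Dim HighestRecordNumber, LowestRecordNumber
Dim strNewestTime, strOldestTime, strOverWrite
Dim message
Dim WshShell

' --- Target selection -------------------------------------------------------
If WScript.Arguments.Count = 1 Then
    strComputer = WScript.Arguments(0)
Else
    Set WshShell = WScript.CreateObject("WScript.Shell")
    strComputer = WshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    strComputer = InputBox("Check Security Event Log settings on what PC","Name",strComputer)
End If

strComputer = UCase(Trim(strComputer))

' Accept the common "\\NAME" form by dropping leading backslashes.
Do While Left(strComputer, 1) = "\"
    strComputer = Mid(strComputer, 2)
Loop

If strComputer = "" Then WScript.Quit

' The name is concatenated into the WMI moniker below, so refuse characters
' that would change the moniker's structure instead of naming a host.
If Not IsValidComputerName(strComputer) Then
    MsgBox "Fatal Error: invalid computer name", vbCritical + vbOKOnly, "Error"
    WScript.Quit(101)
End If

' --- WMI connection ---------------------------------------------------------
' Error suppression is limited to the connection attempt. Leaving it on for the
' whole script hid failed queries and could make the oldest-record search
' below spin forever.
On Error Resume Next
Set oWMI = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    MsgBox "Fatal Error: " & Err.Description,vbCritical + vbOKOnly,strComputer & " Error"
    WScript.Quit(100)
End If
On Error GoTo 0

' --- Log file settings ------------------------------------------------------
' Flag 48 = return immediately + forward-only enumerator.
Set colLogFiles = oWMI.ExecQuery("Select * from Win32_NTEventLogFile where LogfileName ='Security'",,48)

message = "Security Log Settings" & vbCrLf & String(30,"=")
secRecords = 0

For Each objLogFile In colLogFiles
    message = message & vbCrLf & "Max Size: " & objLogFile.MaxFileSize /1024 /1024 & " MB"
    message = message & vbCrLf & "Current Size: " & objLogFile.FileSize /1024 /1024 & " MB"

    ' Guard the ratio so a zero maximum size cannot raise a division error.
    If objLogFile.MaxFileSize > 0 Then
        message = message & vbCrLf & "Pct Full: " & FormatPercent(objLogFile.FileSize/objLogFile.MaxFileSize,2)
    End If

    ' OverWriteOutdated: 0 = overwrite as needed, 1-365 = days to keep,
    ' anything larger is reported as "Never".
    If objLogFile.OverWriteOutdated > 365 Then
        strOverWrite = "Never"
    ElseIf objLogFile.OverWriteOutdated = 0 Then
        strOverWrite = "As needed"
    Else
        strOverWrite = objLogFile.OverWriteOutdated & " days"
    End If
    message = message & vbCrLf & "Overwrite Outdated:" & strOverWrite

    secRecords = objLogFile.NumberOfRecords
Next

' An empty (or unreadable) log has no newest/oldest record to look up.
If IsNull(secRecords) Or secRecords = 0 Then
    message = message & vbCrLf & "Total Records 0"
    MsgBox message, vbOKOnly, strComputer
    WScript.Quit
End If

' --- Newest record ----------------------------------------------------------
' Only the first event returned is used; the script assumes WMI returns the
' newest Security event first (NOTE(review): confirm on the target OS).
' The forward-only flag avoids caching the whole log just to read one event.
Set colLoggedEvents = oWMI.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security'",,48)
For Each objEvent In colLoggedEvents
    HighestRecordNumber = objEvent.RecordNumber
    strNewestTime = decDateTime(objEvent.TimeWritten)
    Exit For
Next

If IsEmpty(HighestRecordNumber) Then
    message = message & vbCrLf & "Total Records 0"
    MsgBox message, vbOKOnly, strComputer
    WScript.Quit
End If

' Estimated record number of the oldest event still in the log.
LowestRecordNumber = HighestRecordNumber - secRecords + 1

' --- Oldest record ----------------------------------------------------------
'On a very busy box, events can be overwritten at a high rate
'looping by less than 25 may be too slow.
' The search is bounded by the newest record number so it always terminates,
' and the record number is only advanced when the lookup found nothing, so
' LowestRecordNumber ends up naming the record whose time is reported.
Do While Len(strOldestTime) = 0 And LowestRecordNumber <= HighestRecordNumber
    Set colLoggedEvents = oWMI.ExecQuery( _
        "Select * from Win32_NTLogEvent Where Logfile = 'Security' And RecordNumber = " & LowestRecordNumber,,48)
    For Each objEvent In colLoggedEvents
        strOldestTime = decDateTime(objEvent.TimeWritten)
        If Len(strOldestTime) > 0 Then Exit For
    Next
    If Len(strOldestTime) = 0 Then LowestRecordNumber = LowestRecordNumber + 25
Loop

' Nothing older than the newest record could be read: report the newest record
' as the only one rather than computing with an empty timestamp.
If Len(strOldestTime) = 0 Then
    LowestRecordNumber = HighestRecordNumber
    strOldestTime = strNewestTime
End If

' --- Report -----------------------------------------------------------------
' Inclusive count between the oldest record found and the newest one. Because
' the search steps by 25 this can undercount by up to 24 records.
message = message & vbCrLf & "Total Records " & (HighestRecordNumber - LowestRecordNumber + 1)
message = message & vbCrLf & "Newest Record: " & strNewestTime
message = message & vbCrLf & "Oldest Record: " & strOldestTime

If Len(strNewestTime) > 0 And Len(strOldestTime) > 0 Then
    If DateDiff("d", strOldestTime, strNewestTime) > 1 Then
        message = message & vbCrLf & "Oldest age in days: " & DateDiff("d", strOldestTime, strNewestTime)
    Else
        message = message & vbCrLf & "Oldest age in hours: " & DateDiff("h", strOldestTime, strNewestTime)
    End If
End If

MsgBox message, vbOKOnly, strComputer


' Converts a WMI datetime property value to a VBScript date.
'   strPropValue  a WMI datetime string, an array of them, or Null
' Returns the date from SWbemDateTime.GetVarDate for a single value, the
' converted values joined with " / " for an array, and Empty for Null.
Function decDateTime(strPropValue)
    'PrimalScript
    Dim dateTime, dtValue, strJoined

    If Not IsNull(strPropValue) Then
        If IsArray(strPropValue) Then
            ' dtValue was undeclared under Option Explicit and the original
            ' "& +" concatenation was malformed; build the list locally.
            strJoined = ""
            For Each dtValue In strPropValue
                If Len(strJoined) > 0 Then strJoined = strJoined & " / "
                strJoined = strJoined & decDateTime(dtValue)
            Next
            decDateTime = strJoined
        Else
            Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
            dateTime.Value = strPropValue
            decDateTime = dateTime.GetVarDate
        End If
    End If
End Function


' Returns True when strName contains none of the characters that would alter
' the structure of the WMI moniker it is concatenated into (path separators,
' the "!" that ends the security settings, braces, double quotes, whitespace).
Function IsValidComputerName(strName)
    Dim re
    Set re = New RegExp
    re.Pattern = "[\\/!{}""\s]"
    IsValidComputerName = (Len(strName) > 0) And (Not re.Test(strName))
End Function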