Using WMI to query the Eventlog

After some testing of various ways to query the Eventlog, I found that a WMI query is the easiest way to query the Eventlog of any (remote) machine. There is very little information about WMI on the internet, so I thought it would be nice to post this sample snippet. (If you see anything that should be improved, please reply to this post.)

Imports System.Management

Public Function QueryLog(ByVal ServerName As String, ByVal LogNames As String, Optional ByVal UserName As String = "", Optional ByVal PassWord As String = "") As Collection

'Set up the new collection
QueryLog = New Collection

'Set the WMI scope options
Dim oWMI_Scope As New ManagementScope
oWMI_Scope.Path.Server = ServerName
oWMI_Scope.Path.Path = "\\" & ServerName & "\root\CIMV2"
oWMI_Scope.Path.NamespacePath = "root\CIMV2"

' Use the username and password if they are supplied
If UserName <> String.Empty AndAlso PassWord <> String.Empty Then
   oWMI_Scope.Options.Username = UserName
   oWMI_Scope.Options.Password = PassWord
End If

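' Set authentication and impersonation level.
' AuthenticationLevel.Default uses the system default; AuthenticationLevel.PacketPrivacy
' additionally encrypts the calls made to the remote machine.
oWMI_Scope.Options.Authentication = AuthenticationLevel.Default
oWMI_Scope.Options.Impersonation = ImpersonationLevel.Impersonate
oWMI_Scope.Options.EnablePrivileges = True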

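'Define the WMI query.
'GetLogNames and LastEventTime are defined outside this function and are not shown in this post.
'Both values are concatenated into the WQL text, so they must come from trusted or validated input.
Dim oWMI_Query As New ObjectQuery

oWMI_Query.QueryString = "SELECT * FROM Win32_NTLogEvent WHERE " & GetLogNames(LogNames) & " AND TimeGenerated > '" & LastEventTime & "'"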

'Create the WMI search engine
Dim oWMI_Results As New ManagementObjectSearcher(oWMI_Scope, oWMI_Query)

' Iterate through the resulting collection
Dim oWMI_Object As Object
For Each oWMI_Object In oWMI_Results.Get()
   ' Get the individual Eventlog entries.
   ' EventLogEntry here is the author's own class (not shown), not System.Diagnostics.EventLogEntry.
   Dim MyEventClass As New EventLogEntry(oWMI_Object)

   ' Add the EventLogEntry to the collection
   QueryLog.Add(MyEventClass.ToXML)

   ' Check if the time of the generated event is greater than the last
   ' time we executed the query; if so, update that time
   If MyEventClass.TimeGenerated > LastEventTime Then
      LastEventTime = MyEventClass.TimeGenerated
   End If

   ' Clean up
   MyEventClass = Nothing
Next oWMI_Object

' Clean up
oWMI_Object = Nothing
oWMI_Scope = Nothing
oWMI_Query = Nothing
oWMI_Results = Nothing

End Function

 

 

Published 04-08-2005 12:28 PM by Patrick Wellink
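
An added example, not code from the original post: one way to build the WQL string used in QueryLog so that the log names are validated before they are concatenated and the timestamp is written in CIM datetime format. BuildLogFilter and BuildEventQuery are hypothetical names, and the comma-separated format of LogNames is an assumption, since the post does not show GetLogNames.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Management
Imports System.Text.RegularExpressions

Module EventQueryExample
    ' Hypothetical helper (not the post's GetLogNames): turns "Application,System"
    ' into a WQL filter on Logfile. Assumption: LogNames is comma-separated.
    Function BuildLogFilter(ByVal logNames As String) As String
        Dim clauses As New List(Of String)
        For Each rawName As String In logNames.Split(","c)
            Dim name As String = rawName.Trim()
            If name.Length = 0 Then Continue For
            ' Allow only letters, digits, space, hyphen and underscore, so a quote
            ' or extra WQL in the input cannot change the meaning of the query.
            If Not Regex.IsMatch(name, "^[A-Za-z0-9 _-]+\z") Then
                Throw New ArgumentException("Invalid log name: " & name)
            End If
            clauses.Add("Logfile = '" & name & "'")
        Next
        If clauses.Count = 0 Then Throw New ArgumentException("No log names supplied")
        Return "(" & String.Join(" OR ", clauses.ToArray()) & ")"
    End Function

    ' Builds the full query; the timestamp is converted to the CIM (DMTF)
    ' datetime string format that WQL compares TimeGenerated against.
    Function BuildEventQuery(ByVal logNames As String, ByVal since As DateTime) As String
        Dim stamp As String = ManagementDateTimeConverter.ToDmtfDateTime(since)
        Return "SELECT * FROM Win32_NTLogEvent WHERE " & BuildLogFilter(logNames) & " AND TimeGenerated > '" & stamp & "'"
    End Function

    Sub Main()
        ' Constructed sample inputs: one valid list, one containing a quote.
        Console.WriteLine(BuildEventQuery("Application, System", New DateTime(2005, 4, 8, 12, 0, 0)))
        Try
            BuildEventQuery("Application' OR '1'='1", DateTime.Now)
        Catch ex As ArgumentException
            Console.WriteLine("Rejected: " & ex.Message)
        End Try
    End Sub
End Module
```

The project needs a reference to the System.Management assembly; the resulting string can be assigned to oWMI_Query.QueryString in place of the concatenation in QueryLog.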

Comments

# re: Using WMI to query the Eventlog

Friday, April 08, 2005 8:15 PM by Patrick Wellink
Improvement could be:
- use overloaders instead of optional parameters

more important is:
- call dispose on the ManagementObjectSearcher and EventLogEntry to release resources

# re: Using WMI to query the Eventlog

Saturday, April 09, 2005 6:14 PM by Patrick Wellink
Improvement could be:
- use overloaders instead of optional parameters

Well Pascal... remember it still is VB.Net .... if it was C# you would be right about that....

I have looked for the Dispose but I don't think there is one ......

# re: Using WMI to query the Eventlog

Monday, April 11, 2005 8:26 AM by Patrick Wellink
Can anyone tell me why Microsoft has kept optional parameters in VB.NET?! As far as I know, these methods aren't available to the other .NET languages.

# re: Using WMI to query the Eventlog

Monday, April 11, 2005 11:18 AM by Patrick Wellink
You asked for improvements and using overloaders is an improvement when using overloaders.

Dispose must be called on both classes I mentioned above.

In your case it will look like this:
...
MyEventClass.Dispose
...
oWMI_Results.Dispose

# re: Using WMI to query the Eventlog

Tuesday, April 12, 2005 10:51 AM by Patrick Wellink
I removed the overloads

And I could only call dispose on oWMI_Results...

The EventLogEntry class is a class of my own which doesn't have a dispose...

Thanks for your help....