BigBrother Scripting

znx — Tue, 17 Mar 2009 22:40:13 +0000

I was recently asked if it was possible to monitor the Event Log for a single event and ensure that it was occurring regularly. It is rare that I handle Windows scripting and when I do I normally find myself cursing it, haha! In this case we want to ensure that a print server is constantly printing through the day, we expect that at least 1 print job will occur every 15 minutes, if not then we’d like a warning. Obviously this check should only run during work hours.

So the first step is relatively simple, access the Event Log and look for a single event by its event code.

set objWMIService = GetObject("winmgmts:\root\cimv2")
set colEvents = objWMIService.ExecQuery _
   ("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = 10")

What we did here was grab all the events with event code of 10 (a print job!). So if we count the number of events within a range then we will have basically completed a huge part of the work.

So next step is to make an interval that will be 15 minutes back from whatever time is current.

set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateAdd("n",-15,Now()),True

And applying that into our statement:

set colEvents = objWMIService.ExecQuery _
   ("Select * from Win32_NTLogEvent Where Logfile = 'System' and EventCode = 10" _
   & " and TimeWritten >= '" & dtmStartDate & "'")

This means that we are now collecting the events that only occurred within the last fifteen minutes. So what next, well we need to have a statement to pass to BigBrother to indicate success or failure. Fortunately enough I have another script which monitors the cluster (thanks to the awesome DeadCat repository) and it has some code to help place the file that BigBrother collects.

const HKLM = &H80000002
strBBExtPathNew = "SOFTWARE\Quest Software\BigBrother\bbnt\ExternalPath"
strBBExtPathOld = "SOFTWARE\BigBrother\bbnt\ExternalPath"
set oReg = GetObject("winmgmts:\root\default:StdRegProv")
 
oReg.GetStringValue HKLM,strBBExtPathNew,,strExtPath
if isNull(strExtPath) then
  oReg.GetStringValue HKLM,strBBExtPathOld,,strExtPath
end if
if isNull(strExtPath) then
  WScript.Quit
end if

So now we have the path to put our file in, all we need to do now is write the file and add two simple checks to see that the time is within work ours (9-5).

On Error Resume Next
 
strState = "green Printing was active within the last 15 minutes"
strBBFileName = "print"
intEventCode = 10
 
' Find out where to put the BB log files
const HKLM = &H80000002
strBBExtPathNew = "SOFTWARE\Quest Software\BigBrother\bbnt\ExternalPath"
strBBExtPathOld = "SOFTWARE\BigBrother\bbnt\ExternalPath"
set oReg = GetObject("winmgmts:\root\default:StdRegProv")
 
' Check for the BB External Path, new then old otherwise quit
oReg.GetStringValue HKLM,strBBExtPathNew,,strExtPath
if isNull(strExtPath) then
  oReg.GetStringValue HKLM,strBBExtPathOld,,strExtPath
end if
if isNull(strExtPath) then
  WScript.Quit
end if
 
' Get Computer name
set WshNetwork = WScript.CreateObject("WScript.Network")
strComputerName = WshNetwork
 
' Prepare file
set fso = CreateObject("Scripting.FileSystemObject")
set f = fso.OpenTextFile(strExtPath & "\" & strBBFileName, 8, True)
 
' Run between 9 - 5
if Hour(Now()) < 9 then
  strState = "green Not checking as we are outwith work hours"
  f.Write strState
  set fso = Nothing
  set f = Nothing
  WScript.Quit
end if
if Hour(Now()) > 17 then
  strState = "green Not checking as we are outwith work hours"
  f.Write strState
  set fso = Nothing
  set f = Nothing
  WScript.Quit
end if
 
' Get a date 15 minutes in the past.
set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
dtmStartDate.SetVarDate DateAdd("n",-15,Now()),True
 
' Collect the events from eventlog within the last 15 minutes
set objWMIService = GetObject("winmgmts:\root\cimv2")
Set colEvents = objWMIService.ExecQuery _
   ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
   & "EventCode = '" & intEventCode _
   & "' and TimeWritten >= '" & dtmStartDate & "'")
 
' If no events then alert.
if colEvents.Count = 0 then
  strState = "red No print job within the last 15 minutes"
end if
 
' Output
f.Write strState
 
set fso = Nothing
set f = Nothing
WScript.Quit

Obviously you can adjust this script to monitor for any regular event and it works well on Windows 2003 and XP machines. It is at this point I thought that I was finished. Testing this script on a Windows XP machine, no issues it was doing exactly what it was meant to. However the server I was intending on running it under was a Windows 2000 server. So I was forced to make some more changes to the script to allow it to run. The changes I made unfortunately make the script slightly harder to adjust to make it work for any event.

The first change was to the statement to collect the print job.

Set colEvents = objWMIService.ExecQuery _
  ("Select * From Win32_NTLogEvent Where Type = 'information' " _
  & "and EventCode = " & intEventCode _
  & "TimeWritten >= '" & dtmStartDate & "'")

The next change I had to make was very strange, the Count method didn’t seem to exist (strange!?) so I was forced to loop to count:

' UGLY
set intCount = 0
For Each objEvent in colEvents
  intCount = intCount + 1
Next
if intCount = 0 then
  strState = "red No print job within the last 15 minutes"
end if

Those two changes allowed me to successfully monitor a single event. Same script in Linux would have taken me seconds! Anyway at least its a working model, let’s hope not a lot more requests come through for Windows issues, especially W2K ones!

No Znx! » vbs

BigBrother Scripting