'==========================================================================
' NAME: <ReadSecurityEventLogHeader.vbs>
'
' AUTHOR: Ed Wilson , MS
' DATE  : 4/23/2006
' ver.1.2 modified where clause, added two functions
' COMMENT: <Reads the SecurityEvent Log>
'1. Uses SWbemSecurity to add the security privilege needed to read the Security event log
'2. I did not GET an access denied message WITHOUT the security privilege, 
'3. just no records. The interesting THING here is the construction of the 
'4. security line -- INSTEAD of using the MONIKER
'5. Uses the Win32_NTLogEvent class
'6. Refer to the SWbemPrivilegeSet.AddAsString article in the SDK 
'==========================================================================

Option Explicit
' Error trapping stays disabled: a failed WMI connection or query should stop
' the script with the runtime error rather than continue and print nothing.
'On Error Resume Next

' ---- declarations ---------------------------------------------------------
Dim strComputer         ' target machine; "." means the local computer
Dim wmiNS               ' WMI namespace; Win32_NTLogEvent lives in root\cimv2
Dim wmiQuery            ' WQL text handed to ExecQuery
Dim objWMIService       ' SWbemServices connection to the namespace
Dim colItems            ' events returned by the query
Dim objItem             ' current event while walking colItems
Dim IntEvent            ' event code to filter on
Dim dteDate             ' only events generated after this date are returned
Dim startTime, endTime  ' Timer readings taken around the query and output

' ---- search parameters ----------------------------------------------------
strComputer = "."
wmiNS = "\root\cimv2"
' Event ID 576 is a pre-Vista Security log ID (special privileges assigned to
' a new logon). Windows Vista / Server 2008 and later record that activity
' under a different ID (4672), so set IntEvent to match the OS being audited.
' EventCode is numeric in WQL, so the value is not wrapped in single quotes.
IntEvent = "576"
dteDate = DateSerial(2006, 4, 25) ' year, month, day

startTime = Timer

' Every piece of the WHERE clause is a constant defined above. If any of them
' is ever taken from user input, validate it before concatenating it here.
wmiQuery = "SELECT * FROM Win32_NTLogEvent WHERE EventCode = " & IntEvent & _
	" and Logfile = 'security' and timegenerated > " & funUTC(dteDate)

' ---- connect, enable the privilege, run the query ---------------------------
Set objWMIService = GetObject("winmgmts:\\" & strComputer & wmiNS)
' The privilege is enabled on the connected object's Security_ property
' instead of in the moniker string. AddAsString only enables a privilege the
' calling account already holds; it grants nothing. Per this script's header,
' a run without it fails silently (zero records, no access-denied error), so
' an empty result is not proof that no matching events exist.
objWMIService.Security_.Privileges.AddAsString "SeSecurityPrivilege"
Set colItems = objWMIService.ExecQuery(wmiQuery)

' ---- report ----------------------------------------------------------------
WScript.Echo wmiQuery & vbCrLf & _
	funline("There are " & colItems.Count & " Events related to eventCode " & IntEvent) & _
	vbNewLine

For Each objItem In colItems
	With objItem
		WScript.Echo "TimeGenerated: " & funTime(.TimeGenerated)
		WScript.Echo "message: " & .Message
		WScript.Echo "EventCode: " & .EventCode
		WScript.Echo "CategoryString  : " & .CategoryString
	End With
Next

' Timer returns seconds since midnight, so the difference is in seconds.
endTime = Timer
WScript.Echo "It took " & endTime - startTime

' *** functions below ***
Function funline(strIn)
	' Returns strIn followed by a line break and a row of "=" characters
	' that is one character longer than strIn, for use as an underlined heading.
	Dim underlineWidth
	underlineWidth = Len(strIn) + 1
	funline = strIn & vbCrLf & String(underlineWidth, "=")
End Function

Function FunTime(wmiTime)
	' Converts a WMI (CIM datetime) string such as Win32_NTLogEvent.TimeGenerated
	' into a VBScript date by way of an SWbemDateTime helper object.
	' GetVarDate is called without arguments, so its default applies and the
	' returned value is expressed in the local time of the machine running the
	' script -- keep that in mind when correlating with logs kept in UTC.
	With CreateObject("WbemScripting.SWbemDateTime")
		.Value = wmiTime
		FunTime = .GetVarDate
	End With
End Function

Function funUTC(mydate)
	' Formats a VBScript date as a CIM datetime string wrapped in single quotes,
	' ready to be concatenated into the WHERE clause of a WQL query.
	' SetVarDate is called with its default, so mydate is treated as local time;
	' despite the function name, the string therefore carries the local UTC
	' offset rather than being normalised to UTC.
	Dim cimStamp
	Set cimStamp = CreateObject("WbemScripting.SWbemDateTime")
	cimStamp.SetVarDate(mydate)
	' Value is the default property the original concatenation relied on.
	funUTC = "'" & cimStamp.Value & "'"
End Function