Help with Auditing Script

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

Post Reply
Message
Author
angeltlopez
Posts: 2
Joined: 19 Oct 2016 13:10

Help with Auditing Script

#1 Post by angeltlopez » 19 Oct 2016 13:26

I'm having issues with some auditing batch files and was hoping someone could help me resolve them. I copied the files from another network and planned to run them on a new network, but for some reason I'm getting errors. When executing the 1_Run.bat file normally it'll prompt asking specifically what I want to do (ie. Copy, Delete). It starts out okay, but then says it cannot locate my computers.txt file which is present in the directory with the batch files and vbs files.

Please see the files that I'm using on my google drive:

Mod-edit: Link removed - it has audit access to the google drive.
Edit your security settings for the google drive folder so it is sharable but without audit access.


Code: Select all

:: 1_Run.bat  


@echo.
@echo.
@echo ***************
@echo !!!ATTENTION!!!
@echo ***************
@echo.
@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified in computers.txt
@echo.
 
set clearLog=n
set /p clearLog=Is this what you want to do? (y/[n]):
if %clearLog% == y goto Proceed

goto xit

:Proceed

set clrLog=n
@echo.
set /p clrLog=Do you want to clear the logs? (y/[n]):
 

set fileName= computers.txt
@echo.
set /p fileName=Enter computer list file name (default computers.txt):
@echo %fileName%

@echo.
@echo Proceeding...
@echo.


For /f "tokens=1 delims=, \" %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir \\%%i\c$\Temp

For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript Application.vbs %%i
%clrLog%

For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript System.vbs %%i %clrLog%

For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript Security.vbs %%i
%clrLog%

@echo.
@echo Operation Completed.
@echo.

set copyLogs=n
@echo.
set /p copyLogs=Copy logs? (y/[n]):
if %copyLogs% == n goto noCopy

if not exist c:\Audits mkdir c:\Audits
FOR /f "tokens=1 delims=,\ " %%i in (%fileName%) do copy \\%%i\c$\Temp\*.evt
c:\Audits


:noCopy

set clrTemp=n

@echo.

set /p clrTemp=Clear temporary logs? (y/[n]):

if %clrTemp% == n goto noClear

Code: Select all

:: 2_copy.bat  

if not exist c:\Audits mkdir c:\Audits
FOR /f "tokens=l delims=,\ " %%i in (computers.txt) do copy \\%%i\c$\Temp\*.evt
c:\Audits

Code: Select all

 
:: 3_Clean.bat 

FOR /f "tokens=l delims=,\ "%%i in (servers.txt) do del \\%%i\c$\Temp\*.evt
pause

Code: Select all

' Application.vbs  

strComputer = Wscript.Arguments.Item(0)
strClearLog = Wscript.Arguments.Item(1)

Wscript.Echo "Application::Computer: " & strComputer

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2")

Set    colLogFiles = objWMIService.ExecQuery _
         ("Select* from win32_NTEventLogFile where LogFileName='Application'")

For    Each objLogfile in colLogFiles
   FileName = strComputer & "-" & year(now) & "_"
   FileName = FileName & month(now) & "-" & Day(Now)
   FileName = FileName & "-app.evt"

   OutputFile = "C:\Temp\" & FileName

   errBackupLog = objLogFile.BackupEventLog(OutputFile)

   If errBackupLog = 0 or errBackupLog = 183 Then

          If strClearLog = "y" then
      WScript.Echo "code:" & errBackupLog & ", clearing Log..."
      objLogFile.clearEventLog()
   Else
      wscript.Echo "Code:" & errBackupLog & ", log not cleared..."
   
End If

Else

   WScript.Echo strComputer & ": The Application event log could not be backed up."
   wscript.Echo "Error Number: " & errBackupLog
   End If
      Next

Code: Select all

:: computers.txt  
\\MyComputerName

Code: Select all

'  Security.vbs  

strComputer = WScript.Arguments.Item(O)
strClearLog = WScript.Arguments.Item(1)

WScript.Echo "Security::Computer: " & strComputer
 
set objWMIService = GetObject("winmgmts:"_
   & "{impersonationLevel=impersonate, (Backup, Security)}!\\"_
      & strComputer & "\root\cimv2")

set colLogFiles = objWMIService.ExecQuery _
   ("Select * from win32_NTEventLogFile where LogFileName='Security'")
 
For Each objLogfile in colLogFiles
   FileName = strComputer & "-" & year(now) & "_"
   FileName = FileName & month(now) & "-" & Day(Now)
   FileName = FileName & "-sec.evt"

OutputFile = "C:\Temp\" & FileName

errBackupLog = objLogFile.BackupEventLog(OutputFile)

If errBackupLog = 0 Or errBackupLog = 183 Then

   If strClearLog = "y" then
      WScript.Echo "Code:" & errBackupLog & ", clearing Log..."
      objLogFile.ClearEventLog()
   Else
      WScript.Echo "Code:" & errBackupLog & ", log not cleared..."
   End If
Else
   WScript.Echo strComputer & ": The Application event log could not be backed up."
   WScript.Echo "Error Number: " & errBackupLog
   End If
Next

Code: Select all

 
' System.vbs 

strComputer = WScript.Arguments.Item(O)
strClearLog = WScript.Arguments.Item(1)

WScript.Echo "System::Computer: " & strComputer

Set objWMIService = GetObject("winmgmts:"_
   & "{impersonationLevel=impersonate, (Backup, Security)}!\\"_
      & strComputer & "\root\cimv2")

Set colLogFiles = objWMIService.ExecQuery _
   ("Select * from Win32_NTEventLogFile where LogFileName='System'")

For Each objLogfile in colLogFiles
   FileName strComputer & "-" &year(now) & "_"
   FileName = FileName & month(now) & "-" & Day(Now)
   FileName = FileName & "-sys.evt"

outputFile = "C:\Temp\" & FileName

errBackupLog = objLogFile.BackupEventLog(OutputFile)

If errBackupLog = 0 Or errBackupLog = 183 Then
   If strClearLog = "y" then
      WScript.Echo "Code:" & errBackupLog & ", clearing Log..."
      objLogFile.clearEventLog()Else
         WScript.Echo "Code:" & errBackupLog & ", log not cleared..."

      End If

   Else

      WScript.Echo strComputer & ": The Application event log could not be backed up."
      WScript.Echo "Error Number: " & errBackupLog
   End If
Next



Any help would be greatly appreciated.

foxidrive
Expert
Posts: 6033
Joined: 10 Feb 2012 02:20

Re: Help with Auditing Script

#2 Post by foxidrive » 20 Oct 2016 06:19

There is a potential flaw here in that a space exists before text in the predefined variable called filename.

Code: Select all

set fileName= computers.txt


The main problem is in statements like this

FOR /f "tokens=l delims=,\ " %%i in (computers.txt) do copy \\%%i\c$\Temp\*.evt

For robust code where computers.txt could be in a different location: add the usebackq and the double quotes around "%filename%" and also the plain filename you have here "computers.txt"

Code: Select all

FOR /f "usebackq tokens=l delims=,\ " %%i in ("computers.txt") do copy \\%%i\c$\Temp\*.evt 


There is an additional problem in lines like this:
For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript Application.vbs %%i

where the space in the delims section must always be the last item. It will throw an error in the way it has the space before the \

Code: Select all

For /f "usebackq tokens=1 delims=,\ " %%i in ("%fileName%") do cscript Application.vbs %%i

angeltlopez
Posts: 2
Joined: 19 Oct 2016 13:10

Re: Help with Auditing Script

#3 Post by angeltlopez » 20 Oct 2016 16:13

Thank you for the quick reply and fix recommendations. I have implemented the fixes as suggested Now after running the 1_Run.bat file I'm still getting errors. Please see current 1_run.bat file and copy of code during execution.

Current 1_run.bat config

Code: Select all

@echo off 


@echo.

@echo.

@echo ***************

@echo !!!ATTENTION!!!

@echo ***************

@echo.

@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified

in computers.txt

@echo.
 

set clearLog=n

set /p clearLog=Is this what you want to do? (y/[n]):

if %clearLog% == y goto Proceed

goto xit

:Proceed

set clrLog=n
@echo.

set /p clrLog=Do you want to clear the logs? (y/[n]):
 

set fileName=computers.txt

@echo.

set /p fileName=Enter computer list file name (default computers.txt):

@echo %fileName%

@echo.
@echo Proceeding...
@echo.


For /f "tokens=1 delims=,\ " %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir
\\%%i\c$\Temp

For /f "usebackq tokens=1 delims=,\ " %%i in ("%fileName%") do cscript Application.vbs %%i
%clrLog%

For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript System.vbs %%i %clrLog%

For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript Security.vbs %%i
%clrLog%

@echo.

@echo Operation Completed.

@echo.

set copyLogs=n
@echo.

set /p copyLogs=Copy logs? (y/[n]):

if %copyLogs% == n goto noCopy

if not exist c:\Audits mkdir c:\Audits
FOR /f "usebackq tokens=l delims=,\ " %%i in ("computers.txt") do copy \\%%i\c$\Temp\*.evt
c:\Audits


:noCopy

set clrTemp=n

@echo.

set /p clrTemp=Clear temporary logs? (y/[n]):

if %clrTemp% == n goto noclear





1_run.bat during execution

Code: Select all

***************
!!!ATTENTION!!!
***************

The purpose of this script is to CLEAR and ZIP logs on all systems identified
'in' is not recognized as an internal or external command,
operable program or batch file.

Is this what you want to do? (y/[n]): y

Do you want to clear the logs? (y/[n]):y

Enter computer list file name (default computers.txt):
computers.txt

Proceeding...

The syntax of the command is incorrect.
The syntax of the command is incorrect.
The network path was not found.
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

'y' is not recognized as an internal or external command,
operable program or batch file.
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29) Microsoft VBScript compilation error: Must be first statement on the line

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29) Microsoft VBScript compilation error: Must be first statement on the line

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29) Microsoft VBScript compilation error: Must be first statement on the line

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Security.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Security.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Security.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

'y' is not recognized as an internal or external command,
operable program or batch file.

Operation Completed.


Copy logs? (y/[n]):

penpen
Expert
Posts: 1714
Joined: 23 Jun 2013 06:15
Location: Germany

Re: Help with Auditing Script

#4 Post by penpen » 20 Oct 2016 17:51

Some errors seem to be provoked by line endings within an instruction, for example:

Code: Select all

@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified 

in computers.txt

Probably you wanted to do something like this:

Code: Select all

@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified in computers.txt


The other errors might be provoked by wrong vbs scripts (line, character):
- "C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1)"
- "C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29)"
(But it is also possible, that a missing argument - created "using" the above errors - could be the reaoson of these errors.)


penpen

Squashman
Expert
Posts: 4107
Joined: 23 Dec 2011 13:59

Re: Help with Auditing Script

#5 Post by Squashman » 20 Oct 2016 20:49

This label does not exist.

Code: Select all

goto xit


This is wrong. Code is on two lines.

Code: Select all

For /f "tokens=1 delims=,\ " %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir 
\\%%i\c$\Temp


What were you expecting this to do? The variable expands to n or y which is not valid command.

Code: Select all

%clrLog% 


And you did it again.

Code: Select all

%clrLog% 


Tokens needs to be a numeric value.

Code: Select all

FOR /f "usebackq tokens=l delims=,\ " %%i in ("computers.txt") do copy \\%%i\c$\Temp\*.evt


What are you trying to do here? This is an invalid command.

Code: Select all

c:\Audits

foxidrive
Expert
Posts: 6033
Joined: 10 Feb 2012 02:20

Re: Help with Auditing Script

#6 Post by foxidrive » 21 Oct 2016 05:37

angeltlopez wrote:Thank you for the quick reply and fix recommendations. I have implemented the fixes as suggested

Code: Select all

For /f "tokens=1 delims=,\ " %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir \\%%i\c$\Temp 
For /f "usebackq tokens=1 delims=,\ " %%i in ("%fileName%") do cscript Application.vbs %%i %clrLog%
For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript System.vbs %%i %clrLog%
For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript Security.vbs %%i  %clrLog%



In the four lines above only one of them has %filename% double quoted.
The top one is missing the usebackq

Your lines wrapped so check if it is wrapped in your script.

Post Reply