
Date: Thu, 17 Apr 2008 20:18:48 +0100
Hi,
You may be better off with
microsoft.public.dotnet.framework.wmi
in future for this type of thing.
I can't help with the .NET side, as I don't use it, but a couple of things jump out at me from your post.
1. If the user is the "where is the button" type, why are they allowed anywhere NEAR a security log? They'd need full admin rights for a start, and you've just lost your audit trail.
2. If the old version was working, and they just need a "button", why can't they just have a shortcut to click on?
3. If it's for lots of users, why not just have a button on an intranet page where they click, and based on valid user authentication, this would start a new process in a new security context that would clear the log?
4. Why not just have a scheduled job to backup the log and then clear it?
JohnBates wrote:
> Problem:
> I need to backup and clear the security event log. I have this working via
> a vbscript which I will post below. However while I can use this script
> manually it is not user friendly and my end users who have to perform the
> backup and clear chore weekly are the "where is the button" types.
>
> I have written a vb.net 2005 gui as a front end that can launch my script
> and run it ok but the problem is since it is a script running in a shell
> object I have no way to return status to my vb.net program saying it succeeded
> or failed or even to know when the shell exits.
>
> So I decided to look into performing the steps via vb.net code. I
> can successfully create a WMI connection and (on the local machine) I can
> even list out all log files by code shown below. What I cannot do is execute
> the BackupEventLog method via WMI. I get access denied, which I have
> researched and I feel the reason is that the WMI connection does not have the
> privileges enabled for backup and security. If you look at the vbs script
> below you will see where it adds (Backup, security) into the moniker for the
> object and I believe allows the execution of the method.
>
> I did find out there that you are supposed to use the ".EnablePrivileges =
> True" option but I also found that .NET 1.1 messed that option up. Someone
> please help!
>
> CREATE CONNECTION CODE:
> ===================BEGIN
> Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
>
>     With myConnectionOptions
>         .Impersonation = Management.ImpersonationLevel.Impersonate
>
>         '* Use next line for XP
>         .Authentication = System.Management.AuthenticationLevel.Packet
>         .EnablePrivileges = True
>
>         'Cannot specify username/password for local connections
>         '.Username = Me.txtUsername.Text
>         '.Password = Me.txtPassword.Text
>     End With
>
>     '* "." is the string for a local connection
>     Dim myServerName As String = Me.txtServer.Text
>
>     myManagementScope = New System.Management.ManagementScope("\\" & myServerName & "\root\cimv2", myConnectionOptions)
>
>     '* connect to WMI namespace
>     myManagementScope.Connect()
>     If myManagementScope.IsConnected = False Then
>         rtbStatus.AppendText("Could not connect to WMI namespace on " & myServerName & ControlChars.Cr)
>     Else
>         rtbStatus.AppendText("Connected to WMI namespace on " & myServerName & ControlChars.Cr)
>     End If
> End Sub
> ===================END
>
> LIST ALL LOG FILES CODE:
> ===================BEGIN
> Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
>     Dim logfileSearcher As System.Management.ManagementObjectSearcher
>     Dim logfiles As System.Management.ManagementObjectCollection
>     Dim logfile As System.Management.ManagementObject
>
>     logfileSearcher = New System.Management.ManagementObjectSearcher(myManagementScope.Path.ToString, "Select * from win32_NTEventLogFile")
>
>     '* execute query
>     logfiles = logfileSearcher.Get()
>
>     Try
>
>         For Each logfile In logfiles
>
>             rtbStatus.AppendText("Found logfile " & logfile.GetPropertyValue("FileName").ToString & " which is the " & logfile.GetPropertyValue("LogfileName").ToString & " event log" & ControlChars.Cr)
>
>             'INSERT BACKUP CODE HERE (SHOWN BELOW)
>
>         Next
>
>     Catch ex As Exception
>         rtbStatus.AppendText("Error Encountered: " & ex.ToString & ControlChars.Cr)
>     End Try
> End Sub
> ===================END
>
>
> FAILING BACKUP METHOD INVOCATION
> ===================BEGIN
> Dim inParams As Management.ManagementBaseObject = logfile.GetMethodParameters("BackupEventLog")
>
> inParams("ArchiveFileName") = "c:\testing.evt"
>
> Dim outParams As Management.ManagementBaseObject = logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
> ===================END
>
>
> WORKING VBS SCRIPT
> ===================BEGIN
> 'Arguments
> fileName = WScript.Arguments.Item(0)
> logType = WScript.Arguments.Item(1)
> fullPathName = filename & ".evt"
>
> 'NOTE: for this to work on a normal user account they must have following rights
> 'Manage Auditing and Security
> 'Generate Security Audits
>
> strComputer = "."
> Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Backup,security)}!\\" & strComputer & "\root\cimv2")
> Set colLogFiles = objWMIService.ExecQuery ("SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")
>
>
> For Each objLogfile in colLogFiles
>     errBackupLog = objLogFile.BackupEventLog(fullPathName)
>
>     If errBackupLog = 0 Then
>         Wscript.Echo "The Security event log was backed up."
>         objLogFile.ClearEventLog()
>     End If
>     If errBackupLog = 8 Then
>         Wscript.Echo "Privilege missing!"
>     End If
>     If errBackupLog = 21 Then
>         Wscript.Echo "Invalid Parameter in call"
>     End If
>
>     If errBackupLog = 183 Then
>         Wscript.Echo "The archive file already exists."
>     End If
> Next
> ===================END
-- Gerry Hickman (London UK)
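
Added example, not part of either post and not the posters' code: a VB.NET function that backs up an event log through WMI with privileges enabled, clears it only when the backup reports success, and returns a status code the calling GUI or scheduled job can act on. The names `EventLogArchive` and `BackupThenClear`, the log-name allow-list and the -1 "log not found" result are assumptions made for this illustration.

```vb
Imports System.Management

Module EventLogArchive
    ' Added example. Returns 0 when the log was backed up and cleared,
    ' -1 when no such log exists, otherwise the failing WMI ReturnValue
    ' (per the script above: 8 = privilege missing, 183 = archive exists).
    Function BackupThenClear(ByVal server As String, ByVal logName As String, _
                             ByVal archivePath As String) As Integer
        ' logName goes into a WQL string, so accept only known log names.
        Dim allowed() As String = {"Application", "Security", "System"}
        If Array.IndexOf(allowed, logName) < 0 Then
            Throw New ArgumentException("Unexpected log name", "logName")
        End If

        Dim options As New ConnectionOptions()
        options.Impersonation = ImpersonationLevel.Impersonate
        options.EnablePrivileges = True ' role of (Backup,security) in the moniker

        Dim scope As New ManagementScope("\\" & server & "\root\cimv2", options)
        scope.Connect()

        ' Hand the scope object to the searcher. The (String, String)
        ' constructor would build a fresh scope without these options.
        Dim query As New ObjectQuery( _
            "SELECT * FROM Win32_NTEventLogFile WHERE LogfileName='" & logName & "'")
        Using searcher As New ManagementObjectSearcher(scope, query)
            For Each logfile As ManagementObject In searcher.Get()
                Dim inParams As ManagementBaseObject = _
                    logfile.GetMethodParameters("BackupEventLog")
                inParams("ArchiveFileName") = archivePath
                Dim backupOut As ManagementBaseObject = _
                    logfile.InvokeMethod("BackupEventLog", inParams, Nothing)
                Dim rc As Integer = Convert.ToInt32(backupOut("ReturnValue"))
                ' Fail closed: never clear unless the archive was written.
                If rc <> 0 Then Return rc

                Dim clearOut As ManagementBaseObject = _
                    logfile.InvokeMethod("ClearEventLog", Nothing, Nothing)
                Return Convert.ToInt32(clearOut("ReturnValue"))
            Next
        End Using
        Return -1
    End Function
End Module
```

Because the function returns a code rather than echoing text, the same routine can sit behind a button or run from a scheduled job under a dedicated account, as point 4 of the reply suggests.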