Help with Auditing Script

[angeltlopez]

I'm having issues with some auditing batch files and was hoping someone could help me resolve them. I copied the files from another network and planned to run them on a new network, but for some reason I'm getting errors. When executing the 1_Run.bat file normally it'll prompt asking specifically what I want to do (ie. Copy, Delete). It starts out okay, but then says it cannot locate my computers.txt file which is present in the directory with the batch files and vbs files.

Please see the files that I'm using on my google drive:

Mod-edit: Link removed - it has audit access to the google drive.
Edit your security settings for the google drive folder so it is sharable but without audit access.

Code: Select all

:: 1_Run.bat  


@echo. 
@echo.
@echo *************** 
@echo !!!ATTENTION!!! 
@echo *************** 
@echo. 
@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified in computers.txt
@echo.
 
set clearLog=n 
set /p clearLog=Is this what you want to do? (y/[n]): 
if %clearLog% == y goto Proceed 

goto xit 

:Proceed 

set clrLog=n
@echo. 
set /p clrLog=Do you want to clear the logs? (y/[n]):
 

set fileName= computers.txt
@echo. 
set /p fileName=Enter computer list file name (default computers.txt):
@echo %fileName% 

@echo.
@echo Proceeding... 
@echo. 


For /f "tokens=1 delims=, \" %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir \\%%i\c$\Temp 

For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript Application.vbs %%i
%clrLog% 

For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript System.vbs %%i %clrLog% 

For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript Security.vbs %%i 
%clrLog% 

@echo. 
@echo Operation Completed.
@echo. 

set copyLogs=n
@echo. 
set /p copyLogs=Copy logs? (y/[n]): 
if %copyLogs% == n goto noCopy 

if not exist c:\Audits mkdir c:\Audits 
FOR /f "tokens=1 delims=,\ " %%i in (%fileName%) do copy \\%%i\c$\Temp\*.evt 
c:\Audits 


:noCopy 

set clrTemp=n

@echo. 

set /p clrTemp=Clear temporary logs? (y/[n]): 

if %clrTemp% == n goto noClear 

Code: Select all

:: 2_copy.bat  

if not exist c:\Audits mkdir c:\Audits 
FOR /f "tokens=l delims=,\ " %%i in (computers.txt) do copy \\%%i\c$\Temp\*.evt 
c:\Audits 

Code: Select all

 
:: 3_Clean.bat  

FOR /f "tokens=l delims=,\ "%%i in (servers.txt) do del \\%%i\c$\Temp\*.evt 
pause 

Code: Select all

' Application.vbs  

strComputer = Wscript.Arguments.Item(0)
strClearLog = Wscript.Arguments.Item(1) 

Wscript.Echo "Application::Computer: " & strComputer 

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate, (Backup, Security)}!\\" & strComputer & "\root\cimv2") 

Set    colLogFiles = objWMIService.ExecQuery _ 
         ("Select* from win32_NTEventLogFile where LogFileName='Application'") 

For    Each objLogfile in colLogFiles
   FileName = strComputer & "-" & year(now) & "_" 
   FileName = FileName & month(now) & "-" & Day(Now)
   FileName = FileName & "-app.evt" 

   OutputFile = "C:\Temp\" & FileName 

   errBackupLog = objLogFile.BackupEventLog(OutputFile)

   If errBackupLog = 0 or errBackupLog = 183 Then 

          If strClearLog = "y" then 
      WScript.Echo "code:" & errBackupLog & ", clearing Log..." 
      objLogFile.clearEventLog()
   Else 
      wscript.Echo "Code:" & errBackupLog & ", log not cleared..." 
   
End If 

Else 

   WScript.Echo strComputer & ": The Application event log could not be backed up." 
   wscript.Echo "Error Number: " & errBackupLog
   End If 
      Next 

Code: Select all

:: computers.txt  
\\MyComputerName

Code: Select all

'  Security.vbs  

strComputer = WScript.Arguments.Item(O)
strClearLog = WScript.Arguments.Item(1) 

WScript.Echo "Security::Computer: " & strComputer
 
set objWMIService = GetObject("winmgmts:"_
   & "{impersonationLevel=impersonate, (Backup, Security)}!\\"_
      & strComputer & "\root\cimv2") 

set colLogFiles = objWMIService.ExecQuery _ 
   ("Select * from win32_NTEventLogFile where LogFileName='Security'")
 
For Each objLogfile in colLogFiles
   FileName = strComputer & "-" & year(now) & "_" 
   FileName = FileName & month(now) & "-" & Day(Now)
   FileName = FileName & "-sec.evt" 

OutputFile = "C:\Temp\" & FileName

errBackupLog = objLogFile.BackupEventLog(OutputFile)

If errBackupLog = 0 Or errBackupLog = 183 Then 

   If strClearLog = "y" then 
      WScript.Echo "Code:" & errBackupLog & ", clearing Log..." 
      objLogFile.ClearEventLog()
   Else 
      WScript.Echo "Code:" & errBackupLog & ", log not cleared..." 
   End If 
Else 
   WScript.Echo strComputer & ": The Application event log could not be backed up." 
   WScript.Echo "Error Number: " & errBackupLog
   End If 
Next 

Code: Select all

 
' System.vbs  

strComputer = WScript.Arguments.Item(O)
strClearLog = WScript.Arguments.Item(1) 

WScript.Echo "System::Computer: " & strComputer 

Set objWMIService = GetObject("winmgmts:"_
   & "{impersonationLevel=impersonate, (Backup, Security)}!\\"_
      & strComputer & "\root\cimv2") 

Set colLogFiles = objWMIService.ExecQuery _ 
   ("Select * from Win32_NTEventLogFile where LogFileName='System'") 

For Each objLogfile in colLogFiles
   FileName strComputer & "-" &year(now) & "_" 
   FileName = FileName & month(now) & "-" & Day(Now)
   FileName = FileName & "-sys.evt" 

outputFile = "C:\Temp\" & FileName 

errBackupLog = objLogFile.BackupEventLog(OutputFile)

If errBackupLog = 0 Or errBackupLog = 183 Then 
   If strClearLog = "y" then 
      WScript.Echo "Code:" & errBackupLog & ", clearing Log..." 
      objLogFile.clearEventLog()Else 
         WScript.Echo "Code:" & errBackupLog & ", log not cleared..." 

      End If 

   Else 

      WScript.Echo strComputer & ": The Application event log could not be backed up." 
      WScript.Echo "Error Number: " & errBackupLog
   End If 
Next 

Any help would be greatly appreciated.

[foxidrive]

There is a potential flaw here in that a space exists before text in the predefined variable called filename.

Code: Select all

set fileName= computers.txt

The main problem is in statements like this

FOR /f "tokens=l delims=,\ " %%i in (computers.txt) do copy \\%%i\c$\Temp\*.evt

For robust code where computers.txt could be in a different location: add the usebackq and the double quotes around "%filename%" and also the plain filename you have here "computers.txt"

Code: Select all

FOR /f "usebackq tokens=l delims=,\ " %%i in ("computers.txt") do copy \\%%i\c$\Temp\*.evt 

There is an additional problem in lines like this:
For /f "tokens=1 delims=, \" %%i in (%fileName%) do cscript Application.vbs %%i

where the space in the delims section must always be the last item. It will throw an error in the way it has the space before the \

Code: Select all

For /f "usebackq tokens=1 delims=,\ " %%i in ("%fileName%") do cscript Application.vbs %%i

[angeltlopez]

Thank you for the quick reply and fix recommendations. I have implemented the fixes as suggested Now after running the 1_Run.bat file I'm still getting errors. Please see current 1_run.bat file and copy of code during execution.

Current 1_run.bat config

Code: Select all

@echo off 


@echo. 

@echo.

@echo *************** 

@echo !!!ATTENTION!!! 

@echo *************** 

@echo. 

@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified 

in computers.txt

@echo.
 

set clearLog=n 

set /p clearLog=Is this what you want to do? (y/[n]): 

if %clearLog% == y goto Proceed 

goto xit 

:Proceed 

set clrLog=n
@echo. 

set /p clrLog=Do you want to clear the logs? (y/[n]):
 

set fileName=computers.txt

@echo. 

set /p fileName=Enter computer list file name (default computers.txt):

@echo %fileName% 

@echo.
@echo Proceeding... 
@echo. 


For /f "tokens=1 delims=,\ " %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir 
\\%%i\c$\Temp 

For /f "usebackq tokens=1 delims=,\ " %%i in ("%fileName%") do cscript Application.vbs %%i
%clrLog% 

For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript System.vbs %%i %clrLog% 

For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript Security.vbs %%i 
%clrLog% 

@echo. 

@echo Operation Completed.

@echo. 

set copyLogs=n
@echo. 

set /p copyLogs=Copy logs? (y/[n]): 

if %copyLogs% == n goto noCopy 

if not exist c:\Audits mkdir c:\Audits 
FOR /f "usebackq tokens=l delims=,\ " %%i in ("computers.txt") do copy \\%%i\c$\Temp\*.evt
c:\Audits 


:noCopy 

set clrTemp=n

@echo. 

set /p clrTemp=Clear temporary logs? (y/[n]): 

if %clrTemp% == n goto noclear 

1_run.bat during execution

Code: Select all

***************
!!!ATTENTION!!!
***************

The purpose of this script is to CLEAR and ZIP logs on all systems identified
'in' is not recognized as an internal or external command,
operable program or batch file.

Is this what you want to do? (y/[n]): y

Do you want to clear the logs? (y/[n]):y

Enter computer list file name (default computers.txt):
computers.txt

Proceeding...

The syntax of the command is incorrect.
The syntax of the command is incorrect.
The network path was not found.
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

'y' is not recognized as an internal or external command,
operable program or batch file.
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29) Microsoft VBScript compilation error: Must be first statement on the line

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29) Microsoft VBScript compilation error: Must be first statement on the line

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29) Microsoft VBScript compilation error: Must be first statement on the line

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Security.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Security.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Security.vbs(2, 1) Microsoft VBScript runtime error: Subscript out of range

'y' is not recognized as an internal or external command,
operable program or batch file.

Operation Completed.


Copy logs? (y/[n]):

[penpen]

Some errors seem to be provoked by line endings within an instruction, for example:

Code: Select all

@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified 

in computers.txt

Probably you wanted to do something like this:

Code: Select all

@echo The purpose of this script is to CLEAR and ZIP logs on all systems identified in computers.txt

The other errors might be provoked by wrong vbs scripts (line, character):
- "C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\Application.vbs(2, 1)"
- "C:\Users\Angel\Desktop\Log Files\Scripts for Monterey\System.vbs(25, 29)"
(But it is also possible, that a missing argument - created "using" the above errors - could be the reaoson of these errors.)


penpen

[Squashman]

This label does not exist.

Code: Select all

goto xit

This is wrong. Code is on two lines.

Code: Select all

For /f "tokens=1 delims=,\ " %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir 
\\%%i\c$\Temp 

What were you expecting this to do? The variable expands to n or y which is not valid command.

Code: Select all

%clrLog% 

And you did it again.

Code: Select all

%clrLog% 

Tokens needs to be a numeric value.

Code: Select all

FOR /f "usebackq tokens=l delims=,\ " %%i in ("computers.txt") do copy \\%%i\c$\Temp\*.evt

What are you trying to do here? This is an invalid command.

Code: Select all

c:\Audits

[foxidrive]

Thank you for the quick reply and fix recommendations. I have implemented the fixes as suggested

Code: Select all

For /f "tokens=1 delims=,\ " %%i in (%fileName%) do if not exist \\%%i\c$\Temp mkdir \\%%i\c$\Temp 
For /f "usebackq tokens=1 delims=,\ " %%i in ("%fileName%") do cscript Application.vbs %%i %clrLog% 
For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript System.vbs %%i %clrLog% 
For /f "usebackq tokens=1 delims=,\ " %%i in (%fileName%) do cscript Security.vbs %%i  %clrLog% 

In the four lines above only one of them has %filename% double quoted.
The top one is missing the usebackq

Your lines wrapped so check if it is wrapped in your script.