
Posted: Wed Oct 09, 2002 10:16 pm
by BackupUser
Restored from previous forum. Originally posted by Berikco.

Hi,

Here is an example for reading the event logs.
It will not work in 3.30: the TIME_ZONE_INFORMATION structure is faulty there
and there are no date() functions.

Some messages must be formatted using information in the registry
and a resource from the app that generated the event.
This part is not included; it looks difficult :)



; Names of the three standard Windows event logs, as passed to OpenEventLog_().
; Reading the Security log normally needs more rights than the other two.
#EVNT_SYSTEM   = "System"
#EVNT_APP      = "Application"
#EVNT_SECURITY = "Security"

; dwReadFlags bits for ReadEventLog_(): one access mode (sequential or seek)
; is combined with one direction (forwards or backwards).
#EVENTLOG_SEQUENTIAL_READ = $1
#EVENTLOG_SEEK_READ       = $2
#EVENTLOG_FORWARDS_READ   = $4
#EVENTLOG_BACKWARDS_READ  = $8

; Shared scratch structures used by ReadEvents() to turn a record's UTC
; timestamp into local time.
Global timezone.TIME_ZONE_INFORMATION
Global UTCtime.SYSTEMTIME
Global localtime.SYSTEMTIME

; Filled once at program start; the return value is not checked here.
GetTimeZoneInformation_(@timezone)

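Procedure ReadEvents(ServerName,EventType$)
  ; Reads one Windows event log from start to end and writes one line per
  ; insertion string (local timestamp, computer name, source name, string)
  ; with WriteStringN(), i.e. to the file the caller has opened.
  ;
  ; ServerName : handed to OpenEventLog_() unchanged (0 = local machine)
  ; EventType$ : name of the log, e.g. #EVNT_APP
  ; Returns 1 when the log was read to its end, 0 on failure.
  ;
  ; The strings are the raw insertion strings stored in the record; the
  ; message template from the source's resource file is not applied.
  ;
  ; NOTE(review): the loop comparisons and the header-parsing lines of this
  ; listing were lost when the post was migrated (the "<" ... ">" spans were
  ; stripped). They are restored below so that a$, B$ and EvtRecLen, which the
  ; remaining lines use, are defined again.
  
  rBuff.EVENTLOGRECORD
  
  StrucLen = SizeOf(EVENTLOGRECORD)
  
  *eBuff=AllocateMemory(1, 16384, 0)
  If *eBuff = 0
    ProcedureReturn 0
  EndIf
  
  EvtReadFlags = #EVENTLOG_SEQUENTIAL_READ | #EVENTLOG_FORWARDS_READ
  
  EventLogHwd = OpenEventLog_(ServerName, EventType$)
  
  If EventLogHwd = 0 
    ProcedureReturn 0
  EndIf
  
  EvtRecNo=0
  ret = GetNumberOfEventLogRecords_(EventLogHwd, @EvtRecNo)
  
  If ret = 0 
    ; Do not leak the log handle on the error path.
    CloseEventLog_(EventLogHwd)
    ProcedureReturn 0
  EndIf
    
  rBytesRead=0
  rBytesNeeded=0
  
  ; EvtRecNo is a record COUNT, not the number of the newest record. When the
  ; oldest record is not number 1 the comparison never becomes equal and the
  ; loop ends through the end-of-log error handled below.
  While rBuff\RecordNumber <> EvtRecNo
  
    ret = ReadEventLog_(EventLogHwd, EvtReadFlags, rBuff\RecordNumber, *eBuff, 16384, @rBytesRead, @rBytesNeeded)
    If ret = 0 
      LastErr = GetLastError_()
      CloseEventLog_(EventLogHwd)
      If LastErr = 38           ; 38 = ERROR_HANDLE_EOF: every record was read
        ProcedureReturn 1
      EndIf
      ProcedureReturn 0
    EndIf
    
    eBytePointer = 0
    While eBytePointer < rBytesRead
      CopyMemory(*eBuff+eBytePointer, @rBuff, StrucLen)
      EvtRecLen = rBuff\Length
      
      ; The record length comes from the log data (possibly from another
      ; machine). A value smaller than the header would stall the loop and a
      ; value larger than what was read would step past the buffer.
      If EvtRecLen < StrucLen Or eBytePointer + EvtRecLen > rBytesRead
        CloseEventLog_(EventLogHwd)
        ProcedureReturn 0
      EndIf
      
      ; Source name and computer name follow the fixed header back to back.
      a$ = PeekS(*eBuff + eBytePointer + StrucLen)
      l = Len(a$)+1
      B$ = PeekS(*eBuff + eBytePointer + StrucLen + l)
      
      ;If a$="CIOArrayManagement"  ; name of source to filter
      
        If rBuff\NumStrings > 0 
  
          ; The timestamp is the same for every string of the record, so it
          ; is converted to local time once, before the loop.
          datum = rBuff\TimeGenerated                 
          UTCtime\wDay = Day(datum)
          UTCtime\wMonth = Month(datum)
          UTCtime\wYear = Year(datum)
          UTCtime\wHour = Hour(datum)
          UTCtime\wMinute = Minute(datum)
          UTCtime\wSecond = Second(datum)
              
          SystemTimeToTzSpecificLocalTime_(@timezone, @UTCtime, @localtime)
   
          datum = Date(localtime\wYear, localtime\wMonth, localtime\wDay, localtime\wHour, localtime\wMinute, localtime\wSecond)
  
          c$=""  
          l=0        ; byte offset of the current string inside the string area
          For r = 1 To rBuff\NumStrings
            ; Only read a string that starts inside this record.
            If rBuff\StringOffset + l < EvtRecLen
              c$= PeekS(*eBuff + eBytePointer+l + rBuff\StringOffset)

              WriteStringN(FormatDate("%YYYY/%mm/%dd  %hh:%ii:%ss  ", datum)+B$+"  "+a$+"  "+c$)
            
              l+Len(c$)+1
            EndIf
          Next r
    
        EndIf
  
      ;EndIf
      eBytePointer + EvtRecLen
    Wend
  Wend

  CloseEventLog_(EventLogHwd)

  ProcedureReturn 1

EndProcedure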

; Dump the Application log of the local machine (server 0) into
; "Eventlog.txt" in the current directory. ReadEvents() writes to the file
; opened here; its return value is not inspected.
If CreateFile(1, "Eventlog.txt")
  ReadEvents(0, #EVNT_APP)
  CloseFile(1)
EndIf

End
Regards,

Berikco

http://www.benny.zeb.be

Posted: Thu May 24, 2007 11:27 am
by Progi1984
I am bumping this post to update the code for V4:


; Names of the three standard Windows event logs, as passed to OpenEventLog_().
; Reading the Security log normally needs more rights than the other two.
#EVNT_SYSTEM   = "System"
#EVNT_APP      = "Application"
#EVNT_SECURITY = "Security"

; dwReadFlags bits for ReadEventLog_(): one access mode (sequential or seek)
; is combined with one direction (forwards or backwards).
#EVENTLOG_SEQUENTIAL_READ = $1
#EVENTLOG_SEEK_READ       = $2
#EVENTLOG_FORWARDS_READ   = $4
#EVENTLOG_BACKWARDS_READ  = $8

; Shared scratch structures used by ReadEvents() to turn a record's UTC
; timestamp into local time.
Global timezone.TIME_ZONE_INFORMATION
Global UTCtime.SYSTEMTIME
Global localtime.SYSTEMTIME

; Filled once at program start; the return value is not checked here.
GetTimeZoneInformation_(@timezone)

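Procedure ReadEvents(ServerName,EventType$)
  ; Reads one Windows event log from start to end and prints, for every
  ; insertion string of every record, the local timestamp, computer name,
  ; source name and the string itself to the debug output.
  ;
  ; ServerName : handed to OpenEventLog_() unchanged (0 = local machine)
  ; EventType$ : name of the log, e.g. #EVNT_SYSTEM
  ; Returns 1 when the log was read to its end, 0 on failure.
  ;
  ; The strings are the raw insertion strings stored in the record; the
  ; message template from the source's resource file is not applied.
  ; Everything taken from the record (length, offsets, strings) is data from
  ; the log, possibly from another machine, so it is bounds-checked before use.
  
  rBuff.EVENTLOGRECORD
  
  StrucLen = SizeOf(EVENTLOGRECORD)
  CharSize = SizeOf(Character)      ; 2 in a Unicode build, 1 otherwise
  BufSize  = 16384
  Result   = 1
  
  *eBuff = AllocateMemory(BufSize)
  If *eBuff = 0
    ProcedureReturn 0
  EndIf
  
  EvtReadFlags = #EVENTLOG_SEQUENTIAL_READ | #EVENTLOG_FORWARDS_READ
  
  EventLogHwd = OpenEventLog_(ServerName, EventType$)
  
  If EventLogHwd = 0 
    FreeMemory(*eBuff)
    ProcedureReturn 0
  EndIf
  
  EvtRecNo = 0
  If GetNumberOfEventLogRecords_(EventLogHwd, @EvtRecNo) = 0
    ; Release the handle and the buffer on the error path as well.
    CloseEventLog_(EventLogHwd)
    FreeMemory(*eBuff)
    ProcedureReturn 0
  EndIf
    
  rBytesRead   = 0
  rBytesNeeded = 0
  
  ; EvtRecNo is a record COUNT, not the number of the newest record. When the
  ; oldest record is not number 1 the comparison never becomes equal and the
  ; loop ends through the end-of-log error handled below.
  While Result = 1 And rBuff\RecordNumber <> EvtRecNo
    If ReadEventLog_(EventLogHwd, EvtReadFlags, rBuff\RecordNumber, *eBuff, BufSize, @rBytesRead, @rBytesNeeded) = 0
      If GetLastError_() <> 38      ; 38 = ERROR_HANDLE_EOF: every record was read
        Result = 0
      EndIf
      Break
    EndIf
    
    eBytePointer = 0
    While eBytePointer < rBytesRead
      ; A complete fixed header must be available before it is copied.
      If rBytesRead - eBytePointer < StrucLen
        Result = 0
        Break
      EndIf
      CopyMemory(*eBuff + eBytePointer, @rBuff, StrucLen)
      EvtRecLen = rBuff\Length
      
      ; A length below the header size would stall this loop; a length beyond
      ; the bytes actually read would step past the buffer.
      If EvtRecLen < StrucLen Or EvtRecLen > rBytesRead - eBytePointer
        Result = 0
        Break
      EndIf
      
      ; Source name and computer name follow the fixed header back to back.
      ; PeekS() gets a maximum length so an unterminated name cannot be read
      ; beyond the end of this record.
      SourceName.s   = ""
      ComputerName.s = ""
      NameRoom = (EvtRecLen - StrucLen) / CharSize
      If NameRoom > 0
        SourceName = PeekS(*eBuff + eBytePointer + StrucLen, NameRoom)
        NameBytes  = (Len(SourceName) + 1) * CharSize
        NameRoom   = (EvtRecLen - StrucLen - NameBytes) / CharSize
        If NameRoom > 0
          ComputerName = PeekS(*eBuff + eBytePointer + StrucLen + NameBytes, NameRoom)
        EndIf
      EndIf
      
      ;If SourceName = "CIOArrayManagement"  ; name of source to filter
       
        If rBuff\NumStrings > 0 
  
          ; The timestamp is the same for every string of the record, so it
          ; is converted to local time once, before the loop.
          datum = rBuff\TimeGenerated                 
          UTCtime\wDay    = Day(datum)
          UTCtime\wMonth  = Month(datum)
          UTCtime\wYear   = Year(datum)
          UTCtime\wHour   = Hour(datum)
          UTCtime\wMinute = Minute(datum)
          UTCtime\wSecond = Second(datum)
              
          SystemTimeToTzSpecificLocalTime_(@timezone, @UTCtime, @localtime)
   
          datum = Date(localtime\wYear, localtime\wMonth, localtime\wDay, localtime\wHour, localtime\wMinute, localtime\wSecond)
          
          c.s    = ""  
          StrPos = rBuff\StringOffset   ; byte offset of the current string inside the record
          For r = 1 To rBuff\NumStrings
            ; Stop when the string table points outside this record.
            If StrPos < StrucLen Or StrPos >= EvtRecLen
              Break
            EndIf
            
            c = PeekS(*eBuff + eBytePointer + StrPos, (EvtRecLen - StrPos) / CharSize)
            StrPos + (Len(c) + 1) * CharSize
            
            Debug ">Name of Computer :<= " + ComputerName
            Debug FormatDate("%YYYY/%mm/%dd  %hh:%ii:%ss  ", datum) + ComputerName + "  " + SourceName + "  " + c 
            Debug "------------------"
            
          Next r
    
        EndIf
  
      ;EndIf
      eBytePointer + EvtRecLen
    Wend
  Wend

  CloseEventLog_(EventLogHwd)
  FreeMemory(*eBuff)

  ProcedureReturn Result

EndProcedure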

; Read a custom log named "Antivirus" on the local machine (server 0).
; Per the Win32 documentation for OpenEventLog, a custom log name that cannot
; be found makes the service open the Application log instead, so output does
; not prove that a log with this name exists.
ReadEvents(0, "Antivirus")

; Standard logs, for comparison:
;ReadEvents(0,#EVNT_SYSTEM)
;ReadEvents(0,#EVNT_APP)

End