Win32::EventLog - Missing Events
| Ryan Frantz 2005-08-31, 6:55 pm |
| Perlers,
I'm working on a script to check the application log on one of my
servers for a specific event using Win32::EventLog. For some reason, I
don't get all of the event entries returned. In this case I have 1196
entries, but only 353 are output by the script (so says $log->GetNumber
and wc -l). Does anyone know why this could be?
Using the documentation from CPAN and a few pages from 'Perl for System
Administration', I've written the following:
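# Perl and Windows, sittin' in a tree...
use strict;
use warnings;
# the code snippet for Win32::EventLog was lifted from 'Perl for System
# Administration', pg. 298
use Win32::EventLog;

# Each event carries a numeric type code; map the codes we know to names.
my %type = (
    1  => "ERROR",
    2  => "WARNING",
    4  => "INFORMATION",
    8  => "AUDIT_SUCCESS",
    16 => "AUDIT_FAILURE",
);

# If this is set, we also retrieve the full text of every message on
# each Read().
$Win32::EventLog::GetMessageText = 1;

# Open the System log (try Application later).  Class->new rather than
# "new Class" (indirect object syntax), which strict cannot check.
#my $log = Win32::EventLog->new("Application")
#    or die "Unable to open application log:$!\n";
my $log = Win32::EventLog->new("System")
    or die "Unable to open system log:$!\n";

# Find the number of records in the log.
$log->GetNumber(my $lastRec);

my $entry;
my $source2find = "APCPBEAgent";
my $id2find     = 2000;    # compared numerically against the masked id below
# set an arbitrary time for testing; will capture time at the end of
# each run (in production)
#my $time2find = 1125272719;

# Read one record at a time, starting with the oldest entry.
# EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ walks the log in order.
# NOTE(review): the record-offset argument (1) is believed to matter only
# for EVENTLOG_SEEK_READ -- confirm against the Win32::EventLog docs.
my $records_read = 0;
while ($log->Read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 1, $entry)) {
    $records_read++;

    # The low 16 bits are the id shown in Event Viewer (the debug print
    # already masked this way); the high word carries flags.  Mask once here
    # so the filter below compares like with like instead of the raw value.
    my $eventid = $entry->{EventID} & 0xffff;
    my $source  = $entry->{Source};
    my $time    = $entry->{TimeGenerated};
    # Guard the lookups that can yield undef so the debug prints never warn.
    my $type_name = defined $type{ $entry->{EventType} }
        ? $type{ $entry->{EventType} }
        : "UNKNOWN($entry->{EventType})";
    my $message = defined $entry->{Message} ? $entry->{Message} : "";

    # The following print lines are for debugging, to make sure I really
    # have some output...
    print "\n-------------------\n";
    print "Time: $time\n";
    print scalar(localtime $time), "\n";
    print "Computer: $entry->{Computer}\n";
    print "EventID: $eventid\n";
    print "Source: $source\n";
    print "Event Type: $type_name\n";
    print "Message: $message \n";

    # if ( $time > $time2find ) {
    #     if ( $source eq $source2find ) {
    #         if ( $eventid == $id2find ) {
    #             print "\n-------------------\n";
    #             print "Time: $time\n";
    #             print "Source: $source\n";
    #             print "EventID: $eventid\n";
    #         }
    #     }
    # }
}
$log->Close;

print "Number of events: $lastRec\n";
# A shortfall here means Read() returned false before the end of the log;
# $^E carries the OS error that stopped it, which is the first thing to
# look at when the count printed does not match GetNumber.
print "Records read: $records_read\n";
warn "Read() stopped after $records_read of $lastRec records: $^E\n"
    if $records_read != $lastRec;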
Ryan
| Ryan Frantz 2005-08-31, 6:55 pm |
| > -----Original Message-----
> From: Ryan Frantz
> Sent: Wednesday, August 31, 2005 11:57 AM
> To: beginners@perl.org
> Subject: Win32::EventLog - Missing Events
>=20
> Perlers,
>=20
>=20
>=20
> I'm working on a script to check the application log on one of my
> servers for a specific event using Win32::EventLog. For some reason,
I
> don't get all of the event entries returned. In this case I have 1196
> entries, but only 353 are output by the script (so says
$log->GetNumber
> and wc -l). Does anyone know why this could be?
>=20
>=20
>=20
> Using the documentation from CPAN and a few pages from 'Perl for
System
> Administration', I've written the following:
>=20
>=20
>=20
> # Perl and Windows, sittin' in a tree...
>=20
>=20
>=20
> use strict;
>=20
> use warnings;
>=20
>=20
>=20
> # the code snippet for Win32::EventLog was lifted from 'Perl for
System
> Administration', pg. 298
>=20
>=20
>=20
> use Win32::EventLog;
>=20
> # each event has a type, hash it
>=20
> my %type = ( 1 => "ERROR",
>
> 2 => "WARNING",
>
> 4 => "INFORMATION",
>
> 8 => "AUDIT_SUCCESS",
>
> 16 => "AUDIT_FAILURE",);
>=20
>=20
>=20
> # if this is set, we also retrieve the full text of every message on
> each Read()
>=20
> $Win32::EventLog::GetMessageText = 1;
>=20
>=20
>=20
> # open the System log (try Application later)
>=20
> #my $log = new Win32::EventLog("Application") or die "Unable to open
> system log:$!\n";
>
> my $log = new Win32::EventLog("System") or die "Unable to open system
> log:$!\n";
>=20
>=20
Well, it's official: I'm an ass. My problem was that I opened the wrong
event log (see my own comment)... I wanted to open the Application log
but hadn't swapped the lines of code yet! Duh! Sorry for wasting the
list's time on this one.
In the meantime, however, though the number of records matches (1198
now), they aren't all output. I actually only get about 7 records
printed out. And they're anywhere from the beginning of the log to the
end. Do I need to specify that record offset? I thought that I did so
here:
($log-> Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_
FORWARDS_READ),1,$entry))
>=20
> # find the number of records in the log
>=20
> $log->GetNumber(my $lastRec);
>=20
>=20
>=20
> my $entry;
>=20
> my $source2find = "APCPBEAgent";
>
> my $id2find = "2000";
>=20
> # set an arbitrary time for testing; will capture time at the end of
> each run (in production)
>=20
> #my $time2find = "1125272719";
>=20
>=20
>=20
> # read one record at a time, starting with the first entry
>=20
> # note: find docs on EVENTLOG_*...
>=20
> while
>
($log-> Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_
FORWARDS_READ),1,$entry))
> {
>=20
>=20
>=20
> # the following print lines are for debugging, to make sure I really
> have some output...
>=20
> print"\n-------------------\n";
>=20
> print "Time: " . $entry->{TimeGenerated} . "\n";
>=20
> print scalar localtime($entry->{TimeGenerated}) . "\n";
>=20
> print "Computer: " . $entry->{Computer} . "\n";
>=20
> print "EventID: " . ($entry->{EventID} & 0xffff) . "\n";
>=20
> print "Source: " . $entry->{Source}. "\n";
>=20
> print "Event Type: " . $type{$entry->{EventType}} . "\n";
>=20
> print "Message: " . $entry->{Message}. " \n";
>=20
>=20
>=20
> # assign some variables
>=20
> my $source = $entry->{Source};
>
> my $time = $entry->{TimeGenerated};
>
> my $eventid = $entry->{EventID};
>=20
>=20
>=20
> # if ( $time > $time2find ) {
>=20
> # if ( $source eq $source2find ) {
>=20
> # if ( $eventid eq $id2find ) {
>=20
> # print"\n-------------------\n";
>=20
> # print "Time: " . $time . "\n";
>=20
> # print "Source: " . $source . "\n";
>=20
> # print "EventID: " . $eventid . "\n";
>=20
> # }
>=20
> # }
>=20
> # }
>=20
>=20
>=20
> }
>=20
>=20
>=20
> print "Number of events: $lastRec\n";
>=20
>=20
>=20
> Ryan