Announcement

**Don Dickinson** · 19 Jun 2001, 07:33 AM

Hard to debug without your variable declarations and the function declaration you're using for ReadEventLog - please post this even if it's in win32api.inc - I might have a diffent one than you have.

--Don

------------------
dickinson.basicguru.com

**Scott Turchin** · 19 Jun 2001, 12:10 PM

Ah yes

Code:

DECLARE FUNCTION ReadEventLog LIB "ADVAPI32.DLL" ALIAS "ReadEventLogA" (BYVAL hEventLog AS LONG, BYVAL dwReadFlags AS LONG, BYVAL dwRecordOffset AS LONG, lpBuffer AS EVENTLOGRECORD, BYVAL nNumberOfBytesToRead AS LONG, pnBytesRead AS LONG, _
                 pnMinNumberOfBytesNeeded AS LONG) AS LONG

'
'
'
'Type EVENTLOGRECORD
'  Length As Dword              ' Length of full record
'  Reserved As Dword            ' Used by the service
'  RecordNumber As Dword        ' Absolute record number
'  TimeGenerated As Dword       ' Seconds since 1-1-1970
'  TimeWritten As Dword         ' Seconds since 1-1-1970
'  EventID As Dword
'  EventType As Word
'  NumStrings As Word
'  EventCategory As Word
'  ReservedFlags As Word        ' For use with paired events (auditing)
'  ClosingRecordNumber As Dword ' For use with paired events (auditing)
'  StringOffset As Dword        ' Offset from beginning of record
'  UserSidLength As Dword
'  UserSidOffset As Dword
'  DataLength As Dword
'  DataOffset As Dword          ' Offset from beginning of record
  '
  ' Then follow:
  '
'  SourceName As Asciiz * 128
'  Computername As Asciiz * 17
  ' SID   UserSid
  ' WCHAR Strings[]
  ' BYTE  Data[]
  ' CHAR  Pad[]
  ' DWORD Length;
'End Type

'
'
'
'
And my code to date:
#Compile Exe
#Register None
#Dim All
#Option Version5
#Include "WIN32API.INC"

Function WinMain (ByVal hCurInstance     As Long, _
                  ByVal hPrevInstance As Long, _
                  lpCmdLine           As Asciiz Ptr, _
                  ByVal iCmdShow      As Long) As Long

Dim lpBuffer  As EVENTLOGRECORD
Local lpSourceName      As Asciiz * 16
Local lResult           As Long
Local lLoop             As Long

'Open Event log
Local hEventLog         As Long
Local lEventLogRecordCount  As Long
Local lpOldestRecord    As Long

'Read event log
Local nNumberOfBytesToRead  As Long
Local pnBytesRead       As Long
Local pnMinNumberOfBytesNeeded  As Long

lpSourceName = "Application" ' 'Security, System

hEventLog = OpenEventLog("",lpSourceName)
If IsFalse hEventLog Then
   MsgBox "Could not read the event log",%MB_ICONSTOP,"Error reading event log"
   Exit Function
End If

lResult = GetNumberOfEventLogRecords(hEventLog, lEventLogRecordCount)
lResult = GetOldestEventLogRecord(ByVal hEventLog, lpOldestRecord)

MsgBox "Number of event log events: " & Format$(lEventLogRecordCount) & $CRLF & "Oldest Record: " & Format$(lpOldestRecord)


'Read the event log
For lLoop = 1 To lEventLogRecordCount
    lResult = ReadEventLog(ByVal hEventLog, _
                           ByVal %EVENTLOG_SEEK_READ Or %EVENTLOG_SEQUENTIAL_READ, _
                           ByVal 0, _
                           lpBuffer,_
                           ByVal SizeOf(lpBuffer),_
                           pnBytesRead, _
                           pnMinNumberOfBytesNeeded)

     If lLoop = 1 Then MsgBox Format$(lpBuffer.eventid)
Next
lResult = CloseEventLog(ByVal hEventLog)
End Function

------------------
Scott

**Scott Turchin** · 20 Jun 2001, 09:25 AM

Do those declares help? THis topic was fading fast but I have not resolved this thing yet.

I'm wondering if this may be requied:
Local lpBuffer AS EVENTLOG Ptr

?

Scott

------------------
Scott

**Tom Hanlin** · 20 Jun 2001, 10:26 AM

If you examine the C code, you'll find that you need %EVENTLOG_FORWARDS_READ
rather than %EVENTLOG_SEEK_READ. If it still fails, checking the minimum length
count will probably inform you that the buffer is too small. As you may have
gathered by looking at EVENTLOGRECORD, this is not intended for use as a real
type: it's one of Microsoft's pseudo-types, used basically for documentation.
What you need to do is create something like a string buffer, pass that to the
function, and parse out the results. Only the fixed-length part of the results
are going to fit in the EVENTLOGRECORD structure. The rest "depends".

------------------
Tom Hanlin
PowerBASIC Staff

**Don Dickinson** · 20 Jun 2001, 10:53 AM

Scott,
I can verify that your declarations are correct
No, you should not declare the structure as a structure pointer, the way you have it will match the declare.
The explict ByVal's you're adding to each parameter are unnecessary as your declare already has byval in it.
I haven't had time to review what's actually going wrong - at first look, everything appears to be correct.
--Don

------------------
dickinson.basicguru.com

**Guest** · 20 Jun 2001, 11:11 AM

Scott, as Tom stated, do not pass the address of your eventlog record since it is a variable length (pseudo) structure. I use a Byte array.

Here's a link to some vb code for reading the eventlog. http://www.mediadev.fr/articles/Administration_Web_distante/Administration_Web_dist ante.htm

You'll need to copy the data from your (byte?) buffer into the READEVENTLOG structure and variables suitable for the data which is not part of the defined structure.

[This message has been edited by Ron Pierce (edited June 20, 2001).]

**Scott Turchin** · 20 Jun 2001, 11:20 AM

Here is the entire C source that a person sent me, (Unnamed in case he wants to remain private)...

Code:

Reading the Event Log
The following example reads All the records In the Application Log file And displays the event identifier, event Type, And event source For each event Log entry.
void DisplayEntries( )
{
    Handle h;
    EVENTLOGRECORD *pevlr;
    Byte bBuffer[BUFFER_SIZE];
    Dword dwRead, dwNeeded, cRecords, dwThisRecord = 0;

    // Open the Application event log.

    h = OpenEventLog( Null,             // use Local computer
             "Application");   // source Name
    If (h == Null)
        ErrorExit("Could not open the Application event log.");

    pevlr = (EVENTLOGRECORD *) &bBuffer;

    // Opening the event Log positions the file pointer For this
    // Handle At the beginning of the log. Read the records
    // sequentially Until there are no more.

    While (ReadEventLog(h,                // event Log Handle
                EVENTLOG_FORWARDS_READ |  // reads forward
                EVENTLOG_SEQUENTIAL_READ, // sequential Read
                0,            // ignored For sequential reads
                pevlr,        // pointer To buffer
                BUFFER_SIZE,  // Size of buffer
                &dwRead,      // number of bytes Read
                &dwNeeded))   // bytes In Next record
    {
        While (dwRead > 0)
        {
            // Print the event identifier, Type, And source name.
            // The source Name is just past the End of the
            // formal structure.

            printf("%02d  Event ID: 0x%08X ",
                dwThisRecord++, pevlr->EventID);
            printf("EventType: %d Source: %s\n",
                pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
                SizeOf(EVENTLOGRECORD)));

            dwRead -= pevlr->Length;
            pevlr = (EVENTLOGRECORD *)
                ((LPBYTE) pevlr + pevlr->Length);
        }

        pevlr = (EVENTLOGRECORD *) &bBuffer;
    }

    CloseEventLog(h);
}
=====================================================================================================================

------------------
Scott

Announcement

Pointer question

Pointer question

Comment

Comment

Comment

Comment

Comment

Comment

Comment