how to use READEVENTLOG Api call??

[jayakumar]

hi,
can any one help me to read events from event log?

i.e. readEventLog()

[DJ_Catboy]

Hi,

I apologise for not knowing how to insert those "VB Code" tags into these posts, but heres some code that may help?

Private Const EVENTLOG_SUCCESS = &H0
Private Const EVENTLOG_ERROR_TYPE = &H1
Private Const EVENTLOG_WARNING_TYPE = &H2
Private Const EVENTLOG_INFORMATION_TYPE = &H4
Private Const EVENTLOG_AUDIT_SUCCESS = &H8
Private Const EVENTLOG_AUDIT_FAILURE = &H10
Private Const EVENTLOG_SEQUENTIAL_READ = &H1
Private Const EVENTLOG_SEEK_READ = &H2
Private Const EVENTLOG_FORWARDS_READ = &H4
Private Const EVENTLOG_BACKWARDS_READ = &H8
Private Type EVENTLOGRECORD
Length As Long ' Length of full record
Reserved As Long ' Used by the service
RecordNumber As Long ' Absolute record number
TimeGenerated As Long ' Seconds since 1-1-1970
TimeWritten As Long 'Seconds since 1-1-1970
EventID As Long
EventType As Integer
NumStrings As Integer
EventCategory As Integer
ReservedFlags As Integer ' For use with paired events (auditing)
ClosingRecordNumber As Long 'For use with paired events (auditing)
StringOffset As Long ' Offset from beginning of record
UserSidLength As Long
UserSidOffset As Long
DataLength As Long
DataOffset As Long ' Offset from beginning of record
End Type
Private Declare Function OpenEventLog Lib "advapi32.dll" Alias "OpenEventLogA" (ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long
Private Declare Function CloseEventLog Lib "advapi32.dll" (ByVal hEventLog As Long) As Long
Private Declare Function BackupEventLog Lib "advapi32.dll" Alias "BackupEventLogA" (ByVal hEventLog As Long, ByVal lpBackupFileName As String) As Long
Private Declare Function ClearEventLog Lib "advapi32.dll" Alias "ClearEventLogA" (ByVal hEventLog As Long, ByVal lpBackupFileName As String) As Long
Private Declare Function GetNumberOfEventLogRecords Lib "advapi32.dll" (ByVal hEventLog As Long, NumberOfRecords As Long) As Long
Private Declare Function GetOldestEventLogRecord Lib "advapi32.dll" (ByVal hEventLog As Long, OldestRecord As Long) As Long
Private Declare Function ReportEvent Lib "advapi32.dll" Alias "ReportEventA" (ByVal hEventLog As Long, ByVal wType As Long, ByVal wCategory As Long, ByVal dwEventID As Long, lpUserSid As Any, ByVal wNumStrings As Long, ByVal dwDataSize As Long, lpStrings As String, lpRawData As Any) As Long
Private Sub Form_Load()
Dim hEventLog As Long, LogString As String, Ret As Long, ELR As EVENTLOGRECORD
Dim bBytes(1 To 1024) As Byte
'Open the event log
hEventLog = OpenEventLog(vbNullString, "c:\testlog.bak")
'Clear it, if there's already something in it
ClearEventLog hEventLog, vbNullString
'Report a new event
ReportEvent hEventLog, EVENTLOG_INFORMATION_TYPE, 0, 0, ByVal 0&, 1, 0, "Hello World!", ByVal 0&
'Get the number of reported events
GetNumberOfEventLogRecords hEventLog, Ret
MsgBox "Events reported: " + CStr(Ret)
'Get the oldest event record
GetOldestEventLogRecord hEventLog, Ret
MsgBox "Oldest event record: " + CStr(Ret)
'Write the event log to a file
BackupEventLog hEventLog, "c:\testlog.bak"
'Close the event log
CloseEventLog hEventLog
End Sub

Hope this helps...?

DJ

[Kunchesm]

ur post doesnt contain info on how to 'READ' the entries in EventLog ..i.e how to use 'ReadEventLog' api??

[DJ_Catboy]

I looked for the ReadEventLog API and couldn't actually find it (i.e. does it really exist?). So, remind me in future not to try and be helpful!

[Kunchesm]

Reading the Event Log

The ReadEventLog function reads event records from an event log. It returns a buffer containing an EVENTLOGRECORD structure that describes a logged event. The following example reads all the records in the Application logfile and displays the event identifier, event type, and event source for each event log entry.


void DisplayEntries( )
{
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
DWORD dwRead, dwNeeded, cRecords, dwThisRecord;

// Open the Application event log.

h = OpenEventLog( NULL, // use local computer
"Application"); // source name
if (h == NULL)
ErrorExit("Could not open the Application event log.");

pevlr = (EVENTLOGRECORD *) &bBuffer;

// Get the record number of the oldest event log record.

GetOldestEventLogRecord(h, &dwThisRecord);

// Opening the event log positions the file pointer for this
// handle at the beginning of the log. Read the event log records
// sequentially until the last record has been read.

while (ReadEventLog(h, // event log handle
EVENTLOG_FORWARDS_READ | // reads forward
EVENTLOG_SEQUENTIAL_READ, // sequential read
0, // ignored for sequential reads
pevlr, // pointer to buffer
BUFFER_SIZE, // size of buffer
&dwRead, // number of bytes read
&dwNeeded)) // bytes in next record
{
while (dwRead > 0)
{
// Print the record number, event identifier, type,
// and source name.

printf("%02d Event ID: 0x%08X ",
dwThisRecord++, pevlr->EventID);
printf("EventType: %d Source: %s\n",
pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
sizeof(EVENTLOGRECORD)));

dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)
((LPBYTE) pevlr + pevlr->Length);
}

pevlr = (EVENTLOGRECORD *) &bBuffer;
}

CloseEventLog(h);
}

[jayakumar]

*** bump ***(not resolved)

[angel of dark]

Well I got more or less the same doubt, but what I find that the event viewer is the program to see de event log, I got the same example and this make a copy of the event log, clear it and then makin an event and saving in the event log.I made some modifications, but I can enter directly to the event log.