Getting to Windows event logger


Jack

Here is some code I found that notifies if an event has been generated. I
still can't find anything that would actually grab the event and export
it to a file, which is what I am trying to do.

#include <windows.h>
#include <stdio.h>

BOOL notifyChange(LPCTSTR logSource)
{
    BOOL bSuccess = FALSE;
    HANDLE hEventLog, hEvent;
    DWORD dwWaitResult;

    hEventLog = OpenEventLog(NULL,        // local machine
                             logSource);  // event log name, e.g. TEXT("Application")
    if (hEventLog == NULL)
    {
        printf("Could not open event log (error %lu).\n", GetLastError());
        return FALSE;
    }

    hEvent = CreateEvent(NULL,   // default security attributes
                         FALSE,  // auto-reset
                         FALSE,  // initially not signaled
                         NULL);  // unnamed
    if (hEvent == NULL)
    {
        printf("Could not create event (error %lu).\n", GetLastError());
        CloseEventLog(hEventLog);
        return FALSE;
    }

    // Have the system signal hEvent when a record is written to this log.
    if (!NotifyChangeEventLog(hEventLog, hEvent))
    {
        printf("NotifyChangeEventLog failed (error %lu).\n", GetLastError());
    }
    else
    {
        // Block until a write is signaled. This only says "something changed";
        // the record itself still has to be fetched with ReadEventLog.
        dwWaitResult = WaitForSingleObject(hEvent, INFINITE);
        bSuccess = (dwWaitResult != WAIT_FAILED);
    }

    CloseHandle(hEvent);
    CloseEventLog(hEventLog);
    return bSuccess;
}

What I am stuck on right now is the "LPCTSTR logSource". Where do I
find the source of the log, and how do I store it in an LPCTSTR?

Can anyone give me a better suggestion? I am basically trying to grab
any info that is generated by the Windows Event Logger (event ID, type of
event, message, user, etc.) to a text file.

William DePalo [MVP VC++]

Jack said:
What I am stuck on right now is the "LPCTSTR logSource". Where do I
find the source of the log, and how do I store it in an LPCTSTR?

Can anyone give me a better suggestion? I am basically trying to grab
any info that is generated by the Windows Event Logger (event ID, type of
event, message, user, etc.) to a text file.

Go to the Control Panel, select the Administrative Tools icon, and open the
Event Viewer. There you will find the names of the event logs of the system
on which you do that.

That said, many applications just sprinkle their events along with all the
others you find there.

As for the type

LP = (long) pointer
C = constant
T = text
STR = C language character string = null terminated array

So what you need to pass is a pointer to the first of a string of
characters. In an ANSI build, you use 8 bit characters, and in a UNICODE
build 16. That said, one of "Application" or L"Application" may fit the
bill.

Regards,
Will

Ben Voigt

William DePalo said:
Go to the Control Panel, select the Administrative Tools icon, and open
the Event Viewer. There you will find the names of the event logs of the
system on which you do that.

That said, many applications just sprinkle their events along with all the
others you find there.

As for the type

LP = (long) pointer
C = constant
T = text
STR = C language character string = null terminated array

So what you need to pass is a pointer to the first of a string of
characters. In an ANSI build, you use 8 bit characters, and in a UNICODE
build 16. That said, one of "Application" or L"Application" may fit the
bill.

_T("Application") will -Do The Right Thing- for both ANSI and UNICODE.

William DePalo [MVP VC++]

Ben Voigt said:
_T("Application") will -Do The Right Thing- for both ANSI and UNICODE.

I know, perhaps you meant to tell the OP.

FWIW: I despise those ugly macros. I, for one, am willing to forego forever
the possibility of running on '9x. With that possibility out of the way, I
can't see a good reason to litter source code with such _stuff_. YMMV.

Regards,
Will

Ben Voigt

William DePalo said:
I know, perhaps you meant to tell the OP.

FWIW: I despise those ugly macros. I, for one, am willing to forego
forever the possibility of running on '9x. With that possibility out of
the way, I can't see a good reason to litter source code with such
_stuff_. YMMV.

Point taken. But that *ugly macro* is completely general to both ANSI and
UNICODE, is in fact the correct solution anywhere a TSTR is used, and beats
'one of "Application" or L"Application" may fit the bill' any day. If you
don't care about Win9x, you should use L"string" and WSTR and function names
ending in W exclusively and not have any TSTR at all.

William DePalo [MVP VC++]

Ben Voigt said:
If you don't care about Win9x, you should use L"string" and WSTR and
function names ending in W exclusively and not
have any TSTR at all.

Those macros are anachronisms. I'll have none of them, thanks.

Regards,
Will

Jack

Sorry guy, I know this may be frustrating, but I tried what you said
and it didn't work; obviously I am not too familiar with the syntax.
Here is what I have:

#include <windows.h>
#include <stdio.h>

BOOL notifyChange(LPCTSTR logSource);   // declared before main() uses it

int main()
{
    BOOL test = FALSE;

    // TEXT() expands to "Application" in an ANSI build and L"Application" in a UNICODE build
    test = notifyChange(TEXT("Application"));
    return test ? 0 : 1;
}

BOOL notifyChange(LPCTSTR logSource)
{
    BOOL bSuccess = FALSE;
    HANDLE hEventLog, hEvent;
    DWORD dwWaitResult;

    hEventLog = OpenEventLog(NULL,        // local machine
                             logSource);  // event log name
    if (hEventLog == NULL)
    {
        printf("Could not open event log (error %lu).\n", GetLastError());
        return FALSE;
    }

    hEvent = CreateEvent(NULL,   // default security attributes
                         FALSE,  // auto-reset
                         FALSE,  // initially not signaled
                         NULL);  // unnamed
    if (hEvent == NULL)
    {
        printf("Could not create event (error %lu).\n", GetLastError());
        CloseEventLog(hEventLog);
        return FALSE;
    }

    if (NotifyChangeEventLog(hEventLog, hEvent))
    {
        dwWaitResult = WaitForSingleObject(hEvent, INFINITE);
        bSuccess = (dwWaitResult != WAIT_FAILED);
    }
    else
    {
        printf("NotifyChangeEventLog failed (error %lu).\n", GetLastError());
    }

    CloseHandle(hEvent);
    CloseEventLog(hEventLog);
    return bSuccess;
}

I also tried

test = notifyChange(L"Application");

and

test = notifyChange(_T"Application");

Thanks in advance for your help

J

William DePalo [MVP VC++]

Jack said:
Sorry guy, I know this may be frustrating, but I tried what you said
and it didn't work,

No problem, I'm not frustrated at all. :)
obviously I am not too familiar with the syntax.
Here is what I have:

Well, syntax errors usually manifest themselves at compile time, while
semantic errors are presented at run time. If you receive an error, you need
to post it if you don't understand it.

First you will need to determine which log it is that contains the events
that interests you. Many applications just use the common "Application" log.

Second, you will need to start checking return codes. If you do that and you
don't understand what the code means you can post it here.

Third, you will find an example that demonstrates reading an event log
here:

http://msdn.microsoft.com/library/d...en-us/eventlog/base/reading_the_event_log.asp

Fourth, you need to understand how the notification works. When a record is
written to the log, the event you passed to NotifyChangeEventLog() is pulsed
(signalled and then reset). Further there is a cap of one pulse every five
seconds. So it is entirely possible, likely even, that another record is
written to the log before the next pulse. The upshot of that is that you
will "see" one notification even if there are multiple records to be read.
It is for this reason that records have numbers and that the log supports a
seek operation.

Finally, the code sample is your friend.

Regards,
Will

Jack

OK, I see that I am going about this all wrong. Here is what I actually
want to do:

http://groups.google.ca/group/micro...741b3c43ac3/0a18b1e170bbf6a2#0a18b1e170bbf6a2

I am looking for a way to write all events that are generated either by
an application or the system (whether it is for DNS, DOMAIN CONTROLLERS,
SECURITY, ETC.) to a text file. So sort of like my own event viewer. I
need this to be live, meaning I don't want to wait every 5 minutes and
then read any changes that have been made to the Windows Event Log.

Any ideas on where to start, what to look at, where to look? I
looked at the sample code and found the Event Notification, but again,
as William described, it is not really live.

Thanks

J

William DePalo [MVP VC++]

Jack said:
I am looking for a way to write all events that are generated either by
an application or the system (whether it is for DNS, DOMAIN CONTROLLERS,
SECURITY, ETC.) to a text file. So sort of like my own event viewer. I
need this to be live, meaning I don't want to wait every 5 minutes and
then read any changes that have been made to the Windows Event Log.

Any ideas on where to start, what to look at, where to look at.

Yeah, build your own operating system. :)
I looked at the sample code and found the Event Notification, but again,
as William described, it is not really live.

No, it's not. It's notification after the fact.

But because it is possible to get the oldest record in a log, to get the
number of records in a log, to seek to anywhere you like in the log, to read
any record in the log and to be notified of the arrival of new records you
could easily create the solution that you want.

On the other hand, if you look at the list of event log functions:

http://msdn.microsoft.com/library/d...en-us/eventlog/base/reading_the_event_log.asp

you will find nothing like a ready-made solution of the kind that you want.

Regards,
Will
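Putting William's two points together (records are numbered and one notification may stand for several of them; the API lets you get the oldest record, the count, seek, read, and be notified), here is an added example that is not from this thread or from anyone posting in it. The portable part parses the buffer that ReadEventLogA fills: a run of EVENTLOGRECORD structures as laid out in winnt.h (a 56-byte header, then SourceName, Computername, the SID, the insertion strings and the binary data, closed by a repeat of Length), writing one text line per record with the record number, time, event ID, type, source, computer, whether a user SID is present, and the insertion strings. The Windows-only part, evt_follow, opens a log, works out the first record number it has not seen, and after every NotifyChangeEventLog wake-up seeks to that number and reads on to end-of-file, so a single pulse covering a burst of records loses nothing. The function names (evt_format, evt_dump, evt_build, evt_sample, evt_follow), the line format and the two sample records are my own; the EVENTLOGRECORD offsets, the signature value and the EVENTLOG_* constants are the documented ones. The sample records are constructed in evt_sample so the parser can be compiled and exercised off Windows; the layout is the ANSI one, so it applies to ReadEventLogA buffers, not to the UTF-16 strings ReadEventLogW returns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EVT_HDR   56            /* fixed header size of EVENTLOGRECORD (winnt.h) */
#define EVT_MAGIC 0x654c664cu   /* ELF_LOG_SIGNATURE "LfLe": the Reserved field of every record */
static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
/* NUL-terminated string at rec+off only if it ends inside the record: offsets are data, not something to trust. */
static const char *str_at(const uint8_t *rec, uint32_t rlen, uint32_t off) { return (off < rlen && memchr(rec + off, 0, rlen - off)) ? (const char *)rec + off : NULL; }
static const char *type_name(uint32_t t) { return t == 1 ? "Error" : t == 2 ? "Warning" : t == 4 ? "Information" : t == 8 ? "AuditSuccess" : t == 16 ? "AuditFailure" : "Unknown"; }

/* Format one record as a text line. Returns its RecordNumber, or 0 if the record is malformed.
 * EventID carries severity/facility bits and Event Viewer shows only the low 16; TimeGenerated is seconds since 1970 UTC. */
uint32_t evt_format(const uint8_t *rec, uint32_t rlen, char *out, size_t outlen)
{
    if (rlen < EVT_HDR || rd32(rec + 4) != EVT_MAGIC || rd32(rec + rlen - 4) != rlen) return 0;
    const char *src  = str_at(rec, rlen, EVT_HDR);                                           /* SourceName   */
    const char *host = src ? str_at(rec, rlen, EVT_HDR + (uint32_t)strlen(src) + 1) : NULL;  /* Computername */
    if (!src || !host) return 0;
    uint32_t nstr = rd32(rec + 24) >> 16, soff = rd32(rec + 36);    /* NumStrings, StringOffset */
    int n = snprintf(out, outlen, "rec=%u time=%u id=%u type=%s src=%s host=%s sid=%s msg=",
                     rd32(rec + 8), rd32(rec + 12), rd32(rec + 20) & 0xFFFFu, type_name(rd32(rec + 24) & 0xFFFFu),
                     src, host, rd32(rec + 40) ? "present" : "none");                          /* UserSidLength */
    for (uint32_t i = 0; i < nstr && n >= 0 && (size_t)n < outlen; i++) {   /* insertion strings, '|'-separated */
        const char *s = str_at(rec, rlen, soff);
        if (!s) return 0;
        n += snprintf(out + n, outlen - (size_t)n, "%s%s", i ? "|" : "", s);
        soff += (uint32_t)strlen(s) + 1;
    }
    return rd32(rec + 8);
}

/* Walk back-to-back records (what one ReadEventLog call returns), writing one line each to fp (may be NULL).
 * Returns the highest RecordNumber written, 0 if none, so the caller knows where to resume. */
uint32_t evt_dump(const uint8_t *buf, size_t len, FILE *fp)
{
    uint32_t last = 0, rlen, rn; size_t off = 0; char line[2048];
    while (off + EVT_HDR <= len && (rlen = rd32(buf + off)) >= EVT_HDR && rlen <= len - off
           && (rn = evt_format(buf + off, rlen, line, sizeof line)) != 0) {
        if (fp) fprintf(fp, "%s\n", line);
        last = rn; off += rlen;
    }
    return last;
}

/* Serialise one ANSI record (no SID, no binary data) in the same layout; used here only to construct
 * sample input so the parser can be exercised without Windows. Returns the record length. */
size_t evt_build(uint8_t *out, uint32_t recnum, uint32_t when, uint32_t eventid, uint16_t type,
                 const char *src, const char *host, const char **strs, uint16_t nstr)
{
    uint8_t *p = out + EVT_HDR;
    memcpy(p, src, strlen(src) + 1);   p += strlen(src) + 1;
    memcpy(p, host, strlen(host) + 1); p += strlen(host) + 1;
    while ((p - out) % 4) *p++ = 0;                               /* SID slot is DWORD-aligned */
    uint32_t soff = (uint32_t)(p - out);
    for (uint16_t i = 0; i < nstr; i++) { memcpy(p, strs[i], strlen(strs[i]) + 1); p += strlen(strs[i]) + 1; }
    uint32_t doff = (uint32_t)(p - out);
    while ((p - out) % 4) *p++ = 0;
    uint32_t rlen = (uint32_t)(p - out) + 4;
    memset(out, 0, EVT_HDR);                                      /* leaves category, SID/data lengths, closing number at 0 */
    wr32(out, rlen); wr32(out + 4, EVT_MAGIC); wr32(out + 8, recnum); wr32(out + 12, when); wr32(out + 16, when);
    wr32(out + 20, eventid); wr32(out + 24, type | (uint32_t)nstr << 16); wr32(out + 36, soff);
    wr32(out + 44, soff); wr32(out + 52, doff); wr32(out + rlen - 4, rlen);
    return rlen;
}

/* Constructed sample (made-up values, not a real log): two records in one buffer. */
uint8_t evt_sample_buf[512]; char evt_line[2048];
size_t evt_sample(void)
{
    const char *s1[] = { "disk full", "D:" }, *s2[] = { "logon ok" };
    size_t n = evt_build(evt_sample_buf, 101, 1700000000u, 0xC0001000u, 1, "MyApp", "HOST1", s1, 2);
    return n + evt_build(evt_sample_buf + n, 102, 1700000005u, 4624, 8, "Security", "HOST1", s2, 1);
}

#ifdef _WIN32
#include <windows.h>
/* Follow one log and append every new record to fp, e.g. evt_follow("Application", fopen("events.txt", "a")).
 * One NotifyChangeEventLog pulse can stand for many records, so after each wake-up seek to the first
 * record number not yet written and read on to EOF. Never returns unless setup fails. */
int evt_follow(const char *logname, FILE *fp)
{
    static uint8_t buf[65536];
    DWORD oldest = 0, count = 0, next, got, need, flags;
    HANDLE h = OpenEventLogA(NULL, logname), ev = CreateEvent(NULL, FALSE, FALSE, NULL);
    if (!h || !ev || !NotifyChangeEventLog(h, ev)) { fprintf(stderr, "setup failed: error %lu\n", GetLastError()); return 1; }
    GetOldestEventLogRecord(h, &oldest); GetNumberOfEventLogRecords(h, &count);
    next = oldest + count;                                        /* first record not yet written out */
    for (;;) {
        WaitForSingleObject(ev, INFINITE);
        flags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ;
        while (ReadEventLogA(h, flags, next, buf, sizeof buf, &got, &need)) {
            uint32_t last = evt_dump(buf, got, fp);
            if (last) next = last + 1;
            flags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ;
        }
        fflush(fp);
        if (GetLastError() != ERROR_HANDLE_EOF) fprintf(stderr, "ReadEventLog: error %lu\n", GetLastError());
    }
}
#endif
```

On Windows, build with the event log import library (cl evt_tail.c advapi32.lib, or the equivalent in your project) and call evt_follow from main. Two caveats a practitioner will hit immediately: the line carries the insertion strings, not the finished message, because the message template lives in the source's message DLL and has to be looked up through the registry and FormatMessage; and the Security log is access-controlled, so opening it needs an account permitted to read it. Keep the bounds checks even though the buffer comes from the system: the same record layout is what an exported .evt file holds, and a parser that trusts StringOffset from a file you did not write is an easy out-of-bounds read.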