Solved

Reading the NT Event Log in VB

Posted on 1997-04-17
Last Modified: 2008-03-06
How do you read the NT Event Log in VB?  The following C code (from MSDN) shows how to do it.  Could someone translate this into VB and I can take it from there.

#include <windows.h>   /* added: the MSDN excerpt needs the Win32 headers to compile */
#include <stdio.h>
#include <stdlib.h>

#define BUFFER_SIZE 4096   /* added: the excerpt assumes this constant is defined elsewhere */

/* added: the excerpt calls ErrorExit() without showing it */
void ErrorExit(LPSTR lpszMessage)
{
    fprintf(stderr, "%s (GetLastError = %lu)\n", lpszMessage, GetLastError());
    ExitProcess(0);
}

int main(void)
{
    HANDLE h;   /* added: event log handle the excerpt uses without declaring */
    EVENTLOGRECORD *pevlr;
    BYTE bBuffer[BUFFER_SIZE];
    DWORD dwRead, dwNeeded, cRecords, dwThisRecord = 0;

    /* Open the Application event log. */

    h = OpenEventLog(NULL,  /* uses local computer      */
        "Application");     /* source name              */
    if (h == NULL)
        ErrorExit("could not open Application event log");

    pevlr = (EVENTLOGRECORD *) &bBuffer;

    /*
     * Opening the event log positions the file pointer
     * for this handle at the beginning of the log.
     *
     * Read records sequentially until there
     * are no more.
     */

    while (ReadEventLog(h,                /* event log handle */
                EVENTLOG_FORWARDS_READ |  /* reads forward    */
                EVENTLOG_SEQUENTIAL_READ, /* sequential read  */
                0,            /* ignored for sequential reads */
                pevlr,        /* address of buffer            */
                BUFFER_SIZE,  /* size of buffer               */
                &dwRead,      /* count of bytes read          */
                &dwNeeded)) { /* bytes in next record         */

        while (dwRead > 0) {

            /*
             * Print the event ID, type, and source name.
             * The source name is just past the end of the
             * formal structure.
             */

            printf("%02d  Event ID: 0x%08X ",
                dwThisRecord++, pevlr->EventID);
            printf("EventType: %d Source: %s\n",
                pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
                sizeof(EVENTLOGRECORD)));

            dwRead -= pevlr->Length;
            pevlr = (EVENTLOGRECORD *)
                ((LPBYTE) pevlr + pevlr->Length);
        }

        pevlr = (EVENTLOGRECORD *) &bBuffer;
    }

    CloseEventLog(h);
    return 0;
}
Question by: russellm

9 Comments
 
Accepted Solution by: advapp (earned 100 total points), ID: 1425469
Option Explicit

Type EVENTLOGRECORD
    Length As Long              ' Length of full record
    Reserved As Long            ' Used by the service
    RecordNumber As Long        ' Absolute record number
    TimeGenerated As Long       ' Seconds since 1-1-1970
    TimeWritten As Long         ' Seconds since 1-1-1970
    EventID As Long
    EventType As Integer
    NumStrings As Integer
    EventCategory As Integer
    ReservedFlags As Integer    ' For use with paired events (auditing)
    ClosingRecordNumber As Long ' For use with paired events (auditing)
    StringOffset As Long        ' Offset from beginning of record
    UserSidLength As Long
    UserSidOffset As Long
    DataLength As Long
    DataOffset As Long          ' Offset from beginning of record
End Type
Declare Function OpenEventLog Lib "advapi32.dll" (ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long
Declare Function ReadEventLog Lib "advapi32.dll" Alias "ReadEventLogA" (ByVal hEventLog As Long, ByVal dwReadFlags As Long, ByVal dwRecordOffset As Long, lpBuffer As EVENTLOGRECORD, ByVal nNumberOfBytesToRead As Long, pnBytesRead As Long, pnMinNumberOfBytesNeeded As Long) As Long
Declare Function CloseEventLog Lib "advapi32.dll" (ByVal hEventLog As Long) As Long

Declare Function GetLastError Lib "kernel32" () As Long

Sub Main()
Dim rtn As Long
Dim dwThisRecord As Long
Dim lpUNCServerName As String
Dim lpSourceName As String
Dim hEventLog As Long
Dim dwReadFlags As Long
Dim dwRecordOffset As Long
Dim lpBuffer As EVENTLOGRECORD
Dim nNumberOfBytesToRead As Long
Dim pnBytesRead As Long
Dim pnMinNumberOfBytesNeeded As Long

lpUNCServerName = Chr(0)      'Use local computer
lpSourceName = "Application"  'Open application error log

hEventLog = OpenEventLog(lpUNCServerName, lpSourceName)
If hEventLog = Chr(0) Then
   MsgBox = "Error: " & GetLastError
End If

dwThisRecord = 0
dwReadFlags = EVENTLOG_FORWARDS_READ Or EVENTLOG_SEQUENTIAL_READ
dwRecordOffset = 0
nNumberOfBytesToRead = sizeof(lpBuffer)

While ReadEventLog(hEventLog, dwReadFlags, dwRecordOffset, lpBuffer, nNumberOfBytesToRead, pnBytesRead, pnMinNumberOfBytesNeeded)
   While dwread > 0
      'As long as there is something read...
      dwThisRecord = dwThisRecord + 1
      Debug.Print dwThisRecord & " Event ID: " & lpBuffer.EventID
      Debug.Print "Event Type: " & lpBuffer.EventType
      pnBytesRead = pnBytesRead - lpBuffer.Length
   Wend
Wend

rtn = CloseEventLog(hEventLog)
If hEventLog = Chr(0) Then
   MsgBox = "Error: " & GetLastError
End If

End Sub


Expert Comment by: advapp, ID: 1425470
Oops.  These got left out.
Public Const EVENTLOG_SEQUENTIAL_READ = &H1
Public Const EVENTLOG_SEEK_READ = &H2
Public Const EVENTLOG_FORWARDS_READ = &H4
Public Const EVENTLOG_BACKWARDS_READ = &H8


Author Comment by: russellm, ID: 1425471
This looks promising, thank you.  There is one problem, however.  The line of code that says:

     nNumberOfBytesToRead = sizeof(lpBuffer)

what is "sizeof"?

Other than the minor syntactical problem with

     MsgBox = "Error: " & GetLastError

that should read

     MsgBox  ("Error: " & GetLastError)

I can't get the solution to work until I know what's missing with the "sizeof".  Looking forward to your answer.

Mike

Expert Comment by: advapp, ID: 1425472
Oh well, almost got there!  You are of course correct on the MsgBox routine -- minor slip there, sorry.  And the sizeof(lpBuffer) should be a Len(lpBuffer).
As you can probably tell, I didn't actually get time to test this translation but I've worked with the Win32 API enough to feel confident this is very close to correct.

Expert Comment by: advapp, ID: 1425473
Also, the 'Close' section should actually be:

   If Not CloseEventLog(hEventLog) Then
      MsgBox "Error: " & GetLastError
   End If

And the line:
   Dim rtn as long
can be deleted, it is unnecessary.

Author Comment by: russellm, ID: 1425474
This is very close (I think) ...

There are two errors in the program that I've fixed:

The first is that the statement

Declare Function OpenEventLog Lib "advapi32.dll" (ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long

should probably read

Declare Function OpenEventLog Lib "advapi32.dll"  Alias "OpenEventLogA"(ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long

The second is that the statement

While dwread > 0

should probably read

While  pnBytesRead > 0

After making these two changes, and incorporating all the other changes from our discussions, the program still does not seem to pick up any information from the event log, i.e. the "While ReadEventLog ..." statement always returns false.  It would be appreciated if I could have a tested version of the code, please.  This program still does not produce any results, yet.

Thanks

Mike

Expert Comment by: advapp, ID: 1425475
I've been playing with this as well.  The documentation is a bit shaky with regard to what exactly lpSourceName must be set to.  The docs say that it should be the name of an event log as found under:
  HKEY_LOCAL_MACHINE  
    System
      CurrentControlSet
        Services
          EventLog
            Application

So, if there were an entry labeled "WinApp" in the Application branch "WinApp" would be a valid event log for assignment to lpSourceName.  However, I have yet to gain success.

This info may help you.  I'll let you know if I discover anything else.  And, yes, I found the same two errors you mentioned.

Author Comment by: russellm, ID: 1425476
I think lpSourceName should be one of
     "Application"
     "Security"
     "System"
as text.  That's about all the help I can offer.

Mike

Expert Comment by: advapp, ID: 1425477
The docs do not indicate that you can select that level.  The only example offered is the one I cited; i.e., an entry _below_ the "Application" branch.  Anyway, I'll keep on it.  Unfortunately, I'll be out of town for a week or so.
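Two things in this thread come down to how the bytes ReadEventLog hands back are laid out: the pointer walk in the MSDN excerpt in the question, and the later report that the VB `While ReadEventLog ...` condition is never true. What follows is an added, portable C example written for this page; it is not MSDN's sample and not anyone's code from the thread, and it runs offline on constructed records with no Windows headers. It lays out two records the way ReadEventLogA returns them (the 56-byte fixed header that the VB Type mirrors, then the NUL-terminated source and computer names, then the insertion strings at StringOffset, DWORD padding, and a trailing copy of Length), walks them with every record-supplied offset checked against the record's own Length before it is dereferenced, and models the API's buffer contract: a call copies only whole records and returns FALSE when even the next record does not fit. Because a record is always longer than its header, a buffer that is a single EVENTLOGRECORD variable (which is what `lpBuffer As EVENTLOGRECORD` with `Len(lpBuffer)` amounts to) never receives anything, matching the symptom reported above; the C excerpt avoids this with `BYTE bBuffer[BUFFER_SIZE]`, and it passes plain "Application" as the source name, so the log name is not where the VB attempt goes wrong. All names, event IDs, strings and timestamps below are constructed sample values, and `records_readable_with_buffer` is a model of the documented contract, not the Win32 function.

```c
/* Added example, not MSDN's sample nor the thread's VB: EVENTLOGRECORD layout, a bounds-checked
   walk, and a model of the ReadEventLog buffer contract. Portable C over constructed data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 56-byte fixed header of an EVENTLOGRECORD: same fields, order and widths as the Win32 SDK and
   the VB Type in the accepted answer. The variable-length parts follow it inside the record. */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset;
} EvtRecHdr;

typedef struct { uint32_t record_number, event_id; uint16_t event_type, num_strings;
                 char source[64], first_string[128]; } EvtSummary;

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Emit one constructed record as ReadEventLogA returns it (8-bit strings): header, source name,
   computer name, insertion strings, DWORD padding, then a trailing copy of Length. */
static size_t build_record(uint8_t *out, size_t cap, uint32_t recno, uint32_t event_id, uint16_t type,
                           const char *source, const char *computer, const char **strs, uint16_t nstrs)
{
    EvtRecHdr h = {0};
    size_t off = sizeof h, i, need = pad4(off + strlen(source) + strlen(computer) + 2);
    for (i = 0; i < nstrs; i++) need += strlen(strs[i]) + 1;
    if ((need = pad4(need) + 4) > cap) return 0;
    memset(out, 0, need);
    strcpy((char *)out + off, source);   off += strlen(source) + 1;
    strcpy((char *)out + off, computer); off = pad4(off + strlen(computer) + 1);
    h.UserSidOffset = h.StringOffset = (uint32_t)off;      /* no SID: UserSidLength stays 0 */
    for (i = 0; i < nstrs; i++) { strcpy((char *)out + off, strs[i]); off += strlen(strs[i]) + 1; }
    h.DataOffset = (uint32_t)(off = pad4(off));            /* no binary data: DataLength stays 0 */
    h.Length = (uint32_t)(off + 4); h.RecordNumber = recno; h.EventID = event_id;
    h.EventType = type; h.NumStrings = nstrs;
    h.TimeGenerated = h.TimeWritten = 861235200u;          /* constructed: 1997-04-17 00:00 UTC */
    memcpy(out, &h, sizeof h); memcpy(out + off, &h.Length, 4);
    return h.Length;
}

/* Walk the n bytes one ReadEventLog call filled. Every offset comes from the record itself, so each
   is checked against the record's own Length before use. Returns records seen, or -1 if malformed. */
static int walk_records(const uint8_t *buf, size_t n, EvtSummary *out, int max)
{
    int count = 0; size_t pos = 0;
    while (n - pos >= sizeof(EvtRecHdr)) {
        EvtRecHdr h; uint32_t tail; const char *rec = (const char *)buf + pos;
        memcpy(&h, rec, sizeof h);                         /* copy out: no alignment assumptions */
        if (h.Length < sizeof h + 4 || h.Length % 4 || h.Length > n - pos) return -1;
        memcpy(&tail, rec + h.Length - 4, 4);
        if (tail != h.Length) return -1;                   /* trailing Length copy must agree */
        size_t body = h.Length - 4;                        /* strings must terminate before the tail */
        if (!memchr(rec + sizeof h, 0, body - sizeof h)) return -1;
        if (h.NumStrings && (h.StringOffset < sizeof h || h.StringOffset >= body ||
                             !memchr(rec + h.StringOffset, 0, body - h.StringOffset))) return -1;
        if (count < max) {
            EvtSummary *s = &out[count]; memset(s, 0, sizeof *s);
            s->record_number = h.RecordNumber; s->event_id = h.EventID;
            s->event_type = h.EventType; s->num_strings = h.NumStrings;
            snprintf(s->source, sizeof s->source, "%s", rec + sizeof h);  /* source: just past header */
            if (h.NumStrings) snprintf(s->first_string, sizeof s->first_string, "%s", rec + h.StringOffset);
        }
        count++; pos += h.Length;        /* same advance as MSDN: (LPBYTE)pevlr + pevlr->Length */
    }
    return count;
}

/* Model of the ReadEventLog contract the MSDN loop relies on, driven as that sample drives the real
   API: a call copies whole records only and returns FALSE when even the next record does not fit the
   buffer (ERROR_INSUFFICIENT_BUFFER) or at end of log. Returns the total records delivered. */
static int records_readable_with_buffer(const uint8_t *log, size_t loglen, size_t bufsize)
{
    uint8_t buf[4096]; EvtSummary tmp[8];
    size_t pos = 0, rd; uint32_t len; int total = 0, n;
    if (bufsize > sizeof buf) bufsize = sizeof buf;
    while (pos < loglen) {                      /* one iteration = one simulated ReadEventLog call */
        for (rd = 0; pos < loglen; rd += len, pos += len) {
            memcpy(&len, log + pos, 4);         /* Length is the first DWORD of every record */
            if (rd + len > bufsize) break;
            memcpy(buf + rd, log + pos, len);
        }
        if (rd == 0) return total;              /* nothing fits: a 56-byte buffer ends here at once */
        if ((n = walk_records(buf, rd, tmp, 8)) < 0) return -1;
        total += n;
    }
    return total;
}

/* Two constructed records (not real log data); returns total bytes, 0 if they do not fit. */
static size_t build_sample_log(uint8_t *log, size_t cap)
{
    const char *s1[] = { "Logon failure: bad password", "NTBOX\\alice" }, *s2[] = { "started" };
    size_t a = build_record(log, cap, 1, 0x211u, 16 /* EVENTLOG_AUDIT_FAILURE */, "Security", "NTBOX", s1, 2);
    size_t b = a ? build_record(log + a, cap - a, 2, 0x1B59u, 4 /* EVENTLOG_INFORMATION_TYPE */,
                                "Service Control Manager", "NTBOX", s2, 1) : 0;
    return b ? a + b : 0;
}

int main(void)
{
    uint8_t log[1024]; EvtSummary r[8];
    size_t n = build_sample_log(log, sizeof log); int i, c = walk_records(log, n, r, 8);
    for (i = 0; i < c; i++)
        printf("%02d  Event ID: 0x%08X EventType: %d Source: %s  \"%s\"\n", i, r[i].event_id,
               r[i].event_type, r[i].source, r[i].first_string);
    printf("delivered with a %u-byte buffer: %d; with 4096 bytes: %d\n", (unsigned)sizeof(EvtRecHdr),
           records_readable_with_buffer(log, n, sizeof(EvtRecHdr)), records_readable_with_buffer(log, n, 4096));
    return 0;
}
```

Compile with any C99 compiler and run; the last line printed contrasts the header-sized buffer (0 records delivered) with a 4 KB one (2 records). The same walk carries over to VB: declare the buffer as a Byte array, pass its first element to ReadEventLog, copy each header out at the running offset (CopyMemory, the usual VB alias for kernel32 RtlMoveMemory) and advance by Length until pnBytesRead is used up. Treat every offset inside a record as untrusted input: the checks in `walk_records` are what keeps a truncated or corrupt log from turning the reader into an out-of-bounds read.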