russellm

asked on

Reading the NT Event Log in VB

How do you read the NT Event Log in VB?  The following C code (from MSDN) shows how to do it.  Could someone translate this into VB and I can take it from there.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define BUFFER_SIZE (64 * 1024)     /* bytes handed to each ReadEventLog call */

/* Report the failing call with the Win32 error code, then quit. */
static void ErrorExit(const char *msg)
{
    fprintf(stderr, "%s (GetLastError = %lu)\n", msg, GetLastError());
    exit(1);
}

int main(void)
{
    HANDLE h;
    EVENTLOGRECORD *pevlr;
    static BYTE bBuffer[BUFFER_SIZE];   /* static: too large for the stack on some builds */
    DWORD dwRead, dwNeeded, dwThisRecord = 0;

    /* Open the Application event log. */

    h = OpenEventLog(NULL,  /* uses local computer      */
        "Application");     /* source name              */
    if (h == NULL)
        ErrorExit("could not open Application event log");

    pevlr = (EVENTLOGRECORD *) &bBuffer;

    /*
     * Opening the event log positions the file pointer
     * for this handle at the beginning of the log.
     *
     * Read records sequentially until there
     * are no more.
     */

    while (ReadEventLog(h,                /* event log handle */
                EVENTLOG_FORWARDS_READ |  /* reads forward    */
                EVENTLOG_SEQUENTIAL_READ, /* sequential read  */
                0,            /* ignored for sequential reads */
                pevlr,        /* address of buffer            */
                BUFFER_SIZE,  /* size of buffer               */
                &dwRead,      /* count of bytes read          */
                &dwNeeded)) { /* bytes in next record         */

        /* Walk the variable-length records in the buffer; each
         * record's Length field gives the step to the next one. */
        while (dwRead > 0) {

            /*
             * Print the event ID, type, and source name.
             * The source name is just past the end of the
             * formal structure.
             */

            printf("%02lu  Event ID: 0x%08lX ",
                dwThisRecord++, pevlr->EventID);
            printf("EventType: %d Source: %s\n",
                pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
                sizeof(EVENTLOGRECORD)));

            dwRead -= pevlr->Length;
            pevlr = (EVENTLOGRECORD *)
                ((LPBYTE) pevlr + pevlr->Length);
        }

        pevlr = (EVENTLOGRECORD *) &bBuffer;
    }

    /* ReadEventLog returns FALSE with ERROR_HANDLE_EOF once the log is exhausted. */
    CloseEventLog(h);
    return 0;
}
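The record walk in the MSDN sample trusts every Length field it reads. Below is an added example (not from the original post or from MSDN) that performs the same walk defensively and compiles without windows.h by spelling out the documented EVENTLOGRECORD header layout; the type name EvtHeader, the functions walk_records and build_record, and the sample records are all constructed here.

```c
#include <stdint.h>
#include <string.h>

/* Fixed 56-byte EVENTLOGRECORD header, spelled out to compile without windows.h */
typedef struct {
    uint32_t Length;                 /* total record size, incl. trailing copy */
    uint32_t Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset;
    uint32_t DataLength, DataOffset;
} EvtHeader;                         /* the source name string follows it */

/* Walk the records in buf as ReadEventLog filled it. Unlike the MSDN sample,
 * every Length is validated before use, so a zero, unaligned or oversized
 * Length can neither underflow the byte count nor overrun buf. Returns the
 * count of well-formed records; the last EventID/source go to the out params. */
int walk_records(const uint8_t *buf, uint32_t read,
                 uint32_t *last_event_id, const char **last_source)
{
    int count = 0;
    uint32_t off = 0;
    while (read - off >= sizeof(EvtHeader)) {
        EvtHeader h;
        memcpy(&h, buf + off, sizeof h);              /* no unaligned deref */
        if (h.Length <= sizeof(EvtHeader) + 4 || h.Length > read - off ||
            h.Length % 4 != 0)
            break;                                    /* corrupt or truncated */
        const char *src = (const char *)(buf + off + sizeof(EvtHeader));
        if (memchr(src, '\0', h.Length - sizeof(EvtHeader) - 4) == NULL)
            break;              /* source name not NUL-terminated in record */
        *last_event_id = h.EventID;
        *last_source = src;
        count++;
        off += h.Length;
    }
    return count;
}

/* Build one constructed record (not from a real log) into out; returns Length. */
uint32_t build_record(uint8_t *out, uint32_t event_id, const char *source)
{
    EvtHeader h = {0};
    uint32_t body = (uint32_t)(sizeof h + strlen(source) + 1 + 4);
    h.Length = (body + 3) & ~3u;                      /* pad to DWORD boundary */
    h.EventID = event_id; h.EventType = 1;            /* EVENTLOG_ERROR_TYPE */
    memset(out, 0, h.Length);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, source, strlen(source) + 1);
    memcpy(out + h.Length - 4, &h.Length, 4);         /* trailing Length copy */
    return h.Length;
}
```

On Windows the same walk_records can be pointed at the buffer that ReadEventLog fills, with dwRead as the read argument.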
ASKER CERTIFIED SOLUTION
advapp
Oops.  These got left out.
Public Const EVENTLOG_SEQUENTIAL_READ = &H1
Public Const EVENTLOG_SEEK_READ = &H2
Public Const EVENTLOG_FORWARDS_READ = &H4
Public Const EVENTLOG_BACKWARDS_READ = &H8

russellm

ASKER

This looks promising, thank you.  There is one problem, however.  The line of code that says:

     nNumberOfBytesToRead = sizeof(lpBuffer)

what is "sizeof"?

Other than the minor syntactical problem with

     MsgBox = "Error: " & GetLastError

that should read

     MsgBox ("Error: " & GetLastError)

I can't get the solution to work until I know what's missing with the "sizeof".  Looking forward to your answer.

Mike
Oh well, almost got there!  You are of course correct on the MsgBox routine -- minor slip there, sorry.  And the sizeof(lpBuffer) should be a Len(lpBuffer).
As you can probably tell, I didn't actually get time to test this translation but I've worked with the Win32 API enough to feel confident this is very close to correct.
Also, the 'Close' section should actually be:

   If Not CloseEventLog(hEventLog) Then
      MsgBox "Error: " & GetLastError
   End If

And the line:
   Dim rtn as long
can be deleted, it is unnecessary.
This is very close (I think) ...

There are two errors in the program that I've fixed:

The first is that the statement

Declare Function OpenEventLog Lib "advapi32.dll" (ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long

should probably read

Declare Function OpenEventLog Lib "advapi32.dll"  Alias "OpenEventLogA"(ByVal lpUNCServerName As String, ByVal lpSourceName As String) As Long

The second is that the statement

While dwread > 0

should probably read

While pnBytesRead > 0

After making these two changes, and incorporating all the other changes from our discussions, the program still does not seem to pick up any information from the event log, i.e. the "While ReadEventLog ..." statement always returns false.  It would be appreciated if I could have a tested version of the code, please.  This program still does not produce any results, yet.

Thanks

Mike
I've been playing with this as well.  The documentation is a bit shaky with regard to what exactly lpSourceName must be set to.  The docs say that it should be the name of an event log as found under:
  HKEY_LOCAL_MACHINE
    System
      CurrentControlSet
        Services
          EventLog
            Application

So, if there were an entry labeled "WinApp" in the Application branch, "WinApp" would be a valid event log for assignment to lpSourceName.  However, I have yet to gain success.

This info may help you.  I'll let you know if I discover anything else.  And, yes, I found the same two errors you mentioned.
I think lpSourceName should be one of
     "Application"
     "Security"
     "System"
as text.  That's about all the help I can offer.

Mike
The docs do not indicate that you can select that level.  The only example offered is the one I cited; i.e., an entry _below_ the "Application" branch.  Anyway, I'll keep on it.  Unfortunately, I'll be out of town for a week or so.