We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

How to use OpenEventLog?

domenic
domenic asked
on
Medium Priority
3,293 Views
Last Modified: 2008-02-01
(Platform: Win NT4.0 VC++ 5.0)
I am trying to retrieve a (card) driver's messages in the Event Log using OpenEventLog and ReadEventLog. The Registry shows the driver source name as being available.
../System/CurrentControlSet/Services/EventLog/System/EiconCards

My call to OpenEventLog returns a valid handle and looks like this:
hEicon = OpenEventLog( NULL, "EiconCards" );

My first problem arises when I ask for the number of records using
GetNUmberOfEventLogRecords( hEicon, &NumberOfRecords ).

The NumberOfRecords=700 but  I only have 6 EiconCards related messages in the Event Log!? I think it returns the entire records available in Event Log. Should I expect only records for the Source Name I specify?

When I go ahead and use ReadEventLog, I do not get the Records associated with EiconCards but some other service.

Any suggestions concerning my problem?
Comment
Watch Question

Author

Commented:
Edited text of question

Commented:
According to the documentation, the second parameter of OpenEventLog "can be the Application, Security, or System logfile, or a custom registered logfile. If a custom registered logfile name cannot be found, the event logging service opens the Application logfile, however, there will be no associated message or category string file." I think the parameter is not for a source name. In your case, you actually opened the Application logfile.

Author

Commented:
Chensu, to go over one point you said concerning it opening up the Application logfile, it didn't. If I look into the Event Log I match what my app  has printed with entries in the System log including strings. The source name I specified is ( like I mentioned in the original message) a valid subkey of the System logfile.

So OpenEventLog opens up either the Application, the Security or the System logfile. I assumed it would go further and return only the records associated with the source name I specified. For example, if I specified "EiconCards", I expected only records in the System log that dealt with "EiconCards".  Hence, I must parse thru each record in the System log to look for the corresponding "EiconCards" records. (Sounds time-consuming and I must keep the System log clean at all times to enhance performance.  I will try to implement NotifyChangeEventLog to avoid queries)

If there is anything you can add I will appreciate it otherwise let us close this question and thanks again.

Commented:
Just in case you haven't read it, I copied the following example useful for you from the documentation.

Reading the Event Log
The following example reads all the records in the Application log file and displays the event identifier, event type, and event source for each event log entry.

void DisplayEntries( )
{
    HANDLE h;
    EVENTLOGRECORD *pevlr;
    BYTE bBuffer[BUFFER_SIZE];
    DWORD dwRead, dwNeeded, cRecords, dwThisRecord = 0;
 
    // Open the Application event log.
 
    h = OpenEventLog( NULL,             // use local computer
             "Application");   // source name
    if (h == NULL)
        ErrorExit("Could not open the Application event log.");
 
    pevlr = (EVENTLOGRECORD *) &bBuffer;
 
    // Opening the event log positions the file pointer for this
    // handle at the beginning of the log. Read the records
    // sequentially until there are no more.
 
    while (ReadEventLog(h,                // event log handle
                EVENTLOG_FORWARDS_READ |  // reads forward
                EVENTLOG_SEQUENTIAL_READ, // sequential read
                0,            // ignored for sequential reads
                pevlr,        // pointer to buffer
                BUFFER_SIZE,  // size of buffer
                &dwRead,      // number of bytes read
                &dwNeeded))   // bytes in next record
    {
        while (dwRead > 0)
        {
            // Print the event identifier, type, and source name.
            // The source name is just past the end of the
            // formal structure.
 
            printf("%02d  Event ID: 0x%08X ",
                dwThisRecord++, pevlr->EventID);
            printf("EventType: %d Source: %s\n",
                pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
                sizeof(EVENTLOGRECORD)));
 
            dwRead -= pevlr->Length;
            pevlr = (EVENTLOGRECORD *)
                ((LPBYTE) pevlr + pevlr->Length);
        }
 
        pevlr = (EVENTLOGRECORD *) &bBuffer;
    }
 
    CloseEventLog(h);
}

Author

Commented:
I have seen and read this sample code and it did come in handy.  (BUFFER_SIZE ?)

Commented:
The documentation does not say the value of BUFFER_SIZE. It may be 1024 or 2048.
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Author

Commented:
Thanks AlanB. You suggestions are accurate but I have completed this problem already. I did want Chensu to close it ( see 2nd Comment before this one) because I was done with this issue. Thanks anyway.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.