domenic
asked on
How to use OpenEventLog?
(Platform: Win NT4.0 VC++ 5.0)
I am trying to retrieve a (card) driver's messages in the Event Log using OpenEventLog and ReadEventLog. The Registry shows the driver source name as being available.
../System/CurrentControlSet/Services/EventLog/System/EiconCards
My call to OpenEventLog returns a valid handle and looks like this:
hEicon = OpenEventLog( NULL, "EiconCards" );
My first problem arises when I ask for the number of records using
GetNumberOfEventLogRecords( hEicon, &NumberOfRecords ).
The NumberOfRecords=700 but I only have 6 EiconCards related messages in the Event Log!? I think it returns the entire records available in Event Log. Should I expect only records for the Source Name I specify?
When I go ahead and use ReadEventLog, I do not get the Records associated with EiconCards but some other service.
Any suggestions concerning my problem?
According to the documentation, the second parameter of OpenEventLog "can be the Application, Security, or System logfile, or a custom registered logfile. If a custom registered logfile name cannot be found, the event logging service opens the Application logfile, however, there will be no associated message or category string file." I think the parameter is not for a source name. In your case, you actually opened the Application logfile.
ASKER
Chensu, to go over one point you said concerning it opening up the Application logfile, it didn't. If I look into the Event Log I match what my app has printed with entries in the System log including strings. The source name I specified is ( like I mentioned in the original message) a valid subkey of the System logfile.
So OpenEventLog opens up either the Application, the Security or the System logfile. I assumed it would go further and return only the records associated with the source name I specified. For example, if I specified "EiconCards", I expected only records in the System log that dealt with "EiconCards". Hence, I must parse through each record in the System log to look for the corresponding "EiconCards" records. (Sounds time-consuming and I must keep the System log clean at all times to enhance performance. I will try to implement NotifyChangeEventLog to avoid queries)
If there is anything you can add I will appreciate it otherwise let us close this question and thanks again.
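The filtering step the asker describes, as an added example that is neither the thread's nor the Windows SDK's code: ReadEventLog packs whole EVENTLOGRECORD records back to back into the caller's buffer, and the ANSI SourceName sits immediately after the 56-byte fixed header, so selecting one source means walking the chunk by Length and comparing that string. The header is mirrored with stdint types so the walker compiles without <windows.h>; on NT you would include it and pass each buffer returned by ReadEventLog (growing it to dwNeeded on ERROR_INSUFFICIENT_BUFFER, which is the BUFFER_SIZE question raised later in the thread). The add_record helper only builds constructed sample data.

```c
#include <stdint.h>
#include <string.h>

/* Fixed part of EVENTLOGRECORD (56 bytes, naturally aligned); the ANSI
 * SourceName string starts right after it, followed by ComputerName. */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
             DataLength, DataOffset;
} EvtRecordHeader;

/* Walk the records ReadEventLog packed into buf[0..len) and count those whose
 * SourceName equals `source`; the last matching EventID is left in *last_id.
 * Returns -1 if a record's Length overruns the buffer or its name is not
 * NUL-terminated, so a truncated or corrupt chunk is never walked past. */
int count_records_from_source(const unsigned char *buf, size_t len,
                              const char *source, uint32_t *last_id)
{
    size_t off = 0;
    int matches = 0;
    while (off < len) {
        EvtRecordHeader h;
        if (len - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);                 /* no unaligned reads */
        if (h.Length < sizeof h + 4 || h.Length > len - off) return -1;
        const char *name = (const char *)(buf + off + sizeof h);
        if (!memchr(name, '\0', h.Length - sizeof h)) return -1;
        if (strcmp(name, source) == 0) {
            matches++;
            if (last_id) *last_id = h.EventID;
        }
        off += h.Length;
    }
    return matches;
}

/* Constructed test data only: append one minimal record (header, SourceName,
 * DWORD padding, trailing Length copy) to buf and return the new size. */
size_t add_record(unsigned char *buf, size_t off, uint32_t id, const char *src)
{
    EvtRecordHeader h;
    size_t n = ((sizeof h + strlen(src) + 1 + 3) & ~(size_t)3) + 4;
    memset(&h, 0, sizeof h);
    h.Length = (uint32_t)n; h.EventID = id; h.EventType = 4; /* INFORMATION */
    memset(buf + off, 0, n);
    memcpy(buf + off, &h, sizeof h);
    strcpy((char *)buf + off + sizeof h, src);
    memcpy(buf + off + n - 4, &h.Length, 4);
    return off + n;
}
```

With four constructed System-log records, two of them from EiconCards, the walker returns 2, and a chunk cut one byte short is rejected instead of being read past its end.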
Just in case you haven't read it, I copied the following example useful for you from the documentation.
Reading the Event Log
The following example reads all the records in the Application log file and displays the event identifier, event type, and event source for each event log entry.
#include <windows.h>
#include <stdio.h>

/* BUFFER_SIZE and ErrorExit() are not defined by the documentation sample;
   the caller supplies them. ReadEventLog fails with ERROR_INSUFFICIENT_BUFFER
   (and sets dwNeeded to the size required) when the next record does not fit
   in BUFFER_SIZE bytes, which ends the outer loop below. */

void DisplayEntries( )
{
    HANDLE h;
    EVENTLOGRECORD *pevlr;
    BYTE bBuffer[BUFFER_SIZE];
    DWORD dwRead, dwNeeded, cRecords, dwThisRecord = 0;

    // Open the Application event log.
    h = OpenEventLog( NULL,            // use local computer
                      "Application"); // log file name, not an event source
    if (h == NULL)
        ErrorExit("Could not open the Application event log.");

    pevlr = (EVENTLOGRECORD *) &bBuffer;

    // Opening the event log positions the file pointer for this
    // handle at the beginning of the log. Read the records
    // sequentially until there are no more.
    while (ReadEventLog(h,                       // event log handle
                        EVENTLOG_FORWARDS_READ | // reads forward
                        EVENTLOG_SEQUENTIAL_READ, // sequential read
                        0,                       // ignored for sequential reads
                        pevlr,                   // pointer to buffer
                        BUFFER_SIZE,             // size of buffer
                        &dwRead,                 // number of bytes read
                        &dwNeeded))              // bytes in next record
    {
        // The buffer holds one or more whole records, back to back.
        while (dwRead > 0)
        {
            // Print the event identifier, type, and source name.
            // The source name is just past the end of the
            // formal structure.
            printf("%02d Event ID: 0x%08X ",
                   dwThisRecord++, pevlr->EventID);
            printf("EventType: %d Source: %s\n",
                   pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
                   sizeof(EVENTLOGRECORD)));

            // Advance to the next record using this record's Length.
            dwRead -= pevlr->Length;
            pevlr = (EVENTLOGRECORD *)
                    ((LPBYTE) pevlr + pevlr->Length);
        }

        pevlr = (EVENTLOGRECORD *) &bBuffer;
    }

    CloseEventLog(h);
}
ASKER
I have seen and read this sample code and it did come in handy. (BUFFER_SIZE ?)
The documentation does not say the value of BUFFER_SIZE. It may be 1024 or 2048.
ASKER CERTIFIED SOLUTION
ASKER
Thanks AlanB. Your suggestions are accurate but I have completed this problem already. I did want Chensu to close it ( see 2nd Comment before this one) because I was done with this issue. Thanks anyway.