Solved

Reading System Event Log

Posted on 1998-11-24
Last Modified: 2013-12-28
Hello, I need to read through the System Event Log. I have the following method:

PDWORD NumberOfRecords= new DWORD;      // allocated but never used below
EVENTLOGRECORD *evRec;
char* buffer= new char[10000];
evRec= (EVENTLOGRECORD*)buffer;
DWORD pnBytesRead;
DWORD pnMinNumberOfBytesNeeded;
DWORD errorCode= 0;

HANDLE hd= OpenEventLog(  "comp_name",  // pointer to server name
                          "System" );   // source name

// set status
if (hd!= NULL) m_Status= 1;
UpdateData(false);

if (
    !ReadEventLog(  hd,
        EVENTLOG_FORWARDS_READ ,        // specifies how to read log
        0,                              // number of first record
        buffer,                         // address of buffer for read data
        10000,                          // number of bytes to read
        &pnBytesRead,                   // number of bytes read
        &pnMinNumberOfBytesNeeded       // number of bytes required for next record
    ))
    errorCode= GetLastError();

delete NumberOfRecords;
delete[] buffer;                        // array allocation needs delete[]

When I execute the code, I get error code 87, which means invalid parameter. I'm using VStudio 98 under NT SP3.
What am I doing wrong?
Question by:liutauras

7 Comments
Expert Comment

by:BlackMan
You might get more help if you post the question in the Windows Programming group...
Expert Comment

by:avigon
It is a programming question, but...
What does it matter if "hd" is NULL? I don't know much of it, but I think that you are trying to ReadEventLog on a NULL file descriptor, and that is the invalid parameter...
Author Comment

by:liutauras
I'm checking the variable m_Status to be 1 and while debugging, I checked also that hd isn't NULL.
Expert Comment

by:avigon
But anyway, check your code, because you are not conditioning the ReadEventLog on the value of the file descriptor... After you open the log file, you should use the NULL test to decide whether or not to read a record from the file.
Expert Comment

by:Tommy Hui
You can't read from record 0. You need to get the oldest record number with GetOldestEventLogRecord().

You also have to get the number of records with GetNumberOfEventLogRecords().

So the starting point is oldestEventLogRecord - numberOfRecords.


Author Comment

by:liutauras
This is what I did:
      PDWORD NumberOfRecords= new DWORD;      // allocated but never used below
      EVENTLOGRECORD *evRec;
      char* buffer= new char[10000];
      evRec= (EVENTLOGRECORD*)buffer;
      DWORD pnBytesRead;
      DWORD pnMinNumberOfBytesNeeded;
      DWORD errorCode= 0;
      DWORD nNumberOfRecords;
      DWORD nOldestRecord;
      DWORD nStartingPoint;

      HANDLE hd= OpenEventLog(  "liutas",     // pointer to server name
                                "System" );   // source name

      if (!hd ) return 1;

      GetNumberOfEventLogRecords(hd, &nNumberOfRecords);
      GetOldestEventLogRecord(hd, &nOldestRecord);

      nStartingPoint= nNumberOfRecords- nOldestRecord;

      if (
          !::ReadEventLog(  hd,
              EVENTLOG_FORWARDS_READ ,        // specifies how to read log
              nStartingPoint,                 // number of first record
              buffer,                         // address of buffer for read data
              10000,                          // number of bytes to read
              &pnBytesRead,                   // number of bytes read
              &pnMinNumberOfBytesNeeded       // number of bytes required for next record
          ))
          errorCode= GetLastError();

      delete NumberOfRecords;
      delete[] buffer;                        // array allocation needs delete[]

Though the situation is still the same... :( I get error 87.
Accepted Solution

by: BlackMan (earned 150 total points)
Try to add the Sequential-flag to your ReadEventLog command, I think that will solve your problem...
Like this:
if (
    !::ReadEventLog(  hd,
        EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ ,   // specifies how to read log
        nStartingPoint,                 // number of first record
        buffer,                         // address of buffer for read data
        10000,                          // number of bytes to read
        &pnBytesRead,                   // number of bytes read
        &pnMinNumberOfBytesNeeded       // number of bytes required for next record
    ))
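
The accepted fix is the read flag; what the thread's comments only hint at is the next step, walking the filled buffer record by record using each EVENTLOGRECORD's Length. As an added example, not code from the thread, here is a portable C walker with the bounds checks a reader should apply: the EvtRecHdr layout is assumed to mirror winnt.h's EVENTLOGRECORD, and the two records, their numbers and source names are constructed test data.

```c
#include <stdint.h>
#include <string.h>
/* Fixed header of the Win32 EVENTLOGRECORD (assumed winnt.h layout, 56 bytes).
   A record is Length bytes and ends with a copy of Length; walk by adding it. */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset;
    uint32_t DataLength, DataOffset;
} EvtRecHdr;
/* Append a minimal record (header, SourceName, trailing Length): constructed
   stand-in for what ReadEventLog writes, used only by sample_walk below. */
static size_t append_record(unsigned char *buf, size_t fill, uint32_t recno,
                            uint32_t event_id, const char *src) {
    EvtRecHdr h = {0}; size_t src_len = strlen(src) + 1;
    h.Length = (uint32_t)(sizeof h + src_len + sizeof(uint32_t));
    h.RecordNumber = recno; h.EventID = event_id; h.EventType = 4; /* INFO */
    memcpy(buf + fill, &h, sizeof h);
    memcpy(buf + fill + sizeof h, src, src_len);
    memcpy(buf + fill + h.Length - sizeof(uint32_t), &h.Length, sizeof(uint32_t));
    return fill + h.Length;
}
/* Walk bytes a successful ReadEventLog(h, EVENTLOG_SEQUENTIAL_READ |
   EVENTLOG_FORWARDS_READ, ...) returned. A Length shorter than the header, past
   bytes_read, or unequal to its trailing copy is rejected: returns count or -1. */
int walk_records(const unsigned char *buf, size_t bytes_read, uint32_t *last_recno) {
    size_t off = 0; int n = 0;
    while (off < bytes_read) {
        EvtRecHdr h; uint32_t tail;
        if (bytes_read - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);               /* no unaligned casts */
        if (h.Length < sizeof h + sizeof tail || h.Length > bytes_read - off) return -1;
        memcpy(&tail, buf + off + h.Length - sizeof tail, sizeof tail);
        if (tail != h.Length) return -1;
        if (last_recno) *last_recno = h.RecordNumber;
        off += h.Length; n++;
    }
    return n;
}
/* Demo: two constructed records; corrupt != 0 overwrites the first Length. */
int sample_walk(int corrupt, uint32_t *last_recno) {
    unsigned char buf[256]; uint32_t bad = 100000;  /* claims more than read */
    size_t fill = append_record(buf, 0, 4021, 7036, "Service Control Manager");
    fill = append_record(buf, fill, 4022, 4201, "Tcpip");
    if (corrupt) memcpy(buf, &bad, sizeof bad);
    return walk_records(buf, fill, last_recno);
}
uint32_t sample_last_recno(void) { uint32_t r = 0; sample_walk(0, &r); return r; }
```

On Windows the same walker runs over the buffer filled by the corrected ReadEventLog call; if that call fails with ERROR_INSUFFICIENT_BUFFER, the buffer has to be regrown to pnMinNumberOfBytesNeeded before retrying.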
