?
Solved

Event Logger Poblem

Posted on 1998-12-28
6
Medium Priority
?
387 Views
Last Modified: 2013-12-03
I have a problem with this program.
For some resone it returns some EventID that are correct and some that are not. ( realy invalid values that dosn't make sense at all ). What might be the problem ????

      EVENTLOGRECORD *event;
      BYTE* bBuffer;
      DWORD uRead,uNeeded,cRecords = 0;
      HANDLE m_hHandle = 0;

      m_hHandle = OpenEventLog(NULL,"System");
    if (m_hHandle == 0)
            return;

      ReadEventLog(m_hHandle,
                         EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                        0,
                        event,
                        0,
                        &uRead,
                        &uNeeded);
      

      bBuffer = new BYTE[uNeeded];

      event = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);

      while( event->EventID != 20032 )
      {

             ReadEventLog(m_hHandle,
                                    EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                                    0,
                                    event,
                                    uNeeded,
                                    &uRead,
                                    &uNeeded);
      
            switch (event->EventID)
            {
                  case 4 :
                        printf("error 4\n");
                        break;
                  case 7024:
                        printf("error 7024\n");
                        break;
                  default:
                        break;

            }
            
            event = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);

      }

      CloseEventLog(m_hHandle);
      delete bBuffer;
}
0
Comment
Question by:sector
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 6

Accepted Solution

by:
stsanz earned 440 total points
ID: 1417752
Your allocation method is a bit odd.
First, event pointer must not be NULL before the first call of ReadEventLog, even if nNumberOfBytesToRead is 0 (see ReadEventLog online help)
Secondly, you allocate a bBuffer for a uNeeded size that is valid only for the first call, and never reallocate it.

Try with the following piece of code :

{
EVENTLOGRECORD*  event;
DWORD  uRead,uNeeded,cRecords = 0;
HANDLE  m_hHandle = 0;
BOOL  bRes ;
DWORD  dwError ;
DWORD  dwBufSize = 4096 ;

m_hHandle = OpenEventLog(NULL,"System");
if (m_hHandle == 0)
  return ;

printf("Event log opened\n") ;

event = (EVENTLOGRECORD*)new BYTE[dwBufSize] ;

while (TRUE)
{
bRes = ReadEventLog(m_hHandle,
  EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
  0,
  event,
  dwBufSize,
  &uRead,
  &uNeeded);

if (!bRes)
  {
  dwError = GetLastError();
  if (dwError != ERROR_INSUFFICIENT_BUFFER)
    {
    CloseEventLog(m_hHandle);
    delete event ;
    }

  // Buffer is not long enough : reallocate
  delete event ;
  event = (EVENTLOGRECORD*)new BYTE[uNeeded] ;
  break ;
  }

switch (event->EventID)
  {
  case 4 :
    printf("error 4\n");
    break;
  case 7024:
    printf("error 7024\n");
    break;
  default:
    printf("Default case\n") ;
    break;
  }
}
}

Hope this helps.
0
 
LVL 6

Expert Comment

by:stsanz
ID: 1417753
Sorry, I have forgotten a return statement in :

if (dwError != ERROR_INSUFFICIENT_BUFFER)
    {
    CloseEventLog(m_hHandle);
    delete event ;
    return ;
    }

0
 

Author Comment

by:sector
ID: 1417754
The buffer is always empty.
I still don't get the event ID as shown in the Event Viewe.
For some reason only the eventID 20032 I can see ,
other numbers are strange numbers like : 3221487640,2147490651 etc...
I realy don't understand it.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 

Author Comment

by:sector
ID: 1417755
Well ?????
0
 
LVL 6

Expert Comment

by:stsanz
ID: 1417756
I have made some tests : my event log is correct but contains eventIDs that must be interpretated as hex numbers in the format 0x8000nnnn where nnnn is the event identifier as displayed in the event viewer.
So, to display the right event id, use :
(event->EventID & 0x0000FFFF)

Moreover, the ReadEventLog API can return several event descriptors if the buffer is big enough (indicated by nNumberOfBytesToRead parameter).
After a call to ReadEventLog, *pnBytesRead indicates how many bytes were returned in the buffer, each event descriptor having a variable length.
So, after each ReadEventLog call, you should browse the event buffer, using a piece of code of the following kind :

BYTE *buffer ;

buffer = (BYTE*)event ;
while (uRead > 0)        
{
  printf("EventID:0x%08X ",((EVENTLOGRECORD*)buffer)->EventID) ;
  uRead -= ((EVENTLOGRECORD*)buffer)->Length ;
  buffer += ((EVENTLOGRECORD*)buffer)->Length ;
}

Hope this helps.

0
 

Author Comment

by:sector
ID: 1417757
Thank you very much stsanz
0

Featured Post

Enroll in August's Course of the Month

August's CompTIA IT Fundamentals course includes 19 hours of basic computer principle modules and prepares you for the certification exam. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After several hours of googling I could not gather any information on this topic. There are several ways of controlling the USB port connected to any storage device. The best example of that is by changing the registry value of "HKEY_LOCAL_MACHINE\S…
Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question