Solved

Event Logger Problem

Posted on 1998-12-28
Last Modified: 2013-12-03
I have a problem with this program.
For some reason it returns some EventIDs that are correct and some that are not (really invalid values that don't make sense at all). What might be the problem?

      EVENTLOGRECORD *event;
      BYTE* bBuffer;
      DWORD uRead,uNeeded,cRecords = 0;
      HANDLE m_hHandle = 0;

      m_hHandle = OpenEventLog(NULL,"System");
    if (m_hHandle == 0)
            return;

      ReadEventLog(m_hHandle,
                         EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                        0,
                        event,
                        0,
                        &uRead,
                        &uNeeded);
      

      bBuffer = new BYTE[uNeeded];

      event = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);

      while( event->EventID != 20032 )
      {

             ReadEventLog(m_hHandle,
                                    EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                                    0,
                                    event,
                                    uNeeded,
                                    &uRead,
                                    &uNeeded);
      
            switch (event->EventID)
            {
                  case 4 :
                        printf("error 4\n");
                        break;
                  case 7024:
                        printf("error 7024\n");
                        break;
                  default:
                        break;

            }
            
            event = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);

      }

      CloseEventLog(m_hHandle);
      delete bBuffer;
}
Question by:sector

Accepted Solution

by:
stsanz earned 110 total points
ID: 1417752
Your allocation method is a bit odd.
First, the event pointer must not be NULL before the first call to ReadEventLog, even if nNumberOfBytesToRead is 0 (see the ReadEventLog online help).
Secondly, you allocate a bBuffer for a uNeeded size that is valid only for the first call, and never reallocate it.

Try with the following piece of code :

{
EVENTLOGRECORD*  event;
DWORD  uRead,uNeeded,cRecords = 0;
HANDLE  m_hHandle = 0;
BOOL  bRes ;
DWORD  dwError ;
DWORD  dwBufSize = 4096 ;

m_hHandle = OpenEventLog(NULL,"System");
if (m_hHandle == 0)
  return ;

printf("Event log opened\n") ;

event = (EVENTLOGRECORD*)new BYTE[dwBufSize] ;

while (TRUE)
{
bRes = ReadEventLog(m_hHandle,
  EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
  0,
  event,
  dwBufSize,
  &uRead,
  &uNeeded);

if (!bRes)
  {
  dwError = GetLastError();
  if (dwError != ERROR_INSUFFICIENT_BUFFER)
    {
    CloseEventLog(m_hHandle);
    delete [] (BYTE*)event ;
    }

  // Buffer is not long enough : reallocate with the size reported in uNeeded, then retry the read
  delete [] (BYTE*)event ;
  event = (EVENTLOGRECORD*)new BYTE[uNeeded] ;
  dwBufSize = uNeeded ;
  continue ;
  }

switch (event->EventID)
  {
  case 4 :
    printf("error 4\n");
    break;
  case 7024:
    printf("error 7024\n");
    break;
  default:
    printf("Default case\n") ;
    break;
  }
}
}

Hope this helps.

Expert Comment

by:stsanz
ID: 1417753
Sorry, I have forgotten a return statement in :

if (dwError != ERROR_INSUFFICIENT_BUFFER)
    {
    CloseEventLog(m_hHandle);
    delete [] (BYTE*)event ;
    return ;
    }


Author Comment

by:sector
ID: 1417754
The buffer is always empty.
I still don't get the event ID as shown in the Event Viewer.
For some reason only the eventID 20032 I can see,
other numbers are strange numbers like: 3221487640, 2147490651 etc...
I really don't understand it.

Author Comment

by:sector
ID: 1417755
Well ?????

Expert Comment

by:stsanz
ID: 1417756
I have made some tests: my event log is correct but contains eventIDs that must be interpreted as hex numbers in the format 0x8000nnnn where nnnn is the event identifier as displayed in the event viewer.
So, to display the right event id, use:
(event->EventID & 0x0000FFFF)

Moreover, the ReadEventLog API can return several event descriptors if the buffer is big enough (indicated by nNumberOfBytesToRead parameter).
After a call to ReadEventLog, *pnBytesRead indicates how many bytes were returned in the buffer, each event descriptor having a variable length.
So, after each ReadEventLog call, you should browse the event buffer, using a piece of code of the following kind :

BYTE *buffer ;

buffer = (BYTE*)event ;
while (uRead > 0)        
{
  printf("EventID:0x%08X ",((EVENTLOGRECORD*)buffer)->EventID) ;
  uRead -= ((EVENTLOGRECORD*)buffer)->Length ;
  buffer += ((EVENTLOGRECORD*)buffer)->Length ;
}

Hope this helps.
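
A bounds-checked version of the buffer walk and EventID masking described in the comment above, as an added example that is not part of the original thread. It is portable C rather than Win32 code: it assumes the documented EVENTLOGRECORD layout (56-byte fixed header, Length at offset 0, EventID at offset 20), walk_event_records and build_sample are hypothetical names, and the sample buffer is constructed from the two raw EventID values quoted earlier in the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REC_HEADER_SIZE 56u  /* fixed part of EVENTLOGRECORD (assumed layout) */
#define OFF_LENGTH       0u  /* DWORD Length  */
#define OFF_EVENTID     20u  /* DWORD EventID */

/* Little-endian 32-bit load/store that do not depend on alignment. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk the records in buf[0..n_read), storing the low 16 bits of each EventID
 * in ids[] (at most max_ids). Returns the record count, or -1 when a Length
 * field is shorter than the header or runs past the bytes actually read. */
int walk_event_records(const uint8_t *buf, size_t n_read, uint16_t *ids, int max_ids) {
    size_t off = 0;
    int count = 0;
    while (off < n_read) {
        size_t left = n_read - off;
        if (left < REC_HEADER_SIZE) return -1;               /* truncated header */
        uint32_t len = rd32(buf + off + OFF_LENGTH);
        if (len < REC_HEADER_SIZE || len > left) return -1;  /* zero, short or overlong */
        if (count < max_ids)
            ids[count] = (uint16_t)(rd32(buf + off + OFF_EVENTID) & 0x0000FFFF);
        count++;
        off += len;  /* len >= 56, so the loop always advances */
    }
    return count;
}

/* Constructed sample: two records carrying raw EventID values quoted in the thread. */
size_t build_sample(uint8_t *out) {   /* out must hold at least 136 bytes */
    memset(out, 0, 136);
    wr32(out + OFF_LENGTH, 64);       wr32(out + OFF_EVENTID, 3221487640u);
    wr32(out + 64 + OFF_LENGTH, 72);  wr32(out + 64 + OFF_EVENTID, 2147490651u);
    return 136;
}

int main(void) {
    uint8_t buf[136];
    uint16_t ids[4];
    int n = walk_event_records(buf, build_sample(buf), ids, 4);
    for (int i = 0; i < n && i < 4; i++) printf("EventID %u\n", (unsigned)ids[i]);
    return n < 0;
}
```

On Windows, pass the buffer filled by ReadEventLog as buf and the *pnBytesRead value as n_read.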


Author Comment

by:sector
ID: 1417757
Thank you very much stsanz