Solved

Event Logger Poblem

Posted on 1998-12-28
6
378 Views
Last Modified: 2013-12-03
I have a problem with this program.
For some resone it returns some EventID that are correct and some that are not. ( realy invalid values that dosn't make sense at all ). What might be the problem ????

      EVENTLOGRECORD *event;
      BYTE* bBuffer;
      DWORD uRead,uNeeded,cRecords = 0;
      HANDLE m_hHandle = 0;

      m_hHandle = OpenEventLog(NULL,"System");
    if (m_hHandle == 0)
            return;

      ReadEventLog(m_hHandle,
                         EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                        0,
                        event,
                        0,
                        &uRead,
                        &uNeeded);
      

      bBuffer = new BYTE[uNeeded];

      event = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);

      while( event->EventID != 20032 )
      {

             ReadEventLog(m_hHandle,
                                    EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
                                    0,
                                    event,
                                    uNeeded,
                                    &uRead,
                                    &uNeeded);
      
            switch (event->EventID)
            {
                  case 4 :
                        printf("error 4\n");
                        break;
                  case 7024:
                        printf("error 7024\n");
                        break;
                  default:
                        break;

            }
            
            event = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);

      }

      CloseEventLog(m_hHandle);
      delete bBuffer;
}
0
Comment
Question by:sector
  • 3
  • 3
6 Comments
 
LVL 6

Accepted Solution

by:
stsanz earned 110 total points
ID: 1417752
Your allocation method is a bit odd.
First, event pointer must not be NULL before the first call of ReadEventLog, even if nNumberOfBytesToRead is 0 (see ReadEventLog online help)
Secondly, you allocate a bBuffer for a uNeeded size that is valid only for the first call, and never reallocate it.

Try with the following piece of code :

{
EVENTLOGRECORD*  event;
DWORD  uRead,uNeeded,cRecords = 0;
HANDLE  m_hHandle = 0;
BOOL  bRes ;
DWORD  dwError ;
DWORD  dwBufSize = 4096 ;

m_hHandle = OpenEventLog(NULL,"System");
if (m_hHandle == 0)
  return ;

printf("Event log opened\n") ;

event = (EVENTLOGRECORD*)new BYTE[dwBufSize] ;

while (TRUE)
{
bRes = ReadEventLog(m_hHandle,
  EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
  0,
  event,
  dwBufSize,
  &uRead,
  &uNeeded);

if (!bRes)
  {
  dwError = GetLastError();
  if (dwError != ERROR_INSUFFICIENT_BUFFER)
    {
    CloseEventLog(m_hHandle);
    delete event ;
    }

  // Buffer is not long enough : reallocate
  delete event ;
  event = (EVENTLOGRECORD*)new BYTE[uNeeded] ;
  break ;
  }

switch (event->EventID)
  {
  case 4 :
    printf("error 4\n");
    break;
  case 7024:
    printf("error 7024\n");
    break;
  default:
    printf("Default case\n") ;
    break;
  }
}
}

Hope this helps.
0
 
LVL 6

Expert Comment

by:stsanz
ID: 1417753
Sorry, I have forgotten a return statement in :

if (dwError != ERROR_INSUFFICIENT_BUFFER)
    {
    CloseEventLog(m_hHandle);
    delete event ;
    return ;
    }

0
 

Author Comment

by:sector
ID: 1417754
The buffer is always empty.
I still don't get the event ID as shown in the Event Viewe.
For some reason only the eventID 20032 I can see ,
other numbers are strange numbers like : 3221487640,2147490651 etc...
I realy don't understand it.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 

Author Comment

by:sector
ID: 1417755
Well ?????
0
 
LVL 6

Expert Comment

by:stsanz
ID: 1417756
I have made some tests : my event log is correct but contains eventIDs that must be interpretated as hex numbers in the format 0x8000nnnn where nnnn is the event identifier as displayed in the event viewer.
So, to display the right event id, use :
(event->EventID & 0x0000FFFF)

Moreover, the ReadEventLog API can return several event descriptors if the buffer is big enough (indicated by nNumberOfBytesToRead parameter).
After a call to ReadEventLog, *pnBytesRead indicates how many bytes were returned in the buffer, each event descriptor having a variable length.
So, after each ReadEventLog call, you should browse the event buffer, using a piece of code of the following kind :

BYTE *buffer ;

buffer = (BYTE*)event ;
while (uRead > 0)        
{
  printf("EventID:0x%08X ",((EVENTLOGRECORD*)buffer)->EventID) ;
  uRead -= ((EVENTLOGRECORD*)buffer)->Length ;
  buffer += ((EVENTLOGRECORD*)buffer)->Length ;
}

Hope this helps.

0
 

Author Comment

by:sector
ID: 1417757
Thank you very much stsanz
0

Featured Post

ScreenConnect 6.0 Free Trial

Discover new time-saving features in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to programmatically preset the "Pages per Sheet" option that's available with most printer drivers.   This setting lets you do "n-Up" printing, where two, four, or more pages are printed on each sheet of paper. If your …
Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question