
Win32::EventLog not returning all events?

by syphon (Initiate)
on Oct 12, 2011 at 00:05 UTC

syphon has asked for the wisdom of the Perl Monks concerning the following question:

I'm using Win32::EventLog to parse the event log of some servers. I've run into a really weird issue where it's not giving me all the events when I try to iterate over them! Here's a sample script:
    #!perl
    use strict;
    use Win32::EventLog;

    # open the Application event log
    my $log = Win32::EventLog->new("Application")
        or die "Unable to open application log:$^E\n";

    my $SupposedCount = 0;
    my $ActualCount   = 0;

    # populate the Supposed Count
    $log->GetNumber($SupposedCount);

    # Now populate the ACTUAL count of events!
    while ($log->Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_BACKWARDS_READ), 1, my $entry)) {
        $ActualCount++;
    }

    print "Supposed Count: $SupposedCount\n";
    print "Actual Count: $ActualCount\n";
So in this script, I would expect $SupposedCount and $ActualCount to be identical, however, this is the script's output:
    ---------------------
    C:\>perl events.pl
    Supposed Count: 26382
    Actual Count: 1261
    -------------------
Any ideas what I'm doing wrong here? Why is it skipping so many events?

Re: Win32::EventLog not returning all events?
by BrowserUk (Patriarch) on Oct 12, 2011 at 00:35 UTC

    Try subtracting the value from $log->GetOldest() from the value returned by $log->GetNumber() to determine how many are actually in the log.


    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.
      The problem isn't exactly with the GetNumber() method. That method seems to return the correct number (it returns the same number of events that I see in event viewer).

      The problem is that when I iterate over...

          while ($log->Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_BACKWARDS_READ), 1, my $entry))

      ...it doesn't include all events I see in EventVwr! If I make it print out the event details, I can walk through the events and see the code showing me some events but missing others. I can't figure out why it'd be skipping them, as they don't look different to me in any way.
Re: Win32::EventLog not returning all events?
by Anonymous Monk on Oct 13, 2011 at 09:09 UTC

    For some hints see http://www.le-berre.com/perl/perldoc.htm#Hacks and Help understanding Win32::Eventlog

    And see this, seems to work :) It's a start, definitely an improvement over raw Win32::EventLog, but it does need some flushing out

    #!/usr/bin/perl --
    use strict;
    use warnings;
    use Data::Dumper;

    Main( @ARGV );
    exit( 0 );

    sub Main {
        my $e = MyEventLog->new("Application");
        print DD( { $e->First } );      # oldest record, as a plain hash
        my $rec = $e->Last;             # newest record, as an Entry object
        print DD( $rec );
        print DD( { $rec->Prev } );
    }

    sub DD { Data::Dumper->new([@_])->Useqq(1)->Dump; }

    BEGIN {
        package MyEventLog::Entry;
        use Scalar::Util qw' weaken ';
        $INC{'MyEventLog/Entry.pm'} = __FILE__;

        sub new {
            my( $class, $parent, $self ) = @_;
            $self->{MyEventLog} = $parent;
            weaken $self->{MyEventLog};     # avoid a reference cycle with the log object
            return bless $self, $class;
        }
        sub Prev {  # sub Previous {
            my( $self ) = @_;
            return $self->{MyEventLog}->Get( $self->{RecordNumber} - 1 );
        }
        sub Next {  # sub Nextious {
            my( $self ) = @_;
            return $self->{MyEventLog}->Get( $self->{RecordNumber} + 1 );
        }

        package MyEventLog;
        use Win32::EventLog;
        $INC{'MyEventLog.pm'} = __FILE__;

        sub new {
            my( $package, $eventLog, $computerName ) = @_;
            $computerName ||= $ENV{ComputerName};
            my $handle = Win32::EventLog->new($eventLog, $computerName)
                or die "Can't open $eventLog EventLog\n";
            my $recs;
            $handle->GetNumber($recs)
                or die "Can't get number of EventLog records\n";
            my $base;
            $handle->GetOldest($base)
                or die "Can't get number of oldest EventLog record\n";
            return bless {
                handle         => $handle,
                recs           => $recs,    # number of records in the log
                base           => $base,    # record number of the oldest record
                GetMessageText => !!1,
            }, $package;
        }
        sub Add   { die "todo , # update recs" }
        sub First { return shift->GetNth( 0 ); }
        sub Last  { return shift->GetNth( -1 ); }
        sub GetNth {
            my( $self, $ix ) = @_;
            if( $ix < 0 ){
                # count back from the newest record, which is base + recs - 1
                $ix += $self->{base} + $self->{recs};
            } else {
                $ix += $self->{base};
            }
            return $self->Get( $ix );
        }
        sub Get {
            my( $self, $ix ) = @_;
            local $Win32::EventLog::GetMessageText = $self->{GetMessageText};
            my $hashRef = {};
            # seek straight to absolute record number $ix
            $self->{handle}->Read(
                Win32::EventLog::EVENTLOG_FORWARDS_READ() |
                Win32::EventLog::EVENTLOG_SEEK_READ(),
                $ix,
                $hashRef
            ) or die "Can't read EventLog entry #$ix\n";
            return %$hashRef if wantarray;
            return MyEventLog::Entry->new( $self => $hashRef );
        }
        1;
    }
    __END__

    Don't ask me to explain anything, instead read Modern Perl: the free book
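
An added example, not part of any post in this thread: a completeness check that walks the log by absolute record number, from GetOldest() through GetOldest() + GetNumber() - 1, using the same seek-read flags as the reply above, and records which record numbers could not be read. The helper name `audit_log` is hypothetical, and the walk assumes record numbers are contiguous between the oldest and newest record.

```perl
#!perl
use strict;
use warnings;
use Win32::EventLog;

# audit_log is a hypothetical helper (not from the thread or the module).
# It reads every record number the log claims to hold and reports the ones
# that could not be read, instead of stopping at the first failed Read().
sub audit_log {
    my ($name) = @_;
    my $log = Win32::EventLog->new($name, $ENV{ComputerName})
        or die "Unable to open $name log: $^E\n";

    my ($count, $oldest);
    $log->GetNumber($count)  or die "GetNumber failed: $^E\n";
    $log->GetOldest($oldest) or die "GetOldest failed: $^E\n";

    my $read = 0;
    my @missing;
    # Assumption: record numbers run contiguously from $oldest upward.
    for my $rec ($oldest .. $oldest + $count - 1) {
        my $entry = {};
        if ($log->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, $rec, $entry)) {
            $read++;
        }
        else {
            push @missing, $rec;    # note the gap and keep walking
        }
    }
    $log->Close;

    return {
        count   => $count,
        oldest  => $oldest,
        read    => $read,
        missing => \@missing,
    };
}

my $r = audit_log("Application");
printf "Reported by GetNumber: %d (oldest record number %d)\n",
    $r->{count}, $r->{oldest};
printf "Read by record number: %d\n", $r->{read};
printf "Unreadable record numbers: %s\n",
    @{ $r->{missing} } ? join(", ", @{ $r->{missing} }) : "none";
```

If the two counts match here but a sequential read loop still stops early, the record number of the last entry that loop returned shows where it stopped.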
