Re: RFC Win32::Event2Log ..gimme back my logfiles

by Anonymous Monk
in reply to RFC Win32::Event2Log ..gimme back my logfiles


congratulations brave programmer

This seems like a good project for you to think out loud, some more, cause you're already doing it, congratulations!

For now concentrate on how a user would use this thing, forget about backends and implementation details, write a few dozen user programs , a few a day, and see what you like the most, concentrate on verbs/actions the user would perform, the programs don't have to actually work they just have to be written like they should work like a user would want them to work

Ask yourself why would anyone use your module instead of EventLog? Answer the question as many times as you can (write a program), you're trying to attract/catch users for your module(?or app?) ... is your bait delicious enough?

If you're only writing for yourself (valid reason) then you don't have to get imaginative with api names, just do the first thing that pops into your head and you can write -- one-offs are easy

For some good/bad ideas take a look at Re: Win32::EventLog searching the wrong logs (MyEventLog for Win32::EventLog, Re: Translating Win32 EventLog Category ) and POE::Component::Win32::EventLog - A POE component that provides non-blocking access to Win32::EventLog.

Some comments about your code

local is used for temporarily overriding globals like this

local $Win32::EventLog::GetMessageText = 1;

This is a "Red flag" localtime ... $year + 1900, and an extremely ridiculous one when on the next line you have  DateTime->new but we've all been there and you probably know just need more perl DateTime FAQ ( hint DateTime->strftime, DateTime::Format::Strptime , DateTime::Format::Human::Duration, DateTime::Format::Natural, )

Pod convention is uppercase for sections and

=head1 NAME Module::Name - one line description =head1 DESCRIPTION ...

Regarding the name?

Well name has to follow from function, and since the function of your module is kinda up in the air ...

See Namespace/advice for new CPAN modules for Thai & Lao, Re^2: Naming a module that handles SIP2 (library protocol stopwords), Modules: Creation, Use, and Abuse , Re: RFC: Automatic logger module,

yes Win23 might belong in the name

yes Event might belong in the name

No "2" does not belong in the name, not as a substitute for "To" in "ThisToThat". Don't be like "Pod::2::DocBook" thats maximum terrible :) Exception is the terribly named "POD2::IT - Italian translation of Perl core documentation " series cause it should have been lowercase "it" :D

No, "log" does not belong in the name. Sure you're making log files, and "events" are logs, but you're not log framework anything .... use the module DESCRIPTION to help users find your log file creating win32 event log reading parsing module :D

Is your module really an application? Are you sure you're not really working up to App::Win32EventsFilter? Thats where the research/trialerror/userprograms come in .... if 80% of the use cases, the rules, would look identical in a or a commandline  win32eventsfilter --add "snackarooony" then the name kinda writes itself


I'm sure there is more stuff I could say if I spent more time thinking about it, but its like tennis :)

Re^2: RFC Win32::Event2Log ..gimme back my logfiles
by Discipulus (Monsignor) on Feb 02, 2018 at 11:35 UTC
    Many thanks Anonymous Monk for your review, full of good links and suggestions!

    let me comment back..

    > write a few dozen user programs ... concentrate on verbs/actions the user would perform ..

    I'm already doing this: I need to use my module already so I'm testing on various scenarios.

    > Ask yourself why would anyone use your module instead of EventLog

    Well I'm confident enough with my lure: it abstract all the boring part of using Win32::EventLog as counting events, get them back in the right way (consider the module has a bit weird interface, not easy to use under strict and warnings, populating globals variables like in  my $base; $handle->GetOldest($base) )

    More: my engine tracks and logs last numbers read for each registry, so if you restart the program you just read newer events: this is achieved via the lastreadfile option in the engine contruction.

    It also automatically open and close your destination logfiles with an autoflushed handle: this is the only way I found to have no buffering done by the OS.

    Finally providing a callback in the rule creation lets the final user to really do what they want. Rethinking about this probably it's worth to be redisigned: I now constrain the rule to have a destination logfile associated and optionally a format callback.

    Perhaps it will be better to let logfile optional if a callback it's specified: so a better name will be action or callback instead of format This can lead to an extreme flexibility: no more the output to a logfile but, for example: if an event is found write a mail and restart a service.

    The above abstraction will affect the name too: Win32::EventTrigger or Win32::Event::Engine ?

    Links provided are useful (apart from the la-berre one unavailable..) and you are probably the same Anonymous Monk of Re: Win32::EventLog not returning all events? and if so what a pity you are no a named one to track of your post.. anyway thanks!

    I have add a FURTHER READINGS section (and put them all uppercase..) to my pod pointing to these and more articles.

    about code style

    I have localized my $Win32::EventLog::GetMessageText occurence: as I said probably i'll strip out the reading part into a Win32::Event2Log::Reader submodule. The best place for this variable will be just after the, eventual, require Win32::EventLog one. Anyway this means you read my code.. someone read my code!! I must tell to my wife! ;=)

    The red flag about dates is received, mea culpa, I'll clean the example (following your hints) before publishing the module.

    about the name

    ok no 2 in the name: Win32::EventFilter (without the S?) sounds good. Considering the above abstraction I mentioned probably Win32::Event::Engine will be more appropriate, no?

    Anyway no, I do not think i'm writing an App::* like think. It's more similar modular engine, rule based. As side note, during my preliminar readings, I read perlmodstyle and I noticed i broke Designing your API suggestions, precisely Separate functionality from output one. But what can I do? The engine must show itself some output (on verbosity at least). It is designed to run forever (or to terminate at endtime ..) so it's like a webserver so some output directly from the module can be useful.

    Thanks again for your help


    update Feb 09: asked here how to subclass and separate module functionalities.

