PerlMonks  

reading .evt logs (Win32)

by softworkz (Monk)
on Jul 02, 2002 at 14:35 UTC (#178866=perlquestion)

softworkz has asked for the wisdom of the Perl Monks concerning the following question:

Hello monks, Is there a way to read in the security.evt logs on a Win32 machine and dump them as normal TEXT files?

1. The logs are already saved with .evt extensions (yes, garbled if opened in Notepad, but user-friendly if viewed in the Event Viewer; but I want to have them readable as text)
2. I know they should have been saved as csv files.
3. I know about Win32::Eventlog but that only gets the logs that are currently in the event viewer.
4. The logs are saved as .evt each month
5. I know there is a 3rd party software that can read the saved .evt logs and dump them as plain text (www.heysoft.net), but I'm sure there's a way in Perl?


Any thoughts/tips/suggestions?
Thanks

(wil) Re: reading .evt logs (Win32)
by wil (Priest) on Jul 02, 2002 at 14:46 UTC
    3. I know about Win32::Eventlog but that only gets the logs that are currently in the event viewer.
    No it doesn't. You can configure Win32::Eventlog to read in your backed up event log files, too. Here's the relevant snippet from the POD:

    Win32::EventLog->new(SOURCENAME,SERVERNAME);

    The new() method creates a new EventLog object and returns a handle to it. This handle is then used to call the methods below.

    The method is overloaded in that if the supplied SOURCENAME argument contains one or more literal '\' characters (an illegal character in a SOURCENAME), it assumes that you are trying to open a backup eventlog and uses SOURCENAME as the backup eventlog to open. Note that when opening a backup eventlog, the SERVERNAME argument is ignored (as it is in the underlying Win32 API). For EventLogs on remote machines, the SOURCENAME parameter must therefore be specified as a UNC path.

    - wil
Re: reading .evt logs (Win32)
by screamingeagle (Curate) on Jul 02, 2002 at 14:44 UTC
    the win32 api to read the event log is:

    BOOL ReadEventLog(
        HANDLE hEventLog,                  // handle to event log
        DWORD  dwReadFlags,                // how to read log
        DWORD  dwRecordOffset,             // initial record offset
        LPVOID lpBuffer,                   // buffer for read data
        DWORD  nNumberOfBytesToRead,       // bytes to read
        DWORD  *pnBytesRead,               // number of bytes read
        DWORD  *pnMinNumberOfBytesNeeded   // bytes required
    );
    i guess you could use Win32::API to call this API and read the event logs...
    hth
Re: reading .evt logs (Win32)
by BrowserUk (Patriarch) on Jul 02, 2002 at 15:26 UTC

    If you only have a few .evt files to process, you could always load them up with the Viewer and then re-save them in CSV format. If it's more than a few, you could try using a macro-recorder to automate the process.

    The downside of this is that you lose the "binary data" from the events. This may or may not be a problem depending on your need.

    One thing to be aware of is that some programs log the text parts of their "binary data" in straight ascii. Others use utf-8 or utf-16. Perling your way around that may cause a few headaches.
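Putting wil's point (a backslash in SOURCENAME makes new() open a backup file) together with BrowserUk's caveat about losing the binary data, here is an added example that is not code from the thread: it walks a saved security .evt file record by record with Win32::EventLog and writes one tab-separated text line per event, keeping the Data field as hex. The path C:\logs\security.evt, the output name security.txt and the column layout are assumptions.

```perl
use strict;
use warnings;
use Win32::EventLog;   # bundled with ActivePerl / Strawberry Perl on Windows

# Assumed placeholders: the backed-up log to read and the text file to write.
my $backup = 'C:\\logs\\security.evt';
my $out    = 'security.txt';

# Ask the module to resolve the human-readable Message for every record read.
$Win32::EventLog::GetMessageText = 1;

# Backslashes in SOURCENAME make new() open a backup file instead of a live log.
my $log = Win32::EventLog->new($backup)
    or die "Cannot open backup event log '$backup': $^E\n";

open my $fh, '>', $out or die "Cannot write '$out': $!\n";

my %type_name = (
    EVENTLOG_ERROR_TYPE()       => 'Error',
    EVENTLOG_WARNING_TYPE()     => 'Warning',
    EVENTLOG_INFORMATION_TYPE() => 'Information',
    EVENTLOG_AUDIT_SUCCESS()    => 'Audit Success',
    EVENTLOG_AUDIT_FAILURE()    => 'Audit Failure',
);

my $n = 0;
my %rec;
while ($log->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, \%rec)) {
    my $when = localtime $rec{TimeGenerated};   # epoch seconds -> local time
    my $id   = $rec{EventID} & 0xFFFF;          # low 16 bits = the familiar event number
    my $type = exists $type_name{$rec{EventType}} ? $type_name{$rec{EventType}} : $rec{EventType};
    my $user = defined $rec{User} ? $rec{User} : '';

    # Message is empty when the source's message DLL is not registered on the
    # machine doing the reading; fall back to the NUL-separated insertion strings.
    my $msg = (defined $rec{Message} && length $rec{Message})
            ? $rec{Message}
            : join ' | ', grep { length } split /\0/, $rec{Strings};
    $msg =~ s/\s*\r?\n\s*/ /g;                  # keep one record per output line

    # Keep the binary Data field as hex rather than dropping it like the CSV export does.
    my $data = (defined $rec{Data} && length $rec{Data}) ? unpack('H*', $rec{Data}) : '';

    printf $fh "%s\t%s\t%s\t%u\t%s\t%s\t%s\n",
        $when, $type, $rec{Source}, $id, $user, $msg, $data;
    $n++;
}
close $fh;
$log->Close;
print "Wrote $n records from $backup to $out\n";
```

Message text for a backup log can only be resolved when the originating sources' message DLLs are registered on the machine running the script; the Strings fallback keeps the record usable either way.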
