
Re: A question regarding Win32::EventLog

by nerfherder (Monk)
on Feb 02, 2005 at 00:29 UTC ( #427105=note )

in reply to A question regarding Win32::EventLog

I've tried your code, and the only garbage I see is an excess of carriage returns in the output of one log entry that documents a hungapp Explorer.exe hang... Is this what you're getting?

I tried regexing the CRs out of the output with s/\r//;, to no avail. I guess they are in the log file (corrupt logfile?), but it's hard to tell because my C:\WINDOZE\system32\config\AppEvent.Evt is in a goofy binary format... You've piqued my curiosity; let me know if you have any other info. For instance: what did your "garbage" output look like?

Re^2: A question regarding Win32::EventLog
by sidhartha (Acolyte) on Feb 02, 2005 at 06:34 UTC
    Yeah, I spent a little time trying to fix the CRs, to no avail. One thing I notice is that the Event ID field doesn't always report accurately. Here is a sample I ran through the Windows findstr command (I'm getting around to just installing Cygwin):
    perl | findstr UserID
    EventID 8001
    EventID 8000
    EventID 1073743528
    EventID 11707
    EventID 1004
    EventID 1073743528
    EventID 1073743528
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 11707
    EventID 11707
    EventID 11707
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1269629470
    EventID 1000
    Those 10-digit numbers are a mystery. The other ones, like 1000, seem to match up correctly. In addition, there is literal garbage in parts; here is a sample:
    Thanks for your response. I'm gonna look at it some more tomorrow and I'll let you know if I can figure out anything further.
      Hi Sid, I can't quite figure out where those characters are coming from, but for the event ID bit, this should fix it:
      foreach my $key (keys %$hashRef) {
          if ($key =~ /EventID/) {
              # keep only the low 16 bits of the raw 32-bit value:
              # that is the event code Event Viewer displays
              my $id = ($hashRef->{$key} & 0xffff);
              print $key . "\t" . "\"$id\"" . "\n";
          }
      }
      hth !!

      Ok, I am seeing the chars being printed against the name field. I still don't know how to fix it to print the name field, but this should give you the SID for the UID instead.
      elsif ($key =~ /User/) {
          # the User field is a binary SID, so dump every byte as hex
          # ("H" . 2 * length is the same as "H*")
          my $sid = unpack("H" . 2 * length($hashRef->{$key}), $hashRef->{$key});
          print "User SID: " . "\t" . "\"$sid\" " . "\n";
      }
        Wow that certainly does do the trick thank you very much! If you don't mind can you tell me what is exactly going on here?
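An added worked example to answer the question above (editor's code, not written by any of the posters). It shows what the two replies are doing: the EventID that Win32::EventLog returns is the whole 32-bit Windows message identifier, with severity bits at the top, the customer flag, a facility number, and the event code in the low 16 bits, which is why 1073743528 (0x40000BA8) only "matches" Event Viewer after masking with 0xffff; and the User field is the raw binary SID, so printing it as text gives garbage while unpacking it as hex (or, better, as the S-1-5-... string) gives the identity. It also strips the carriage returns that s/\r// without /g leaves behind. The sample event IDs are the ones from the findstr output; the two SIDs and the message text are constructed inline so the script runs on any platform without an event log.

```perl
#!/usr/bin/perl
# Added worked example for this thread (not code from any of the posters).
# Decodes the two raw values Win32::EventLog hands back, on constructed data.
use strict;
use warnings;

# Split the 32-bit EventID DWORD the way Windows message identifiers are
# laid out: bits 31-30 severity, bit 29 the "customer" flag, bits 27-16
# the facility, bits 15-0 the code that Event Viewer displays.
# Masking with 0xffff, as in the reply above, keeps only that last part.
sub decode_event_id {
    my ($raw) = @_;
    my @severity = qw(Success Informational Warning Error);
    return {
        code     => $raw & 0xFFFF,
        facility => ($raw >> 16) & 0x0FFF,
        customer => ($raw >> 29) & 1,
        severity => $severity[ ($raw >> 30) & 3 ],
    };
}

# Convert a binary SID (what the User field holds) into S-R-A-S1-S2... form.
# Layout: revision (1 byte), sub-authority count (1 byte), identifier
# authority (6 bytes, big-endian), then `count` little-endian 32-bit
# sub-authorities. Returns nothing for data that does not fit that shape.
sub sid_to_string {
    my ($bin) = @_;
    return unless defined $bin && length($bin) >= 8;
    my ($rev, $count, @auth) = unpack 'C C C6', $bin;
    return unless $rev == 1 && length($bin) == 8 + 4 * $count;
    my $authority = 0;
    $authority = $authority * 256 + $_ for @auth;
    my @subs = $count ? unpack("x8 V$count", $bin) : ();
    return join '-', 'S', $rev, $authority, @subs;
}

# Event message strings carry CRLF line ends; s/\r// without /g removes
# only the first CR, so delete every one of them instead.
sub strip_cr {
    my ($text) = @_;
    $text =~ tr/\r//d;
    return $text;
}

# Constructed samples: the three shapes of raw EventID seen in the findstr
# output above, plus two hand-packed SIDs (BUILTIN\Administrators,
# S-1-5-32-544, and LocalSystem, S-1-5-18) standing in for the User field.
my @raw_ids = (1000, 11707, 1073743528, 1269629470);
for my $raw (@raw_ids) {
    my $e = decode_event_id($raw);
    printf "EventID %-10u -> 0x%08X code %-5u facility %-4u %s%s\n",
        $raw, $raw, $e->{code}, $e->{facility}, $e->{severity},
        $e->{customer} ? ' (customer bit set)' : '';
}

my %sids = (
    'BUILTIN\Administrators' => pack('C C C6 V2', 1, 2, 0, 0, 0, 0, 0, 5, 32, 544),
    'LocalSystem'            => pack('C C C6 V',  1, 1, 0, 0, 0, 0, 0, 5, 18),
);
for my $name (sort keys %sids) {
    my $bin = $sids{$name};
    printf "%-22s hex %s -> %s\n", $name, unpack('H*', $bin), sid_to_string($bin);
}

# Constructed message text with the CRLF endings the hungapp entry shows.
print strip_cr("Hanging application Explorer.exe\r\nversion 6.0.2900.2180\r\n");
```

Run with plain `perl`; the only Windows-specific step is left out. On a real Windows host, once you have the SID string or the raw bytes, Win32::LookupAccountSID from the core Win32 module resolves it to a domain and account name, which is what the "name field" in the reply above was after. Note that the facility of 2989 (0xBAD) decoded from 1269629470 is whatever the logging application put there; the script only reports the bit fields, it does not validate them.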
