Hi,

Recently, I've had to read the Windows Event Log and I used the logparser tool
http://www.microsoft.com/DownLoads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

I found this was the most convenient way to parse the event log. Sample code:

LogParser.exe -stats:OFF "select EventType,TimeGenerated,SourceName,EventID,Strings,message from C:/WINDOWS/system32/config/sysevent.evt where (eventid=50 or EventType=1 or eventid=1074)" -i:EVT -o:CSV

Bour9

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Bill Luebkert
> Sent: Monday, 9 February 2009 05:51
> To: Chandra, Ramesh H.S. IN BLR SISL
> Cc: [email protected]
> Subject: Re: How do I read the event header using Win32::EventLog?
>
> Chandra, Ramesh H.S. IN BLR SISL wrote:
>
> > Hello,
> >
> > How do I read the "event header" from the event logs on a
> > Windows machine?
> >
> > I have the Win32::EventLog module and I am able to read the
> > message. But I would like to get the 'date' and 'time' of the event
> > which occurred.
> > So, how do I get the date and time of an event using the
> > Win32::EventLog module?
>
> You're supposed to insert code to be scrutinized to elicit suggestions
> on how to fix it.
>
> Starting with the example in the pod section and fixing it for strict:
>
> use strict;
> use warnings;
> use Win32::EventLog;
> use Data::Dumper;    # needed for the Data::Dumper->Dump call below
>
> my $base = 0;
> my $recs = 0;
>
> # Open the System log and find out how many records it holds and
> # which record number is the oldest one still present.
> my $handle = Win32::EventLog->new("System") or die "Open System Log: $! ($^E)";
> $handle->GetNumber($recs) or die "Get number of records: $! ($^E)";
> print "recs=$recs\n";
> $handle->GetOldest($base) or die "Get oldest record: $! ($^E)";
> print "base=$base\n";
>
> my $x = 0;
> my $hashref;
> while ($x < $recs) {
>     # Seek directly to record $base + $x; Read fills $hashref with the
>     # record's header fields (TimeGenerated, EventID, Source, ...).
>     $handle->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, $base + $x,
>                   $hashref) or die "Read entry '$x': $! ($^E)";
>     if ($hashref->{Source} eq "EventLog") {
>         # Expand the message template with the record's insertion strings.
>         Win32::EventLog::GetMessageText($hashref);
>         print "Entry $x: $hashref->{Message}\n";
>         print Data::Dumper->Dump([$hashref], [qw($hashref)]);
>     }
>     ++$x;
> }
>
> __END__
>
> This is what a dump of the hashref looks like - all the info should
> be in there:
>
> $hashref = {
>     'Category' => 0,
>     'ClosingRecordNumber' => 0,
>     'Computer' => 'computername',
>     'Data' => '',
>     'EventID' => '-2147477639',
>     'EventType' => 4,
>     'Length' => 0,
>     'Message' => 'Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
> ',
>     'RecordNumber' => 25753,
>     'Source' => 'EventLog',
>     'Strings' => '5.01. 2600 Service Pack 3 Uniprocessor Free ',
>     'TimeGenerated' => 1228652519,
>     'Timewritten' => 1228652519,
>     'User' => ''
> };
>
> _______________________________________________
> ActivePerl mailing list
> [email protected]
> To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
