ReadEventLog: Getting Strings, SID and Data 
 ReadEventLog: Getting Strings, SID and Data

Hi All,

  How can I get to the associated descriptions, SID (not that important),
and Data members of EVENTLOGRECORD in ReadEventLog?

  I am able to get to the other members past the end of the struct, but not
the rest.  StringOffset and DataOffset don't always give me the right info.

  Here's the main loop based on a few MSDN articles.  I can post/email the
complete code if it's required.  BUFFER_SIZE is 4096.

 Thanks in advance

  -- Dev

'************ Code Start ************
    pevlr = VarPtr(abytBuffer(0))
    '    // Opening the event log positions the file pointer for this
    '   // handle at the beginning of the log. Read the records
    '   // sequentially until there are no more.
    Do While Not (apiReadEventLog(hLog, mlngReadFlag, 0, _
                            abytBuffer(0), BUFFER_SIZE, dwRead, dwNeeded) = 0)
        Do While dwRead > 0
            '// The source name is just past the end of the formal structure.
            '     printf("%02d  Event ID: 0x%08X ",
            '           dwThisRecord++, pevlr->EventID);
            '       printf("EventType: %d Source: %s\n",
            '           pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
            '               sizeof(EVENTLOGRECORD)));
            '       dwRead -= pevlr->Length;
            '       pevlr = (EVENTLOGRECORD *)
            '           ((LPBYTE) pevlr + pevlr->Length);
                '}
            '   pevlr = (EVENTLOGRECORD *) &bBuffer;
            '//
            '
            Call sapiCopyMem(lpLog, ByVal pevlr, LenB(lpLog))
            Debug.Print " Event ID: &H" & Hex$(lpLog.EventID),
            Debug.Print " Event Type: " & _
                                fGetEventType(CLng(lpLog.EventType)),  'OK
            Debug.Print " TimeGenerated: " & fGetTime(lpLog.TimeGenerated), 'OK
            Debug.Print " TimeWritten: " & fGetTime(lpLog.TimeWritten)   'OK

            'SourceName is directly after the struct
            Debug.Print " Source: " & fStringFromPtr(pevlr + Len(lpLog)), 'OK

            'ComputerName is after
            '// TCHAR SourceName[]
            'so, it's pevlr + Len(struct) + len(Struct.Source) + 1
            lpSize = pevlr + Len(lpLog)
            Debug.Print " ComputerName: " & fStringFromPtr(lpSize _
                                                + apilstrlen(lpSize) + 1), 'OK

            'SID is after
            '// TCHAR Computername[]
            'Debug.Print " SID: " & fGetUserInfo(lpLog)   'Doesn't work

            '// TCHAR Strings[]
            'is after SID
            'so it's
            '   pevlr + len(struct)+len(SourceName[]) + Len(ComputerName) + struct.UserSidLength +1
            'lpSize = pevlr + Len(lpLog)                       '//SizeOf
            'lpSize = lpSize + apilstrlen(lpSize) + 1        '//SourceName
            'lpSize = lpSize + (apilstrlen(lpSize) + 1)     '//ComputerName
            'lpSize = lpSize + lpLog.UserSidLength + 1     '//SID

            'Debug.Print "Description:  " & fStringFromPtr(lpSize)
            'Doesn't work

            dwRead = dwRead - lpLog.Length
            pevlr = pevlr + lpLog.Length
         Loop
         pevlr = VarPtr(abytBuffer(0))
    Loop
'************ Code End **************



Fri, 26 Oct 2001 03:00:00 GMT  
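
Added example, not from this thread, from MSDN or from the L.J. Johnson sample mentioned later: a Python parser for the EVENTLOGRECORD layout that the VB loop above walks by hand. It builds its own sample buffer (constructed data, not a real log) rather than calling ReadEventLog, and it assumes the ANSI layout (ReadEventLogA, which the lstrlen-based VB code implies; with ReadEventLogW the strings would be UTF-16). The two points it demonstrates are the ones the VB arithmetic trips over: StringOffset, UserSidOffset and DataOffset are byte offsets from the start of that record (pevlr), not from the buffer, and the SID sits on a DWORD boundary after Computername, so stepping past the two names with "+ 1" lands in padding. Note that the record holds only the insertion strings; the description text is a template that lives in the source's message file and is combined with those strings by FormatMessage, which is outside this example. The parser also checks the 'LfLe' signature and that Length stays inside the bytes actually read, so a malformed record stops the walk instead of reading past the buffer.

```python
import struct

# Fixed part of EVENTLOGRECORD as laid out in winnt.h: six DWORDs, four WORDs,
# six DWORDs, all little-endian; sizeof(EVENTLOGRECORD) == 56.
_FIXED = struct.Struct("<IIIIIIHHHHIIIIII")
_FIELDS = ("Length", "Reserved", "RecordNumber", "TimeGenerated", "TimeWritten",
           "EventID", "EventType", "NumStrings", "EventCategory", "ReservedFlags",
           "ClosingRecordNumber", "StringOffset", "UserSidLength", "UserSidOffset",
           "DataLength", "DataOffset")
ELF_LOG_SIGNATURE = 0x654C664C   # the bytes 'LfLe' every record carries in Reserved


def _cstr(buf, pos):
    """Read a NUL-terminated ANSI string (ReadEventLogA layout) starting at pos."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def sid_to_string(sid):
    """Render a binary SID (Revision, SubAuthorityCount, 48-bit big-endian
    IdentifierAuthority, DWORD sub-authorities) in S-1-... form."""
    if len(sid) < 8 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("SID length does not match its SubAuthorityCount")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)
    return "S-%d-%d" % (sid[0], authority) + "".join("-%d" % s for s in subs)


def parse_record(buf, start):
    """Parse one EVENTLOGRECORD beginning at buf[start] (the VB code's pevlr)."""
    hdr = dict(zip(_FIELDS, _FIXED.unpack_from(buf, start)))
    if hdr["Reserved"] != ELF_LOG_SIGNATURE:
        raise ValueError("no 'LfLe' signature at offset %d" % start)
    if hdr["Length"] < _FIXED.size + 4 or start + hdr["Length"] > len(buf):
        raise ValueError("record Length runs past the buffer; not reading beyond it")
    # SourceName and Computername follow the fixed part directly and are the only
    # members that must be walked. SID, Strings and Data are found through their
    # offsets, which are relative to the record start, never to the buffer start.
    source, pos = _cstr(buf, start + _FIXED.size)
    computer, pos = _cstr(buf, pos)
    sid = None
    if hdr["UserSidLength"]:
        so = start + hdr["UserSidOffset"]     # DWORD-aligned: padding after Computername
        sid = sid_to_string(buf[so:so + hdr["UserSidLength"]])
    strings, pos = [], start + hdr["StringOffset"]
    for _ in range(hdr["NumStrings"]):         # NumStrings consecutive NUL-terminated strings
        s, pos = _cstr(buf, pos)
        strings.append(s)
    do = start + hdr["DataOffset"]
    data = bytes(buf[do:do + hdr["DataLength"]])
    return {"header": hdr, "source": source, "computer": computer,
            "sid": sid, "strings": strings, "data": data}


def iter_records(buf, bytes_read):
    """Walk the records in a ReadEventLog output buffer, like the Do While dwRead > 0 loop."""
    pos = 0
    while pos < bytes_read:
        rec = parse_record(buf, pos)
        yield rec
        pos += rec["header"]["Length"]


def build_record(record_number, event_id, source, computer, sid, strings, data, event_type=4):
    """Construct a record with the real layout so the parser can be exercised offline."""
    body = source.encode("latin-1") + b"\x00" + computer.encode("latin-1") + b"\x00"
    body += b"\x00" * (-len(body) % 4)             # pad: UserSid starts on a DWORD boundary
    sid_off = _FIXED.size + len(body) if sid else 0
    body += sid or b""
    str_off = _FIXED.size + len(body)
    body += b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    data_off = _FIXED.size + len(body)
    body += data
    body += b"\x00" * (-(_FIXED.size + len(body)) % 4)   # pad before the trailing Length copy
    length = _FIXED.size + len(body) + 4
    hdr = _FIXED.pack(length, ELF_LOG_SIGNATURE, record_number, 0, 0, event_id,
                      event_type, len(strings), 0, 0, 0, str_off,
                      len(sid or b""), sid_off, len(data), data_off)
    return hdr + body + struct.pack("<I", length)


# Constructed sample buffer (not real log data): two records, the first carrying the
# LocalSystem SID S-1-5-18 and two insertion strings, the second with no SID at all.
LOCAL_SYSTEM_SID = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])
SAMPLE_BUFFER = (build_record(1, 0x80000001, "TestSource", "HOST1", LOCAL_SYSTEM_SID,
                              ["first", "second"], b"\x01\x02\x03\x04")
                 + build_record(2, 0x00000002, "OtherSrc", "HOST1", None, [], b""))


def demo(buf=SAMPLE_BUFFER):
    """Return the parsed records, i.e. what the VB loop would Debug.Print for each one."""
    return list(iter_records(buf, len(buf)))


if __name__ == "__main__":
    for r in demo():
        print(hex(r["header"]["EventID"]), r["source"], r["computer"],
              r["sid"], r["strings"], r["data"])
```

In the VB code this corresponds to computing lpSize = pevlr + lpLog.UserSidOffset for the SID, pevlr + lpLog.StringOffset for the first of lpLog.NumStrings strings (each one found from the previous with lstrlen + 1), and pevlr + lpLog.DataOffset for the lpLog.DataLength bytes of Data, all taken from the same pevlr that sapiCopyMem read the header from.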
 ReadEventLog: Getting Strings, SID and Data
Hi Dev,

Not sure if this helps you any but did you take a look at
http://www.netfokus.dk/vbadmincode/ for wp0396?

If you don't mind could you send on a copy of your code.

--
Calum Reay
Director / Senior Analyst Programmer
Paradox Contracting Ltd
http://www.pcltd.co.uk
http://www.pcltd.co.uk/access


Quote:
> Hi All,

>   How can I get to the associated descriptions, SID (not that important),
> and Data members of EVENTLOGRECORD in ReadEventLog?

>   I am able to get to the other members past the end of the struct, but
not
> the rest.  StringOffset and DataOffset don't always give me the right
info.

>   Here's the main loop based on a few MSDN articles.  I can post/email the
> complete code if it's required.  BUFFER_SIZE is 4096.

>  Thanks in advance

>   -- Dev

> '************ Code Start ************
>     pevlr = VarPtr(abytBuffer(0))
>     '    // Opening the event log positions the file pointer for this
>     '   // handle at the beginning of the log. Read the records
>     '   // sequentially until there are no more.
>     Do While Not (apiReadEventLog(hLog, mlngReadFlag, 0, _
>                             abytBuffer(0), BUFFER_SIZE, dwRead, dwNeeded) = 0)
>         Do While dwRead > 0
>             '// The source name is just past the end of the formal structure.
>             '     printf("%02d  Event ID: 0x%08X ",
>             '           dwThisRecord++, pevlr->EventID);
>             '       printf("EventType: %d Source: %s\n",
>             '           pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
>             '               sizeof(EVENTLOGRECORD)));
>             '       dwRead -= pevlr->Length;
>             '       pevlr = (EVENTLOGRECORD *)
>             '           ((LPBYTE) pevlr + pevlr->Length);
>                 '}
>             '   pevlr = (EVENTLOGRECORD *) &bBuffer;
>             '//
>             '
>             Call sapiCopyMem(lpLog, ByVal pevlr, LenB(lpLog))
>             Debug.Print " Event ID: &H" & Hex$(lpLog.EventID),
>             Debug.Print " Event Type: " & _
>                                 fGetEventType(CLng(lpLog.EventType)),  'OK
>             Debug.Print " TimeGenerated: " & fGetTime(lpLog.TimeGenerated), 'OK
>             Debug.Print " TimeWritten: " & fGetTime(lpLog.TimeWritten)   'OK

>             'SourceName is directly after the struct
>             Debug.Print " Source: " & fStringFromPtr(pevlr + Len(lpLog)), 'OK

>             'ComputerName is after
>             '// TCHAR SourceName[]
>             'so, it's pevlr + Len(struct) + len(Struct.Source) + 1
>             lpSize = pevlr + Len(lpLog)
>             Debug.Print " ComputerName: " & fStringFromPtr(lpSize _
>                                                 + apilstrlen(lpSize) + 1), 'OK

>             'SID is after
>             '// TCHAR Computername[]
>             'Debug.Print " SID: " & fGetUserInfo(lpLog)   'Doesn't work

>             '// TCHAR Strings[]
>             'is after SID
>             'so it's
>             '   pevlr + len(struct)+len(SourceName[]) + Len(ComputerName) + struct.UserSidLength +1
>             'lpSize = pevlr + Len(lpLog)                       '//SizeOf
>             'lpSize = lpSize + apilstrlen(lpSize) + 1        '//SourceName
>             'lpSize = lpSize + (apilstrlen(lpSize) + 1)     '//ComputerName
>             'lpSize = lpSize + lpLog.UserSidLength + 1     '//SID

>             'Debug.Print "Description:  " & fStringFromPtr(lpSize)
>             'Doesn't work

>             dwRead = dwRead - lpLog.Length
>             pevlr = pevlr + lpLog.Length
>          Loop
>          pevlr = VarPtr(abytBuffer(0))
>     Loop
> '************ Code End **************



Sat, 27 Oct 2001 03:00:00 GMT  
 ReadEventLog: Getting Strings, SID and Data
Hi Calum,

  Yes, I believe that's the example from L.J. Johnson.  He directed me today
towards the same, but I was already too far along in terms of translating C
code from MSDN.  I haven't yet had a chance to go through his sample.  Guess
I didn't search enough.  :-(

    The code is still very messy, so I'll avoid some embarrassment and hold
back posting it publicly till I can clean it up. <g>

    -- Dev


: Hi Dev,
:
: Not sure if this helps you any but did you take a look at
: http://www.netfokus.dk/vbadmincode/ for wp0396?
:
: If you dont mind could you send on a copy of your code.
:
<snip>



Sat, 27 Oct 2001 03:00:00 GMT  
 