Sign in to follow this  
Followers 0
RedneckTech

_EventLog_Read possible issue with the function?

8 posts in this topic

Anyone played with this enough?

$hEventLog = _EventLog_Open("", "System")

_EventLog_Read($hEventLog, True, False)

Works

$hEventLog = _EventLog_Open("", "System")

_EventLog_Read($hEventLog, False, either, anything)

Fails. Doesnt error, but pulls nothing

I have tried putting in variables, positive integers, negative integers, and other commands while using both true and false for flag2, but if flag 1 is False nothing will read. This does not work as I want to use the following inside of a while loop

_EventLog_Read($hEventLog, False, False, $n)

with an ever increasing $n.

Really needing some help on here. if there's something im missing it would be greatly appreciated.

Share this post


Link to post
Share on other sites



Hi, RedNeckTech. If you want to return a specific field from the Event Log, you have to specify the array index. This works for me:

#include <EventLog.au3>

$hEventLog = _EventLog__Open("", "System")

For $i = 1 To 10
$aEvent = _EventLog__Read($hEventLog, True, False, $i)
  MsgBox(0, "", $aEvent[13])
Next

√-1 2^3 ∑ π, and it was delicious!

Share this post


Link to post
Share on other sites

sorry. i have done that. here is what i have. same issue applies:

#include <EventLog.au3>
#include <date.au3>

$n = 1
$timediff = 0
While $timediff < 24
   $hEventLog = _EventLog__Open("", "System")
   $aEvent = _EventLog__Read($hEventLog, False, False, 0)
   $timearray = StringSplit( $aEvent[5], ":")
   MsgBox(0, "", $aEvent[4])
   MsgBox(0, "", $aEvent[5])
   $datearray = StringSplit( $aEvent[4], "/")
   MsgBox(0, "", $datearray[0])
   $24hour = $timearray[1]
   If StringInStr ( $aEvent[5], "PM" ) Then
      MsgBox(0, "", "PM")
      $24hour = $timearray[1] + 12
   EndIf
   If $datearray[2] <> @MDAY Then
      MsgBox(0, "", $datearray[2])
      $24hour = $24hour + 24
   EndIf
   $hours = @HOUR
   $timediff = $hours - $24hour
   If $timediff < 24 Then
      ;_Analyze()
      $n = $n + 1
   EndIf
WEnd

Func Analyze()
   If $aEvent [10] = "Windows AntiMalware" Then
      If $aEvent[8] <> "information" Then
         FileOpen (@WorkingDir & "WinAMLog.txt", 1)
         FileWriteLine ( @WorkingDir & "WinAMLog.txt", $aEvent[2] & " " & $aEvent[3] & " - " & $aEvent[13] )
      EndIf
   EndIf
EndFunc

Share this post


Link to post
Share on other sites

Have tried it with $hEventLog inside and outside of the while loop. and when i get a decent first test run i will cleanup. i just need to get something from that first _EventLog_Read pass and i can roll from there

Share this post


Link to post
Share on other sites

working backwards from the latest entry, i believe:

#Include <EventLog.au3>
#Include <Array.au3>

$hEventLog = _EventLog__Open("", "System")
$eventArray = _EventLog__Read($hEventLog, True, False)
_ArrayDisplay ($eventArray)

for $i = $eventArray[1] - 1 to 0 step - 1
$loopArray = _EventLog__Read($hEventLog, False, False, $i)
_ArrayDisplay ($loopArray)
next

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

when i try it with "false" as flag 1 i get blank results no matter what i have setup. the work backwards is supposed to be flag 2

Share this post


Link to post
Share on other sites

I cant say i understand exactly all the flags, but if you want to get a starting point and an ending point, this is how i would do so. Whether you work forward or backward is of no consequence. Its just the $n will need to be increasing from a number that is valid (the lowest of which is 71214 in my system log).

#Include <EventLog.au3>
#Include <Array.au3>

$hEventLog = _EventLog__Open("", "System")
$eventArray1 = _EventLog__Read($hEventLog, True, False)
_ArrayDisplay ($eventArray1) ; the highest number
$hEventLog = _EventLog__Close($hEventLog)

$hEventLog = _EventLog__Open("", "System")
$eventArray2 = _EventLog__Read($hEventLog, True, True)
_ArrayDisplay ($eventArray2) ; the lowest number
$hEventLog = _EventLog__Close($hEventLog)

$hEventLog = _EventLog__Open("", "System")
for $i = $eventArray1[1] to $eventArray2[1] step - 1
$loopArray = _EventLog__Read($hEventLog, False, False, $i)
_ArrayDisplay ($loopArray)
next
$hEventLog = _EventLog__Close($hEventLog)

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Share this post


Link to post
Share on other sites

Thanks. didnt know that it went off record number rather than "position"

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0