Search and display eventlog entry

antmar904

Hi All,

I would like to search the "System" event log for any event that contains "PowerBroker for Windows detected a UAC prompt" in the "General" tab and show it in a GUI or msgbox window.

Can someone help me out getting started?

JLogan3o13

Help file - begin with _EventLog__Open

Edit: Bored. Try something like this:

#include <EventLog.au3>

; Open the System log on the local machine ("" = local) and get the record count
$hLog = _EventLog__Open("", "System")
$sCount = _EventLog__Count($hLog)

; Walk from the newest record to the oldest
For $i = $sCount To 1 Step -1
    $aEvent = _EventLog__Read($hLog, True, False, $i)
    ; $aEvent[13] is the event description (the text shown on the "General" tab)
    If StringInStr($aEvent[13], "PowerBroker for Windows detected ") Then
        MsgBox(0, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
    EndIf
Next

_EventLog__Close($hLog)

√-1 2^3 ∑ π, and it was delicious!

How to get your question answered on this forum!

antmar904

@JLogan,

That worked great, thank you.

Can you please help me understand this part:

For $i = $sCount To 1 Step -1

    $aEvent = _EventLog__Read($hLog, True, False, $i)

    If StringInStr($aEvent[13], "PowerBroker for Windows detected ") Then

JLogan3o13

It is in the help file, but you begin by opening the log. You are then reading from the last (most recent) entry to the first (oldest). For each entry you read, if part of the description includes the text you're looking for, then do something with that entry.


antmar904

Thank you.

antmar904
Is there a way to display all its findings in an easier-to-read GUI instead of a msgbox?
 
I ask because sometimes there can be hundreds of events and having to click "OK" to see the next one can be a lot of work.

antmar904

I'm trying to write all the events that are found, with all the arrays mentioned, but I'm not getting any output:

#include <EventLog.au3>
#include <GUIConstantsEx.au3>

$sFilePath = "C:\test.log"

$hFileOpen = FileOpen($sFilePath)

$hLog = _EventLog__Open("", "System")

$sCount = _EventLog__Count($hLog)


For $i = $sCount To 1 Step -1

    $aEvent = _EventLog__Read($hLog, True, False, $i)

    If StringInStr($aEvent[13], "PowerBroker for Windows detected a UAC prompt") Then

        ;MsgBox(0, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
        FileWrite($hFileOpen, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])

    EndIf

Next

JLogan3o13

A couple of things:

  • The default mode for FileOpen, since you don't specify it, is Read Only. Check the help file for the parameter you need to fix this.
  • You also had some syntactical errors in your FileWrite line, see below (extra comma, missing &)
FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
antmar904

@JLogan,

Thank you

This is what I have so far, and it is working:

#include <EventLog.au3>

$sFilePath = "C:\temp\PB_UAC_Prompt.log"

; Mode 1 = append (the default mode 0 is read-only)
$hFileOpen = FileOpen($sFilePath, 1)

$hLog = _EventLog__Open("", "System")
$sCount = _EventLog__Count($hLog)

; Newest record to oldest
For $i = $sCount To 1 Step -1
    $aEvent = _EventLog__Read($hLog, True, False, $i)
    ; $aEvent[13] is the description text
    If StringInStr($aEvent[13], "PowerBroker for Windows detected a UAC prompt") Then
        ;MsgBox(0, "Record Number: " & $aEvent[1], "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13])
        FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & @CRLF & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13] & @CRLF & @CRLF)
    EndIf
Next

FileClose($hFileOpen)
_EventLog__Close($hLog)

However the output is not very nice.

How can I make the "Description" array easier to read in the text file? Right now it is all one line.

PB_UAC_Prompt.txt

kylomas

antmar,

Right now it is all one line.

 

The output text for Description is not one line; however, each line is terminated by a CR (as opposed to a CRLF).

You can change that by changing all CR's to CRLF's. 

Something like this...

$aEvent[13] = stringreplace($aEvent[13],@CR,@CRLF)

I can't test anything as I don't have UAC on.

edit: Note, in this case it works because the string you are changing only contains CR's.  This will NOT work for strings containing a mix of CR's and CRLF's.


Forum Rules         Procedure for posting code

"I like pigs.  Dogs look up to us.  Cats look down on us.  Pigs treat us as equals."

- Sir Winston Churchill
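Putting JLogan3o13's newest-to-oldest read loop together with kylomas's point about CR versus CRLF, here is an added example that is not code from anyone in this thread. It differs from the thread's scripts in a few ways that are my own choices: it loops over absolute record numbers starting from _EventLog__Oldest (so it still works after the log has wrapped or been cleared, where record numbers no longer start at 1), it normalises any mix of CR, LF and CRLF to CRLF with a regular expression (the mixed case kylomas said a plain StringReplace cannot handle), it also writes the Source and Event ID fields ($aEvent[10] and $aEvent[6]), and it closes both the file and the log handle. The log name, search text and output path are assumptions taken from the thread; the output goes under @TempDir so the script can be run as-is.

```autoit
; Added example: export System-log records whose description contains a
; given text, with line endings normalised so each line shows in Notepad.
#include <EventLog.au3>

; Assumed values, taken from the thread; change to suit.
Global Const $g_sLogName = "System"
Global Const $g_sNeedle = "PowerBroker for Windows detected a UAC prompt"
Global Const $g_sOutFile = @TempDir & "\PB_UAC_Prompt.log"

; Turn any mix of CR, LF and CRLF into CRLF. A plain
; StringReplace($s, @CR, @CRLF) would turn an existing CRLF into CR LF LF.
Func _NormaliseLineEndings($sText)
    Return StringRegExpReplace($sText, "\r\n|\r|\n", @CRLF)
EndFunc

; Build one record block for the output file.
; Array layout from _EventLog__Read: [1] record number, [2] submitted date,
; [3] submitted time, [6] event ID, [10] source, [13] description.
Func _FormatRecord(ByRef $aEvent)
    Local $sRec = "Record Number: " & $aEvent[1] & @CRLF
    $sRec &= "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF
    $sRec &= "Source: " & $aEvent[10] & "  Event ID: " & $aEvent[6] & @CRLF
    $sRec &= "Description: " & _NormaliseLineEndings($aEvent[13]) & @CRLF
    $sRec &= "-------------------------------" & @CRLF
    Return $sRec
EndFunc

; Returns the number of matching records written, or -1 with @error set.
Func _ExportMatchingEvents($sLogName, $sNeedle, $sOutFile)
    Local $hLog = _EventLog__Open("", $sLogName)
    If $hLog = 0 Then Return SetError(1, 0, -1)

    ; Mode 2 = overwrite (1 would append); the default mode 0 is read-only.
    Local $hFile = FileOpen($sOutFile, 2)
    If $hFile = -1 Then
        _EventLog__Close($hLog)
        Return SetError(2, 0, -1)
    EndIf

    ; Record numbers are absolute: the first live record is _EventLog__Oldest,
    ; not 1, once the log has wrapped. Walk newest to oldest.
    Local $iOldest = _EventLog__Oldest($hLog)
    Local $iCount = _EventLog__Count($hLog)
    Local $iFound = 0
    For $i = $iOldest + $iCount - 1 To $iOldest Step -1
        Local $aEvent = _EventLog__Read($hLog, True, False, $i)
        If @error Or Not IsArray($aEvent) Or Not $aEvent[0] Then ContinueLoop
        If StringInStr($aEvent[13], $sNeedle) Then
            FileWrite($hFile, _FormatRecord($aEvent))
            $iFound += 1
        EndIf
    Next

    FileClose($hFile)
    _EventLog__Close($hLog)
    Return $iFound
EndFunc

Local $iMatches = _ExportMatchingEvents($g_sLogName, $g_sNeedle, $g_sOutFile)
If @error Then
    MsgBox(16, "Event log export", "Failed, error code " & @error)
Else
    MsgBox(64, "Event log export", $iMatches & " matching record(s) written to " & $g_sOutFile)
EndIf
```

Reading the System log does not need elevation on a workstation, but the Security log (if you later extend this to audit UAC consent events there) does, so run the script elevated in that case. Searching the description with StringInStr is fine for a one-off audit; for anything scheduled, matching on Source and Event ID is more robust than matching on message text, which can change with product updates.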

antmar904

I'm not sure I understand what @CR and @CRLF do.

Now the output file looks like this:

False
False
False
False
False
False
False
False
False
 
FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & @CRLF & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13] = stringreplace($aEvent[13],@CR,@CRLF))

antmar904

anyone?

JLogan3o13

antmar, the forum etiquette is to wait 24 hours before bumping your thread. We are all volunteers here, and there are several forums through which we scan for questions. Waiting 24 hours gives us enough time to review the issue and offer suggestions :)


kylomas

CR and CRLF are line terminators. I might have the syntax wrong; you definitely have the placement wrong. You alter the text before you write the file.


antmar904

@JLogan

You are right, sorry about that. Just anxious to get my script working.

@kylomas

I made the change and altered the text before writing to the file however the format is not right yet.

I would like the "Record Number" to be the first line written and all the rest with "Authorization" being the last line written before the next record is written.

Here is the current output file:

 

PBUACEvents.txt

antmar904

I got it, I just added a couple of line breaks at the end:

FileWriteLine($hFileOpen, "Record Number: " & $aEvent[1] & @CRLF & "Submitted: " & $aEvent[2] & " " & $aEvent[3] & @CRLF & "Description: " & $aEvent[13] & @CRLF & "-------------------------------" & @CRLF & @CRLF & @CRLF)

kylomas

Glad you got it working...note - "Authorization" is not always the last line of a record (see the first record of the file you posted)
