How to add multiple lines of EventData to an EventLog?

mdwerne

Hello,

I'm working on a script that writes detailed application event logs, and I'd like to know if there is a way with AutoIt to write multiple lines of XML EventData (see example below):

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Application" /> 
  <EventID Qualifiers="0">1001</EventID> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2015-07-12T21:26:07.000000000Z" /> 
  <EventRecordID>86554</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>YOUR_COMPUTER</Computer> 
  <Security /> 
  </System>
  <EventData>
     <Data>DeskTop Agent: Mike</Data> 
     <Data>Observer Username: Miguel</Data>
     etc...
  </EventData>
 </Event>

So far, using EventCreate, everything I send ends up in a single <Data> entry (see below):

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Application" /> 
  <EventID Qualifiers="0">1001</EventID> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2015-07-12T21:26:07.000000000Z" /> 
  <EventRecordID>86554</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>YOUR_COMPUTER</Computer> 
  <Security /> 
  </System>
  <EventData>
       <Data>DeskTop Agent: Mike Observer Username: Miguel</Data> 
  </EventData>
 </Event>

Here is the code I'm using thus far (which does not work the way I'd like):

$LogData = @CRLF & "DeskTop Agent: " & @UserName & @CRLF & "Observer Username: " & $DTObserver & @CRLF & "File name/s with extension: " & $FilenameWextension & @CRLF & "Action Performed: " & $ActionPerformed & @CRLF & "Explanation: " & $Explanation & @CRLF & "Machine Name: " & @ComputerName & @CRLF & "IP Address: " & @IPAddress1 & @CRLF & "App1Installed: " & $App1 & @CRLF & "App2Installed: " & $App2
Run("eventcreate /T Information /ID 100 /L Application /SO DTALog /D " & Chr(34) & "DTALog Details: " & $LogData & Chr(34), "", @SW_HIDE, 2)

I found a Stack Overflow post that talks about doing it in C# (https://stackoverflow.com/questions/7694276/how-to-add-multiple-lines-of-eventdata-to-an-eventlog-in-windows), but I'd like to determine if it can be accomplished with AutoIt.

Thanks for your time,
-Mike

ripdad

If I use EventCreate with your last snippet and look in Windows Event Viewer, it looks as it should, with multiple lines. Evidently, XML strips CRLF from the data. It seems you could add a pipe "|" in the data where you want a line return and then extract the data from EventData and StringReplace on the pipe, i.e. StringReplace($data, '|', @CRLF)

Or perhaps you could add multiple data entries in EventData.

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward

mdwerne

Thanks for the reply ripdad!

So I must be missing something in what you're trying to tell me. I changed my last snippet to this:

$LogData = @CRLF & "DeskTop Agent: " & @UserName & "|" & "Observer Username: " & $DTObserver & "|" & "File name/s with extension: " & $FilenameWextension & "|" & "Action Performed: " & $ActionPerformed & "|" & "Explanation: " & $Explanation & "|" & "Machine Name: " & @ComputerName & "|" & "IP Address: " & @IPAddress1 & "|" & "App1Installed: " & $App1 & "|" & "App2Installed: " & $App2
Run("eventcreate /T Information /ID 100 /L Application /SO DTALog /D " & Chr(34) & "DTALog Details: " & $LogData & Chr(34), "", @SW_HIDE, 2)

and when generated, the event looked like this:

- <EventData>
  <Data>DTALog Details: DeskTop Agent: mike|Observer Username: miguel|File name/s with extension: 10|Action Performed: e.g. Copied project documents from C: drive to F: (USB Drive)|Explanation: e.g. To allow work on project document from another workstation.|Machine Name: R123456|IP Address: 192.168.0.1|App1Installed: 1|App2Installed: 1</Data> 
  </EventData>

I am using Splunk to query the event logs, and would like each of the variables in their own <data> field. Like this:

<EventData>
  <Data>Data Transfer Agent: mike</Data> 
  <Data>Observer Username: miguel</Data> 
  <Data>File name/s with extension: 10</Data> 
  <Data>Action Performed: e.g. Copied project documents from C: drive to F: (USB Drive)</Data> 
  <Data>Explanation: e.g. To allow work on project document from another workstation</Data> 
  <Data>Machine Name: R123456</Data> 
  <Data>IP Address: 192.168.0.1</Data> 
  <Data>App1Installed: 1</Data> 
  <Data>App2Installed: 1</Data> 
  </EventData>

I'm not sure how I would do this using the suggestion you gave me.

I've also tried this method, with no additional success.

#include <EventLog.au3>

Example()

Func Example()
    ; $aData is raw binary data (ReportEvent's lpRawData): element [0] is the
    ; byte count, [1..n] are the bytes. It is not a list of insertion strings.
    Local $hEventLog, $aData[4] = [3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    ; 4 = EVENTLOG_INFORMATION_TYPE, category 0, event ID 2, user name,
    ; description, raw data. The UDF passes the description as the one and
    ; only insertion string, so the event gets a single <Data> element no
    ; matter what $aData holds.
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close($hEventLog)
EndFunc   ;==>Example

Thanks again,
-Mike

ripdad
19 minutes ago, mdwerne said:

(quoted the <EventData> layout above, with one <Data> element per variable)

I was thinking more like this...

<EventData>
  <Data1>Data Transfer Agent: mike</Data1> 
  <Data2>Observer Username: miguel</Data2> 
  <Data3>File name/s with extension: 10</Data3> 
</EventData>

I don't know much about XML, but it seems logical.

 


mdwerne

This would work for me as well...the question is still how. :(

Above you suggested "Or perhaps you could add multiple data entries in EventData."

EventCreate does not like more than 1 of the /D switch, and I'm not sure how to use the "_EventLog__Report" function to add multiple data entries...if it's even possible.

If I look through my Application Event log, I see that other apps can create entries like I'm after:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Application Error" /> 
  <EventID Qualifiers="0">1000</EventID> 
  <Level>2</Level> 
  <Task>100</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2017-12-04T22:02:33.393707600Z" /> 
  <EventRecordID>10493</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>R123456.my.domain</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data>consent.exe</Data> 
  <Data>10.0.15063.0</Data> 
  <Data>e0f856c4</Data> 
  <Data>unknown</Data> 
  <Data>0.0.0.0</Data> 
  <Data>00000000</Data> 
  <Data>c0000409</Data> 
  <Data>0000000000000000</Data> 
  <Data>f8c</Data> 
  <Data>01d36d4b962f1993</Data> 
  <Data>c:\windows\system32\consent.exe</Data> 
  <Data>unknown</Data> 
  <Data>01cbf734-c21e-46ce-8132-df9596bb70f4</Data> 
  <Data /> 
  <Data /> 
  </EventData>
  </Event>

Maybe I need to jump over to C# for this project.

Thanks for the suggestions nonetheless,
-Mike

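Why the "Application Error" event above has one <Data> per value, and how to get the same from AutoIt, as an added example that is not code from this thread: the Event Log service turns every insertion string handed to ReportEventW (the wNumStrings/lpStrings pair) into its own <Data> element under <EventData>. EventCreate hands over the /D text as one string, and the EventLog UDF's _EventLog__Report passes only its $sDesc parameter as a single string (its $aData array is raw binary data, not strings), so both can only ever produce one <Data>. Calling ReportEventW directly through DllCall with an array of wide-string pointers gives one <Data> per array element. The helper name _EventLog_ReportStrings and its parameters are this example's own (not UDF functions); the source name DTALog and event ID 100 are taken from the original eventcreate call, and the sample field values are constructed stand-ins for the script's variables.

```autoit
#include <EventLog.au3>

; Added example, not from the thread. Writes one event whose <EventData> holds
; one <Data> element per element of $aStrings, by calling ReportEventW with
; wNumStrings = UBound($aStrings). The helper name and its parameters are this
; example's own assumptions; they are not functions of the EventLog UDF.
;   $iType: 4 = EVENTLOG_INFORMATION_TYPE, 2 = EVENTLOG_WARNING_TYPE, 1 = EVENTLOG_ERROR_TYPE
Func _EventLog_ReportStrings($sSource, $iEventID, $aStrings, $iType = 4, $iCategory = 0)
    Local $iCount = UBound($aStrings)
    If $iCount = 0 Then Return SetError(1, 0, False)

    ; One wchar buffer per string, kept in $aBuf so none is freed before the
    ; call; $tPtrs is the LPCWSTR* array that ReportEventW reads.
    Local $aBuf[$iCount]
    Local $tPtrs = DllStructCreate("ptr[" & $iCount & "]")
    For $i = 0 To $iCount - 1
        $aBuf[$i] = DllStructCreate("wchar[" & StringLen($aStrings[$i]) + 1 & "]")
        DllStructSetData($aBuf[$i], 1, $aStrings[$i])
        DllStructSetData($tPtrs, 1, DllStructGetPtr($aBuf[$i]), $i + 1)
    Next

    ; ReportEvent expects a RegisterEventSource handle. The event is written
    ; with $sSource as its provider even if that source has no registry key.
    Local $hSource = _EventLog__RegisterSource("", $sSource)
    If $hSource = 0 Then Return SetError(2, 0, False)

    ; BOOL ReportEventW(hEventLog, wType, wCategory, dwEventID, lpUserSid,
    ;                   wNumStrings, dwDataSize, lpStrings, lpRawData)
    Local $aRet = DllCall("advapi32.dll", "bool", "ReportEventW", _
            "handle", $hSource, "word", $iType, "word", $iCategory, "dword", $iEventID, _
            "ptr", 0, "word", $iCount, "dword", 0, "ptr", DllStructGetPtr($tPtrs), "ptr", 0)
    Local $iErr = @error
    _EventLog__DeregisterSource($hSource)
    If $iErr Then Return SetError(3, $iErr, False)
    If $aRet[0] = 0 Then Return SetError(4, 0, False)
    Return True
EndFunc   ;==>_EventLog_ReportStrings

; Constructed sample values standing in for the original script's variables.
Local $DTObserver = "miguel"
Local $FilenameWextension = "project.docx"
Local $ActionPerformed = "Copied project documents from C: drive to F: (USB Drive)"
Local $Explanation = "To allow work on project document from another workstation"
Local $App1 = 1, $App2 = 1

; Same fields as the original $LogData, but as separate array elements. No CRLF,
; no pipes, and no command line to quote: a '"' inside $Explanation is just text.
Local $aFields[9] = [ _
        "DeskTop Agent: " & @UserName, _
        "Observer Username: " & $DTObserver, _
        "File name/s with extension: " & $FilenameWextension, _
        "Action Performed: " & $ActionPerformed, _
        "Explanation: " & $Explanation, _
        "Machine Name: " & @ComputerName, _
        "IP Address: " & @IPAddress1, _
        "App1Installed: " & $App1, _
        "App2Installed: " & $App2]

; Source DTALog and event ID 100 as in the original eventcreate call.
If _EventLog_ReportStrings("DTALog", 100, $aFields) Then
    ConsoleWrite("Event written with " & UBound($aFields) & " <Data> elements" & @CRLF)
Else
    ConsoleWrite("ReportEventW failed, @error=" & @error & " @extended=" & @extended & @CRLF)
EndIf
```

Three things to know before relying on this. Because DTALog has no registered message file, Event Viewer's General tab shows "The description for Event ID 100 from source DTALog cannot be found" and then lists the strings, while the XML view shows exactly the per-field layout requested above; the <Data> elements carry no Name attribute (compare the Application Error event), so Splunk or any other consumer sees them positionally, which is why the field order should stay fixed and the "Name: value" prefixes are worth keeping. ReportEvent limits each insertion string to 31,839 characters, so free-text fields such as $Explanation should be kept short. Finally, the DllCall route also removes a weakness of the eventcreate approach: there, a double quote inside $Explanation or a file name terminates the /D argument and the remainder of the text is parsed as further eventcreate switches.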
ripdad

This is the first time I have heard of Splunk, so I have no idea how it handles data.

Although, any text can be manipulated...

Opt('MustDeclareVars', 1)

Local $s = "Data Transfer Agent: mike|Observer Username: miguel|File name/s with extension: 10"
Local $a = StringSplit($s, '|')
$s = '<EventData>' & @CRLF

For $i = 1 To $a[0]
    $s &= '    <Data' & $i & '>' & $a[$i] & '</Data' & $i & '>' & @CRLF
Next

$s &= '</EventData>'
MsgBox(0, 'Result', $s)

After that, it's a matter of replacing that section in the XML -- since that seems to be the format you want it in.

 


mdwerne

Sadly, this is how it shows up in the event log:

- <EventData>
  <Data>DTALog Details: <EventData> <Data1>Data Transfer Agent: mike</Data1> <Data2>Observer Username: miguel</Data2> <Data3>File name/s with extension: 10</Data3> </EventData></Data> 
  </EventData>

While it may not be obvious from the snippet above, the $s variable came in as plain text, not actual XML data.

Thanks for giving it a shot...I'll see if there is another way to go about this.

ripdad
9 minutes ago, mdwerne said:

(quoted the single-<Data> result above)

I didn't mean that you run that with EventCreate, but after you have the resulting XML file. Read it in AutoIt, then work from there. Here's another way to manipulate it -- if you don't care about the data numbers...

Local $s = "Data Transfer Agent: mike|Observer Username: miguel|File name/s with extension: 10|"
; Every pipe becomes a </Data> CRLF <Data> boundary.
$s = '<EventData>' & @CRLF & '<Data>' & StringReplace($s, '|', '</Data>' & @CRLF & '<Data>')
; The trailing pipe leaves a dangling "<Data>" (6 characters) at the end; drop it and close the element.
$s = StringTrimRight($s, 6) & '</EventData>'
; Indent the <Data> lines.
$s = StringReplace($s, '<Data>', '    <Data>')
MsgBox(0, 'Result', $s)

 


ripdad

So, I got it worked out as simple as I could -- unless you find a better solution...

Opt('MustDeclareVars', 1)

; read the xml
Local $sFile = FileRead(@ScriptDir & '\EventOriginal.xml')

; load it in array
Local $a = StringSplit($sFile, @CRLF, 1)

Local $s = ''

; loop through fields
For $i = 1 To $a[0]
    If StringInStr($a[$i], '<Data>') Then
        ; manipulate the data
        $a[$i] = '    ' & StringStripWS($a[$i], 3)
        $a[$i] = StringReplace($a[$i], '|', '</Data>' & @CRLF & '    <Data>')
    EndIf
    ; re-assemble 
    $s &= $a[$i] & @CRLF
Next

MsgBox(0, 'Final Result', $s)

; write final result to file
Local $hFile = FileOpen(@ScriptDir & '\EventResult.xml', 2)
FileWrite($hFile, $s)
FileClose($hFile)

Here is the xml file I worked with, which has pipes denoting where returns should go...

EventOriginal.xml

 

mdwerne

Thank you again, I will see if I can make this work.

Wolfteeth

Hi, Mdwerne,

I have the same question and problem here, writing event data in XML format (multiple lines)...

I still don't understand how to use the array Data...

 
