How to add multiple lines of EventData to an EventLog?


mdwerne

Hello,

I'm working on a script that writes detailed application event logs, and I'd like to know if there is a way with AutoIt to write multiple lines of XML EventData (see example below):

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Application" /> 
  <EventID Qualifiers="0">1001</EventID> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2015-07-12T21:26:07.000000000Z" /> 
  <EventRecordID>86554</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>YOUR_COMPUTER</Computer> 
  <Security /> 
  </System>
  <EventData>
     <Data>DeskTop Agent: Mike</Data> 
     <Data>Observer Username: Miguel</Data>
     etc...
  </EventData>
 </Event>

So far, using EventCreate, everything I send ends up in a single <data> entry (see below):

 <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="Application" /> 
  <EventID Qualifiers="0">1001</EventID> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Keywords>0x80000000000000</Keywords> 
  <TimeCreated SystemTime="2015-07-12T21:26:07.000000000Z" /> 
  <EventRecordID>86554</EventRecordID> 
  <Channel>Application</Channel> 
  <Computer>YOUR_COMPUTER</Computer> 
  <Security /> 
  </System>
  <EventData>
       <Data>DeskTop Agent: Mike Observer Username: Miguel</Data> 
  </EventData>
 </Event>

Here is the code I'm using thus far (which does not work the way I'd like):

$LogData = @CRLF & "DeskTop Agent: " & @UserName & @CRLF & "Observer Username: " & $DTObserver & @CRLF & "File name/s with extension: " & $FilenameWextension & @CRLF & "Action Performed: " & $ActionPerformed & @CRLF & "Explanation: " & $Explanation & @CRLF & "Machine Name: " & @ComputerName & @CRLF & "IP Address: " & @IPAddress1 & @CRLF & "App1Installed: " & $App1 & @CRLF & "App2Installed: " & $App2
Run("eventcreate /T Information /ID 100 /L Application /SO DTALog /D " & Chr(34) & "DTALog Details: " & $LogData & Chr(34), "", @SW_HIDE, 2)

I found a Stackoverflow post that talks about doing it in C# (https://stackoverflow.com/questions/7694276/how-to-add-multiple-lines-of-eventdata-to-an-eventlog-in-windows)
but I'd like to determine if it can be accomplished with AutoIt.

Thanks for your time,
-Mike


If I use EventCreate using your last snippet and look in Windows Event Viewer, it looks as it should with multiple lines. Evidently, XML strips CRLF from the data. Seems you could add a pipe "|" in the data where you want a line return and then extract the data from EventData and StringReplace on the pipe, i.e.: StringReplace($data, '|', @CRLF)

Or perhaps you could add multiple data entries in EventData.


"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward


Thanks for the reply ripdad!

So I must be missing something in what you're trying to tell me. I changed my last snippet to this:

$LogData = @CRLF & "DeskTop Agent: " & @UserName & "|" & "Observer Username: " & $DTObserver & "|" & "File name/s with extension: " & $FilenameWextension & "|" & "Action Performed: " & $ActionPerformed & "|" & "Explanation: " & $Explanation & "|" & "Machine Name: " & @ComputerName & "|" & "IP Address: " & @IPAddress1 & "|" & "App1Installed: " & $App1 & "|" & "App2Installed: " & $App2
Run("eventcreate /T Information /ID 100 /L Application /SO DTALog /D " & Chr(34) & "DTALog Details: " & $LogData & Chr(34), "", @SW_HIDE, 2)

and when generated, the event looked like this:

<EventData>
  <Data>DTALog Details: DeskTop Agent: mike|Observer Username: miguel|File name/s with extension: 10|Action Performed: e.g. Copied project documents from C: drive to F: (USB Drive)|Explanation: e.g. To allow work on project document from another workstation.|Machine Name: R123456|IP Address: 192.168.0.1|App1Installed: 1|App2Installed: 1</Data>
</EventData>

I am using Splunk to query the event logs, and would like each of the variables in their own <data> field. Like this:

<EventData>
  <Data>Data Transfer Agent: mike</Data> 
  <Data>Observer Username: miguel</Data> 
  <Data>File name/s with extension: 10</Data> 
  <Data>Action Performed: e.g. Copied project documents from C: drive to F: (USB Drive)</Data> 
  <Data>Explanation: e.g. To allow work on project document from another workstation</Data> 
  <Data>Machine Name: R123456</Data> 
  <Data>IP Address: 192.168.0.1</Data> 
  <Data>App1Installed: 1</Data> 
  <Data>App2Installed: 1</Data> 
  </EventData>

I'm not sure how I would do this using the suggestion you gave me.

I've also tried this method, with no additional success.

#include <EventLog.au3>

Example()

Func Example()
    Local $hEventLog, $aData[4] = [3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close($hEventLog)
EndFunc   ;==>Example

Thanks again,
-Mike


19 minutes ago, mdwerne said:

I am using Splunk to query the event logs, and would like each of the variables in their own <data> field. Like this:

<EventData>
  <Data>Data Transfer Agent: mike</Data> 
  <Data>Observer Username: miguel</Data> 
  <Data>File name/s with extension: 10</Data> 
  <Data>Action Performed: e.g. Copied project documents from C: drive to F: (USB Drive)</Data> 
  <Data>Explanation: e.g. To allow work on project document from another workstation</Data> 
  <Data>Machine Name: R123456</Data> 
  <Data>IP Address: 192.168.0.1</Data> 
  <Data>App1Installed: 1</Data> 
  <Data>App2Installed: 1</Data> 
  </EventData>

I was thinking more like this...

<EventData>
  <Data1>Data Transfer Agent: mike</Data1> 
  <Data2>Observer Username: miguel</Data2> 
  <Data3>File name/s with extension: 10</Data3> 
</EventData>

I don't know much about XML, but it seems logical.


This would work for me as well...the question is still how. :(

Above you suggested "Or perhaps you could add multiple data entries in EventData."

EventCreate does not like more than 1 of the /D switch, and I'm not sure how to use the "_EventLog__Report" function to add multiple data entries...if it's even possible.

If I look through my Application Event log, I see that other apps can create entries like I'm after:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-12-04T22:02:33.393707600Z" />
    <EventRecordID>10493</EventRecordID>
    <Channel>Application</Channel>
    <Computer>R123456.my.domain</Computer>
    <Security />
  </System>
  <EventData>
    <Data>consent.exe</Data>
    <Data>10.0.15063.0</Data>
    <Data>e0f856c4</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000409</Data>
    <Data>0000000000000000</Data>
    <Data>f8c</Data>
    <Data>01d36d4b962f1993</Data>
    <Data>c:\windows\system32\consent.exe</Data>
    <Data>unknown</Data>
    <Data>01cbf734-c21e-46ce-8132-df9596bb70f4</Data>
    <Data />
    <Data />
  </EventData>
</Event>

Maybe I need to jump over to C# for this project.

Thanks for the suggestions nonetheless,
-Mike


This is the first time I heard of Splunk, so I have no idea how it handles data.

Although, any text can be manipulated...

Opt('MustDeclareVars', 1)

Local $s = "Data Transfer Agent: mike|Observer Username: miguel|File name/s with extension: 10"
Local $a = StringSplit($s, '|')
$s = '<EventData>' & @CRLF

For $i = 1 To $a[0]
    $s &= '    <Data' & $i & '>' & $a[$i] & '</Data' & $i & '>' & @CRLF
Next

$s &= '</EventData>'
MsgBox(0, 'Result', $s)

After that, it's a matter of replacing that section in the XML -- since that seems to be the format you want it in.


Sadly, this is how it shows up in the event log:

<EventData>
  <Data>DTALog Details: <EventData> <Data1>Data Transfer Agent: mike</Data1> <Data2>Observer Username: miguel</Data2> <Data3>File name/s with extension: 10</Data3> </EventData></Data>
</EventData>

While it may not be obvious from the snippet above, the $s variable came in as plain text, not actual XML data.

Thanks for giving it a shot...I'll see if there is another way to go about this.


9 minutes ago, mdwerne said:

Sadly, this is how it shows up in the event log:


<EventData>
  <Data>DTALog Details: <EventData> <Data1>Data Transfer Agent: mike</Data1> <Data2>Observer Username: miguel</Data2> <Data3>File name/s with extension: 10</Data3> </EventData></Data>
</EventData>

I didn't mean that you run that with EventCreate, but after you have the resulting XML file. Read it in AutoIt, then work from there. Here's another way to manipulate it -- if you don't care about the data numbers...

Local $s = "Data Transfer Agent: mike|Observer Username: miguel|File name/s with extension: 10|"
$s = '<EventData>' & @CRLF & '<Data>' & StringReplace($s, '|', '</Data>' & @CRLF & '<Data>')
$s = StringTrimRight($s, 6) & '</EventData>'
$s = StringReplace($s, '<Data>', '    <Data>')
MsgBox(0, 'Result', $s)


So, I got it worked out as simple as I could -- unless you find a better solution...

Opt('MustDeclareVars', 1)

; read the xml
Local $sFile = FileRead(@ScriptDir & '\EventOriginal.xml')

; load it in array
Local $a = StringSplit($sFile, @CRLF, 1)

Local $s = ''

; loop through fields
For $i = 1 To $a[0]
    If StringInStr($a[$i], '<Data>') Then
        ; manipulate the data
        $a[$i] = '    ' & StringStripWS($a[$i], 3)
        $a[$i] = StringReplace($a[$i], '|', '</Data>' & @CRLF & '    <Data>')
    EndIf
    ; re-assemble 
    $s &= $a[$i] & @CRLF
Next

MsgBox(0, 'Final Result', $s)

; write final result to file
Local $hFile = FileOpen(@ScriptDir & '\EventResult.xml', 2)
FileWrite($hFile, $s)
FileClose($hFile)

Here is the xml file I worked with, which has pipes denoting where returns should go...

EventOriginal.xml

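The same post-processing route (read the exported event XML, split the pipe-delimited <Data> text into one <Data> element per field) can be done with an XML parser instead of line-by-line string edits. The block below is an added example in Python; it is not code from this thread, from ripdad, or from AutoIt. It assumes the event has already been exported to an XML string, and the sample event it works on is constructed for the example, in the shape the thread's samples show.

```python
"""Split a pipe-delimited <Data> element of a Windows event XML export into
one <Data> element per field, using an XML parser rather than string splicing.

Added example for this thread (not code from the thread or from AutoIt)."""
import xml.etree.ElementTree as ET

# Default namespace of the Windows event XML shown in the thread.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# Keep the default namespace on output instead of an "ns0:" prefix.
ET.register_namespace("", EVT_NS)


def qn(tag: str) -> str:
    """Qualify a local tag name with the event namespace."""
    return f"{{{EVT_NS}}}{tag}"


# Constructed sample (not a real log entry): a trimmed event in the shape the
# thread shows, carrying the single pipe-delimited string eventcreate produced.
# The trailing pipe and the "&amp;" are deliberate edge cases.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="DTALog" />
    <EventID Qualifiers="0">100</EventID>
    <Channel>Application</Channel>
    <Computer>R123456</Computer>
  </System>
  <EventData>
    <Data>DeskTop Agent: mike|Observer Username: miguel|Machine Name: R123456|Action Performed: copied a &amp; b|</Data>
  </EventData>
</Event>"""


def split_data_elements(event_xml: str, delimiter: str = "|") -> str:
    """Return event_xml with each delimited <Data> split into sibling <Data> elements."""
    root = ET.fromstring(event_xml)
    for event_data in root.iter(qn("EventData")):
        # Snapshot the children: the loop body inserts into event_data.
        for data in list(event_data.findall(qn("Data"))):
            text = data.text or ""
            if delimiter not in text:
                continue
            # Drop empty fields so a trailing delimiter does not produce <Data />.
            fields = [f.strip() for f in text.split(delimiter) if f.strip()]
            if not fields:
                continue
            data.text = fields[0]
            pos = list(event_data).index(data)
            for offset, field in enumerate(fields[1:], start=1):
                new = ET.Element(qn("Data"))
                new.text = field
                new.tail = data.tail  # reuse the original element's indentation
                event_data.insert(pos + offset, new)
    # The serializer re-escapes "&" and "<" in field text, so a value containing
    # them cannot break the document the way raw string concatenation would.
    return ET.tostring(root, encoding="unicode")


def data_fields(event_xml: str) -> list:
    """Text of every <Data> element in document order (what a Splunk-side field extraction sees)."""
    root = ET.fromstring(event_xml)
    return [d.text or "" for d in root.iter(qn("Data"))]


if __name__ == "__main__":
    print(split_data_elements(SAMPLE_EVENT))
```

Two things this buys over the string-based version: the namespace declaration and the rest of the record survive untouched, and field values containing `&` or `<` come out escaped rather than being written raw into the XML (the `'<Data' & $i & '>' & $a[$i]` construction above would emit them unescaped). As with ripdad's script, this only rewrites the exported copy; the record in the Application log itself still holds the single string that eventcreate wrote.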
