Using perl to read your win32 event log

6 August, 2007 – 5:16 pm

I often use a combination of Cygwin with ssh to remotely manage Windows servers, as I find this to be a quicker (and hopefully safer) method of access to my Windows boxes. To that end, I often need to check Windows application event logs. Typically you'd use the mmc, but mostly all I want to do is check the last 10 or 100 entries for things like break-in attempts, or application warnings/failures etc.

To do that through your ssh session, you can use the native Win32::EventLog module that ships with the ActiveState version of Perl. I can't remember where I got the majority of this code from, but I have since modified it to work within a Win32 environment along with some simple command line arguments. The version I copied was more in line with *nix systems I believe.

If I can remember where I got the code from I'll acknowledge it, but feel free to use my modified version in the interim :)

use strict;
use warnings;
use Win32::EventLog;

# Command line: server name, log name, number of newest entries to show
my $machine  = $ARGV[0] || "DEFAULTSERVERNAME";
my $eventlog = $ARGV[1] || "Application";
my $limit    = $ARGV[2] || 100;

my ($EventLog, $count, $first);

$first = $count = 0;
my $event = {
        'Source'              => undef,
        'Computer'            => undef,
        'Length'              => undef,
        'Category'            => undef,
        'RecordNumber'        => undef,
        'TimeGenerated'       => undef,
        'Timewritten'         => undef,
        'EventID'             => undef,
        'EventType'           => undef,
        'ClosingRecordNumber' => undef,
        'Strings'             => undef,
        'Data'                => undef,
        };

# Open the requested log on the requested server (the command line
# arguments above are otherwise never used)
$EventLog = Win32::EventLog->new( $eventlog, $machine ) || die $!;

$EventLog->GetOldest(\$first) || die $!;
$EventLog->GetNumber(\$count) || die $!;

# Position at the end of the log, then step backwards one record per Read()
$EventLog->Read((EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ),$first+$count,$event);

for my $i ($first+$count-$limit+1..$first+$count)
        {
        # stop cleanly if the log holds fewer than $limit records
        $EventLog->Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_BACKWARDS_READ),0,$event) || last;
        my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($event->{'TimeGenerated'});

        # mask off the severity/facility bits to get the EventID as the mmc shows it
        $event->{'EventID'} = $event->{'EventID'} & 0xffff;

        #foreach my $key ('RecordNumber','Category','Source','Strings')
        #       {
        #       print sprintf( "%15s -> %s\n",$key, $event->{$key} );
        #       }

        print "$mday/",$mon+1,"/",$year+1900,"\t$hour:$min\t".$event->{Strings}."\n";
        }
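As an added example (my own, not the author's script), here is a variant built on the same Win32::EventLog calls that scans the newest entries of the Security log, renders the message text, decodes the EventType into the level the event viewer shows, and tallies audit failures per source and EventID, which is what you want when looking for the break-in attempts mentioned above. The log name, entry limit and local-machine assumption are mine.

```perl
use strict;
use warnings;
use Win32::EventLog;

# Have Read() render the human readable Message field as well as Strings
$Win32::EventLog::GetMessageText = 1;

# Assumed arguments: log name and how many of the newest entries to scan
my $logname = $ARGV[0] || 'Security';
my $limit   = $ARGV[1] || 100;

# Map the EventType value to the level shown in the event viewer
my %level = (
    EVENTLOG_ERROR_TYPE()       => 'ERROR',
    EVENTLOG_WARNING_TYPE()     => 'WARNING',
    EVENTLOG_INFORMATION_TYPE() => 'INFO',
    EVENTLOG_AUDIT_SUCCESS()    => 'AUDIT_OK',
    EVENTLOG_AUDIT_FAILURE()    => 'AUDIT_FAIL',
);

# Local machine; pass a server name as the second argument to new() for a remote box
my $log = Win32::EventLog->new($logname) or die "cannot open $logname log: $!";
my $count = 0;
$log->GetNumber(\$count) or die $!;
$limit = $count if $limit > $count;

# On a freshly opened handle a backwards sequential read starts at the newest
# record, so no seek is needed: each Read() steps one record further back
my (%failures, $event);
for (1 .. $limit) {
    $event = {};
    $log->Read(EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ, 0, $event) or last;

    my $id   = $event->{EventID} & 0xffff;              # strip severity/facility bits
    my $type = $level{ $event->{EventType} } || 'UNKNOWN';
    my ($min, $hour, $mday, $mon, $year) = (localtime $event->{TimeGenerated})[1 .. 5];
    (my $msg = $event->{Message} || '') =~ s/\s+/ /g;   # one line per record

    printf "%04d-%02d-%02d %02d:%02d  %-10s %-24s %5d  %.80s\n",
        $year + 1900, $mon + 1, $mday, $hour, $min, $type, $event->{Source}, $id, $msg;

    $failures{"$event->{Source} id=$id"}++ if $event->{EventType} == EVENTLOG_AUDIT_FAILURE;
}
$log->Close;

# A burst of audit failures from one source/ID is the usual sign of password guessing
print "\nAudit failures in the last $limit records:\n";
printf "  %5d  %s\n", $failures{$_}, $_ for sort { $failures{$b} <=> $failures{$a} } keys %failures;
print "  none\n" unless %failures;
```

Reading the Security log needs an account with the right to manage auditing and the security log (an administrator by default), so run it from an elevated ssh session.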
