I am writing a script to find the event logs in the c:\windows\system32\config directory and back them up. I am developing this on my XP Pro workstation and plan to run it on servers running Windows 2000 and Windows 2003. As different servers have different event logs, I am reading the directory for *.evt files and then calling Win32::EventLog->new on each one.
I started noticing some anomalies and put in some debugging code to see what was going on. Specifically, I called GetNumber and GetOldest. What I found was that they were always the same even though I was looping through multiple different-sized event logs. I tried printing out the first record from each (using the example code from the Win32::EventLog documentation) and it came out the same. I close the handle created by the call to new each time. I can't figure out what I may be doing wrong. Here is the relevant code from my script, including my debug statements:
use Win32::EventLog;   # exports EVENTLOG_FORWARDS_READ, EVENTLOG_SEEK_READ
# ($winlogdir and $local_computer are set earlier in the script)
#
# Open the Windows log directory
#
opendir (WINLOG, $winlogdir) or die "Can't open $winlogdir: $!\n";
#
# Read the directory for any event logs; they all end in .evt.
#
@eventlogs = grep /\.evt$/i, readdir WINLOG;
closedir WINLOG;
foreach $eventlog (@eventlogs) {
    $recs = 0;
    $oldestrec = 0;
    print "Event log: $eventlog\n";
    $eventlog =~ s/\.evt$//i;      # Chop off the .evt extension
    print "Event log no extension: $eventlog\n";
    #
    # Win32::EventLog knows where the log directory is; so now
    # we just give it the name of the file to open.
    #
    $event = Win32::EventLog->new($eventlog, $local_computer)
        or die "Can't open $eventlog event log: $!\n";
    $event->GetNumber($recs)
        or die "Can't get number of records from $eventlog: $!\n";
    $event->GetOldest($oldestrec)
        or die "Can't get oldest record from $eventlog: $!\n";
    if ($recs || $oldestrec) {
        print $eventlog, ": ", $recs, "\n";
        print "Oldest record for $eventlog: $oldestrec\n";
    }
    else {
        print "No records for $eventlog\n";
    }
    # Debug: read the oldest record and print its message and source
    my $hashRef;
    $event->Read(EVENTLOG_FORWARDS_READ|EVENTLOG_SEEK_READ,
                 $oldestrec,
                 $hashRef)
        or die "Can't read EventLog entry #$oldestrec\n";
    #if ($hashRef->{Source} eq "EventLog") {
        Win32::EventLog::GetMessageText($hashRef);
        print "Entry $oldestrec: $hashRef->{Message}\n";
    #}
    #else {
        print "Source: $hashRef->{Source}\n";
    #}
    $event->Close();
}
Another oddity that I noticed (hence I commented out the if statement from the example code) was that $hashRef->{Source} was always set to "SceCli" rather than "EventLog" as in the example. The only log that has SceCli as source in its first record is Application. It seems like I am never opening any of the other .evt files. Does Win32::EventLog not handle non-standard .evt files? Thanks for any help.
Cheers--
Al
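An added example, not code from Al's post: it enumerates the logs by the names registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog (the names OpenEventLog actually accepts; an unregistered name makes it fall back to the Application log, which would produce exactly the symptom described) and backs each one up with the module's Backup method. The destination directory C:\EvtBackup is an assumption, as is running as an account allowed to open the Security log.

```perl
use strict;
use warnings;
use Win32::EventLog;
use Win32::TieRegistry ( Delimiter => '/' );

# Logs are opened by the name registered under this key (Application,
# Security, System, plus any custom logs), not by their .evt file name.
my $evkey = $Registry->Open('LMachine/SYSTEM/CurrentControlSet/Services/EventLog/')
    or die "Can't open EventLog registry key: $^E\n";

my $server  = '';              # empty string = local computer
my $backdir = 'C:\\EvtBackup'; # assumed destination; must already exist

for my $name ($evkey->SubKeyNames) {
    # Security needs the "manage auditing" privilege; a failure here is
    # reported and the loop moves on instead of dying.
    my $log = Win32::EventLog->new($name, $server)
        or do { warn "Can't open '$name': $^E\n"; next };

    my ($recs, $oldest) = (0, 0);
    $log->GetNumber($recs) or warn "GetNumber failed for $name: $^E\n";
    $log->GetOldest($oldest) or warn "GetOldest failed for $name: $^E\n";
    printf "%-20s records=%d oldest=%d\n", $name, $recs, $oldest;

    # BackupEventLog refuses to overwrite an existing file, so stamp the
    # name with the current time; the path is interpreted on $server.
    my @t = localtime;
    my $file = sprintf "%s\\%s-%04d%02d%02d-%02d%02d%02d.evt",
        $backdir, $name, $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];
    $log->Backup($file) or warn "Backup of $name failed: $^E\n";
    $log->Close;
}
```

$^E carries the Win32 error text, which is more informative than $! for these calls.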