Thanks for reminding me about Win32::EventLog. I had forgotten that I had done a quick exploration with that. I abandonned it when I found that some of the older versions of Perl did not return the message text for me. (These are old systems used for regression testing so upgrading Perl is not possible on them.)
In any case, here is the code that I was experimenting with. I make no promises about it how well it works since I haven't used it in a while and it never got used past those first trials. But perhaps it will give you a start.
use Win32::EventLog;
$Win32::EventLog::GetMessageText = 1; # This is required if you want t
+o see the text of the messages!
$limit = $ARGV[0] || 100;
$computer = $ARGV[1];
my ($EventLog, $count, $first, $key);
%type = (1 => "ERROR",
2 => "WARNING",
4 => "INFORMATION",
8 => "AUDIT_SUCCESS",
16 => "AUDIT_FAILURE");
$first = $count = 0;
if ($computer)
{
$EventLog = new Win32::EventLog('System', $computer) || die $!;
}
else
{
$EventLog = new Win32::EventLog('System') || die $!;
}
$EventLog->GetOldest(\$first) || die $!;
$EventLog->GetNumber(\$count) || die $!;
$EventLog->Read((EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ), $first
++$count, $entry);
for $i ($first+$count-$limit+1..$first+$count)
{
$result = $EventLog->Read((EVENTLOG_SEQUENTIAL_READ|EVENTLOG_BACKW
+ARDS_READ),0,$entry);
($sec,$min,$hour,$mday,$mon,$year,$sday,$yday,$isdst) = localtime(
+$entry->{TimeGenerated});;
my $date = sprintf("%02d/%02d/%d %02d:%02d:%02d",
$mon+1, $mday, $year+1900,
$hour, $min, $sec);
print "$date $entry->{Computer} ";
printf ("[%4d]", $entry->{EventID} & 0xffff);
print " (result=$result)\n";
print " Source: $entry->{Source}\n";
print " Type: $type{$entry->{EventType}}\n";
print $entry->{Message};
print "\n";
}
| 