in reply to Win32::EventLog searching the wrong logs

Try and take a look at MyEventLog for Win32::EventLog, Re: Translating Win32 EventLog Category

I might add this constructor

sub Win32::EventLog::new {
    package Win32::EventLog;
    die "usage: PACKAGE->new(SOURCENAME[, SERVERNAME])\n" unless @_ > 1;
    my ( $class, $source, $server ) = @_;
    my $handle;
    my $error;

    # Create new handle
    if ( $source !~ /\\/ ) {
        # no backslash: treat $source as a log name on $server
        my $ret = OpenEventLog( $handle, $server, $source );
        $ret or $error = [ [ int $!, $! ], [ int $^E, $^E ] ];
    }
    else {
        # contains a backslash: treat $source as the path of a backup log file
        my $ret = OpenBackupEventLog( $handle, $server, $source );
        $ret or $error = [ [ int $!, $! ], [ int $^E, $^E ] ];
    }

    # keep errno and the Win32 last error so the caller can inspect a failed open
    return bless {
        handle   => $handle,
        Source   => $source,
        Computer => $server,
        error    => $error,
    } => $class;
}

I also might add a check in this constructor for the behaviour you experience that is described below (it opens Application when it can't find what you ask for):

https://metacpan.org/source/JDB/Win32-EventLog-0.077/EventLog.xs

lpEvtLog->hLog = OpenEventLogA(lpszUNCServerName,lpszSourceName);

OpenEventLog function (Windows)
    lpSourceName [in]
        The name of the log.
        If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file.

The linked example ( Querying for Event Information (Windows) ) says The source name (provider) must exist as a subkey of Application.

Regarding that comment, one answer in How to open system event log? says "For Vista or higher use EvtQuery, EvtNext etc to query the XML based event logs." and links to Querying for Events (Windows) using EvtQuery.

Another answer links to WindowsNT Event Log Viewer - CodeProject, which talks about the win32 registry.

I've not deciphered the registry clues, but you might be able to :)

Enjoy :)

Re^2: Win32::EventLog searching the wrong logs
by FloydATC (Deacon) on May 02, 2014 at 08:09 UTC

    I should probably have pointed out that I don't enjoy working with Windows and therefore tend to avoid it, mostly because of its tendency to do braindead stuff like what you referred to;

    If you specify a custom log and it cannot be found, the event logging service opens the Application log; however, there will be no associated message or category string file.

    Well, thanks! Basically, this confirms my suspicion that I'm asking for the wrong thing and Windows, instead of returning an error message like any civilized OS would, decides to "help" by giving me something completely different. (Stupid joke about toilet paper vs. sand paper goes here)

    After reading the articles you linked, I ventured into the most unholy land of the Windows Registry and found the following keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows Powershell

    Uh... okay? So what about the "Setup" and "Forwarded Events" that very clearly show up in the Event Log viewer? There's something going on here that I just don't understand.

    Examining the Event Log viewer closely, you may notice that those other logs have a different icon than the ones I can't read (which do not appear in the Registry). I have no idea why, but there's probably a connection.

    Further, examining the "Properties" of each log, I see the following "Log paths":

    %SystemRoot%\System32\Winevt\Logs\Application.evtx
    %SystemRoot%\System32\Winevt\Logs\Security.evtx
    %SystemRoot%\System32\Winevt\Logs\Setup.evtx
    %SystemRoot%\System32\Winevt\Logs\System.evtx
    %SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx

    If I try to open those files (obviously replacing "%SystemRoot%" with "C:"), Win32::EventLog->new() succeeds but ->GetNumber returns undef. Probably because they're not meant to be accessed that way.

    I don't have a clue how to fix this...

    -- FloydATC

    Time flies when you don't know what you're doing

      Do you have a
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Setup
      key?

      Where do you find  Setup.evtx in the registry?

      Hmmm Eventlog Key (Windows)

        You probably tried those logs as administrator ... maybe you don't have permissions :/

        No, I've searched the whole subtree for "Setup" and "Forwarded" and found only stuff like "VSS Setup"; applications that presumably log their own internal events.

        -- FloydATC

        Time flies when you don't know what you're doing
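An added worked example, written by the editor rather than taken from any post in this thread or from Win32::EventLog itself. It does two things the thread circles around: it turns the check the first post proposes (refuse to open a log the classic API does not know, instead of letting OpenEventLog fall back to Application) into a guarded constructor wrapper, and it puts the registry-registered logs from the second post next to the channel list that the EvtQuery-based tooling reports, so a name like Setup or ForwardedEvents is flagged as "read this through the Evt API" rather than quietly mapped to Application. Assumptions: it runs on Windows with Win32::Registry and Win32::EventLog installed and wevtutil on the PATH; the function names classic_logs, modern_channels and guarded_open are the editor's own.

```perl
#!/usr/bin/perl
# Added example (not from the thread, not part of Win32::EventLog).
# Purpose: a monitoring script must never silently read the Application
# log because the log name it asked for was unknown to the classic API.
use strict;
use warnings;
use Win32::Registry;   # exports $HKEY_LOCAL_MACHINE
use Win32::EventLog;

# Key under which every log the classic (NT-style) API knows is
# registered; the subkeys quoted in the thread live here.
my $EVENTLOG_KEY = 'SYSTEM\\CurrentControlSet\\Services\\EventLog';

# Names of the logs the classic API can open: one registry subkey each.
sub classic_logs {
    my $key;
    $HKEY_LOCAL_MACHINE->Open($EVENTLOG_KEY, $key)
        or die "cannot open HKLM\\$EVENTLOG_KEY: $^E\n";
    my @names;
    $key->GetKeys(\@names);
    $key->Close;
    return @names;
}

# Channels exposed by the Vista+ event log service, as listed by
# `wevtutil el` (the Evt API view the thread's first post points to).
# Setup and ForwardedEvents appear here but have no subkey above.
sub modern_channels {
    my @out = `wevtutil el`;
    die "wevtutil el failed (exit status $?)\n" if $?;
    chomp @out;
    return @out;
}

# Open $log only if the classic API has it registered; otherwise die
# with a message that says what kind of name was given, instead of
# letting OpenEventLog hand back the Application log.
sub guarded_open {
    my ($log, $server) = @_;
    my %classic = map { lc $_ => 1 } classic_logs();
    unless ($classic{ lc $log }) {
        my %modern = map { lc $_ => 1 } modern_channels();
        die $modern{ lc $log }
            ? "'$log' is a modern channel: read it with the Evt API "
              . "(wevtutil / EvtQuery), not Win32::EventLog\n"
            : "'$log' is not a registered event log on "
              . ($server || 'localhost') . "\n";
    }
    my $h = Win32::EventLog->new($log, $server)
        or die "Win32::EventLog->new('$log') failed: $^E\n";
    # A genuine open yields a record count; the thread reports undef
    # when the wrong thing was opened, so treat that as a failure too.
    my $count;
    $h->GetNumber($count) or die "GetNumber failed for '$log': $^E\n";
    return ($h, $count);
}

# Usage: perl guarded_open.pl [LOGNAME]
# `perl guarded_open.pl Setup` dies with the "modern channel" message
# rather than returning Application's record count under Setup's name.
my $log = shift @ARGV || 'System';
my ($handle, $count) = guarded_open($log);
print "$log: $count records\n";
```

The lookups are case-insensitive because the registry and the Event Viewer are; the server argument is passed through unchanged so the wrapper works for remote hosts exactly as Win32::EventLog->new does.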