MurDog has asked for the wisdom of the Perl Monks concerning the following question:

Hey Monks,

Need your help with this mod. I have successfully dumped
the security log. Unfortunately, the user
information is not usable. Is there a way to convert the
user name to ASCII text? Or did I just screw up the dump?
Example code:
    use Win32::EventLog;        # EVENTLOG_* type constants
    use Win32::OLE::Variant;    # VT_DATE for the date variant

    # $Event, $Flag, $Num, $Type, $Source and $iCount are set up before this snippet
    if ( $Event->Read( $Flag, $Num, \%Hash ) ) {
        if ( $Hash{EventType} & $Type ) {
            ++$iCount;
            my ( $EventType, $Color, $Time );
            if ( $Hash{EventType} == EVENTLOG_ERROR_TYPE ) {
                $EventType = "Error";            $Color = "FF0000";   # Red
            }
            elsif ( $Hash{EventType} == EVENTLOG_WARNING_TYPE ) {
                $EventType = "Warning";          $Color = "FF4500";   # Red-Orange
            }
            elsif ( $Hash{EventType} == EVENTLOG_INFORMATION_TYPE ) {
                $EventType = "Information";      $Color = "483D8B";   # Blue
            }
            elsif ( $Hash{EventType} == EVENTLOG_AUDIT_SUCCESS ) {
                $EventType = "Audit Successful"; $Color = "483D8B";   # Blue
            }
            elsif ( $Hash{EventType} == EVENTLOG_AUDIT_FAILURE ) {
                $EventType = "Audit Failure";    $Color = "FF0000";   # Red
            }

            # Format the time so that we can create a date based variant
            $Time = "" . localtime( $Hash{TimeGenerated} );
            $Time =~ s/^.*?\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*)/$1 $2 $4 $3/;

            my ( $eventsource, $event, $eventid, $user, $computer, $datetime, $message ) = (
                $Hash{Source},
                ( $Hash{Event} ) ? $Hash{Event} : "None",
                $Hash{EventID},
                ( $Hash{User} )  ? $Hash{User}  : "N/A",   # binary SID, not a readable name
                $Hash{Computer},
                new Win32::OLE::Variant( VT_DATE, $Time ),
                $Hash{Message},
            );
            print "$Source: $datetime;$EventType;$eventsource;$eventid,$event;$user;$computer;$message\n";
        }
    }

Output:
$Source:$datetime;$EventType;$eventsource;$eventid,$event;$user;$computer;$message }
Security: 4/30/2003 3:40:22 PM;Audit Successful;Security;517,None;☺☺ ¢À¢Õ ;Computername;The audit log was cleared }
What can I do about the user name? Do I need to convert it to something?

Re: WIN32::Eventlog - Getting the user info from Security Log
by traveler (Parson) on Jul 27, 2003 at 23:19 UTC
    Well, GetMessageText(HASHREF); converts the hashref to a string for you. If that is not what you want, it turns out that the user information is a SID. Use Win32::LookupAccountSID to translate a SID into an account name.

    --traveler

      Sweet Traveler. Very Sweet. Thanks for your insight :)
      BTW. Where did you find out it was a sid?
        I checked the module source and saw that it is called $sid there. Glad to be of help.
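The conversion traveler describes, as an added example written for this thread rather than code from the original post or from Win32::EventLog: it takes the raw `$Hash{User}` bytes, asks Win32::LookupAccountSID on the local machine for the account, and falls back to the textual S-1-... form when the lookup fails (for example because the account was deleted), so the audit record still identifies who cleared the log. The function names resolve_user and sid_to_string are this example's own.

```perl
use strict;
use warnings;
use Win32;   # provides Win32::LookupAccountSID

# Render a binary SID as the familiar S-R-A-S1-S2-... string.
# Layout: revision (1 byte), sub-authority count (1 byte),
# 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities.
sub sid_to_string {
    my ($sid) = @_;
    return undef unless defined $sid && length($sid) >= 8;
    my ( $rev, $count, $auth_hi, $auth_lo ) = unpack( 'C C n N', $sid );
    return undef unless length($sid) >= 8 + 4 * $count;
    my $authority = $auth_hi * 2**32 + $auth_lo;     # avoids 48-bit shifts on 32-bit perls
    my @subs = unpack( "x8 V$count", $sid );
    return join '-', 'S', $rev, $authority, @subs;
}

# Turn the User field of an event-log record into something a human can read.
sub resolve_user {
    my ($sid) = @_;
    return 'N/A' unless defined $sid && length $sid;
    my ( $account, $domain, $sidtype );
    # '' means: look the SID up on the local machine.
    if ( Win32::LookupAccountSID( '', $sid, $account, $domain, $sidtype ) ) {
        return $domain ? "$domain\\$account" : $account;
    }
    # Unresolvable SID (deleted or foreign account): keep the SID text instead of raw bytes.
    return sid_to_string($sid) || 'N/A';
}

# Constructed sample: the well-known SID S-1-5-18 (LocalSystem) in binary form,
# standing in for the $Hash{User} value Win32::EventLog returns.
my $sample_sid = pack( 'C C n N V', 1, 1, 0, 5, 18 );
print sid_to_string($sample_sid), "\n";   # S-1-5-18
print resolve_user($sample_sid),  "\n";   # NT AUTHORITY\SYSTEM on a Windows host
```

In the poster's loop, replacing `( $Hash{User} ) ? $Hash{User} : "N/A"` with `resolve_user( $Hash{User} )` is all that is needed.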