$handle appears to be a variable that is retrieving the eventlog records and then later on, is being read in your second while loop. Am I incorrect in this observation?
Kinda sorta :) almost not really :D
Yes, $handle is a (scalar) variable, a special kind, an object (aka reference), which is an instance of the class Win32::EventLog, which is just very thin sugar around the number returned by OpenEventLog Function (Windows).
So instead of doing, in perl terms,

```perl
Win32::EventLog::Read( $handle, ... );
Win32::EventLog::Close( $handle );
```

you do

```perl
$handle->Read(...);
$handle->Close;
```

Win32::EventLog follows the C interface too closely; I would write a wrapper that avoids pass-by-reference.
Is there a way I could go about when reading these, looking for a specific string or integer and upon finding one of these do some action foo?
In the same way as the example demonstrates :) for example, instead of printing Message, you could perform additional checks, perhaps using the match operator, then call some other function.
In the second while loop, you have EVENTLOG_FORWARDS_READ|EVENTLOG_SEEK_READ as part of your hash, wouldn't these need to be passed parameters in order to function correctly?
No, they are not part of the hash, they are indeed arguments to the Read method.
Perhaps you need a syntax-highlighting editor like http://padre.perlide.org/ or Kephra...
Here is another example:

```perl
#!/usr/bin/perl --
use strict;
use warnings;
use Win32::EventLog();
use Data::Dump qw[ pp ];

Main( @ARGV );
exit( 0 );

sub Main {
    FiddleEventLog("System");
    FiddleEventLog("Application");
}

# Open the named log and return the handle plus the oldest record number
# and the record count (GetNumber/GetOldest fill their argument by reference)
sub Ebola {
    my( $eventLog , $computerName ) = @_;
    my $handle = Win32::EventLog->new($eventLog, $computerName)
        or die "Can't open Application EventLog\n";
    my $recs;
    $handle->GetNumber($recs)
        or die "Can't get number of EventLog records\n";
    my $base;
    $handle->GetOldest($base)
        or die "Can't get number of oldest EventLog record\n";
    return $handle, $base, $recs;
}

sub FiddleEventLog {
    my( $handle, $base, $recs ) = Ebola(@_);
    my $flags = Win32::EventLog::EVENTLOG_FORWARDS_READ()
        | Win32::EventLog::EVENTLOG_SEEK_READ();
    local $Win32::EventLog::GetMessageText = 1; # autocall GetMessageText
    my $x = 0;
    while( $x < $recs ) {
        my $hashRef;    # Read fills this with a hash of the record
        $handle->Read( $flags , $base + $x, $hashRef )
            or die "Can't read EventLog entry #$x\n";
        DoTheVirus( $hashRef );
        $x++;
    }
    print "\nRead $x records\n";
}

sub DoTheVirus {
    my %hash = %{shift @_ };
    if ( $hash{Message} and $hash{Message} =~ /die/ ){
        die "dumb but hey, I've yet to see die in my event log";
    } elsif( $hash{Source} eq 'Application Error' ){
        if( $hash{Strings} =~ /\Qperl.exe\E/i ){
            printf "\nUh oh $hash{RecordNumber} %s\n", pp($hash{Strings})
                if $hash{Strings} =~ /perl58.dll/;
        }
    } else {
        WinAppExploder( \%hash );
    }
}

sub WinAppExploder {
    my( $ref ) = @_;
    # %hash is lexical to DoTheVirus, so the record must be read through $ref here
    if( $ref->{Source} =~ /WinApp/ and $ref->{Strings} =~ /Windows is good/ ) {
        if( $ref->{Category} == 50 ) {
            die 666;
        }
    } elsif( $ref->{Data} eq 'unix' ) {
        die 666;
    }
}

__END__
$ perl pm.918065.pl
Read 2544 records
Uh oh 8 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0"
Uh oh 12 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0"
Uh oh 45 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0"
Uh oh 49 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0"
Uh oh 125 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0"
666 at pm.918065.pl line 67.
```
In reply to Re^3: Help understanding Win32::Eventlog
by Anonymous Monk
in thread Help understanding Win32::Eventlog
by tfredett
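Added example (not from the thread above and not part of Win32::EventLog itself): the kind of wrapper the reply suggests, hiding the pass-by-reference GetNumber/GetOldest/Read calls behind an iterator, combined with a rule table that matches records on Source, EventID and Strings and then calls an action, which is the "additional checks, then call some other function" pattern the reply describes. The package name EventLogReader, the record_matches/dispatch helpers, the rules and the sample records are all constructed here; event IDs 4625 (failed logon) and 1102 (audit log cleared) are the standard Windows Security log IDs for those events.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package EventLogReader;    # constructed wrapper, not part of Win32::EventLog

# Open $log (e.g. "Security") on $computer (undef = local machine).
sub new {
    my ( $class, $log, $computer ) = @_;
    require Win32::EventLog;                         # Windows only
    $Win32::EventLog::GetMessageText = 1;            # have Read fill in Message
    my $handle = Win32::EventLog->new( $log, $computer )
        or die "Can't open $log EventLog\n";
    my ( $count, $oldest );
    $handle->GetNumber($count) or die "Can't get record count for $log\n";
    $handle->GetOldest($oldest) or die "Can't get oldest record for $log\n";
    return bless { handle => $handle, count => $count, oldest => $oldest, pos => 0 }, $class;
}

# Return the next record as a hashref, or undef once the log is exhausted;
# the caller never sees the by-reference $rec argument of Read.
sub next_record {
    my ($self) = @_;
    return undef if $self->{pos} >= $self->{count};
    my $flags = Win32::EventLog::EVENTLOG_FORWARDS_READ()
              | Win32::EventLog::EVENTLOG_SEEK_READ();
    my $rec;
    $self->{handle}->Read( $flags, $self->{oldest} + $self->{pos}, $rec )
        or die "Can't read record at offset $self->{pos}\n";
    $self->{pos}++;
    return $rec;
}

sub finish { $_[0]{handle}->Close }

package main;

# A rule is field => pattern-or-value pairs plus an 'action' coderef.
# Regexp values match with =~, EventID compares the low 16 bits (the event
# code; Win32::EventLog returns the full 32-bit id), anything else uses eq.
sub record_matches {
    my ( $rule, $rec ) = @_;
    for my $field ( grep { $_ ne 'action' } keys %$rule ) {
        my ( $want, $have ) = ( $rule->{$field}, $rec->{$field} );
        return 0 unless defined $have;
        if    ( ref $want eq 'Regexp' ) { return 0 unless $have =~ $want }
        elsif ( $field eq 'EventID' )   { return 0 unless ( $have & 0xFFFF ) == $want }
        else                            { return 0 unless $have eq $want }
    }
    return 1;
}

# Run the action of every rule that matches $rec; returns how many fired.
sub dispatch {
    my ( $rules, $rec ) = @_;
    my $fired = 0;
    for my $rule (@$rules) {
        next unless record_matches( $rule, $rec );
        $rule->{action}->($rec);
        $fired++;
    }
    return $fired;
}

my @rules = (
    { Source => 'Microsoft-Windows-Security-Auditing', EventID => 4625,
      action => sub { printf "failed logon, record %d: %s\n", $_[0]{RecordNumber}, $_[0]{Message} // '' } },
    { Source => 'Microsoft-Windows-Security-Auditing', EventID => 1102,
      action => sub { print "audit log cleared, record $_[0]{RecordNumber}\n" } },
    { Source => 'Application Error', Strings => qr/\Qperl.exe\E/i,
      action => sub { print "perl.exe crashed, record $_[0]{RecordNumber}\n" } },
);

# Walk one log, dispatching every record; returns (records seen, rule hits).
sub scan_log {
    my ( $log, $rules ) = @_;
    my $reader = EventLogReader->new($log);
    my ( $seen, $fired ) = ( 0, 0 );
    while ( my $rec = $reader->next_record ) {
        $seen++;
        $fired += dispatch( $rules, $rec );
    }
    $reader->finish;
    return ( $seen, $fired );
}

# Constructed sample records (not real log data) so the rule logic can be
# exercised on a machine without an event log.
my @sample = (
    { RecordNumber => 1, Source => 'Microsoft-Windows-Security-Auditing', EventID => 4625,
      Message => 'An account failed to log on.' },
    { RecordNumber => 2, Source => 'Application Error', EventID => 1000,
      Strings => "perl.exe\0" . "5.8.9.825\0" . "perl58.dll\0" },
    { RecordNumber => 3, Source => 'Service Control Manager', EventID => 7036,
      Message => 'The Print Spooler service entered the running state.' },
);

if ( $^O eq 'MSWin32' ) {
    for my $log (qw( Security Application )) {
        my ( $seen, $fired ) = scan_log( $log, \@rules );
        print "$log: $seen records, $fired rule hits\n";
    }
} else {
    my $fired = 0;
    $fired += dispatch( \@rules, $_ ) for @sample;
    print "sample: $fired rule hits\n";    # records 1 and 2 fire, record 3 does not
}
```

On Windows this walks the Security and Application logs (the Security log needs an elevated prompt); elsewhere it runs the same rule logic over the three constructed records, of which the first two fire. Because Win32::EventLog hands back the full 32-bit EventID, the rule compares `$EventID & 0xFFFF` so that 4625 matches regardless of the severity and facility bits; a rule whose Strings is a regex matches against the NUL-separated insertion strings exactly as the original post's `/\Qperl.exe\E/i` check does.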