Re: A question regarding Win32::EventLog

I've tried your code, and the only garbage I see are an excess of carriage returns in the output of 1 log entry that documents a hungapp Explorer.exe hang... Is this what you're getting?

I tried regexing out the CR's from the output with s/\r//;, to no avail. I guess they are in the log file (corrupt logfile?), but it's hard to tell because my C:\WINDOZE\system32\config\AppEvent.Evt is in goofy binary format... You've piqued my curiosity; let me know if you have any other info. For instance: what did your "garbage" output look like?

Comment on Re: A question regarding Win32::EventLog Download Code

Replies are listed 'Best First'.
Re^2: A question regarding Win32::EventLog by sidhartha (Acolyte) on Feb 02, 2005 at 06:34 UTC
Yeah I spent a little time trying to fix the CR's to no avail. One thing I notice is that the Event ID field doesn't always accurately report. Here is a sample I ran through the windows findstr command (I'm getting around to just installing cygwin): perl test.pl \| findstr UserID EventID 8001 EventID 8000 EventID 1073743528 EventID 11707 EventID 1004 EventID 1073743528 EventID 1073743528 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 11707 EventID 11707 EventID 11707 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1269629470 EventID 1000 Those 10 digit numbers are a mystery. The other ones like 1000 seem to match up correctly. In addition there is literal garbage in parts, here is a sample: c}⌂▒■♂√v3Θí⌡╓T╠F31B²╬≈↓)Zσ▌ ◄Ω#!Rφ"▬;╥←↓j╒╬╧!┌‼◄b▌╓╫9┬∩╪h Thanks for your response. I'm gonna look at it some more tomorrow and I'll let you know if I can figure out anything further.	[reply]
Re^3: A question regarding Win32::EventLog by barathbr (Scribe) on Feb 02, 2005 at 07:55 UTC
Hi Sid, I cant quite figure out where those characters are coming from, but for the event ID bit, this should fix it: `foreach my $key (keys %$hashRef){ if ($key =~ /EventID/) { my $id = ($hashRef->{$key} & 0xffff); print $key . "\t" . "\"$id\"" . "\n"; }` [download] hth !! Update: Ok, I am seeing the chars being printed against the name field. I still dont know how to fix it to print the name field, but this should give you the sid for the uid instead. `elsif ($key =~ /User/){ my $sid = unpack("H" . 2 * length(${$hashRef}{$key}), ${$hashRef}{ +$key}); my $user = ($hashRef->{$key} & 0xffff); print "User SID: " . "\t" . "\"$sid\" " . "\n"; }` [download]	[reply] [d/l] [select]
Re^4: A question regarding Win32::EventLog by sidhartha (Acolyte) on Feb 02, 2005 at 12:49 UTC
Wow that certainly does do the trick thank you very much! If you don't mind can you tell me what is exactly going on here?	[reply]