Using the full paths to the actual .evt files as if they were backup files is something that I have considered doing, but haven't tried yet. It may be what I have to do.

Right now, I am just looping through an array of the names that I know and calling Win32::EventLog->new() on each one. I thought that I could just put all the possibilities in the array, and if one didn't exist on a particular server, I could just do a next when the new() failed.

Unfortunately, that doesn't seem to work. I am testing things now by printing out the number of records and the first record in each log. I stuck a non-existent name ('ducky') in my array to test, and what it did was repeat the information from the Application log file. I do a close at the end of my loop, and the manual specifically says that after a close the handle is no longer any good. I'm not sure what is going on here.

I went and modified the test code on the man page and set it in a foreach loop with 'Appplication', 'System', and 'Ducky'. 'Ducky' gives the same info as Application, but 'Ducky' doesn't exist. It acts as if new() defaults to Application if it doesn't recognize the SourceName passed. If you give it a NULL entry for SourceName, then it does fail...

Unless someone has some other suggestions, I guess I'll try using the full paths to the evt files and see how that goes. If that works, I can at least loop through the .evt files in the config directory.

Thanks--

Al

Unless someone has some other suggestions,

There are three standard names: Application, Security & System. Which map to the system logs:

C:\windows\SYSTEM32\CONFIG\AppEvent.Evt
C:\windows\SYSTEM32\CONFIG\SecEvent.Evt
C:\windows\SYSTEM32\CONFIG\SysEvent.Evt
[download]

And the underlying system APIs default to the Application Log on the current system. Ie. The defaulting is done by the system not the module, and is done when: a) the underlying APIs are passed NULLs for the serverName and sourceName parameters; b) one of the passed values is unrecognised. (Dumb defaults, it should return an error, but there you go.)

As far as I'm aware. the only other files that you can access through these apis, are backups of those three produced by calling the appropriate system API (exposed by the module using the ->Backup() method). You can only do that once you have successfully opened one of those 3, or (perhaps, it is unclear) an existing backup of one of those three. And the way you open a backup is to pass the fully qualified pathname to the New() constructor.

There are no other options.

---

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

"Too many [] have been sedated by an oppressive environment of political correctness and risk aversion."

Gyuk! I knew there were more reasons I didn't like Windows...

Thanks for the info, though. That explains a lot. Everything seems to work, if I pass in the log names that the Event Viewer shows; so I guess it will handle more than just the three standard logs (of course, maybe that was a fluke...). I tried giving the full paths to the files. New didn't give an error, but when I queried for the number of records, I got nothing. I don't think I can count on it to handle backup, then.

I guess I'll build a hash lookup table and check it against the .evt files on the server to see what logs are there to be backed up. Too bad there isn't a list of the event logs in the environment. This will be a bit convoluted and brain dead, but oh well...

Again, many thanks!

--Al