Al_Gee has asked for the wisdom of the Perl Monks concerning the following question:

My production platform will be some Windows 2000 and 2003 servers. I am developing on a workstation running Windows XP Pro SP3 using ActiveState perl 5.10.0.

I want to read the registry to get the names of the event logs (we have more than the standard three, and it varies amongst the different servers). There is a key at LMachine/System/CurrentControlSet/Services/EventLog that has beneath it as subkeys all of the event logs for the machine.

The code below will print out the subkeys for other keys in the registry including Services immediately above EventLog and any of the subkeys below EventLog. For EventLog, though, it opens the key, but it only prints the values.

Am I doing something wrong? Is there another way to get a list of the event logs?

Thanks--

Al

-----Included code

    use Win32::TieRegistry Delimiter => '/';
    #
    # Here is the 'path' to the key in the registry. Here it is
    # set to look at the EventLog key.
    #
    my $name = join '/', qw/ LMachine System CurrentControlSet Services EventLog /;
    my $key = $Registry->{$name}
        or die "$0: can't open $name: $^E\n";
    my(@subs,@vals);
    for (keys %$key) {
        print "$_\n";
        if (m<^/(.*)$>s) {          # leading delimiter: a value name
            push @vals, $1;
        } elsif (m<^(.*)/$>s) {     # trailing delimiter: a subkey name
            push @subs, $1;
        }
    }
    #
    # Run against other registry keys this prints out subkeys
    # and values. For EventLog, it only prints out values.
    #
    print "Subkeys of $name:\n", map( "$_\n", @subs),
          "Values of $name:\n", map( "$_=$key->{$_}\n", @vals);
-----End included code

Replies are listed 'Best First'.
Re: Reading Subkeys with Win32::TieRegistry
by imrags (Monk) on Jan 23, 2009 at 07:40 UTC
    Do you have to search the registry for the event log files?
    AFAIK, the eventlog files are located in the %systemroot%/system32/config directory...
    They have the extension .evt
    If you find these "evt" files, you'll be able to find all the event log files in Windows.
    Then you can think of using Win32::EventLog module to process them...
    Try reading this, eventquery.vbs
    Might be of some help...
    Raghu
      See my reply to the next comment. I am going to be using Win32::EventLog, but it needs the names of the event logs to back up. I am trying to avoid having to create a hash with all of the possible .evt files and their associated event log names.

      Thanks--

      Al

Re: Reading Subkeys with Win32::TieRegistry
by dHarry (Abbot) on Jan 23, 2009 at 08:25 UTC

    I agree/think Win32::EventLog might be a better choice. It has a powerful read method. Also see How To for ideas.

    Furthermore I recall that you can set the event log security locally/by using Group Policy. Are you sure you have permission to read them, i.e. with what user are you trying to read the registry?

    HTH

      My ultimate goal is to write a backup system for our Windows servers. What I need to be able to do is back up each event log on each system to a local directory on that system and then to a central system on the network.

      The reason I am trying to read the subkeys under Eventlog in the registry is that the Windows Event Log system is flawed (at least for my use of it). Though it allows you to have more event logs, the system's defaults assume that you only have three event logs: Application, Security, and System. (And, yes, I do have the correct permissions to read the files).

      Furthermore, while the .evt file in the config directory indicates that there is an event log, it is not the name of the event log. The documentation for Win32::EventLog implied that I might be able to manipulate the event logs using the full path to the .evt file. I was unable to get that to work; Win32::EventLog would only work with the name of the event log. (Using the full path is meant for reading backup files; so maybe it won't work on a .evt file in the config directory...) Win32::Registry has no mechanism for listing out the existing event logs.

      I saw that the registry key for the Eventlog had a subkey for each event log on the system, and those subkeys used the same name as the event log. We have multiple servers with many different combinations of event logs. Rather than have a hash lookup, which I would have to maintain, that would associate each .evt file in the config directory to the correct event log name, I decided to try and read those subkeys.

      I was foiled again. While I can read the subkeys of the Services key above Eventlog and of the subkeys below Eventlog, I cannot get Win32::TieRegistry to read the subkeys of the Eventlog key itself.

      If someone knows of another way to get a list of the event logs on a system, I'd be happy to try it...

      Thanks--

      Al
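      An added example, not Al's code or anything from the thread, that does what the question and this reply describe: it lists the EventLog subkeys with Win32::TieRegistry's explicit SubKeyNames method (a cross-check against iterating the tied hash), compares the count with what $key->Information reports, and backs up each log by name with Win32::EventLog. The backup directory C:\EventLogBackups is an assumption.

```perl
# Added example (not the poster's code). Enumerate the event log names from
# the EventLog registry key and back each one up by name. Assumes a local
# run with rights to read the key and the logs; backup directory is assumed.
use strict;
use warnings;
use Win32::TieRegistry Delimiter => '/';
use Win32::EventLog;
use File::Spec;

my $backup_dir = 'C:\EventLogBackups';   # assumed destination; adjust as needed
mkdir $backup_dir unless -d $backup_dir;

# The key whose subkeys are named after the event logs on this machine.
my $path = 'LMachine/System/CurrentControlSet/Services/EventLog';
my $key  = $Registry->{$path}
    or die "$0: can't open $path: $^E\n";

# SubKeyNames asks the key for its subkeys directly instead of walking the
# tied hash, so it is a useful check when keys %$key yields only value names.
my @logs = $key->SubKeyNames;
die "$0: no subkeys found under $path\n" unless @logs;

# Information() reports the subkey count the OS sees (CntSubKeys); warn if
# the two views of the key disagree, which is the symptom in the question.
my %info = $key->Information;
warn "CntSubKeys=$info{CntSubKeys} but SubKeyNames returned ", scalar(@logs), "\n"
    if $info{CntSubKeys} != @logs;

my ($mday, $mon, $year) = (localtime)[3, 4, 5];
my $stamp = sprintf '%04d%02d%02d', $year + 1900, $mon + 1, $mday;

for my $log (@logs) {
    # Open the live log by its registry name, not by the .evt file path;
    # Win32::EventLog only takes the path form for reading backup files.
    my $handle = Win32::EventLog->new($log, '')     # '' = local machine
        or do { warn "can't open event log '$log': $^E\n"; next };
    my $file = File::Spec->catfile($backup_dir, "$log-$stamp.evt");
    if ($handle->Backup($file)) {
        print "backed up $log to $file\n";
    } else {
        warn "backup of $log failed: $^E\n";
    }
    $handle->Close;
}
```

      The backup file name is handed to the Event Log service, so it must be an absolute path that the service account can write to.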

Re: Reading Subkeys with Win32::TieRegistry (debug)
by tye (Sage) on Jan 31, 2009 at 08:08 UTC

    I've been unable to reproduce this. Could you please check what the permissions are on the EventLog/ key and the EventLog/Application/ key? (Transcribe the information from Edit->Permission->Advanced and tell me what user and groups you are accessing via.) Then include a dump of the return value from $key->Information(). Thanks.

    - tye

      OK. I went and checked the information that you asked for. The permissions for both keys are the same, and the local Administrators group is set to Full Control. I am running the script as a member of that Administrators group. I went to the Advanced tab and checked the effective permissions for the user that is running the script. On both keys, it has Full Control.

      A dump of the return value from $key->Information() for the Eventlog key shows the following:

      CntSubKeys = 6
      CntValues = 11
      MaxSubClassLen = 0
      SecurityLen = 260
      MaxSubKeyLen = 12
      MaxValNameLen = 19
      LastWrite = 2009-01-21T20:51:34
      MaxValDataLen = 27

      The only thing that I can see different about the Eventlog key and any of the others (looking in regedit) is the setting for the first value in that key labeled "(Default)". For all of the other keys that I've looked at, that "Default" value is set to either a string (Application, for example, is set to "mnmsrvc") or "(value not set)". If I click on "Modify" the Eventlog "(Default)" looks empty just like the values for the keys that show "(value not set)". If, however, I click on "Modify Binary Data", the values for the keys that show "(value not set)" show "0000" and the value for "(Default)" on the Eventlog key shows "0000  00 00". I have no idea, if that is the problem, but it is the only difference that I can see...

      Does that answer all your questions?

      Thanks for your help.

      --Al