Re^2: Help understanding Win32::Eventlog

to clarify some things, I had used report to attempt to test to see if the code was working correctly, but it appears I did that incorrectly, and I am unsure of how to do it correctly. Also I have already done several google searchs, looked in the perldocs, and checked out cpan, and I am just not understanding what its trying to say. I understand the function calls and such, but I don't understand how it works well enough to implement them.

Update: Sorry it took me awhile to even remotely understand your code and I have several questions regarding it.

$handle appears to be a variable that is retrieving the eventlog records and then later on, is being read in your second while loop. am I incorrect in this observation?

Is there a way I could go about when reading these, looking for a specific string or integer and upon finding one of these do some action foo?

In the second while loop, you have EVENTLOG_FORWARDS_READ|EVENTLOG_SEEK_READ as part of your hash, wouldn't these need to be passed parameters in order to function correctly?

Again thanks for your help, I really appreciate it.

Comment on Re^2: Help understanding Win32::Eventlog

Replies are listed 'Best First'.
Re^3: Help understanding Win32::Eventlog by Anonymous Monk on Aug 04, 2011 at 10:57 UTC
$handle appears to be a variable that is retrieving the eventlog records and then later on, is being read in your second while loop. am I incorrect in this observation? Kinda sorta :) almost not really :D Yes, $handle is a (scalar) variable, a special kind, an object (aka reference), which is an instance of the class Win32::EventLog , which is just very thin sugar around the number returned by OpenEventLog Function (Windows) So instead of doing `ReadEventLog( handle ... ); CloseEventLog( handle );` [download] or in perl terms `Win32::EventLog::Read( $handle, ... ); Win32::EventLog::Close( $handle );` [download] you do `$handle->Read(...); $handle->Close;` [download] Win32::EventLog follows the c-interface too closely, I would write a wrapper that avoids pass-by-reference Is there a way I could go about when reading these, looking for a specific string or integer and upon finding one of these do some action foo? In the same way as the example demonstrates :) for example, instead of printing Message, you could perform additional checks, perhaps using the match operator, then call some other function In the second while loop, you have EVENTLOG_FORWARDS_READ\|EVENTLOG_SEEK_READ as part of your hash, wouldn't these need to be passed parameters in order to function correctly? No, they are not part of the hash, they are indeed arguments to the Read method Perhaps you need a syntax highlighting editor like http://padre.perlide.org/ or kephra .... Here is another example #!/usr/bin/perl -- use strict; use warnings; use Win32::EventLog(); use Data::Dump qw[ pp ]; Main( @ARGV ); exit( 0 ); sub Main { FiddleEventLog("System"); FiddleEventLog("Application"); } sub Ebola { my( $eventLog , $computerName ) = @_; my $handle = Win32::EventLog->new($eventLog, $computerName) or die "Can't open Application EventLog\n"; my $recs; $handle->GetNumber($recs) or die "Can't get number of EventLog records\n"; my $base; $handle->GetOldest($base) or die "Can't get number of oldest EventLog record\n"; return $handle, $base, $recs; } sub FiddleEventLog { my( $handle, $base, $recs ) = Ebola(@_); my $flags = Win32::EventLog::EVENTLOG_FORWARDS_READ() \| Win32::EventLog::EVENTLOG_SEEK_READ(); local $Win32::EventLog::GetMessageText = 1; # autocall GetMessageT +ext my $x = 0; while( $x < $recs ) { my $hashRef; $handle->Read( $flags , $base + $x, $hashRef ) or die "Can't read EventLog entry #$x\n"; DoTheVirus( $hashRef ); $x++; } print "\nRead $x records\n"; } sub DoTheVirus { my %hash = %{shift @_ }; if ( $hash{Message} and $hash{Message} =~ /die/ ){ die "dumb but hey, I've yet to see die in my event log"; } elsif( $hash{Source} eq 'Application Error' ){ if( $hash{Strings} =~ /\Qperl.exe\E/i ){ printf "\nUh oh $hash{RecordNumber} %s\n", pp($hash{St +rings}) if $hash{Strings} =~ /perl58.dll/; } } else { WinAppExploder( \%hash ); } } sub WinAppExploder { my( $ref ) = @_; if( $hash{Source} =~ /WinApp/ and $ref->{Strings} =~ /Windows is g +ood/ ) { if( $ref->{Category} == 50 ) { die 666; } } elsif( $ref->{Data} eq 'unix' ) { die 666; } } __END__ $ perl pm.918065.pl Read 2544 records Uh oh 8 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0" Uh oh 12 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0 +" Uh oh 45 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0 +" Uh oh 49 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0 +" Uh oh 125 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\ +0" 666 at pm.918065.pl line 67. [download]	[reply] [d/l] [select]
Re^4: Help understanding Win32::Eventlog by tfredett (Sexton) on Aug 04, 2011 at 18:46 UTC
Thanks so much for your help, it took me awhile, but the first example you posted I was able to get, and your second example here makes it that much more clear in my mind. Also thank you for answering my questions, it helped clear up a lot of other things I had been thinking about as well. If I could upvote you I would, but I can't because my level isn't high enough yet, not to mention your an anonymous monk :(	[reply]