$handle appears to be a variable that is retrieving the eventlog records and then later on, is being read in your second while loop. am I incorrect in this observation?

Kinda sorta :) almost not really :D

Yes, $handle is a (scalar) variable, a special kind, an object (aka reference), which is an instance of the class Win32::EventLog , which is just very thin sugar around the number returned by OpenEventLog Function (Windows)

So instead of doing

ReadEventLog( handle ... );
CloseEventLog( handle );
[download]

or in perl terms

Win32::EventLog::Read( $handle, ... );
Win32::EventLog::Close( $handle );
[download]

you do

$handle->Read(...);
$handle->Close;
[download]

Win32::EventLog follows the c-interface too closely, I would write a wrapper that avoids pass-by-reference

Is there a way I could go about when reading these, looking for a specific string or integer and upon finding one of these do some action foo?

In the same way as the example demonstrates :) for example, instead of printing Message, you could perform additional checks, perhaps using the match operator, then call some other function

In the second while loop, you have EVENTLOG_FORWARDS_READ|EVENTLOG_SEEK_READ as part of your hash, wouldn't these need to be passed parameters in order to function correctly?

No, they are not part of the hash, they are indeed arguments to the Read method

Perhaps you need a syntax highlighting editor like http://padre.perlide.org/ or kephra ....

Here is another example

#!/usr/bin/perl --
use strict;
use warnings;
use Win32::EventLog();
use Data::Dump qw[ pp ];
Main( @ARGV );
exit( 0 );
sub Main {
    FiddleEventLog("System"); 
    FiddleEventLog("Application"); 
}

sub Ebola {
    my( $eventLog , $computerName ) = @_;
    my $handle = Win32::EventLog->new($eventLog, $computerName)
        or die "Can't open Application EventLog\n";
    my $recs;
    $handle->GetNumber($recs)
        or die "Can't get number of EventLog records\n";
    my $base;
    $handle->GetOldest($base)
        or die "Can't get number of oldest EventLog record\n";
    return $handle, $base, $recs;
}

sub FiddleEventLog {
    my( $handle, $base, $recs ) = Ebola(@_);
    my $flags = Win32::EventLog::EVENTLOG_FORWARDS_READ()
        | Win32::EventLog::EVENTLOG_SEEK_READ();
    
    local $Win32::EventLog::GetMessageText = 1; # autocall GetMessageT
+ext
    
    my $x = 0;
    while( $x < $recs )
    {
        my $hashRef;
        $handle->Read( $flags , $base + $x, $hashRef )
          or die "Can't read EventLog entry #$x\n";
        DoTheVirus( $hashRef );
        $x++;
    }
    print "\nRead $x records\n";
}

sub DoTheVirus {
    my %hash = %{shift @_ };
    if ( $hash{Message} and $hash{Message} =~ /die/ ){
        die "dumb  but hey, I've yet to see die in my event log";
    }
    elsif( $hash{Source} eq 'Application Error' ){
        if( $hash{Strings} =~ /\Qperl.exe\E/i ){
                printf "\nUh oh $hash{RecordNumber} %s\n", pp($hash{St
+rings})
                if $hash{Strings} =~ /perl58.dll/;
        }
    }
    else
    {
        WinAppExploder( \%hash );
    }
}
sub WinAppExploder {
    my( $ref ) = @_;
    if( $hash{Source} =~ /WinApp/ and $ref->{Strings} =~ /Windows is g
+ood/ )
    {
        if( $ref->{Category} == 50 )
        {
            die 666;
        }
    }
    elsif( $ref->{Data}  eq 'unix' )
    {
        die 666;
    }
}

__END__
$ perl pm.918065.pl

Read 2544 records

Uh oh 8 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0"

Uh oh 12 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0
+"

Uh oh 45 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0
+"

Uh oh 49 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\0
+"

Uh oh 125 "perl.exe\x005.8.9.825\0perl58.dll\x005.8.9.825\x000008725a\
+0"
666 at pm.918065.pl line 67.
[download]