Working with Event Logs (WinNT/2000/XP)



FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS

After the WatchEventLog: trigger fires, use FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS to loop through the list of new event records. Inside the loop, the FOUND-EVENT buffer gives access to the "body" of the current event record.

Example:

#( test_watch_event
WatchEventLog: "System"
Action:
FOR-NEW-EVENTS
    ." New System event detected" CR
;FOR-NEW-EVENTS
)#
   
#( test_watch_event1
WatchEventLog: "System"
Action:
FOR-NEW-EVENTS
    ." New System event detected=" FOUND-EVENT evEventID @ . CR
;FOR-NEW-EVENTS
)#

FOUND-EVENT ( -- a)

Address of a buffer containing the binary information of one event record. Use this buffer inside the FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS loop.

Here are the fields that are accessible in FOUND-EVENT:

Name                   Size      Description
evLength               1 CELLS   Size of this event record, in bytes.
evReserved             1 CELLS   Reserved
evRecordNumber         1 CELLS   Record number of the record
evTimeGenerated        1 CELLS   Time at which this entry was submitted, measured in seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
evTimeWritten          1 CELLS   Time at which this entry was received by the service to be written to the logfile, measured in seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
evEventID              2 bytes   Event identifier
evEventType            2 bytes   Type of event
evNumStrings           2 bytes   Number of strings present in the log (at the position indicated by StringOffset)
evEventCategory        2 bytes   Category for this event
evReservedFlags        1 CELLS   Reserved
evClosingRecordNumber  1 CELLS   Reserved
evStringOffset         1 CELLS   Offset of the description strings within this event log record
evUserSidLength        1 CELLS   Size of the UserSid member, in bytes
evUserSidOffset        1 CELLS   Offset of the security identifier (SID) within this event log record
evDataLength           1 CELLS   Size of the event-specific data (at the position indicated by DataOffset), in bytes
evDataOffset           1 CELLS   Offset of the event-specific information within this event log record, in bytes

A more detailed description of all the fields is available in MSDN (see the EVENTLOGRECORD structure).

Use the word @ to read the fields marked as 1 CELLS and the word W@ to read the fields marked as 2 bytes.

Example:

#( test-found-event
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
    FOUND-EVENT evRecordNumber @ . CR
    FOUND-EVENT evEventType W@ . CR
;FOR-NEW-EVENTS
)#

#( test-found-event1
\ printing all the description strings to console
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
    FOUND-EVENT evStringOffset @ FOUND-EVENT +
    FOUND-EVENT evNumStrings W@ 0 ?DO
        ." String " I . ." =" ASCIIZ> 2DUP TYPE CR
        + 1+                      \ skip past the string and its terminating zero
    LOOP
    DROP
;FOR-NEW-EVENTS
)#

Here are additional words that simplify working with the FOUND-EVENT buffer:

Name              Stack comment     Description
evComputername    ( a -- a1 )       computer name (use ASCIIZ> to convert the null-terminated string to an au-string)
evNString         ( a # -- a1 )     address of the #th string; string numbering begins with 0 (use ASCIIZ> to convert the null-terminated string to an au-string)
evSourceName      ( a -- a1 )       event source string (use ASCIIZ> to convert the null-terminated string to an au-string)
evStrings         ( a -- a1 )       description strings (use ASCIIZ> to convert the null-terminated string to an au-string)
evStrings2String  ( a -- a1 u1 )    combines all the description strings, replaces the intermediate zeroes with blank spaces and returns the entire string
evUserSid         ( a -- a1 u1 )    the user's SID, as an address/length pair

Example:

#( test-evlog
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS 
    ." evSourceName =" FOUND-EVENT evSourceName ASCIIZ> TYPE CR
    ." evComputername =" FOUND-EVENT evComputername ASCIIZ> TYPE CR
;FOR-NEW-EVENTS
)#

#( test-evlog1
\ printing the entire description string to console
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
    ." evStrings2String =" FOUND-EVENT evStrings2String TYPE CR
;FOR-NEW-EVENTS
)#
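The record layout behind FOUND-EVENT and the helper words above (evSourceName, evComputername, evNString, evStrings2String, evUserSid), as an added Python example that is not part of nnCron or this page: it parses the Win32 EVENTLOGRECORD structure the page refers to, walks a buffer of records the way FOR-NEW-EVENTS does (stepping by evLength), pulls out the source name, computer name, description strings and SID, and filters records by the same EventType bits the EVENTLOG-* modifiers select on. Assumptions: the field offsets follow the MSDN structure (where EventID is a 4-byte DWORD, which is why the page's own examples read it with @); strings are ANSI and null-terminated, as the page's use of ASCIIZ> implies; all record contents (record numbers, event numbers 529 and 7036, names, strings, the S-1-5-18 SID and timestamps) are constructed sample data, not captured from a machine.

```python
import struct
from datetime import datetime, timezone

# Fixed header of the Win32 EVENTLOGRECORD structure (MSDN), little-endian.
# Field order matches the evXxx table on this page.
HEADER_FMT = "<IIIIIIHHHHIIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)          # 56 bytes
HEADER_FIELDS = (
    "evLength", "evReserved", "evRecordNumber", "evTimeGenerated",
    "evTimeWritten", "evEventID", "evEventType", "evNumStrings",
    "evEventCategory", "evReservedFlags", "evClosingRecordNumber",
    "evStringOffset", "evUserSidLength", "evUserSidOffset",
    "evDataLength", "evDataOffset",
)

# EventType bits; the EVENTLOG-* modifiers of WatchEventLog: select on these.
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010


def parse_header(record):
    """Decode the fixed header and refuse records whose offsets point outside the data."""
    if len(record) < HEADER_SIZE + 4:
        raise ValueError("record shorter than an EVENTLOGRECORD header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, record, 0)))
    length = hdr["evLength"]
    # A record ends with a second copy of Length; both must match the bytes we hold.
    if length != len(record) or struct.unpack_from("<I", record, length - 4)[0] != length:
        raise ValueError("Length field mismatch")
    if not HEADER_SIZE <= hdr["evStringOffset"] <= length:
        raise ValueError("evStringOffset points outside the record")
    for off, size in (("evUserSidOffset", "evUserSidLength"), ("evDataOffset", "evDataLength")):
        if not HEADER_SIZE <= hdr[off] <= hdr[off] + hdr[size] <= length:
            raise ValueError("%s points outside the record" % off)
    return hdr


def iter_records(buf):
    """Walk a ReadEventLog-style buffer record by record, as FOR-NEW-EVENTS does."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("trailing bytes at offset %d" % pos)
        length = struct.unpack_from("<I", buf, pos)[0]
        if length < HEADER_SIZE + 4 or pos + length > len(buf):
            raise ValueError("truncated record at offset %d" % pos)
        yield buf[pos:pos + length]
        pos += length


def asciiz_at(record, offset):
    """ASCIIZ> equivalent: returns (text, offset just past the terminating zero)."""
    end = record.index(b"\0", offset)
    return record[offset:end].decode("ascii", "replace"), end + 1


def source_and_computer(record):
    """evSourceName / evComputername: the two zero-terminated strings after the header."""
    parse_header(record)
    source, nxt = asciiz_at(record, HEADER_SIZE)
    computer, _ = asciiz_at(record, nxt)
    return source, computer


def event_strings(record):
    """All description strings, walked like the ?DO ... LOOP in test-found-event1
    (evNString n is simply event_strings(record)[n])."""
    hdr = parse_header(record)
    pos, out = hdr["evStringOffset"], []
    for _ in range(hdr["evNumStrings"]):
        s, pos = asciiz_at(record, pos)
        out.append(s)
    return out


def strings2string(record):
    """evStrings2String equivalent: the zero separators become blanks."""
    return " ".join(event_strings(record))


def user_sid(record):
    """evUserSid equivalent: the raw binary SID (empty when the record carries none)."""
    hdr = parse_header(record)
    start = hdr["evUserSidOffset"]
    return record[start:start + hdr["evUserSidLength"]]


def sid_to_string(sid):
    """Binary SID -> 'S-R-A-...': 48-bit authority is big-endian, sub-authorities little-endian."""
    rev, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def event_number(record):
    """Event Viewer shows the low 16 bits of EventID; the upper bits carry severity/facility."""
    return parse_header(record)["evEventID"] & 0xFFFF


def time_generated(record):
    """evTimeGenerated is seconds since 1970-01-01 00:00:00 UTC."""
    return datetime.fromtimestamp(parse_header(record)["evTimeGenerated"], tz=timezone.utc)


def matches_type(record, mask):
    """True when any EventType bit in mask is set (what the EVENTLOG-* modifiers test)."""
    return bool(parse_header(record)["evEventType"] & mask)


def build_record(record_number, event_id, event_type, source, computer, strings,
                 sid=b"", data=b"", when=0):
    """Assemble a well-formed ANSI EVENTLOGRECORD; used here only to make sample data."""
    body = bytearray(source.encode("ascii") + b"\0" + computer.encode("ascii") + b"\0")
    body += b"\0" * (-len(body) % 4)                # SID is DWORD-aligned
    sid_off = HEADER_SIZE + len(body)
    body += sid
    str_off = HEADER_SIZE + len(body)
    for s in strings:
        body += s.encode("ascii") + b"\0"
    data_off = HEADER_SIZE + len(body)
    body += data
    body += b"\0" * (-len(body) % 4)                # total length is DWORD-aligned
    length = HEADER_SIZE + len(body) + 4
    header = struct.pack(HEADER_FMT, length, 0x654C664C, record_number, when, when,
                         event_id, event_type, len(strings), 0, 0, 0,
                         str_off, len(sid), sid_off, len(data), data_off)
    return header + bytes(body) + struct.pack("<I", length)


# Constructed sample data (not captured from a real machine).
LOCAL_SYSTEM_SID = bytes.fromhex("010100000000000512000000")      # S-1-5-18
FAILED_LOGON = build_record(4711, 529, EVENTLOG_AUDIT_FAILURE, "Security", "WKS01",
                            ["alice", "WKS01", "(0x0,0x3E7)", "3"],
                            sid=LOCAL_SYSTEM_SID, when=1100000000)
SERVICE_STARTED = build_record(4712, 7036, EVENTLOG_INFORMATION_TYPE,
                               "Service Control Manager", "WKS01",
                               ["Event Log", "running"], when=1100000060)
SAMPLE_BUFFER = FAILED_LOGON + SERVICE_STARTED


def audit_failures(buf):
    """The records an EVENTLOG-AUDIT-FAILURE watcher would hand to FOR-NEW-EVENTS."""
    return [r for r in iter_records(buf) if matches_type(r, EVENTLOG_AUDIT_FAILURE)]


if __name__ == "__main__":
    for rec in iter_records(SAMPLE_BUFFER):
        print(parse_header(rec)["evRecordNumber"], time_generated(rec).isoformat(),
              source_and_computer(rec), event_number(rec), strings2string(rec))
```

The offset checks in parse_header matter when a record comes from anything other than the live API: evStringOffset, evUserSidOffset and evDataOffset are attacker-influenced only in the sense that a corrupt or crafted .evt file can carry values past the record end, and reading through them blindly (as a plain DUMP or ASCIIZ> would) is how a log parser crashes.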

WatchEventLog: "log_name"

Modifiers (optional):
EVENTLOG-AUDIT-SUCCESS  - notify of Audit Success event records
EVENTLOG-AUDIT-FAILURE  - notify of Audit Failure event records
EVENTLOG-ERROR-TYPE     - notify of Error event records
EVENTLOG-WARNING-TYPE   - notify of Warning event records

This word is triggered when new event records are available in the WinNT/2000/XP event logs. You can pass "Application", "System" or "Security" as the "log_name" parameter.

The modifiers listed above let the user specify precisely which kinds of event records should be watched; without them, every new record in the log triggers the task.

After WatchEventLog: is triggered, the user can start a FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS loop to traverse all new event records in the specified event log.

Example:

#( test-watchevent
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
    ." EVENT RECORD= " FOUND-EVENT evEventID @ . CR
;FOR-NEW-EVENTS
)#
   
#( test-watchevent1
\ printing the entire FOUND-EVENT buffer to console
WatchEventLog: "Application" EVENTLOG-AUDIT-FAILURE
Action:
FOR-NEW-EVENTS
    ." EVENT RECORD=" CR
    FOUND-EVENT DUP @ DUMP CR CR    \ evLength (offset 0) gives the number of bytes to dump
;FOR-NEW-EVENTS
)#