Working with Event Logs (WinNT/2000/XP)
FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS
After WatchEventLog: triggers, you can use FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS to loop through the list of new event records. The FOUND-EVENT buffer is used to access the "body" of each event record.
Example:
#( test_watch_event
WatchEventLog: "System"
Action:
FOR-NEW-EVENTS
." New System event detected" CR
;FOR-NEW-EVENTS
)#
#( test_watch_event1
WatchEventLog: "System"
Action:
FOR-NEW-EVENTS
." New System event detected=" FOUND-EVENT evEventID @ . CR
;FOR-NEW-EVENTS
)#
FOUND-EVENT
Address of a buffer that contains the binary information about an event record. You can use this buffer inside the FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS loop.
Here are the fields that are accessible in FOUND-EVENT:
| Name | Size | Description |
| --- | --- | --- |
| evLength | 1 CELLS | Size of this event record, in bytes. |
| evReserved | 1 CELLS | Reserved |
| evRecordNumber | 1 CELLS | Record number of the record |
| evTimeGenerated | 1 CELLS | Time at which this entry was submitted. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time. |
| evTimeWritten | 1 CELLS | Time at which this entry was received by the service to be written to the logfile. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time. |
| evEventID | 2 bytes | Event identifier |
| evEventType | 2 bytes | Type of event |
| evNumStrings | 2 bytes | Number of strings present in the log (at the position indicated by StringOffset) |
| evEventCategory | 2 bytes | Category for this event |
| evReservedFlags | 1 CELLS | Reserved |
| evClosingRecordNumber | 1 CELLS | Reserved |
| evStringOffset | 1 CELLS | Offset of the description strings within this event log record |
| evUserSidLength | 1 CELLS | Size of the UserSid member, in bytes |
| evUserSidOffset | 1 CELLS | Offset of the security identifier (SID) within this event log record |
| evDataLength | 1 CELLS | Size of the event-specific data (at the position indicated by DataOffset), in bytes |
| evDataOffset | 1 CELLS | Offset of the event-specific information within this event log record, in bytes |
A more detailed description of all the fields is available in MSDN (see the EVENTLOGRECORD structure).
Use the word @ to access the fields marked 1 CELLS, and the word W@ to access the fields marked 2 bytes.
Example:
#( test-found-event
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
FOUND-EVENT evRecordNumber @ . CR
FOUND-EVENT evEventType W@ . CR
;FOR-NEW-EVENTS
)#
#( test-found-event1
\ printing all the description strings to console
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
FOUND-EVENT evStringOffset @ FOUND-EVENT +
FOUND-EVENT evNumStrings W@ 0 ?DO
." String " I . ." =" ASCIIZ> 2DUP TYPE CR + 1+
LOOP
DROP
;FOR-NEW-EVENTS
)#
Here are additional words that simplify working with the FOUND-EVENT buffer:
| Name | Comment | Description |
| --- | --- | --- |
| evComputername | ( a -- a1) | computer name (use ASCIIZ> to convert the null-terminated string to an au-string) |
| evNString | ( a # -- a1) | address of the #th string. String numbering begins with 0. (Use ASCIIZ> to convert the null-terminated string to an au-string.) |
| evSourceName | ( a -- a1) | event source string (use ASCIIZ> to convert the null-terminated string to an au-string) |
| evStrings | ( a -- a1) | description strings (use ASCIIZ> to convert the null-terminated string to an au-string) |
| evStrings2String | ( a -- a1 u1) | combines all the description strings, replaces the intermediate zeroes with blank spaces and returns the entire string |
| evUserSid | ( a -- a1 u1) | SID |
Example:
#( test-evlog
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
." evSourceName =" FOUND-EVENT evSourceName ASCIIZ> TYPE CR
." evComputername =" FOUND-EVENT evComputername ASCIIZ> TYPE CR
;FOR-NEW-EVENTS
)#
#( test-evlog1
\ printing entire description string to console
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
." evStrings2String =" FOUND-EVENT evStrings2String TYPE CR
;FOR-NEW-EVENTS
)#
WatchEventLog: "log_name"
Modifiers (optional):
EVENTLOG-AUDIT-SUCCESS - notify of Audit Success event records
EVENTLOG-AUDIT-FAILURE - notify of Audit Failure event records
EVENTLOG-ERROR-TYPE - notify of Error event records
EVENTLOG-WARNING-TYPE - notify of Warning event records
This word is triggered when new event records are available in WinNT/2000/XP event logs. You can pass "Application", "System" or "Security" as the "log_name" parameter.
The modifiers listed above let the user specify precisely which event records should be watched.
After WatchEventLog: is triggered, the user can run a FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS loop to traverse all new event records in the specified event log.
Example:
#( test-watchevent
WatchEventLog: "Security"
Action:
FOR-NEW-EVENTS
." EVENT RECORD= " FOUND-EVENT evEventID @ . CR
;FOR-NEW-EVENTS
)#
#( test-watchevent1
\ printing entire FOUND-EVENT buffer to console
WatchEventLog: "Application"
EVENTLOG-AUDIT-FAILURE
Action:
FOR-NEW-EVENTS
." EVENT RECORD=" CR FOUND-EVENT DUP @ DUMP CR CR
;FOR-NEW-EVENTS
)#
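The field table, the string-walking loop in test-found-event1, the evStrings2String helper and the EVENTLOG-* modifiers all operate on the same EVENTLOGRECORD layout that FOUND-EVENT points at. The following Python module is an added example, not code from this page or from the scripting tool it documents. It builds a constructed sample record, parses it using the MSDN EVENTLOGRECORD layout (under which EventID is a 32-bit field, which is why the examples above read it with @), walks the description strings the way the ?DO ... LOOP example does, joins them like evStrings2String, filters on EventType the way the modifiers do, and refuses records whose offsets point outside the record, which is the check any parser of log bytes it did not produce itself should make. All names (build_record, parse_record, the sample values) are this example's own assumptions.

```python
"""Parse Windows EVENTLOGRECORD buffers (the layout the FOUND-EVENT buffer holds)."""
import struct

# Fixed 56-byte header, little-endian, in MSDN order:
# Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID (DWORD each),
# EventType, NumStrings, EventCategory, ReservedFlags (WORD each),
# ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
# DataLength, DataOffset (DWORD each)
HEADER = struct.Struct("<6I4H6I")
HEADER_FIELDS = ("Length", "Reserved", "RecordNumber", "TimeGenerated", "TimeWritten",
                 "EventID", "EventType", "NumStrings", "EventCategory", "ReservedFlags",
                 "ClosingRecordNumber", "StringOffset", "UserSidLength", "UserSidOffset",
                 "DataLength", "DataOffset")
assert HEADER.size == 56

# EventType values behind the EVENTLOG-* modifiers
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010


def _align4(n):
    return (n + 3) & ~3


def build_record(record_number, event_id, event_type, source, computer, strings,
                 sid=b"", data=b"", time_generated=0):
    """Construct a well-formed record (test data only, not captured from a real log)."""
    body = source.encode("ascii") + b"\0" + computer.encode("ascii") + b"\0"
    body += b"\0" * (_align4(56 + len(body)) - 56 - len(body))  # UserSid is DWORD-aligned
    sid_off = 56 + len(body)
    body += sid
    str_off = 56 + len(body)
    body += b"".join(s.encode("ascii") + b"\0" for s in strings)
    data_off = 56 + len(body)
    body += data
    total = _align4(56 + len(body) + 4)  # pad so the trailing Length copy is DWORD-aligned
    body += b"\0" * (total - 4 - 56 - len(body))
    header = HEADER.pack(total, 0, record_number, time_generated, time_generated,
                         event_id, event_type, len(strings), 0, 0, 0,
                         str_off, len(sid), sid_off, len(data), data_off)
    return header + body + struct.pack("<I", total)


def parse_record(buf):
    """Parse one record, validating every offset against Length before slicing."""
    if len(buf) < HEADER.size:
        raise ValueError("record shorter than header")
    rec = dict(zip(HEADER_FIELDS, HEADER.unpack_from(buf, 0)))
    length = rec["Length"]
    if length < HEADER.size + 4 or length > len(buf):
        raise ValueError("bad Length %d" % length)
    if struct.unpack_from("<I", buf, length - 4)[0] != length:
        raise ValueError("trailing Length copy does not match header")

    def region(off, size, name):
        if off < HEADER.size or off + size > length - 4:
            raise ValueError("%s out of bounds" % name)
        return buf[off:off + size]

    def asciiz(off):  # equivalent of ASCIIZ>, but bounded by the record
        if off < HEADER.size:
            raise ValueError("string offset inside header")
        end = buf.index(b"\0", off, length - 4)  # ValueError if no terminator in record
        return buf[off:end].decode("ascii", "replace"), end + 1

    rec["SourceName"], pos = asciiz(HEADER.size)  # evSourceName
    rec["Computername"], pos = asciiz(pos)        # evComputername
    rec["UserSid"] = (region(rec["UserSidOffset"], rec["UserSidLength"], "UserSid")
                      if rec["UserSidLength"] else b"")
    strings, pos = [], rec["StringOffset"]
    for _ in range(rec["NumStrings"]):  # same walk as the ?DO ... LOOP example
        s, pos = asciiz(pos)
        strings.append(s)
    rec["Strings"] = strings
    rec["Data"] = (region(rec["DataOffset"], rec["DataLength"], "Data")
                   if rec["DataLength"] else b"")
    return rec


def strings_to_string(rec):
    """Like evStrings2String: all description strings joined with blanks."""
    return " ".join(rec["Strings"])


def wanted(rec, *types):
    """Filter the way the EVENTLOG-* modifiers do: keep only the listed EventType values."""
    return rec["EventType"] in types


def is_well_formed(buf):
    try:
        parse_record(buf)
        return True
    except ValueError:
        return False


# Constructed sample: an audit-failure style record with a LocalSystem SID (S-1-5-18)
SAMPLE_SID = bytes([1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0])
SAMPLE = build_record(4711, 4625, EVENTLOG_AUDIT_FAILURE, "Security", "WS01",
                      ["alice", "WS01", "0xC000006D"], SAMPLE_SID, b"\x01\x02")
# Same record with StringOffset (header offset 36) pointing past the end of the record
TAMPERED = bytearray(SAMPLE)
struct.pack_into("<I", TAMPERED, 36, 5000)
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    r = parse_record(SAMPLE)
    print(r["RecordNumber"], r["EventID"], r["SourceName"], strings_to_string(r))
    print("tampered record accepted:", is_well_formed(TAMPERED))
```

The trailing Length copy and the bounds check in region() and asciiz() are what distinguish this from the `evStringOffset @ FOUND-EVENT +` arithmetic in the example above: the Forth loop trusts NumStrings and StringOffset, which is fine for records delivered by the event log service, but a parser fed a saved or forwarded buffer should verify them first.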