Working with Event Logs (WinNT/2000/XP)
FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS
After WatchEventLog: triggers, you can use FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS to loop through the list of new event records. The FOUND-EVENT buffer is used to access the "body" of each event record inside the loop.
Example:
#( test_watch_event
WatchEventLog: "System"
Action:
  FOR-NEW-EVENTS
    ." New System event detected" CR
  ;FOR-NEW-EVENTS
)#

#( test_watch_event1
WatchEventLog: "System"
Action:
  FOR-NEW-EVENTS
    ." New System event detected=" FOUND-EVENT evEventID @ . CR
  ;FOR-NEW-EVENTS
)#
FOUND-EVENT
Address of a buffer that contains the binary information about one event record. This buffer is valid only inside the FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS loop.
The following fields are accessible in FOUND-EVENT:
Name | Size | Description
evLength | 1 CELLS | Size of this event record, in bytes.
evReserved | 1 CELLS | Reserved
evRecordNumber | 1 CELLS | Record number of the record
evTimeGenerated | 1 CELLS | Time at which this entry was submitted. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
evTimeWritten | 1 CELLS | Time at which this entry was received by the service to be written to the logfile. This time is measured in the number of seconds elapsed since 00:00:00 January 1, 1970, Universal Coordinated Time.
evEventID | 2 bytes | Event identifier
evEventType | 2 bytes | Type of event
evNumStrings | 2 bytes | Number of strings present in the log (at the position indicated by StringOffset)
evEventCategory | 2 bytes | Category for this event
evReservedFlags | 1 CELLS | Reserved
evClosingRecordNumber | 1 CELLS | Reserved
evStringOffset | 1 CELLS | Offset of the description strings within this event log record
evUserSidLength | 1 CELLS | Size of the UserSid member, in bytes
evUserSidOffset | 1 CELLS | Offset of the security identifier (SID) within this event log record
evDataLength | 1 CELLS | Size of the event-specific data (at the position indicated by DataOffset), in bytes
evDataOffset | 1 CELLS | Offset of the event-specific information within this event log record, in bytes
A more detailed description of all the fields is available on MSDN (see the EVENTLOGRECORD structure).
Use the word @ to read fields marked 1 CELLS and the word W@ to read fields marked 2 bytes.
Example:
#( test-found-event
WatchEventLog: "Security"
Action:
  FOR-NEW-EVENTS
    FOUND-EVENT evRecordNumber @ . CR
    FOUND-EVENT evEventType W@ . CR
  ;FOR-NEW-EVENTS
)#

#( test-found-event1
\ printing all the description strings to console
WatchEventLog: "Security"
Action:
  FOR-NEW-EVENTS
    FOUND-EVENT evStringOffset @ FOUND-EVENT +    \ address of the first description string
    FOUND-EVENT evNumStrings W@ 0 ?DO
      ." String " I . ." ="
      ASCIIZ> 2DUP TYPE CR
      + 1+                                        \ step past the string and its terminating zero
    LOOP
    DROP
  ;FOR-NEW-EVENTS
)#
The following additional words simplify work with the FOUND-EVENT buffer:
Name | Stack effect | Description
evComputername | ( a -- a1 ) | computer name (use ASCIIZ> to convert the null-terminated string to an au-string)
evNString | ( a # -- a1 ) | address of the #th string; string numbering begins with 0 (use ASCIIZ> to convert the null-terminated string to an au-string)
evSourceName | ( a -- a1 ) | event source string (use ASCIIZ> to convert the null-terminated string to an au-string)
evStrings | ( a -- a1 ) | description strings (use ASCIIZ> to convert the null-terminated string to an au-string)
evStrings2String | ( a -- a1 u1 ) | combines all the description strings, replaces the intermediate zeroes with blank spaces and returns the entire string
evUserSid | ( a -- a1 u1 ) | SID
Example:
#( test-evlog
WatchEventLog: "Security"
Action:
  FOR-NEW-EVENTS
    ." evSourceName =" FOUND-EVENT evSourceName ASCIIZ> TYPE CR
    ." evComputername =" FOUND-EVENT evComputername ASCIIZ> TYPE CR
  ;FOR-NEW-EVENTS
)#

#( test-evlog1
\ printing entire description string to console
WatchEventLog: "Security"
Action:
  FOR-NEW-EVENTS
    ." evStrings2String =" FOUND-EVENT evStrings2String TYPE CR
  ;FOR-NEW-EVENTS
)#
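As an added illustration that is not code from the nnCron documentation or its author, the Python parser below reads the same EVENTLOGRECORD layout that the FOUND-EVENT fields and the helper words above expose, on a constructed two-record buffer. Field offsets follow the MSDN EVENTLOGRECORD definition the text refers to (there EventID is a DWORD, which matches the examples reading it with @); strings are treated as NUL-terminated ANSI text as ASCIIZ> does; iter_records walks records by their Length the way FOR-NEW-EVENTS does; strings_to_line mirrors evStrings2String; and wanted applies the EventType selection that the EVENTLOG-* modifiers perform. Record numbers, event IDs, names and the SID in the sample are constructed test data; the function and type names are this example's own.

```python
import struct
from typing import Iterator, List, NamedTuple, Tuple

# Fixed part of EVENTLOGRECORD as documented on MSDN (little-endian, 56 bytes):
# Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID (6 DWORDs),
# EventType, NumStrings, EventCategory, ReservedFlags (4 WORDs),
# ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset (6 DWORDs).
HEADER = struct.Struct("<6I4H6I")
RECORD_SIGNATURE = 0x654C664C  # "LfLe": the value real records carry in the Reserved DWORD

# EventType values from winnt.h; the page's EVENTLOG-* modifiers select among these.
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010


class EventRecord(NamedTuple):
    record_number: int
    time_generated: int
    time_written: int
    event_id: int
    event_type: int
    event_category: int
    source_name: str      # what evSourceName reaches
    computer_name: str    # what evComputername reaches
    user_sid: bytes       # what evUserSid reaches (raw SID bytes)
    strings: List[str]    # what evNString / evStrings walk
    data: bytes           # event-specific data at DataOffset


def asciiz(buf: bytes, offset: int) -> Tuple[str, int]:
    """Read a NUL-terminated ANSI string at offset; return (text, offset past the NUL).
    This is ASCIIZ> followed by '+ 1+' in the page's string-walking example."""
    end = buf.index(b"\x00", offset)
    return buf[offset:end].decode("latin-1"), end + 1


def parse_record(buf: bytes, pos: int = 0) -> EventRecord:
    """Decode one EVENTLOGRECORD starting at pos; all offsets are record-relative."""
    (length, reserved, recno, t_gen, t_wr, event_id,
     etype, nstrings, category, _flags,
     _closing, str_off, sid_len, sid_off, data_len, data_off) = HEADER.unpack_from(buf, pos)
    if reserved != RECORD_SIGNATURE:
        raise ValueError("not an EVENTLOGRECORD at offset %d" % pos)
    if pos + length > len(buf):
        raise ValueError("record claims %d bytes but the buffer is shorter" % length)
    rec = buf[pos:pos + length]            # slice so offsets from the header apply directly
    source, p = asciiz(rec, HEADER.size)   # SourceName directly follows the fixed header
    computer, _ = asciiz(rec, p)           # Computername follows SourceName
    strings, p = [], str_off
    for _ in range(nstrings):              # same loop as 'evNumStrings W@ 0 ?DO ... LOOP'
        s, p = asciiz(rec, p)
        strings.append(s)
    return EventRecord(recno, t_gen, t_wr, event_id, etype, category, source, computer,
                       rec[sid_off:sid_off + sid_len], strings, rec[data_off:data_off + data_len])


def iter_records(buf: bytes) -> Iterator[EventRecord]:
    """Walk back-to-back records using each record's Length, as FOR-NEW-EVENTS does."""
    pos = 0
    while pos + HEADER.size <= len(buf):
        yield parse_record(buf, pos)
        pos += struct.unpack_from("<I", buf, pos)[0]


def strings_to_line(rec: EventRecord) -> str:
    """What evStrings2String returns: the description strings joined by single blanks."""
    return " ".join(rec.strings)


def wanted(rec: EventRecord, type_mask: int) -> bool:
    """Apply a modifier such as EVENTLOG-AUDIT-FAILURE as a mask over EventType."""
    return bool(rec.event_type & type_mask)


def build_record(recno, event_id, event_type, source, computer, strings,
                 sid=b"", data=b"", category=0, t_gen=0, t_wr=0) -> bytes:
    """Assemble a constructed EVENTLOGRECORD for testing (sample data, not a real log)."""
    body = source.encode("latin-1") + b"\x00" + computer.encode("latin-1") + b"\x00"
    body += b"\x00" * (-len(body) % 4)     # the log service DWORD-aligns the SID
    sid_off = HEADER.size + len(body)
    body += sid
    str_off = HEADER.size + len(body)
    body += b"".join(s.encode("latin-1") + b"\x00" for s in strings)
    data_off = HEADER.size + len(body)
    body += data
    body += b"\x00" * (-len(body) % 4)
    length = HEADER.size + len(body) + 4   # plus the trailing copy of Length
    header = HEADER.pack(length, RECORD_SIGNATURE, recno, t_gen, t_wr, event_id,
                         event_type, len(strings), category, 0,
                         0, str_off, len(sid), sid_off, len(data), data_off)
    return header + body + struct.pack("<I", length)


# Constructed sample: two Security records, one audit failure and one audit success.
SAMPLE_LOG = (
    build_record(1001, 529, EVENTLOG_AUDIT_FAILURE, "Security", "WORKSTATION1",
                 ["jdoe", "WORKSTATION1", "2"],
                 sid=b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00")
    + build_record(1002, 528, EVENTLOG_AUDIT_SUCCESS, "Security", "WORKSTATION1",
                   ["jdoe", "WORKSTATION1", "2"], data=b"\x01\x02")
)


def audit_failures(buf: bytes) -> List[str]:
    """Report only the records an EVENTLOG-AUDIT-FAILURE watcher would act on."""
    return ["%d: %s" % (r.event_id, strings_to_line(r))
            for r in iter_records(buf) if wanted(r, EVENTLOG_AUDIT_FAILURE)]


if __name__ == "__main__":
    for line in audit_failures(SAMPLE_LOG):
        print(line)
```

Running the block prints one line for the constructed audit-failure record and skips the audit-success record, which is the same selection the modifiers make before FOR-NEW-EVENTS ever runs.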
WatchEventLog:
This word is triggered when new event records are available in a WinNT/2000/XP event log. You can pass "Application", "System" or "Security" as the "log_name" parameter.
After WatchEventLog: is triggered, you can start a FOR-NEW-EVENTS ... ;FOR-NEW-EVENTS loop to traverse all new event records in the specified event log.
Modifiers (optional):
EVENTLOG-AUDIT-SUCCESS - notify of Audit Success event records
EVENTLOG-AUDIT-FAILURE - notify of Audit Failure event records
EVENTLOG-ERROR-TYPE - notify of Error event records
EVENTLOG-WARNING-TYPE - notify of Warning event records
These modifiers let you specify precisely which event records are watched.
Example:
#( test-watchevent
WatchEventLog: "Security"
Action:
  FOR-NEW-EVENTS
    ." EVENT RECORD= " FOUND-EVENT evEventID @ . CR
  ;FOR-NEW-EVENTS
)#

#( test-watchevent1
\ printing entire FOUND-EVENT buffer to console
WatchEventLog: "Application" EVENTLOG-AUDIT-FAILURE
Action:
  FOR-NEW-EVENTS
    ." EVENT RECORD=" CR
    FOUND-EVENT DUP @ DUMP CR CR    \ evLength is the first field, so DUP @ gives the record size
  ;FOR-NEW-EVENTS
)#