Perlers,
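# I'm working on a script to check the application log on one of my servers
# for a specific event using Win32::EventLog. For some reason, I don't get all
# of the event entries returned. In this case I have 1196 entries, but only 353
# are output by the script (so says $log->GetNumber and wc -l). Does anyone
# know why this could be? Using the documentation from CPAN and a few pages
# from 'Perl for System Administration', I've written the following:

# Perl and Windows, sittin' in a tree...
use strict;
use warnings;

# the code snippet for Win32::EventLog was lifted from
# 'Perl for System Administration', pg. 298
use Win32::EventLog;

# each event has a type, hash it
my %type = (
    1  => "ERROR",
    2  => "WARNING",
    4  => "INFORMATION",
    8  => "AUDIT_SUCCESS",
    16 => "AUDIT_FAILURE",
);

# if this is set, we also retrieve the full text of every message on each Read()
$Win32::EventLog::GetMessageText = 1;

# open the System log (try Application later)
# NOTE(review): the question above is about the Application log, but this
# opens "System". GetNumber() and the read loop both describe whichever log
# is open here, so a count that differs from the Application log's size is
# expected until the name below is switched.
#my $log = Win32::EventLog->new("Application")
#    or die "Unable to open Application log: " . $^E . "\n";
# Direct method call instead of the indirect-object "new Class" form; $^E is
# used because $! (errno) is not set by the Win32 event log calls.
my $log = Win32::EventLog->new("System")
    or die "Unable to open System log: " . $^E . "\n";

# find the number of records in the log
my $lastRec;
$log->GetNumber($lastRec)
    or die "Unable to get the record count: " . $^E . "\n";

my $entry;
my $source2find = "APCPBEAgent";
my $id2find     = "2000";

# set an arbitrary time for testing; will capture time at the end of each run
# (in production)
#my $time2find = "1125272719";

# Count what was actually read, so a short read is visible instead of silent.
my $records_read = 0;

# read one record at a time, starting with the first entry
# note: find docs on EVENTLOG_*...
# The offset argument is only meaningful with EVENTLOG_SEEK_READ; for a
# sequential read it is ignored, so 0 is passed.
while ($log->Read((EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ), 0, $entry)) {
    $records_read++;

    # The low 16 bits are the event code shown in Event Viewer; the upper bits
    # carry other fields, so mask before printing or comparing.
    my $source  = $entry->{Source};
    my $time    = $entry->{TimeGenerated};
    my $eventid = $entry->{EventID} & 0xffff;

    # Event types outside the table, and messages whose text was not
    # returned, would otherwise trigger "uninitialized value" warnings.
    my $type_name = exists $type{ $entry->{EventType} }
        ? $type{ $entry->{EventType} }
        : "UNKNOWN";
    my $message = defined $entry->{Message} ? $entry->{Message} : "";

    # the following print lines are for debugging, to make sure I really have
    # some output...
    print "\n-------------------\n";
    print "Time: " . $time . "\n";
    print scalar localtime($time) . "\n";
    print "Computer: " . $entry->{Computer} . "\n";
    print "EventID: " . $eventid . "\n";
    print "Source: " . $source . "\n";
    print "Event Type: " . $type_name . "\n";
    print "Message: " . $message . " \n";

    # if ( $time > $time2find ) {
    #     if ( $source eq $source2find ) {
    #         if ( $eventid == $id2find ) {
    #             print "\n-------------------\n";
    #             print "Time: " . $time . "\n";
    #             print "Source: " . $source . "\n";
    #             print "EventID: " . $eventid . "\n";
    #         }
    #     }
    # }
}

# Read() returning false ends the loop for both "end of log" and a real
# failure. Capture the extended OS error before anything else can overwrite
# it. For a monitoring script this matters: a read that stops early means
# events are missed without any indication.
my $read_error = $^E;

print "Number of events: $lastRec\n";
print "Records read: $records_read\n";
if ($records_read != $lastRec) {
    # Windows normally reports ERROR_HANDLE_EOF (38) at the end of a log;
    # any other value here points at the record where reading stopped.
    warn "Read stopped after $records_read of $lastRec records; last error: "
        . ($read_error + 0) . " ($read_error)\n";
}

$log->Close();

# Ryan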