Export Particular Entry from Event Viewer

[mtmartis]

Hello,

I am trying to create a script that will output a particular event in the Windows Event Viewer, though I am at a loss still.

From what I can tell, I need to use the _Event__Read function. The example provided by AutoIT shows how to output the most recent record, however, I need to output a record where the Source is Winlogon.

expandcollapse popup

#include <GuiConstantsEx.au3>
#include <EventLog.au3>

Global $iMemo

_Main()

Func _Main()
    Local $hEventLog, $hGUI, $aEvent

    ; Create GUI
    $hGUI = GUICreate("EventLog", 400, 300)
    $iMemo = GUICtrlCreateEdit("", 2, 2, 396, 300, 0)
    GUICtrlSetFont($iMemo, 9, 400, 0, "Courier New")
    GUISetState()

    ; Read most current event record
    $hEventLog = _EventLog__Open("", "Application")
;~  $hEventLog = _EventLog__Open("", "System")
    $aEvent = _EventLog__Read($hEventLog)
    ;~  $aEvent = _EventLog__Read($hEventLog, True, False)
;~  $aEvent = _EventLog__Read($hEventLog, True, False)
    MemoWrite("Result ............: " & $aEvent[ 0])
    MemoWrite("Record number .....: " & $aEvent[ 1])
    MemoWrite("Submitted .........: " & $aEvent[ 2] & " " & $aEvent[ 3])
    MemoWrite("Generated .........: " & $aEvent[ 4] & " " & $aEvent[ 5])
    MemoWrite("Event ID ..........: " & $aEvent[ 6])
    MemoWrite("Type ..............: " & $aEvent[ 8])
    MemoWrite("Category ..........: " & $aEvent[ 9])
    MemoWrite("Source ............: " & $aEvent[10])
    MemoWrite("Computer ..........: " & $aEvent[11])
    MemoWrite("Username ..........: " & $aEvent[12])
    MemoWrite("Description .......: " & $aEvent[13])
    _EventLog__Close($hEventLog)


    ; Loop until user exits
    Do
    Until GUIGetMsg() = $GUI_EVENT_CLOSE

EndFunc   ;==>_Main

; Write a line to the memo control
Func MemoWrite($sMessage)
    GUICtrlSetData($iMemo, $sMessage & @CRLF, 1)
EndFunc   ;==>MemoWrite

I would think placing the following code after the _Eventlog__Read function would read the log up to that entry then output the results, but I just get an empty box.

Do
    Until $aEvent[10] = "Winlogon"

Any help to steer me in the right direction would be greatly appreciated.

Thanks!

Edited September 25, 2009 by mtmartis

[water]

Replace line

$aEvent = _EventLog__Read($hEventLog)

with

Do      
  $aEvent = _EventLog__Read($hEventLog)
Until $aEvent[10] = "Winlogon"

and you get the first Eventlog entry with Source "Winlogon".

I think you misinterpred the function of _EventLog__Read. It only reads one single record. When you call the function again with the same handle then the next record is returned.

Edited September 25, 2009 by water

[mtmartis]

Replace line

$aEvent = _EventLog__Read($hEventLog)

with

Do      
  $aEvent = _EventLog__Read($hEventLog)
Until $aEvent[10] = "Winlogon"

and you get the first Eventlog entry with Source "Winlogon".

I think you misinterpred the function of _EventLog__Read. It only reads one single record. When you call the function again with the same handle then the next record is returned.

Ugh, you make it seem so simple. I think I am beginning to understand it. I am new to scripting,so, it's repeating the Read until it finds the Winlogon entry.

It looks like I just did not know how/where to properly implement the loop. I'll have to get back to basics and learn when and where to use what.

Thank You very much Water!

[water]

Glad to be of service