Broken: Write to an EventLog ?

[avery]

Hi.

Windows 2000 has an issue where it doesn't (always) record logoff events.

I currently have the following script our government rep supplied. I am trying to do the same thing but use au3 as the language of choice. I would also like to write this to the Security Log and not the Application Log. The built-in Eventlog UDF doesn't seem to allow for the creation of Events. Does someone know a good way to do this? I'll give you full credit on the 2400+ machines this gets deployed on

Much thanks in Advance for any help or advice.

Original Script below that I'd like to have a au3.exe perform.

Installing WSH for Windows Logon/offs

Making the logon.vbs and logoff.vbs files

logoff.vbs

1) Click the Start button then Run... and in the box type notepad

2) Paste the following text (in blue) into the notepad

set wshshell=wscript.createobject("wscript.shell")

set wsh2=wscript.createobject("wscript.network")

wshshell.logevent 0,wsh2.userdomain & "\" & wsh2.username & " log off the computer"

3) Click File then Save As... and save it as the following: C:\WINNT\system32\GroupPolicy\User\Scripts\Logoff\logoff.vbs

4) Exit notepad

logon.vbs

5) Click the Start button then Run... and in the box type notepad

6) Paste the following text (in blue) into the notepad

set wshshell=wscript.createobject("wscript.shell")

set wsh2=wscript.createobject("wscript.network")

wshshell.logevent 0,wsh2.userdomain & "\" & wsh2.username & " log on the computer"

7) Click File then Save As... and save it as the following: C:\WINNT\system32\GroupPolicy\User\Scripts\Logon\logon.vbs

8) Exit notepad

Integration

WSH

1) Login as member of the Administrator's group

2) Start --> Run --> "gpedit.msc"

3) Double Click: User Configuration

4) Double Click: Windows Settings

5) Double Click: Script (Logon - Logoff)

6) Double Click: Logon (you get Logon Properties window)

7) Click: Show Files

8) At Logon Properties window Click: Add

9) Double Click: Browse (You should get a window for C:\WINNT\system32GroupPolicy\User\Scripts\Logon\logon.vbs)

10) Highlight the file "logon.vbs"

11) Click Open <OK>

12) Click OK

a. The logon.vbs file should be visible in the "Logon properties window"

13) Click Apply/OK (this should close the Logon Properties window)

14) Double Click: Logoff

15) Click: Show Files

16) At Logon Properties window Click: Add

17) Click: Browse (You should get a window for C:\WINNT\system32\GroupPolicy\User\Scripts\Logoff\logoff.vbs)

18) Highlight the file "logoff.vbs"

19) Click Open <OK>

20) Click Apply <OK>

21) This should complete updating the Scripting for Logon and Log Off.

Notes

To review the logons/logoffs; <Event Viewer><Application Log><View/Filter> "Event Source" <WSH>

If you use this process -- Then you should have a similar statement in the Vulnerabilities Portion and Auditing portions of your SSP:

Edited March 6, 2009 by avery

[GaryFrost]

Tryied _EventLog__Report?

[avery]

Tryied _EventLog__Report?

I made a terrible Monday morning mistake. I apologize for my obvious lack of observation.

...Writes an entry at the end of the specified event log -> _EventLog__Report()

[avery]

I made a terrible Monday morning mistake. I apologize for my obvious lack of observation.

...Writes an entry at the end of the specified event log -> _EventLog__Report()

I am still writing the script but I did notice something in the help file that was of concern.

Maybe I understand it wrong -- Does anyone know?

"$hEventLog A handle to the event log. As of Windows XP SP2, this cannot be a handle to the Security log."

The example out of the help file does not write anything to my Security log (the example uses Application log, that also fails).

I do not know how to make it any more simple. I am using WXPSP2 to test this but the target OS is W2K.

Any help would be great.

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

Edited February 23, 2009 by avery

[avery]

I am still writing the script but I did notice something in the help file that was of concern.

Maybe I understand it wrong -- Does anyone know?

"$hEventLog A handle to the event log. As of Windows XP SP2, this cannot be a handle to the Security log."

The example out of the help file does not write anything to my Security log (the example uses Application log, that also fails).

I do not know how to make it any more simple. I am using WXPSP2 to test this but the target OS is W2K.

Any help would be great.

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

[avery]

Hi,

When I run the code below I get the text below in quotes. Can anyone help me understand what this means and how to make it work?

Respectfully,

Avery

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "avery", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc  ;==>_Main

The description for Event ID ( 2 ) in Source ( Application ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: AutoIt3 generated event.

[Mallie99]

Hi,

When I run the code below I get the text below in quotes. Can anyone help me understand what this means and how to make it work?

Respectfully,

Avery

Hi Avery

It's working fine, what's missing is that you need to do a little further tweaking to the computers it is running on...

I found this thread and it made me go out digging since I was getting the exact same thing, in the end I came up with the following solution...

Solution:

EventMessages.zip

• Download and extract the attached DLL file, save it somewhere useful (such as c:\program files\app_name)
• Open Regedit and create the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\NAMEOFAPPLICATION
• Add the following items:

  CategoryCount (Reg_DWORD) -> contains the number of categories you have (not sure how 'optional' this is)

  CategoryMessageFile (Reg_String) -> Path to the DLL file

  EventMessageFile (Reg_String) -> Path to the DLL file

• Get Resource Hacker and use it to open the DLL file
• Edit MessageTable with the first list (1 - x) being the names of your categories, the next bit being your messages

So from the following:

Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Flintstones")
    _EventLog__Report($EVENTLOG, 0, 2, 100, @UserName, "YabbaDabbaDoo", $adata)
    _EventLog__Close ($hEventLog)

Will give you something like:

Date: 03/03/03

Time: 15:27:44

Source: Flintstones

Category: Category 2

Type: None

EventID: 100

User: WindowsDomain\SomeUser

Computer: WindowsPC

Description:

The following things have happened within the program

-> YabbaDabbaDoo

Note that this DLL file will become registered as it is referenced every time EventVwr needs to read it... Now you know why it can take a long time to open the EventLog.

Hope this helps...

Mallie (The Techie)

[kor]

I'm getting the exact same error and I shouldn't have to do this crazy DLL resource hacker nonsense. Why don't the EventLog functions just work?

[Melba23]

kor,

Why don't the EventLog functions just work?

Because MS changed the way their OS operated from XP SP2 onwards as explained in the Help file.

Please remember that AutoIt is developed by volunteers who give up their free time to work on it - just like those of us who help out here on the forum. Are you offering your services to amend the UDF?

M23

[kor]

I see nothing in the helpfile for _EventLog_Report that makes any mention of no longer workign with XP XP3 or beyond. Where are you seeing this information so I can read up on it?

Edited March 28, 2011 by kor

[BrewManNH]

From the Help file:

Parameters

$hEventLog A handle to the event log. As of Windows XP SP2, this cannot be a handle to the Security log.

[kor]

From the Help file:

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "Application")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

I'm not attempting to write to the security log. I'm trying to write to the application log.

[BrewManNH]

Works for me on Win7.

Log Name: Application

Source: Application

Date: 3/28/2011 4:59:44 PM

Event ID: 2

Task Category: None

Level: Information

Keywords: Classic

User: 030-303-02\Administrator

Computer: 030-303-02

Description:

The description for Event ID 2 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

AutoIt3 generated event

the message resource is present but the message is not found in the string/message table

From the research I just did, that's a normal output from the event viewer when it doesn't understand what the Event ID is supposed to be connecting to.

Edited March 28, 2011 by BrewManNH

[kor]

Works for me on Win7.

From the research I just did, that's a normal output from the event viewer when it doesn't understand what the Event ID is supposed to be connecting to.

What would be your suggested fix then? What should the event ID be to not get the error?

I could care less about event ID, I honestly just want to write informational items to the event log for debugging later. A bonus if I can specify my application name in the "source" column.

[BrewManNH]

Change this line

$hEventLog = _EventLog__Open("", "Application")

To something like this:

$hEventLog = _EventLog__Open("", <Your Application Name here>)

This will write to the application event log with whatever you put between the "<>" listed as the source. I'm not exactly sure why it does it that way, but it seems to use the Application log if you don't specify a different log to save to using what you put inside the "<>". I've tried this on Windows XP SP3 and Windows 7 and I got the same results.

[danrche]

Hey guys, reading thread and I'm new to scripting, but could you use the wsh method within an autoit

something like:

$WshShell = ObjCreate("WScript.Shell")
$WshShell.LogEvent (4, $data_here)

Off the top of my head, I know that wsh writes default to application log, but I'm not sure about any other event log area's.

edit: I had a look at the udf for eventlog.au3 and that has much more functionality to it.

Edited March 29, 2011 by danrche

[kor]

Change this line

$hEventLog = _EventLog__Open("", "Application")

To something like this:

$hEventLog = _EventLog__Open("", <Your Application Name here>)

This will write to the application event log with whatever you put between the "<>" listed as the source. I'm not exactly sure why it does it that way, but it seems to use the Application log if you don't specify a different log to save to using what you put inside the "<>". I've tried this on Windows XP SP3 and Windows 7 and I got the same results.

Same error as before. It's not working.

#include <EventLog.au3>

_Main()

Func _Main()
    Local $hEventLog, $aData[4]=[3, 1, 2, 3]

    $hEventLog = _EventLog__Open("", "testing")
    _EventLog__Report($hEventLog, 4, 0, 2, "Administrator", "AutoIt3 generated event", $aData)
    _EventLog__Close ($hEventLog)

EndFunc   ;==>_Main

The description for Event ID ( 2 ) in Source ( testing ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: AutoIt3 generated event.

[BrewManNH]

That's not an error message. That's just Windows telling you that it has no idea what event id 2 is. If you google event log event id you'll see examples that MS has on their website that show the same text for a Windows program used to write to the applications log.

http://support.microsoft.com/kb/315410

[kor]

That's not an error message. That's just Windows telling you that it has no idea what event id 2 is. If you google event log event id you'll see examples that MS has on their website that show the same text for a Windows program used to write to the applications log.

http://support.microsoft.com/kb/315410

So what event ID do I need to use to just get the text of "AutoIt3 generated event" and only that text written to the log?

[BrewManNH]

There is none, here is another link that explains why you get that when you write to the Application log, this knowledge base article explains why you would get that when you use the MS product LogEvent.exe but it applies here as well. The application has to be built to correctly set the information in the event logs and AutoIt scripts aren't created that way.

As it states on that page, "The Event IDs logged will really only have meaning for the user or app that will be monitoring the Event Log." so plan accordingly. It is the same as the return codes used in a UDF, the return codes only make sense because the writer of the UDF made them make sense to the people that use the function.