Copyright © 2006 Gene Michael Stover. All rights reserved. Permission to copy, store, & view this document unmodified & in its entirety is granted.
Two problems with the Windows event log are:
I've written programs which solve these problems:
These programs are open source. This essay tells where to get them & how to use them.
One of the source code files, getopt.c, is in the public domain. I downloaded it from the web site of the TeX Users Group.
All other files, both source & executable, are copyrighted by Gene Michael Stover & released under the terms of the GNU General Public License. Here's a copy of the copyright notice & license agreement at the beginning of each source file:
Copyright (c) 2006 Gene Michael Stover. All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
A copy of the GNU General Public License is in the file COPYING.
The full user's manual for print-log is in Section 4.
Here are some examples of using print-log.
Assume the Windows event log contains two items. The first item, inserted at noon, says ``12 o'clock & all's well.'' The second item, inserted an hour later, says ``Superstition brings bad luck.''
If you run ``print-log -c'' on this event log, it prints:
; RecordNumber,TimeGenerated,TimeWritten,EventID,EventType,EventCategory,ClosingRecordNumber
28463,2006-Aug-31T12:00:00,2006-Aug-31T12:00:00,101,EVENTLOG_INFORMATION_TYPE,1,0,(concat) 12 o'clock & all's well.
28464,2006-Aug-31T13:00:00,2006-Aug-31T13:00:00,101,EVENTLOG_INFORMATION_TYPE,1,0,(concat) Superstition brings bad luck.
The first line, which begins with a semicolon (;) because it's effectively a comment, shows the names of the fields.
Each of the other lines is an event log record. They are sorted from oldest to newest. As you can see from the last field of the second & third lines, our two event log records are in this output.
The ``(concat)'' means that print-log was unable to coax the Windows function FormatMessage to apply a format string to the event log message's string arguments, so print-log is showing you the concatenation of those string arguments. This is common; in fact, it may be the way that event log records are meant to be viewed. I'm not sure at this time, so print-log prints ``(concat)'' as a reminder. I might remove that later.
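The comma-separated output above is the easiest of the three formats to post-process, but two details matter when you parse it: the field-name line is a comment, and the message is an eighth, unnamed column that may itself contain commas. Here is an added Python example (not part of print-log, and not the author's code) that parses that output into records, strips the ``(concat)'' marker into a flag, and reports jumps in RecordNumber. The sample input is constructed to match the layout shown above; its third record is made up to exercise a message with commas and a non-consecutive RecordNumber.

```python
"""Parse the output of ``print-log -c`` into structured records.

Added example, not part of print-log. The layout follows the essay: a line
starting with ';' names the fixed fields, and each record line carries those
fields followed by the message text as one more, unnamed field.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, not captured from a real run. The third record is made up
# to show a message that itself contains commas and a jump in RecordNumber.
SAMPLE = """\
; RecordNumber,TimeGenerated,TimeWritten,EventID,EventType,EventCategory,ClosingRecordNumber
28463,2006-Aug-31T12:00:00,2006-Aug-31T12:00:00,101,EVENTLOG_INFORMATION_TYPE,1,0,(concat) 12 o'clock & all's well.
28464,2006-Aug-31T13:00:00,2006-Aug-31T13:00:00,101,EVENTLOG_INFORMATION_TYPE,1,0,(concat) Superstition brings bad luck.
28470,2006-Aug-31T14:00:00,2006-Aug-31T14:00:00,202,EVENTLOG_WARNING_TYPE,1,0,Backup finished, 3 files skipped, 0 errors.
"""

# The seven named columns; the message is always the eighth, unnamed column.
FIXED_FIELDS = ("RecordNumber", "TimeGenerated", "TimeWritten", "EventID",
                "EventType", "EventCategory", "ClosingRecordNumber")
TIME_FORMAT = "%Y-%b-%dT%H:%M:%S"  # e.g. 2006-Aug-31T12:00:00 (English month names)
CONCAT_MARKER = "(concat) "


@dataclass
class EventLogRecord:
    record_number: int
    time_generated: datetime
    time_written: datetime
    event_id: int
    event_type: str
    event_category: int
    closing_record_number: int
    message: str
    concatenated: bool  # True when print-log fell back to joining the string arguments


def parse_line(line):
    """Split one record line; maxsplit keeps commas inside the message intact."""
    parts = line.split(",", len(FIXED_FIELDS))
    if len(parts) != len(FIXED_FIELDS) + 1:
        raise ValueError(f"expected {len(FIXED_FIELDS) + 1} fields: {line!r}")
    message = parts[7]
    concatenated = message.startswith(CONCAT_MARKER)
    if concatenated:
        message = message[len(CONCAT_MARKER):]
    return EventLogRecord(
        record_number=int(parts[0]),
        time_generated=datetime.strptime(parts[1], TIME_FORMAT),
        time_written=datetime.strptime(parts[2], TIME_FORMAT),
        event_id=int(parts[3]),
        event_type=parts[4],
        event_category=int(parts[5]),
        closing_record_number=int(parts[6]),
        message=message,
        concatenated=concatenated,
    )


def parse_print_log_csv(text):
    """Parse the whole output; ';' lines are comments and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        records.append(parse_line(line))
    return records


def find_gaps(records):
    """Return (previous, next) RecordNumber pairs that are not consecutive.

    Records are printed oldest to newest, so a jump means some records
    between the two are not present in this output.
    """
    numbers = [r.record_number for r in records]
    return [(a, b) for a, b in zip(numbers, numbers[1:]) if b != a + 1]


if __name__ == "__main__":
    records = parse_print_log_csv(SAMPLE)
    for rec in records:
        print(rec.record_number, rec.time_generated.isoformat(), rec.event_type, rec.message)
    print("gaps:", find_gaps(records))
```

Splitting with a maximum of seven splits is what makes the message column safe; a generic CSV reader would break the third constructed record into extra columns. The timestamp format uses English month abbreviations, so the parser assumes an English locale.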
Back to our example of two event log messages, if you run ``print-log -l'' on the event log of two messages, you get:
(EVENTLOGRECORD (RecordNumber . 28463)
                (TimeGenerated . "2006-Aug-31T12:00:00")
                (TimeWritten . "2006-Aug-31T12:00:00")
                (EventID . 101)
                (EventType . EVENTLOG_INFORMATION_TYPE)
                (EventCategory . 1)
                (ClosingRecordNumber . 0)
                (MessageString . "(concat) success Scheduler launched Automatic LiveUpdate."))
(EVENTLOGRECORD (RecordNumber . 28464)
                (TimeGenerated . "2006-Aug-31T13:00:00")
                (TimeWritten . "2006-Aug-31T13:00:00")
                (EventID . 101)
                (EventType . EVENTLOG_INFORMATION_TYPE)
                (EventCategory . 1)
                (ClosingRecordNumber . 0)
                (MessageString . "(concat) Superstition brings bad luck."))
Again, each event log record is shown in a single item, but this time, each item is Lisp data. Each item is a list whose FIRST is the symbol EVENTLOGRECORD & whose REST is an association list.
Finally, you could run ``print-log -x'' on the same event log of two messages, & you would see:
<EVENTLOGRECORD>
  <RecordNumber>28463</RecordNumber>
  <TimeGenerated>2006-Aug-31T12:00:00</TimeGenerated>
  <TimeWritten>2006-Aug-31T12:00:00</TimeWritten>
  <EventID>101</EventID>
  <EventType>EVENTLOG_INFORMATION_TYPE</EventType>
  <EventCategory>1</EventCategory>
  <ClosingRecordNumber>0</ClosingRecordNumber>
  <MessageString>(concat) 12 o'clock & all's well.</MessageString>
</EVENTLOGRECORD>
<EVENTLOGRECORD>
  <RecordNumber>28464</RecordNumber>
  <TimeGenerated>2006-Aug-31T21:20:58</TimeGenerated>
  <TimeWritten>2006-Aug-31T21:20:58</TimeWritten>
  <EventID>101</EventID>
  <EventType>EVENTLOG_INFORMATION_TYPE</EventType>
  <EventCategory>1</EventCategory>
  <ClosingRecordNumber>0</ClosingRecordNumber>
  <MessageString>(concat) Superstition brings bad luck.</MessageString>
</EVENTLOGRECORD>
In fact, print-log's XML output puts each EVENTLOGRECORD on a single line with no characters between fields. I've broken it here for readability.
You'll notice that this output is not valid XML because it does not have a single root element. There are probably other reasons it's not good XML. The idea is that it's close enough to XML that you could add your own root wrapper element.
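Adding the root wrapper is not quite enough on its own: in the output above, the message ``12 o'clock & all's well.'' carries a bare ampersand, which any XML parser rejects. The following added Python example (not part of print-log, and not the author's code) does both repairs, wrapping the records in a root element and escaping ampersands that do not already begin an entity reference, then parses the result with the standard library. The sample is constructed to match the layout shown above.

```python
"""Make the pseudo-XML of ``print-log -x`` well-formed and parse it.

Added example, not part of print-log. Two things stop the raw output from
parsing as XML: there is no single root element, and message text such as
"12 o'clock & all's well." contains a bare ampersand. Both are fixed here
before the text is handed to the standard-library parser.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample laid out like the essay's output: one EVENTLOGRECORD per line.
SAMPLE = (
    "<EVENTLOGRECORD><RecordNumber>28463</RecordNumber>"
    "<TimeGenerated>2006-Aug-31T12:00:00</TimeGenerated>"
    "<TimeWritten>2006-Aug-31T12:00:00</TimeWritten><EventID>101</EventID>"
    "<EventType>EVENTLOG_INFORMATION_TYPE</EventType><EventCategory>1</EventCategory>"
    "<ClosingRecordNumber>0</ClosingRecordNumber>"
    "<MessageString>(concat) 12 o'clock & all's well.</MessageString></EVENTLOGRECORD>\n"
    "<EVENTLOGRECORD><RecordNumber>28464</RecordNumber>"
    "<TimeGenerated>2006-Aug-31T13:00:00</TimeGenerated>"
    "<TimeWritten>2006-Aug-31T13:00:00</TimeWritten><EventID>101</EventID>"
    "<EventType>EVENTLOG_INFORMATION_TYPE</EventType><EventCategory>1</EventCategory>"
    "<ClosingRecordNumber>0</ClosingRecordNumber>"
    "<MessageString>(concat) Superstition brings bad luck.</MessageString></EVENTLOGRECORD>\n"
)

# An '&' that does not already begin an entity or character reference
# (&amp; &#39; &#x27; are left alone; a lone '&' is escaped).
BARE_AMPERSAND = re.compile(r"&(?!(?:[A-Za-z][A-Za-z0-9]*|#[0-9]+|#x[0-9A-Fa-f]+);)")


def wrap_as_xml(pseudo_xml, root="EVENTLOG"):
    """Escape bare ampersands and enclose everything in a single root element."""
    escaped = BARE_AMPERSAND.sub("&amp;", pseudo_xml)
    return f"<{root}>\n{escaped}</{root}>\n"


def parse_records(pseudo_xml):
    """Return one dict per EVENTLOGRECORD, keyed by child element name."""
    root = ET.fromstring(wrap_as_xml(pseudo_xml))
    return [{child.tag: (child.text or "") for child in rec}
            for rec in root.findall("EVENTLOGRECORD")]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["RecordNumber"], rec["TimeGenerated"], rec["MessageString"])
```

The ampersand repair is deliberately narrow: it only touches ampersands, because that is the one unescaped character the essay's output shows. A message containing a literal ``<'' would still break the parse, and nothing on this page says whether print-log escapes it, so that case is left alone here.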
insert-log.exe is a command line program which inserts a record into the Windows Event Log. It provides only simple control over the record that it inserts.
When you run insert-log, it reads a single line from its standard input. It creates a new event log record using the line it read & the values for the command line options. It inserts that new record into the Windows event log.
EventType is not case-sensitive. For example,
_SUCCESS'' is equivalent to
The default eventType is
insert-log was created by Gene Michael Stover.
print-log.exe is a command line program which prints the records from the Windows Event Log. It is sort of like the tail program in Unix.
>elements. There may be other ways in which it's not valid XML. The idea is that you can easily wrap this pseudo-XML output to create valid XML. -x is incompatible with -c & -l.
print-log was created by Gene Michael Stover.
\t'') character, pipe (``|'') character, or backslash (``\'') character as the argument to the -c option.
I cannot fix it without adding to print-log.c a notation for special characters. Such a notation could be confusing, & has little value (to me), so I have no plan to fix it.
I could fix this by changing the -c command line option to mean CSV & adding a ``-d tab'' command line option which means DSV.
No plan to fix.
If you just want the executable files (both for Microsoft Windows), here you go:
Drop them into a directory which is in your path, then run either of them by typing its name on the command line. Detailed user's manuals are in Section 4.
If you want the source code & other files which are required to compile the programs yourself, you may download wel.zip or browse them individually in the tree (below).
To build them, make sure you have all the files in the directory tree as I've shown here. (If you downloaded the wel.zip archive file, you should have that.) On the command line, cd into the wel directory. Edit the setenv.bat file to work with your environment; you'll probably have to edit the path to the vcvars32.bat file. Then type ``\setdev && .\build''. The new executable files will be in .
Unix has a program, called tail, which prints some of the final contents of a file or other input stream.
If you give it the ``-f'' command line option, tail will print the final part of the file, & it won't exit when it reaches the end of the file. As more content is appended to the input, tail prints that too.
For more information about tail, see:
Gene Michael Stover 2008-04-20