怎么读取系统的日志?OpenEventLog,ReadEventLog的详细用法
用OpenEventLog,ReadEventLog等函数
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,DateUtils;
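type
  // Fixed-size header (56 bytes) of one Windows event-log record, as returned by
  // ReadEventLog.  The variable part of the record follows the header in memory:
  // the source name and the computer name (two zero-terminated strings right
  // after the header), the user SID at UserSidOffset, NumStrings zero-terminated
  // insertion strings at StringOffset, and DataLength bytes of raw data at
  // DataOffset.  All offsets are byte offsets from the start of the record;
  // Length is the total record size (header + variable part) and is the step to
  // the next record in a ReadEventLog buffer.
  // Declared packed so the layout matches the Win32 structure and the
  // TEventLogRecord type below regardless of the compiler's alignment setting.
  EVENTLOGRECORD = packed record
    Length: LongWord;              // total size of this record in bytes
    Reserved: LongWord;
    RecordNumber: LongWord;
    TimeGenerated: LongWord;       // seconds since 1970-01-01 00:00:00 UTC
    TimeWritten: LongWord;         // same epoch as TimeGenerated
    EventID: LongWord;
    EventType: Word;
    NumStrings: Word;              // number of zero-terminated strings at StringOffset
    EventCategory: Word;
    ReservedFlags: Word;
    ClosingRecordNumber: LongWord;
    StringOffset: LongWord;        // byte offset of the first insertion string
    UserSidLength: LongWord;
    UserSidOffset: LongWord;
    DataLength: LongWord;          // byte count of the raw data block
    DataOffset: LongWord;          // byte offset of the raw data block
  end;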
type
  // Pointer to a record inside a ReadEventLog buffer; advance by ^.Length
  // to reach the next record.
  PEventLogRecord = ^TEventLogRecord;

  // The same 56-byte event-log record header as EVENTLOGRECORD above, under the
  // RTL-style T-prefixed name.  Offsets are relative to the start of the
  // record; Length is the full record size including the variable-length tail.
  TEventLogRecord = packed record
    Length,
    Reserved,
    RecordNumber,
    TimeGenerated,          // seconds since 1970-01-01 UTC
    TimeWritten,
    EventID: DWORD;
    EventType,
    NumStrings,             // count of zero-terminated strings at StringOffset
    EventCategory,
    ReservedFlags: Word;
    ClosingRecordNumber,
    StringOffset,
    UserSidLength,
    UserSidOffset,
    DataLength,
    DataOffset: DWORD;
  end;
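const
  // ReadEventLog dwReadFlags: one of SEQUENTIAL/SEEK combined (or'ed) with one
  // of FORWARDS/BACKWARDS.
  EVENTLOG_SEQUENTIAL_READ = $00000001;
  EVENTLOG_SEEK_READ       = $00000002;        // Win32 name (the original was misspelled)
  ENTLOG_SEEK_READ         = EVENTLOG_SEEK_READ; // misspelled alias kept so existing references compile
  EVENTLOG_FORWARDS_READ   = $00000004;
  EVENTLOG_BACKWARDS_READ  = $00000008;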
type
// Main form: Button1 dumps records of the "System" event log into Memo1
// (see Button1Click in the implementation section).
TForm1 = class(TForm)
Button1: TButton;   // triggers the event-log read
Memo1: TMemo;       // receives one line per event record
Button2: TButton;   // Button2Click is declared below; its body is not visible in this listing
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;   // the form instance; a Delphi project normally auto-creates it at startup
implementation
{$R *.dfm}
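procedure TForm1.Button1Click(Sender: TObject);
{ Reads the local "System" event log newest-first and appends every record to
  Memo1: one summary line (time, event id, type, category, source, computer),
  then the record's insertion strings and its raw data bytes as hex.

  Record layout (see EVENTLOGRECORD above): a fixed header of
  SizeOf(TEventLogRecord) bytes, then variable-length parts addressed by byte
  offsets relative to the start of the record - source name and computer name
  (zero-terminated, right after the header), NumStrings zero-terminated
  strings at StringOffset, DataLength bytes at DataOffset.  Length is the total
  record size and the step to the next record.

  ReadEventLog is called repeatedly until it reports ERROR_HANDLE_EOF, so the
  whole log is read, not just the first buffer.  Length and every offset read
  from a record are bounds-checked before use: a truncated or corrupt record
  stops the walk instead of reading outside the buffer or looping forever, and
  strings are copied with a length bounded by the record, never with StrCopy
  into a fixed-size allocation. }
const
  InitialBufSize = 64 * 1024;  // records are variable length; the buffer grows on ERROR_INSUFFICIENT_BUFFER
  UtcOffsetHours = 8;          // TimeGenerated is UTC seconds since 1970-01-01; the original displayed UTC+8
var
  hEventLog: THandle;
  nBytesRead, nBytesNeed, Offset, Err: LongWord;
  Buf: array of Byte;
  p: PEventLogRecord;

  // Returns the zero-terminated ANSI string starting Ofs bytes into the record
  // at Rec, reading no further than the record's declared Length.  On return
  // Ofs points just past the terminator so consecutive strings can be walked.
  function TakeString(Rec: PEventLogRecord; var Ofs: LongWord): string;
  var
    Base, Cur, Limit: PAnsiChar;
    Tmp: AnsiString;
  begin
    Result := '';
    if Ofs >= Rec^.Length then
      Exit;
    Base := PAnsiChar(Rec) + Integer(Ofs);
    Limit := PAnsiChar(Rec) + Integer(Rec^.Length);
    Cur := Base;
    while (Cur < Limit) and (Cur^ <> #0) do
      Inc(Cur);
    SetString(Tmp, Base, Cur - Base);
    Result := string(Tmp);
    Ofs := Ofs + LongWord(Cur - Base) + 1;  // +1 skips the terminator
  end;

  // Renders the DataLength bytes at DataOffset as space-separated hex; empty
  // when there is no data or the data block does not fit inside the record.
  function DataAsHex(Rec: PEventLogRecord): string;
  var
    i: Integer;
    Bytes: PAnsiChar;
  begin
    Result := '';
    if (Rec^.DataLength = 0) or (Rec^.DataOffset > Rec^.Length) or
       (Rec^.DataLength > Rec^.Length - Rec^.DataOffset) then
      Exit;
    Bytes := PAnsiChar(Rec) + Integer(Rec^.DataOffset);
    for i := 0 to Integer(Rec^.DataLength) - 1 do
      Result := Result + IntToHex(Ord(Bytes[i]), 2) + ' ';
  end;

  // Appends one record to the memo: summary line, insertion strings, data.
  procedure AddRecord(Rec: PEventLogRecord);
  var
    Ofs: LongWord;
    i: Integer;
    Source, Computer, Line: string;
  begin
    Ofs := SizeOf(TEventLogRecord);  // source name, then computer name, follow the header
    Source := TakeString(Rec, Ofs);
    Computer := TakeString(Rec, Ofs);
    // EventID is printed in full as the original did; Event Viewer shows only its low 16 bits.
    Line := 'time:' + DateTimeToStr(UnixToDateTime(Rec^.TimeGenerated) + UtcOffsetHours / 24)
      + ' eventid:' + IntToStr(Rec^.EventID)
      + ' eventtype:' + IntToStr(Rec^.EventType)
      + ' catelog: ' + IntToStr(Rec^.EventCategory)
      + ' source: ' + Source
      + ' computer: ' + Computer;
    Memo1.Lines.Add(Line);
    Ofs := Rec^.StringOffset;
    for i := 1 to Rec^.NumStrings do
      Memo1.Lines.Add('  string' + IntToStr(i) + ': ' + TakeString(Rec, Ofs));
    if Rec^.DataLength > 0 then
      Memo1.Lines.Add('  data: ' + DataAsHex(Rec));
  end;

begin
  hEventLog := OpenEventLog(nil, 'System');  // nil = local machine
  if hEventLog = 0 then
  begin
    Memo1.Lines.Add('OpenEventLog failed: ' + SysErrorMessage(GetLastError));
    Exit;
  end;
  try
    SetLength(Buf, InitialBufSize);
    Memo1.Lines.BeginUpdate;
    try
      repeat
        // Each successful sequential call returns as many whole records as fit;
        // the next call continues where this one stopped.
        if not ReadEventLog(hEventLog, EVENTLOG_BACKWARDS_READ or EVENTLOG_SEQUENTIAL_READ,
                            0, @Buf[0], Length(Buf), nBytesRead, nBytesNeed) then
        begin
          Err := GetLastError;
          if Err = ERROR_INSUFFICIENT_BUFFER then
          begin
            // A single record is larger than the buffer: grow to the size the
            // API asks for and retry.  Bail out if it does not ask for more.
            if nBytesNeed <= LongWord(Length(Buf)) then
              Break;
            SetLength(Buf, nBytesNeed);
            Continue;
          end;
          if Err <> ERROR_HANDLE_EOF then
            Memo1.Lines.Add('ReadEventLog failed: ' + SysErrorMessage(Err));
          Break;  // EOF (every record read) or a hard error
        end;
        Offset := 0;
        while Offset + SizeOf(TEventLogRecord) <= nBytesRead do
        begin
          p := PEventLogRecord(@Buf[Offset]);
          // Length drives the walk; a record claiming to be shorter than its
          // header or longer than what was read is corrupt - stop rather than
          // read outside the buffer or spin on a zero Length.
          if (p^.Length < SizeOf(TEventLogRecord)) or (p^.Length > nBytesRead - Offset) then
            Break;
          AddRecord(p);
          Inc(Offset, p^.Length);
        end;
      until False;
    finally
      Memo1.Lines.EndUpdate;
    end;
  finally
    CloseEventLog(hEventLog);
  end;
end;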
从网上找来的代码,日志读取不全,还有详细的日志内容,不知道怎么取。
有没有人知道ReadEventLog详细的用法??