Tue Sep 21 05:43:52 2010: Request 61484 was acted upon.
Transaction: Correspondence added by DOLMEN
       Queue: Win32-EventLog
     Subject: Re: [rt.cpan.org #61484] missing results with Win32::EventLog
   Broken in: (no value)
    Severity: (no value)
       Owner: Nobody
  Requestors: p...@sennovation.com
      Status: new
 Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=61484 >


Hi Paul

It looks like the use of the EVENT_SEQUENTIAL_READ flag is what causes the
skip.
I've modified your script to use explicit offset calculation and all events
appear. I only used the example from Win32::Log's perldoc as a reference.
See attached file.

Olivier Mengué.


2010/9/20 Paul Faulstich via RT <bug-win32-event...@rt.cpan.org>

> Mon Sep 20 10:05:52 2010: Request 61484 was acted upon.
> Transaction: Ticket created by p...@sennovation.com
>       Queue: Win32-EventLog
>     Subject: missing results with Win32::EventLog
>   Broken in: (no value)
>    Severity: (no value)
>       Owner: Nobody
>  Requestors: p...@sennovation.com
>      Status: new
>  Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=61484 >
>
>
> I am finding that Win32::EventLog does not consistently pull all the
> data from the event log.  I suspect this may be because I am pulling
> data from remote machines.  I have looked through the source code for a
> place that might have a hidden timeout or synchronization issue that
> is causing events to be dropped, but I am not seeing it. Also, I can
> run my script over and over, and I get the same results, which I
> wouldn't expect with a timeout or synchronization problem.
>
> I also wonder if it has to do with needing to change the value of
> other parameters, such as NumberOfBytesToRead, which I don't appear to
> be able to set.  See
> http://msdn.microsoft.com/en-us/library/aa363674%28VS.85%29.aspx
>
> Enclosed are three files:
> * my example perl script. This script prints details of all events
> whose Source includes the string "Symantec". For other events, it
> prints just the Source name. (exampleEventLog.pl)
> * the results from running the perl script, which contains only 4
> entries with a source of Symantec Antivirus (example.out5.txt)
> * a screenshot of the EventViewer for that machine, which shows far
> more than 4 entries for Symantec Antivirus, including entries
> interspersed between those that the perl script found. (snap447.png)
>
> Please let me know if there are other tests I can do to help resolve
> this problem.  I guess the good news is my results are consistent with
> any given PC.
>
> Thanks,
>
> Paul
>
> --
> Paul Faulstich, GIAC GSEC
> SEnnovation.com
>
>
> Machine: BG60246
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: SecurityCenter
> !!!!!
> Source: ccSvcHst
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: Offline Files
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: RCONSVC
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> ====================================================
> Sat Sep 18 22:51:59 2010 BG60246[12] Symantec AntiVirus:INFORMATION
>
>
> Changed value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint
> Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\FileType' from
> '0' to '1'
> ====================================================
> Sat Sep 18 22:51:59 2010 BG60246[12] Symantec AntiVirus:INFORMATION
>
>
> New Value 'HKLM\SOFTWARE\Symantec\Symantec Endpoint
> Protection\AV\Quarantine\ForwardingPort' = '33'
> ====================================================
> Sat Sep 18 22:51:52 2010 BG60246[14] Symantec AntiVirus:INFORMATION
>
>
> Symantec Endpoint Protection services startup was successful.
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: crypt32
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: ccSvcHst
> !!!!!
> Source: SescLU
> !!!!!
> Source: RCONSVC
> ====================================================
> Fri Sep 17 23:17:43 2010 BG60246[14] Symantec AntiVirus:INFORMATION
>
>
> Symantec Endpoint Protection services startup was successful.
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: UPHClean
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: UPHClean
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: Folder Redirection
> !!!!!
> Source: RCONSVC
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: Outlook
> !!!!!
> Source: RCONSVC
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: Outlook
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: UPHClean
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: WinMgmt
> !!!!!
> Source: WinMgmt
> !!!!!
> Source: RCONSVC
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: WinMgmt
> !!!!!
> Source: WinMgmt
> !!!!!
> Source: WinMgmt
> !!!!!
> Source: WinMgmt
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: crypt32
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: LoadPerf
> !!!!!
> Source: System.ServiceModel.Install 3.0.0.0
> !!!!!
> Source: System.ServiceModel.Install 3.0.0.0
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: MsiInstaller
> !!!!!
> Source: UPHClean
>
>

Attachment: exampleEventLog.pl
Description: Binary data
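
The explicit-offset read described in the reply, as an added example: this is not the attached script (which is not reproduced on this page) and not the module's own code. It follows the Win32::EventLog perldoc pattern of `GetOldest`/`GetNumber` plus `EVENTLOG_SEEK_READ`, and adds a completeness check a log collector would want; the command-line arguments and variable names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Win32::EventLog;

# Assumed usage: script.pl [LogName] [MachineName]
my $log     = shift || 'Application';
my $machine = shift || $ENV{COMPUTERNAME};

my $handle = Win32::EventLog->new($log, $machine)
    or die "Can't open $log event log on $machine\n";

# Record numbers run from $oldest to $oldest + $count - 1.
my ($count, $oldest);
$handle->GetNumber($count)
    or die "Can't get number of event log records\n";
$handle->GetOldest($oldest)
    or die "Can't get number of oldest event log record\n";

my (%per_source, @unreadable);
my $read = 0;

for my $recno ($oldest .. $oldest + $count - 1) {
    my $event;
    # Seek to an explicit record number instead of relying on the
    # sequential-read position kept inside the handle.
    if ($handle->Read(EVENTLOG_FORWARDS_READ() | EVENTLOG_SEEK_READ(),
                      $recno, $event)) {
        $per_source{ $event->{Source} }++;
        $read++;
    }
    else {
        # Keep going and report the gap rather than silently dropping it.
        push @unreadable, $recno;
    }
}
$handle->Close();

# Completeness check: every record the log reports must be accounted for.
print "$machine/$log: log reports $count records, read $read\n";
print "Unreadable record numbers: @unreadable\n" if @unreadable;
printf "%6d  %s\n", $per_source{$_}, $_
    for sort { $per_source{$b} <=> $per_source{$a} } keys %per_source;
```

Comparing the per-source counts against what Event Viewer shows for the same machine confirms whether any events are still being skipped.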
