
I've been working on Windows log collection for a while. Can somebody please help me find the size of the Windows logs (Security, Application, System, etc.) and also how to get the number of events that have been inserted into them? I need to access them using C++. There's a Windows function, EvtQuery, to execute the query in C++.

I'm able to fetch the contents written to the log file. But how do I get the file size and the number of events, which are not fields inside it?

Please refer to the link for details on the EvtQuery function: https://learn.microsoft.com/en-us/windows/desktop/api/winevt/nf-winevt-evtquery

Please help

Thank you.

Anand

1 Answer


You could use a combination of GetFileSizeEx to get the file size of the log and GetNumberOfEventLogRecords to retrieve the number of records in the specified event log.

BENS
  • Thank you @BENZ for the reply. I've tried the program and it is working perfectly. I can get the correct number of my application logs. But as mentioned in the link below: [link](https://stackoverflow.com/questions/31628955/getnumberofeventlogrecords-returns-incorrect-number-of-event-logs) I can't find the event source of the Security log file. Can you help me find that? Where is this description given? I found that this is the source structure: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security. But it must not be mentioned with a "\". Please help. – Anand Aug 15 '18 at 16:11
  • Make sure to execute your app with administrator privileges to work with the Security log file; otherwise OpenEventLog will return NULL, as if the file doesn't exist. – BENS Aug 15 '18 at 16:35
  • As mentioned in the link you provided, `OpenEventLog` does not accept paths; instead you can call it with the source name of the event log, such as Security, like this: `OpenEventLog(NULL, L"Security");`, and don't forget to run it with admin privileges. – BENS Aug 15 '18 at 16:53
  • Thanks a lot. It works perfectly. But why is it that it doesn't work with certain logs like Setup, Forwarded Events, etc.? It works perfectly with the Security, Application, System logs, etc. – Anand Aug 15 '18 at 17:21
  • @BENZ I managed to get the log file size from my local machine. Do you have any idea how to find the same from a remote machine? I don't think we can do it using the GetFileSizeEx() function. I don't know if it is possible. Please help. – Anand Aug 18 '18 at 17:28
  • I saw that the GetFileSize() function has a handle parameter. Can this be used to get the information from a remote system? – Anand Aug 18 '18 at 17:46
  • You could specify the network path for the file you want, like this: "\\computer\\c$\\yourfilename", when getting the handle. I assume you are using the CreateFile function to get the file handle. – BENS Aug 18 '18 at 19:24
  • Yes, I'll be using the CreateFile function to get the handle. And is there a similar function that I can use to get the number of logs in the file? I was going through the EventLog Remoting Protocol. Will that help? Or is there an easier way? Thank you for the help. – Anand Aug 19 '18 at 08:13
  • @BENZ Isn't it necessary for the file to be shared in order to use the GetFileSizeEx() function to get the file size? – Anand Aug 24 '18 at 21:44
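The following is an added example, not code from the question or from BENS's answer. It shows both routes the thread touches on: the modern winevt API (EvtOpenLog plus EvtGetLogInfo with EvtLogFileSize and EvtLogNumberOfLogRecords), which the asker was already using through EvtQuery and which covers Setup, ForwardedEvents and remote machines without opening the .evtx file or an admin share; and the legacy OpenEventLog/GetNumberOfEventLogRecords path from the answer, whose first parameter is a UNC server name, so it also works remotely for the classic logs. The channel list in main and the remote host name are assumptions for illustration; it is Windows-only and must be linked against wevtapi.lib.

```cpp
// Added example (not from the original post). Windows-only: build with MSVC or
// MinGW and link wevtapi.lib; on other platforms it compiles but reports the
// API as unavailable. Security needs an elevated process (GetLastError() == 5).
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <winevt.h>
#pragma comment(lib, "wevtapi.lib")
#endif

struct LogStats {
    uint64_t fileSizeBytes;  // EvtLogFileSize: size of the channel's .evtx as the service reports it
    uint64_t recordCount;    // EvtLogNumberOfLogRecords: records currently in the channel
};

// winevt route: any channel (Application, Security, Setup, ForwardedEvents, ...),
// local (computer empty) or remote (host name, current credentials via RPC).
// Returns nullopt and fills `error` on failure.
std::optional<LogStats> queryChannelStats(const std::wstring& channel,
                                          const std::wstring& computer,
                                          std::wstring& error)
{
#ifndef _WIN32
    (void)channel; (void)computer;
    error = L"winevt API is only available on Windows";  // non-Windows fallback
    return std::nullopt;
#else
    EVT_HANDLE session = nullptr;  // NULL session = local machine
    if (!computer.empty()) {
        EVT_RPC_LOGIN login = {};
        login.Server = const_cast<LPWSTR>(computer.c_str());
        login.Flags = EvtRpcLoginAuthDefault;  // negotiate with the caller's credentials
        session = EvtOpenSession(EvtRpcLogin, &login, 0, 0);
        if (!session) { error = L"EvtOpenSession failed: " + std::to_wstring(GetLastError()); return std::nullopt; }
    }
    EVT_HANDLE log = EvtOpenLog(session, channel.c_str(), EvtOpenChannelPath);
    if (!log) {
        error = L"EvtOpenLog failed: " + std::to_wstring(GetLastError());
        if (session) EvtClose(session);
        return std::nullopt;
    }
    // Both properties come back as EvtVarTypeUInt64 in one EVT_VARIANT.
    auto readU64 = [&](EVT_LOG_PROPERTY_ID id, uint64_t& out) {
        EVT_VARIANT v = {};
        DWORD used = 0;
        if (!EvtGetLogInfo(log, id, sizeof(v), &v, &used)) {
            error = L"EvtGetLogInfo failed: " + std::to_wstring(GetLastError());
            return false;
        }
        out = v.UInt64Val;
        return true;
    };
    LogStats s{};
    bool ok = readU64(EvtLogFileSize, s.fileSizeBytes) &&
              readU64(EvtLogNumberOfLogRecords, s.recordCount);
    EvtClose(log);
    if (session) EvtClose(session);
    if (!ok) return std::nullopt;
    return s;
#endif
}

// Legacy route from the answer. Only the classic logs registered under
// HKLM\SYSTEM\CurrentControlSet\Services\EventLog are reachable (not Setup or
// ForwardedEvents). `uncServer` may be empty (local) or e.g. L"\\\\WKS01" (assumed name).
std::optional<uint32_t> legacyRecordCount(const std::wstring& logName,
                                          const std::wstring& uncServer,
                                          std::wstring& error)
{
#ifndef _WIN32
    (void)logName; (void)uncServer;
    error = L"event log API is only available on Windows";  // non-Windows fallback
    return std::nullopt;
#else
    HANDLE h = OpenEventLogW(uncServer.empty() ? nullptr : uncServer.c_str(), logName.c_str());
    if (!h) { error = L"OpenEventLog failed: " + std::to_wstring(GetLastError()); return std::nullopt; }
    DWORD n = 0;
    BOOL ok = GetNumberOfEventLogRecords(h, &n);
    DWORD lastError = GetLastError();
    CloseEventLog(h);
    if (!ok) { error = L"GetNumberOfEventLogRecords failed: " + std::to_wstring(lastError); return std::nullopt; }
    return static_cast<uint32_t>(n);
#endif
}

int main()
{
    // Assumed channel list; Setup and ForwardedEvents only succeed on the winevt route.
    const wchar_t* channels[] = {L"Application", L"System", L"Security", L"Setup", L"ForwardedEvents"};
    for (const wchar_t* ch : channels) {
        std::wstring err;
        if (auto s = queryChannelStats(ch, L"", err))
            std::wcout << ch << L": " << s->fileSizeBytes << L" bytes, " << s->recordCount << L" records\n";
        else
            std::wcout << ch << L": " << err << L"\n";
    }
    return 0;
}
```

EvtGetLogInfo reads the numbers from the event log service rather than from the file, so it needs neither an admin$/c$ share nor a handle on a file the service has open, and the same numbers can be cross-checked from an elevated prompt with `wevtutil gli Security`. Setup and ForwardedEvents fail on the legacy route because they are not classic logs listed under the EventLog registry key the answer's OpenEventLog consults; the winevt route addresses them by channel name.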