
I want to collect Event Viewer logs from a remote machine. I have tried the Event Logging API so far; it works well for reading logs from the localhost, but it fails to read from a remote machine.

HANDLE OpenEventLogA(
  [in] LPCSTR lpUNCServerName,
  [in] LPCSTR lpSourceName
);

Using this, I have tried to open the event logs by passing the IP address of the remote machine as the UNCServerName, but it doesn't work. Below is the code I have tried so far.

#include <windows.h>
#include <stdio.h>
#include <bits/stdc++.h>  
#include <winbase.h>
#include<string.h>
#include <iostream>  
#include<vector>

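// Byte size of the buffer handed to ReadEventLog (200 KiB).
#define BUFFER_SIZE (1024 * 200)
// Parenthesised so that `MAX_TIMESTAMP_LEN * 2` expands to (23 + 1) * 2 = 48,
// not 23 + 1 * 2 = 25 as the unparenthesised form would.
#define MAX_TIMESTAMP_LEN (23 + 1)
#define MAX_WORD_LEN 1000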

using namespace std;


// One event pulled from the event log, already rendered as text.
// Every field is a plain string so the record can be printed or searched
// without any further Win32 calls.
struct SearchRecord {
    std::string type;    // event type label, e.g. "ERROR" or "INFORMATION"
    std::string time;    // local-time stamp, "D-M-YYYY H:M:S:ms" (no zero padding)
    std::string source;  // SourceName that follows the EVENTLOGRECORD header
    std::string eid;     // low 16 bits of EventID, in decimal
};
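// Maps an EVENTLOGRECORD::EventType value to the label stored in SearchRecord::type.
static std::string EventTypeName(WORD eventType)
{
    switch (eventType)
    {
        case EVENTLOG_ERROR_TYPE:       return "ERROR";
        case EVENTLOG_WARNING_TYPE:     return "WARNING";
        case EVENTLOG_INFORMATION_TYPE: return "INFORMATION";
        case EVENTLOG_AUDIT_SUCCESS:    return "AUDIT_SUCCESS";
        case EVENTLOG_AUDIT_FAILURE:    return "AUDIT_FAILURE";
        default:                        return "Unknown";
    }
}

// Formats TimeGenerated (seconds since 1970-01-01 UTC) as a local-time
// "D-M-YYYY H:M:S:ms" string without zero padding (same layout as before).
// Returns an empty string if the Win32 time conversion fails.
static std::string FormatEventTime(DWORD secondsSince1970)
{
    // 100-ns intervals between the FILETIME epoch (1601-01-01) and 1970-01-01.
    const ULONGLONG kTicksTo1970 = 116444736000000000ULL;
    // Multiply as unsigned 64-bit. Int32x32To64 treats the DWORD as signed,
    // which wraps negative for timestamps past 2038.
    const ULONGLONG ticks = static_cast<ULONGLONG>(secondsSince1970) * 10000000ULL + kTicksTo1970;

    FILETIME ft;
    ft.dwHighDateTime = static_cast<DWORD>(ticks >> 32);
    ft.dwLowDateTime = static_cast<DWORD>(ticks & 0xFFFFFFFFULL);

    FILETIME ftLocal;
    SYSTEMTIME st;
    if (!FileTimeToLocalFileTime(&ft, &ftLocal) || !FileTimeToSystemTime(&ftLocal, &st))
        return "";   // st would be uninitialised; do not format garbage

    std::ostringstream out;
    out << st.wDay << "-" << st.wMonth << "-" << st.wYear << " "
        << st.wHour << ":" << st.wMinute << ":" << st.wSecond << ":" << st.wMilliseconds;
    return out.str();
}

// Reads the whole "Application" event log and appends one heap-allocated
// SearchRecord per event to *searchRecordResult, printing each as it goes.
//
// searchRecordResult: receives ownership of the new records; the caller
//                     must delete them. Nothing is appended on failure.
// serverName:         passed through as OpenEventLog's lpUNCServerName, i.e.
//                     the UNC name of the machine to read ("\\\\host");
//                     nullptr (the default) reads the local machine's log.
//
// Failures are reported on stdout with the GetLastError() code. An open
// of a remote log typically fails here when the remote event log service
// is not reachable over RPC or the caller lacks read access to that log.
void FillEventRecordDetails(std::vector<SearchRecord*> *searchRecordResult, LPCSTR serverName = nullptr)
{
    if (searchRecordResult == nullptr)
        return;

    // ANSI variant, matching the narrow "Application" literal.
    HANDLE h = OpenEventLogA(serverName, "Application");
    if (h == NULL)
    {
        std::cout << "OpenEventLog failed: " << GetLastError() << "\n";
        return;   // the original fell through and used the NULL handle
    }

    DWORD dwThisRecord = 0;   // record number the next seek read starts at
    DWORD dwRecord = 0;       // total records currently in the log
    if (!GetOldestEventLogRecord(h, &dwThisRecord) || !GetNumberOfEventLogRecords(h, &dwRecord))
    {
        std::cout << "Cannot query event log size: " << GetLastError() << "\n";
        CloseEventLog(h);
        return;
    }
    std::cout << "Oldest record:" << dwThisRecord << " Count:" << dwRecord << "\n";

    // Heap-allocated: 200 KiB is too large to keep on the stack, and the
    // buffer may need to grow if a single record exceeds BUFFER_SIZE.
    std::vector<BYTE> buffer(BUFFER_SIZE);
    int recordIndex = 1;
    DWORD dwRead = 0;
    DWORD dwNeeded = 0;

    for (;;)
    {
        if (!ReadEventLog(h, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ,
                          dwThisRecord, buffer.data(), static_cast<DWORD>(buffer.size()),
                          &dwRead, &dwNeeded))
        {
            const DWORD err = GetLastError();
            if (err == ERROR_INSUFFICIENT_BUFFER && dwNeeded > buffer.size())
            {
                buffer.resize(dwNeeded);   // one record larger than the buffer: grow and retry
                continue;
            }
            // ERROR_HANDLE_EOF is the normal end of a seek read.
            if (err != ERROR_HANDLE_EOF)
                std::cout << "ReadEventLog failed: " << err << "\n";
            break;
        }

        const BYTE *cursor = buffer.data();
        DWORD recordsInBatch = 0;
        bool malformed = false;

        // Walk the variable-length records ReadEventLog packed into the buffer.
        while (dwRead >= sizeof(EVENTLOGRECORD))
        {
            const EVENTLOGRECORD *pevlr = reinterpret_cast<const EVENTLOGRECORD *>(cursor);

            // Trust nothing in the buffer beyond what ReadEventLog returned:
            // a Length shorter than the fixed header or longer than the bytes
            // left would walk the cursor outside the buffer.
            if (pevlr->Length < sizeof(EVENTLOGRECORD) || pevlr->Length > dwRead)
            {
                std::cout << "Malformed record length " << pevlr->Length << ", stopping\n";
                malformed = true;
                break;
            }

            // SourceName is the NUL-terminated string immediately after the
            // fixed EVENTLOGRECORD header; bound the scan to this record.
            const char *sourceBegin = reinterpret_cast<const char *>(cursor + sizeof(EVENTLOGRECORD));
            const char *sourceLimit = reinterpret_cast<const char *>(cursor + pevlr->Length);
            const std::string source(sourceBegin, std::find(sourceBegin, sourceLimit, '\0'));

            const int id = static_cast<int>(pevlr->EventID & 0xFFFF);
            const std::string type = EventTypeName(pevlr->EventType);
            const std::string time = FormatEventTime(pevlr->TimeGenerated);

            SearchRecord *pRecord = new SearchRecord();
            pRecord->type = type;
            pRecord->time = time;
            pRecord->eid = std::to_string(id);
            pRecord->source = source;
            searchRecordResult->push_back(pRecord);

            std::cout << recordIndex << " Type:" << type << " Time:" << time
                      << " Event Id:" << id << " source:" << source << "\n";

            ++recordIndex;
            ++recordsInBatch;
            dwRead -= pevlr->Length;
            cursor += pevlr->Length;
        }

        if (malformed || recordsInBatch == 0)
            break;   // cannot make progress; re-seeking would spin forever

        // Next seek starts right after the records consumed in this batch.
        // The original added the cumulative counter here, which skips
        // records from the second batch onwards.
        dwThisRecord += recordsInBatch;
    }

    CloseEventLog(h);
}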
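// Entry point: collects the local Application log, then releases the
// heap-allocated records FillEventRecordDetails handed out.
int main()
{
    std::vector<SearchRecord*> searchRecordResult;
    FillEventRecordDetails(&searchRecordResult);

    for (SearchRecord *record : searchRecordResult)
        delete record;
    return 0;
}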

Is there any way to read logs from a remote machine using C++ code?

Thanks in advance.

    "Doesn't work" could mean a **lot** of things. Including, e.g., permission/access errors. Which would be expected. If you'd like to get an answer you need to provide _minimal_ working code that displays the exact error received, and the error itself. Not only is that the way StackOverflow works, but it's what you'd need to answer the question yourself if someone asked it of you. – davidbak Mar 05 '22 at 18:28
  • @davidbak Now I have added my code. The handle returns NULL, and it prints an error code like 1722 in the console. – Shyaam sundar Mar 05 '22 at 19:17
  • " prints some error code like 1722" could you show the exact error please – pm100 Mar 05 '22 at 19:18
  • the first field is not an 'ip address', it's a name – pm100 Mar 05 '22 at 19:20
  • https://learn.microsoft.com/en-us/windows/win32/wes/accessing-remote-computers – pm100 Mar 05 '22 at 19:21
  • And now that you have an actual error number, we can help you, or a search engine can. For example, with a search engine I found this SO question - [How to fix Error:1722 RPC server unavailable in c++ program using winevt.h](https://stackoverflow.com/questions/59919862/how-to-fix-error1722-rpc-server-unavailable-in-c-program-using-winevt-h) - it doesn't have an answer, but it does have a bunch of comments that shed light on the subject and point to other interesting documents that may help you. – davidbak Mar 05 '22 at 19:22
  • An IP address (dotted quad) is usually sufficient where a Windows API demands a server name. – davidbak Mar 05 '22 at 19:23
  • @pm100 As you suggested, I have tried using EvtOpenSession. The code is the same as in the document you referred to. But now it shows an error like [Error] 'EvtClose' was not declared in this scope. Likewise, it shows errors for all the built-in functions such as EvtRpcLogin, EvtOpenSession and so on. I think the problem is with the library file wevtapi.lib. I have downloaded it and added the file to my compiler's library folder, but it still doesn't work. Where should I place this library file? – Shyaam sundar Mar 08 '22 at 14:27
