
I would like to read the contents of the Event Log on Windows using a Perl script. I can read the contents of the 'Application' Log. I can't read old logs - .evtx files. Can you advise me where I have a mistake?

use strict;
use warnings;
use Win32::EventLog;   # provides new(), GetOldest(), Read()

my $filename = "C:/Windows/System32/winevt/Logs/Archive-Application-2022-10-26-16-18-53-831.evtx";
if (-f $filename) {
    printf "%s ... continue ...\n", $filename;
} else {
    printf "PROBLEM\n";
    exit -1;
}
my $EventLog = Win32::EventLog->new($filename) || die $!;
my $first;                                  # receives the oldest record number
$EventLog->GetOldest($first) || die $!;    # it dies here

EDIT:

Function GetOldest returns a RecordNumber. I tried UNC:

$filename = "\\\\<server>\\C\$\\Windows\\System32\\winevt\\Logs\\Archive-Application-2022-10-25-04-01-56-731.evtx";

... but the same error. The file exists but died on the GetOldest function. I haven't found something like $EventLog->errstr anywhere on the internet ... https://metacpan.org/pod/Win32::EventLog

  • One of your mistakes is not revealing the error messages. Assuming `$!` is applicable here, there might be a module specific error handling, like `$EventLog->errstr`. Is `GetOldest` a function that returns a non-negative value on success? – TLP Nov 05 '22 at 09:17
  • New users are expected to take the [tour]. It's also highly recommended to read through [ask]. – IInspectable Nov 05 '22 at 12:02
  • If the function returns a number, and that number is `0` that will trigger the `die` statement. Perhaps using die there is not optimal. Or you could do `die "No oldest records found!"`. – TLP Nov 05 '22 at 16:56
  • @Jiri, Re "*The file exists but died on the GetOldest function*" `GetOldest` is a wrapper for the `GetOldestEventLogRecord` system call. Like pretty much every other system call, the error that causes `GetOldestEventLogRecord` to fail can be obtained from the `GetLastError` system call. This is available in Perl as `$^E`. What error do you get? – ikegami Nov 05 '22 at 18:44
  • @TLP, It returns true on success or false on error. The number is "returned" via an output parameter. – ikegami Nov 05 '22 at 18:46


I tried a powerful thing: I cancelled the error test. Originally: #$EventLog->GetOldest($first) || die $!; now: $EventLog->GetOldest($first); ... and continued with the script; the script reads the contents of the .evtx file correctly.

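An added, stand-alone example (not code from the question or the answer) that reads a saved .evtx with Win32::EventLog, reports failures through the Win32 error in $^E as ikegami's comment suggests rather than silently dropping the check, and walks every record with Read(). The path is a constructed placeholder; the script relies on Win32::EventLog->new() calling OpenBackupEventLog only when the source string contains a backslash (a forward-slash path like the one in the question is treated as a live log name instead).

```perl
use strict;
use warnings;
use Win32::EventLog;   # exports the EVENTLOG_* constants used below

# Let the module resolve each record's Message text from its message DLL.
$Win32::EventLog::GetMessageText = 1;

# Constructed placeholder path; substitute a real archived log. Keep the
# backslashes: new() only calls OpenBackupEventLog when the source contains
# one, otherwise the string is taken as a live log name and Windows falls
# back to the Application log for names it does not know.
my $path = 'C:\\Windows\\System32\\winevt\\Logs\\Archive-Application-EXAMPLE.evtx';

my %TYPE = (
    EVENTLOG_ERROR_TYPE()       => 'ERROR',
    EVENTLOG_WARNING_TYPE()     => 'WARN',
    EVENTLOG_INFORMATION_TYPE() => 'INFO',
    EVENTLOG_AUDIT_SUCCESS()    => 'AUDIT_OK',
    EVENTLOG_AUDIT_FAILURE()    => 'AUDIT_FAIL',
);

# Prints every record of a saved .evtx file and returns how many were read.
sub dump_backup_log {
    my ($file) = @_;
    -f $file or die "no such file: $file\n";

    # new() blesses an object even when the underlying open failed, so a
    # "|| die" on it never fires. Check the first handle-dependent call
    # instead, and report the Win32 error ($^E), not errno ($!).
    my $log = Win32::EventLog->new($file);
    my ($count, $oldest);
    $log->GetNumber($count) or die "GetNumber failed: $^E\n";
    $log->GetOldest($oldest) or warn "GetOldest failed: $^E (continuing)\n";
    printf "%d records, oldest record number %s\n", $count, $oldest // '?';

    my $flags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ;
    my $read  = 0;
    my %ev;
    while ($log->Read($flags, 0, \%ev)) {   # offset 0: next record in sequence
        $read++;
        printf "%6d %s %-10s %-24s id=%-5d %s\n",
            $ev{RecordNumber}, scalar localtime($ev{TimeGenerated}),
            $TYPE{ $ev{EventType} } // $ev{EventType}, $ev{Source},
            $ev{EventID} & 0xFFFF, $ev{Computer};   # low 16 bits = event id
        print "       $ev{Message}\n" if defined $ev{Message} && length $ev{Message};
    }
    $log->Close;
    return $read;
}

dump_backup_log($path);
```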