用OpenEventLog,ReadEventLog等函数unit Unit1;interfaceuses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,DateUtils;
type
//日志格式
EVENTLOGRECORD = record
Length,
Reserved,
RecordNumber,
TimeGenerated,
TimeWritten,
EventID: LongWord;
EventType,
NumStrings,
EventCategory,
ReservedFlags: Word;
ClosingRecordNumber,
StringOffset,
UserSidLength,
UserSidOffset,
DataLength,
DataOffset: LongWord;
end;type
PEventLogRecord = ^TEventLogRecord;
TEventLogRecord = packed record
Length: dword;
Reserved: dword;
RecordNumber: dword;
TimeGenerated: dword;
TimeWritten: dword;
EventID: dword;
EventType: word;
NumStrings: word;
EventCategory: word;
ReservedFlags: word;
ClosingRecordNumber: dword;
StringOffset: dword;
UserSidLength: dword;
UserSidOffset: dword;
DataLength: dword;
DataOffset: dword;
end;
const
EVENTLOG_SEQUENTIAL_READ = $00000001;
ENTLOG_SEEK_READ = $00000002;
EVENTLOG_FORWARDS_READ = $00000004;
EVENTLOG_BACKWARDS_READ = $00000008;type
TForm1 = class(TForm)
Button1: TButton;
Memo1: TMemo;
Button2: TButton;
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;implementation{$R *.dfm}procedure TForm1.Button1Click(Sender: TObject);
var
hEventLog, nBytesRead, nBytesNeed: LongWord;
buff: array[0..300 * 56 - 1] of Byte; //buff 缓冲区一次能读入300条记录,不够你自己加
p: ^EVENTLOGRECORD; x: string;
buffer: pchar;begin
hEventLog := OpenEventLog(nil, 'System');
if hEventLog <> 0 then
begin
FillChar(buff, SizeOf(EVENTLOGRECORD), 0);
if ReadEventLog(hEventLog, EVENTLOG_BACKWARDS_READ or EVENTLOG_SEQUENTIAL_READ,
0, @buff, SizeOf(buff), nBytesRead, nBytesNeed) then
begin
p := @buff;
//循环读取日志条目
while LongWord(p) < LongWord(@buff) + nBytesRead do
begin
//你对每条日志的处理过程......
GetMem(Buffer, sizeof(EVENTLOGRECORD));
StrCopy(Buffer, pchar(pchar(p) + sizeof(EVENTLOGRECORD))); x := 'time:' + DateTimeToStr(Double(EncodeDate(1970, 1, 1)) + p^.TimeGenerated / 86400 + 1 / 3) + ' eventid:' + inttostr(P^.EventID) + ' eventtype: catelog: ' + inttostr(p^.EventCategory) + ' source: ' + Buffer; //p^.DataOffset StrCopy(Buffer, pchar(pchar(p) + sizeof(EVENTLOGRECORD)));
memo1.Lines.Add(x);
GetMem(Buffer, sizeof(50));
StrCopy(Buffer, pchar(pchar(p) + 50)); memo1.Lines.Add(Buffer); p := Pointer(LongWord(p) + p.Length);
end;
end;
end;
CloseEventLog(hEventLog);end;
从网上找来的代码,日志读取不全,还有详细的日志内容,不知道怎么取。有没有人知道ReadEventLog详细的用法??
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,DateUtils;
type
//日志格式
EVENTLOGRECORD = record
Length,
Reserved,
RecordNumber,
TimeGenerated,
TimeWritten,
EventID: LongWord;
EventType,
NumStrings,
EventCategory,
ReservedFlags: Word;
ClosingRecordNumber,
StringOffset,
UserSidLength,
UserSidOffset,
DataLength,
DataOffset: LongWord;
end;type
PEventLogRecord = ^TEventLogRecord;
TEventLogRecord = packed record
Length: dword;
Reserved: dword;
RecordNumber: dword;
TimeGenerated: dword;
TimeWritten: dword;
EventID: dword;
EventType: word;
NumStrings: word;
EventCategory: word;
ReservedFlags: word;
ClosingRecordNumber: dword;
StringOffset: dword;
UserSidLength: dword;
UserSidOffset: dword;
DataLength: dword;
DataOffset: dword;
end;
const
EVENTLOG_SEQUENTIAL_READ = $00000001;
ENTLOG_SEEK_READ = $00000002;
EVENTLOG_FORWARDS_READ = $00000004;
EVENTLOG_BACKWARDS_READ = $00000008;type
TForm1 = class(TForm)
Button1: TButton;
Memo1: TMemo;
Button2: TButton;
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;implementation{$R *.dfm}procedure TForm1.Button1Click(Sender: TObject);
var
hEventLog, nBytesRead, nBytesNeed: LongWord;
buff: array[0..300 * 56 - 1] of Byte; //buff 缓冲区一次能读入300条记录,不够你自己加
p: ^EVENTLOGRECORD; x: string;
buffer: pchar;begin
hEventLog := OpenEventLog(nil, 'System');
if hEventLog <> 0 then
begin
FillChar(buff, SizeOf(EVENTLOGRECORD), 0);
if ReadEventLog(hEventLog, EVENTLOG_BACKWARDS_READ or EVENTLOG_SEQUENTIAL_READ,
0, @buff, SizeOf(buff), nBytesRead, nBytesNeed) then
begin
p := @buff;
//循环读取日志条目
while LongWord(p) < LongWord(@buff) + nBytesRead do
begin
//你对每条日志的处理过程......
GetMem(Buffer, sizeof(EVENTLOGRECORD));
StrCopy(Buffer, pchar(pchar(p) + sizeof(EVENTLOGRECORD))); x := 'time:' + DateTimeToStr(Double(EncodeDate(1970, 1, 1)) + p^.TimeGenerated / 86400 + 1 / 3) + ' eventid:' + inttostr(P^.EventID) + ' eventtype: catelog: ' + inttostr(p^.EventCategory) + ' source: ' + Buffer; //p^.DataOffset StrCopy(Buffer, pchar(pchar(p) + sizeof(EVENTLOGRECORD)));
memo1.Lines.Add(x);
GetMem(Buffer, sizeof(50));
StrCopy(Buffer, pchar(pchar(p) + 50)); memo1.Lines.Add(Buffer); p := Pointer(LongWord(p) + p.Length);
end;
end;
end;
CloseEventLog(hEventLog);end;
从网上找来的代码,日志读取不全,还有详细的日志内容,不知道怎么取。有没有人知道ReadEventLog详细的用法??
http://www.wilsonc.demon.co.uk/ntcomponents.htm