Daniel Berger
2006-May-21 01:41 UTC
[Win32utils-devel] Possible problems with EventLog#write
Hi,

I've got EventLog#write and EventLog.add_event_source methods done. Well, I *think* they're done, but I can't get the data (text) to work properly, and I'm not sure if it's a bug in my .mc file, the add_event_source method, the write method, or just a goof in my test file.

The source, category and event id seem to be ok. However, the description always comes back with:

The description for Event ID ( 3 ) in Source ( foo ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: test.

Anyway, here's the .mc file (which I took from the tutorial.txt file) and the test file:

; foo.mc
MessageId=0x1
SymbolicName=CATEGORY_ERROR
Language=English
error
.

MessageId=0x2
SymbolicName=CATEGORY_WARNING
Language=English
warning
.

MessageId=0x3
Severity=Error
SymbolicName=FOO_ERROR
Language=English
Error: %1
.

# add.rb
dll_file = Dir.pwd + '/foo.dll'
EventLog.add_event_source(
   "key_name" => "foo",
   "category_count" => 2,
   "event_message_file" => dll_file,
   "category_message_file" => dll_file
)

# test.rb
require 'win32/eventlog'
include Win32

log = EventLog.open

log.write(
   :source => 'foo',
   :data => 'test',
   :category => 0x2,
   :event_id => 0x3,
   :event_type => EventLog::WARN
)

log.close

I also made sure that it wasn't a path separator issue by doing a String#tr in the add_event_source, but that didn't seem to matter.

Also, I'm not sure that doing File.expand_path on the dll name within add_event_source is a good idea - I just tossed that in there for now, but I'm curious what others think.

Thanks,

Dan
Heesob Park
2006-May-21 06:39 UTC
[Win32utils-devel] Possible problems with EventLog#write
Hi,

2006/5/21, Daniel Berger <djberg96 at gmail.com>:
> Hi,
>
> I've got EventLog#write and EventLog.add_event_source methods done.
> Well, I *think* they're done, but I can't get the data (text) to work
> properly, and I'm not sure if it's a bug in my .mc file, the
> add_event_source method, the write method, or just a goof in my test file.
>
> The source, category and event id seem to be ok. However, the
> description always comes back with:
>
> The description for Event ID ( 3 ) in Source ( foo ) cannot be found.
> The local computer may not have the necessary registry information or
> message DLL files to display messages from a remote computer. You may be
> able to use the /AUXSOURCE= flag to retrieve this description; see Help
> and Support for details. The following information is part of the event:
> test.
>
> Anyway, here's the .mc file (which I took from the tutorial.txt file)
> and the test file:
>
> ; foo.mc
> MessageId=0x1
> SymbolicName=CATEGORY_ERROR
> Language=English
> error
> .
>
> MessageId=0x2
> SymbolicName=CATEGORY_WARNING
> Language=English
> warning
> .
>
> MessageId=0x3
> Severity=Error
> SymbolicName=FOO_ERROR
> Language=English
> Error: %1
> .
>

event_id is defined in the mc.h

Look at the mc.h :

#define CATEGORY_ERROR 0x00000001L

#define CATEGORY_WARNING 0x00000002L

#define FOO_ERROR 0xC0000003L

> # add.rb
> dll_file = Dir.pwd + '/foo.dll'
> EventLog.add_event_source(
>    "key_name" => "foo",
>    "category_count" => 2,
>    "event_message_file" => dll_file,
>    "category_message_file" => dll_file
> )
>
> # test.rb
> require 'win32/eventlog'
> include Win32
>
> log = EventLog.open
>
> log.write(
>    :source => 'foo',
>    :data => 'test',
>    :category => 0x2,
>    :event_id => 0x3,
>    :event_type => EventLog::WARN
> )
>
> log.close
>

You must call with event_id value 0xC0000003 instead of 0x3.

But it raises error
test.rb:7:in `write': bignum too big to convert into `long' (RangeError)
from test.rb:7

It is another problem.

> I also made sure that it wasn't a path separator issue by doing a
> String#tr in the add_event_source, but that didn't seem to matter.
>
> Also, I'm not sure that doing File.expand_path on the dll name within
> add_event_source is a good idea - I just tossed that in there for now,
> but I'm curious what others think.
>

And tail method raises insufficient resource error after reading six event log messages.

Regards,

Park Heesob
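
The two points in the reply above, as an added example (not code from the thread or from win32-eventlog): the ID that mc writes to the header is the MessageId combined with the Severity bits, and 0xC0000003 does not fit a signed 32-bit long. The names `message_ids`, `displayed_id`, `fits_signed_long32?` and `fits_dword?` are hypothetical; a definition without Severity= or Facility= is assumed to get 0 for that field, which matches the mc.h values quoted in the thread.

```ruby
# Added example: rebuild the 32-bit event IDs for the foo.mc in this thread.
# Bit layout of an event ID: severity 31-30, customer 29, reserved 28,
# facility 27-16, code 15-0.
SEVERITY = { 'Success' => 0, 'Informational' => 1, 'Warning' => 2, 'Error' => 3 }.freeze

# The three definitions from foo.mc as posted (blank lines dropped).
FOO_MC = <<~MC
  MessageId=0x1
  SymbolicName=CATEGORY_ERROR
  Language=English
  error
  .
  MessageId=0x2
  SymbolicName=CATEGORY_WARNING
  Language=English
  warning
  .
  MessageId=0x3
  Severity=Error
  SymbolicName=FOO_ERROR
  Language=English
  Error: %1
  .
MC

# Returns { symbolic_name => full_id }.
# Assumption: a missing Severity= or Facility= means 0 for that field.
def message_ids(mc_text)
  mc_text.split(/^\.$/).each_with_object({}) do |block, ids|
    fields = block.scan(/^(\w+)=(\S+)/).to_h
    next unless fields['MessageId'] && fields['SymbolicName']
    sev  = SEVERITY.fetch(fields.fetch('Severity', 'Success'))
    fac  = Integer(fields.fetch('Facility', '0'))
    code = Integer(fields['MessageId'])
    ids[fields['SymbolicName']] = (sev << 30) | ((fac & 0xFFF) << 16) | (code & 0xFFFF)
  end
end

# The viewer's "Event ID ( n )" shows only the low 16 bits of the stored ID.
def displayed_id(id); id & 0xFFFF; end

# A signed 32-bit conversion rejects the ID; an unsigned DWORD holds it.
def fits_signed_long32?(id); (-2**31..2**31 - 1).cover?(id); end
def fits_dword?(id); (0..2**32 - 1).cover?(id); end

if __FILE__ == $PROGRAM_NAME
  message_ids(FOO_MC).each { |name, id| puts format('%-18s 0x%08X', name, id) }
end
```

The viewer reports "Event ID ( 3 )" for both 0x3 and 0xC0000003, so the displayed number alone does not show which value was written.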
Daniel Berger
2006-May-21 22:42 UTC
[Win32utils-devel] Possible problems with EventLog#write
Heesob Park wrote:
> Hi,
>
> 2006/5/21, Daniel Berger <djberg96 at gmail.com>:
>> Hi,
>>
>> I've got EventLog#write and EventLog.add_event_source methods done.
>> Well, I *think* they're done, but I can't get the data (text) to work
>> properly, and I'm not sure if it's a bug in my .mc file, the
>> add_event_source method, the write method, or just a goof in my test file.
>>
>> The source, category and event id seem to be ok. However, the
>> description always comes back with:
>>
>> The description for Event ID ( 3 ) in Source ( foo ) cannot be found.
>> The local computer may not have the necessary registry information or
>> message DLL files to display messages from a remote computer. You may be
>> able to use the /AUXSOURCE= flag to retrieve this description; see Help
>> and Support for details. The following information is part of the event:
>> test.
>>
>> Anyway, here's the .mc file (which I took from the tutorial.txt file)
>> and the test file:
>>
>> ; foo.mc
>> MessageId=0x1
>> SymbolicName=CATEGORY_ERROR
>> Language=English
>> error
>> .
>>
>> MessageId=0x2
>> SymbolicName=CATEGORY_WARNING
>> Language=English
>> warning
>> .
>>
>> MessageId=0x3
>> Severity=Error
>> SymbolicName=FOO_ERROR
>> Language=English
>> Error: %1
>> .
>>
> event_id is defined in the mc.h
>
> Look at the mc.h :
>
> #define CATEGORY_ERROR 0x00000001L
>
> #define CATEGORY_WARNING 0x00000002L
>
> #define FOO_ERROR 0xC0000003L
>
>> # add.rb
>> dll_file = Dir.pwd + '/foo.dll'
>> EventLog.add_event_source(
>>    "key_name" => "foo",
>>    "category_count" => 2,
>>    "event_message_file" => dll_file,
>>    "category_message_file" => dll_file
>> )
>>
>> # test.rb
>> require 'win32/eventlog'
>> include Win32
>>
>> log = EventLog.open
>>
>> log.write(
>>    :source => 'foo',
>>    :data => 'test',
>>    :category => 0x2,
>>    :event_id => 0x3,
>>    :event_type => EventLog::WARN
>> )
>>
>> log.close
>>
>
> You must call with event_id value 0xC0000003 instead of 0x3.
>
> But it raises error
> test.rb:7:in `write': bignum too big to convert into `long' (RangeError)
> from test.rb:7
>
> It is another problem.

I take it Win32API.c would have to be modified to use ULL2NUM. :(

>
>> I also made sure that it wasn't a path separator issue by doing a
>> String#tr in the add_event_source, but that didn't seem to matter.
>>
>> Also, I'm not sure that doing File.expand_path on the dll name within
>> add_event_source is a good idea - I just tossed that in there for now,
>> but I'm curious what others think.
>>
> And tail method raises insufficient resource error after reading six
> event log messages.

Confirmed. I tried wrapping the WaitForSingleObject() function in its own thread and/or calling GC.start but that didn't seem to help. Any ideas?

Dan
Heesob Park
2006-May-22 01:32 UTC
[Win32utils-devel] Possible problems with EventLog#write
Hi,

2006/5/22, Daniel Berger <djberg96 at gmail.com>:
> Heesob Park wrote:
> > Hi,
> >
> > 2006/5/21, Daniel Berger <djberg96 at gmail.com>:
> >> Hi,
> >>
> >> I've got EventLog#write and EventLog.add_event_source methods done.
> >> Well, I *think* they're done, but I can't get the data (text) to work
> >> properly, and I'm not sure if it's a bug in my .mc file, the
> >> add_event_source method, the write method, or just a goof in my test file.
> >>
> >> The source, category and event id seem to be ok. However, the
> >> description always comes back with:
> >>
> >> The description for Event ID ( 3 ) in Source ( foo ) cannot be found.
> >> The local computer may not have the necessary registry information or
> >> message DLL files to display messages from a remote computer. You may be
> >> able to use the /AUXSOURCE= flag to retrieve this description; see Help
> >> and Support for details. The following information is part of the event:
> >> test.
> >>
> >> Anyway, here's the .mc file (which I took from the tutorial.txt file)
> >> and the test file:
> >>
> >> ; foo.mc
> >> MessageId=0x1
> >> SymbolicName=CATEGORY_ERROR
> >> Language=English
> >> error
> >> .
> >>
> >> MessageId=0x2
> >> SymbolicName=CATEGORY_WARNING
> >> Language=English
> >> warning
> >> .
> >>
> >> MessageId=0x3
> >> Severity=Error
> >> SymbolicName=FOO_ERROR
> >> Language=English
> >> Error: %1
> >> .
> >>
> > event_id is defined in the mc.h
> >
> > Look at the mc.h :
> >
> > #define CATEGORY_ERROR 0x00000001L
> >
> > #define CATEGORY_WARNING 0x00000002L
> >
> > #define FOO_ERROR 0xC0000003L
> >
> >> # add.rb
> >> dll_file = Dir.pwd + '/foo.dll'
> >> EventLog.add_event_source(
> >>    "key_name" => "foo",
> >>    "category_count" => 2,
> >>    "event_message_file" => dll_file,
> >>    "category_message_file" => dll_file
> >> )
> >>
> >> # test.rb
> >> require 'win32/eventlog'
> >> include Win32
> >>
> >> log = EventLog.open
> >>
> >> log.write(
> >>    :source => 'foo',
> >>    :data => 'test',
> >>    :category => 0x2,
> >>    :event_id => 0x3,
> >>    :event_type => EventLog::WARN
> >> )
> >>
> >> log.close
> >>
> >
> > You must call with event_id value 0xC0000003 instead of 0x3.
> >
> > But it raises error
> > test.rb:7:in `write': bignum too big to convert into `long' (RangeError)
> > from test.rb:7
> >
> > It is another problem.
>
> I take it Win32API.c would have to be modified to use ULL2NUM. :(
>
> >
> >> I also made sure that it wasn't a path separator issue by doing a
> >> String#tr in the add_event_source, but that didn't seem to matter.
> >>
> >> Also, I'm not sure that doing File.expand_path on the dll name within
> >> add_event_source is a good idea - I just tossed that in there for now,
> >> but I'm curious what others think.
> >>
> > And tail method raises insufficient resource error after reading six
> > event log messages.
>
> Confirmed. I tried wrapping the WaitForSingleObject() function in its
> own thread and/or calling GC.start but that didn't seem to help. Any ideas?
>

One workaround is open event log every time like this:

def notify_change(&block)
   @handle = OpenEventLog(@server, @source)
   unless block_given?
      raise EventLogError, 'block missing for notify_change()'
   end
   event = CreateEvent(0, 0, 0, 0)
   unless NotifyChangeEventLog(@handle, event)
      error = 'NotifyChangeEventLog() failed: ' + get_last_error
      raise EventLogError, error
   end
   wait_result = WaitForSingleObject(event, INFINITE)
   CloseHandle(event)

   if wait_result == WAIT_FAILED
      error = 'WaitForSingleObject() failed: ' + get_last_error
      raise EventLogError, error
   else
      last = read_last_event
      block.call(last)
   end
   CloseEventLog(@handle)
   self
end

The other is GetNumberOfEventLogRecords instead of NotifyChangeEventLog
refer to http://support.microsoft.com/kb/q245609/

Regards,

Park Heesob
Daniel Berger
2006-May-22 03:48 UTC
[Win32utils-devel] Possible problems with EventLog#write
Heesob Park wrote:

<snip>

> One workaround is open event log every time like this:
>
> def notify_change(&block)
>    @handle = OpenEventLog(@server, @source)
>    unless block_given?
>       raise EventLogError, 'block missing for notify_change()'
>    end
>    event = CreateEvent(0, 0, 0, 0)
>    unless NotifyChangeEventLog(@handle, event)
>       error = 'NotifyChangeEventLog() failed: ' + get_last_error
>       raise EventLogError, error
>    end
>    wait_result = WaitForSingleObject(event, INFINITE)
>    CloseHandle(event)
>
>    if wait_result == WAIT_FAILED
>       error = 'WaitForSingleObject() failed: ' + get_last_error
>       raise EventLogError, error
>    else
>       last = read_last_event
>       block.call(last)
>    end
>    CloseEventLog(@handle)
>    self
> end

For some reason this didn't work right. It would start returning empty structs if too many events happened too quickly.

> The other is GetNumberOfEventLogRecords instead of NotifyChangeEventLog
> refer to http://support.microsoft.com/kb/q245609/

The problem with that approach is that, according to other docs I've read, the record numbers can get reused. That leads me to believe that GetNumberOfEventLogRecords() would not necessarily correspond to the last record number.

However, I took that general idea and came up with this solution:

# Remove references to the @last instance variable first
def tail(frequency=5)
   unless block_given?
      raise EventLogError, 'block missing for tail()'
   end

   old_total = total_records()
   flags = FORWARDS_READ | SEEK_READ
   rec_num = read_last_event.record_number

   while true
      new_total = total_records()
      if new_total != old_total
         read(flags, rec_num).each{ |log| yield log }
         old_total = new_total
         rec_num = read_last_event.record_number
      end
      sleep frequency
   end
end

I tail'd the Security log (where I could force lots of log entries by doing some random things with user accounts) and it handled it just fine.

If you see any problems with this approach please let me know. Otherwise, I'm going to commit it later this week (along with updated docs).

However, that still leaves us with the bigint/long issue.

Many thanks,

Dan
Heesob Park
2006-May-22 05:22 UTC
[Win32utils-devel] Possible problems with EventLog#write
Hi,

2006/5/22, Daniel Berger <djberg96 at gmail.com>:
> Heesob Park wrote:
>
> <snip>
> However, I took that general idea and came up with this solution:
>
> # Remove references to the @last instance variable first
> def tail(frequency=5)
>    unless block_given?
>       raise EventLogError, 'block missing for tail()'
>    end
>
>    old_total = total_records()
>    flags = FORWARDS_READ | SEEK_READ
>    rec_num = read_last_event.record_number
>
>    while true
>       new_total = total_records()
>       if new_total != old_total
>          read(flags, rec_num).each{ |log| yield log }
>          old_total = new_total
>          rec_num = read_last_event.record_number
>       end
>       sleep frequency
>    end
> end
>
> I tail'd the Security log (where I could force lots of log entries by
> doing some random things with user accounts) and it handled it just fine.
>
> If you see any problems with this approach please let me know.
> Otherwise, I'm going to commit it later this week (along with updated docs).
>

It works fine. go ahead.

> However, that still leaves us with the bigint/long issue.
>

The bigint/long issue is only in c version of eventlog.
The source eventlog.c line #711
dwEventID = NUM2INT(v_event_id);
should be
dwEventID = NUM2ULONG(v_event_id);

Pure ruby version works fine.

Regards,

Park Heesob
Berger, Daniel
2006-May-23 20:33 UTC
[Win32utils-devel] Possible problems with EventLog#write
> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
> Heesob Park
> Sent: Sunday, May 21, 2006 11:22 PM
> To: Development and ideas for win32utils projects
> Subject: Re: [Win32utils-devel] Possible problems with EventLog#write
>
>
> Hi,
>
> 2006/5/22, Daniel Berger <djberg96 at gmail.com>:
> > Heesob Park wrote:
> >
> > <snip>
> > However, I took that general idea and came up with this solution:
> >
> > # Remove references to the @last instance variable first
> > def tail(frequency=5)
> >    unless block_given?
> >       raise EventLogError, 'block missing for tail()'
> >    end
> >
> >    old_total = total_records()
> >    flags = FORWARDS_READ | SEEK_READ
> >    rec_num = read_last_event.record_number
> >
> >    while true
> >       new_total = total_records()
> >       if new_total != old_total
> >          read(flags, rec_num).each{ |log| yield log }
> >          old_total = new_total
> >          rec_num = read_last_event.record_number
> >       end
> >       sleep frequency
> >    end
> > end
> >
> > I tail'd the Security log (where I could force lots of log entries by
> > doing some random things with user accounts) and it handled it just
> > fine.
> >
> > If you see any problems with this approach please let me know.
> > Otherwise, I'm going to commit it later this week (along with updated
> > docs).
> >
> It works fine. go ahead.

Ok, I'm going to get it out sometime in the next few days. I got a bunch of the preliminary work out of the way last night, but I need to put out the next release of windows-pr first.

> > However, that still leaves us with the bigint/long issue.
> >
> The bigint/long issue is only in c version of eventlog.
> The source eventlog.c line #711
> dwEventID = NUM2INT(v_event_id);
> should be
> dwEventID = NUM2ULONG(v_event_id);
>
> Pure ruby version works fine.

You're right, thank you. Well, I guess we won't have to worry about that any more. :)

Thanks for your time and help.

Dan