Hi,

Hm, the string inserts are different, too. Any encoding issues? Your user name uses extended ASCII, too, right? Not sure if that's significant or not.

I've cc'd the win32utils-devel list to see if anyone has any ideas.

Thanks,

Dan

botp wrote:
> On 12/4/07, Daniel Berger <djberg96 at gmail.com> wrote:
>> Can you tell us which record numbers in particular are causing you
>> problems? We aren't finding any issues.
>
> all of them. the description is not complete or empty.
>
> in windows xp it works fine, eg
>
> #<struct Struct::EventLogStruct record_number=268, time_generated=Tue Dec 04 12:10:48 +0800 2007, time_written=Tue Dec 04 12:10:48 +0800 2007, event_id=642, event_type="audit_success", category=7, source="Security", computer="BG-MIS-PBOT", user="Pe\361aIJM", string_inserts=["-", "Guest", "BG-MIS-PBOT", "%{S-1-5-21-343818398-1177238915-839522115-501}", "Pe\361aIJM", "DMPI", "(0x0,0x14863)", "-"], description="User Account Changed:\r\n\r\n\t-\r\n\r\n\tTarget Account Name:\tGuest\r\n\r\n\tTarget Domain:\tBG-MIS-PBOT\r\n\r\n\tTarget Account ID:\t%{S-1-5-21-343818398-1177238915-839522115-501}\r\n\r\n\tCaller User Name:\tPe\361aIJM\r\n\r\n\tCaller Domain:\tDMPI\r\n\r\n\tCaller Logon ID:\t(0x0,0x14863)\r\n\r\n\tPrivileges:\t-">
>
> note the description, it's in full text.
>
> but running it in win 2003 server, i get something like
>
> #<struct Struct::EventLogStruct record_number=674805, time_generated=Tue Dec 04 12:05:18 +0800 2007, time_written=Tue Dec 04 12:05:18 +0800 2007, event_id=560, event_type="audit_success", category=3, source="Security", computer="BGDC01", user="pe\361aijm", string_inserts=["Security", "Key", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Eventlog\\Security\\Security", "1884", "0", "178296909", "956", "C:\\tools\\psloglist.exe", "pe\361aijm", "DMPI", "(0x0,0xA9E1DBF)", "-", "-", "-", "%%1537\r\n\t\t\t%%1538\r\n\t\t\t%%1539\r\n\t\t\t%%1540\r\n\t\t\t%%4432\r\n\t\t\t%%4433\r\n\t\t\t%%4434\r\n\t\t\t%%4435\r\n\t\t\t%%4436\r\n\t\t\t%%4437\r\n\t\t\t", "-", "0", "0xF003F"], description="">
>
> note the empty description
>
> comparing it with sysinternals psloglist command, i get
>
> recno : 674805
> datetime: 12/4/2007 12:05:18 PM
> eventid : 560
> user : pe?aijm\DMPI
> description: Object Open: Object Server: Security Object Type: Key Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security Handle ID: 1884 Operation ID: {0,178296909} Process ID: 956 Image File Name: C:\tools\psloglist.exe Primary User Name: pe?aijm Primary Domain: DMPI Primary Logon ID: (0x0,0xA9E1DBF) Client User Name: - Client Domain: - Client Logon ID: - Accesses: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Query key value Set key value Create sub-key Enumerate sub-keys Notify about changes to keys Create Link Privileges: - Restricted Sid Count: 0 Access Mask: 0xF003F
>
> note how complete psloglist's description is.
>
> but anyway, i think you'll be releasing 0.4.7. maybe i'll try that too.
>
> kind regards
> -botp
Hi,

2007/12/4, Daniel Berger <djberg96 at gmail.com>:
> Hi,
>
> Hm, the string inserts are different, too. Any encoding issues? Your
> user name uses extended ASCII, too, right? Not sure if that's
> significant or not.
>
> I've cc'd the win32utils-devel list to see if anyone has any ideas.
>
> Thanks,
>
> Dan

The win32-eventlog module needs to support handling parameters using ParameterMessageFile. Refer to http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm#nt_event_log

Regards,

Park Heesob
> -----Original Message-----
> From: win32utils-devel-bounces at rubyforge.org
> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
> Heesob Park

<snip>

> The win32-eventlog module needs to support handling
> parameters using ParameterMessageFile.
>
> Refer to
> http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm#nt_event_log

I guess I'm not sure how supporting ParameterMessageFiles in the EventLog.add_event_source will fix what appears to be an issue in the get_description private method.

In any case, is this patch all that's needed for the EventLog.add_event_source?

### Eclipse Workspace Patch 1.0 #P win32-eventlog Index: lib/win32/eventlog.rb ==================================================================RCS file: /var/cvs/win32utils/win32-eventlog/lib/win32/eventlog.rb,v retrieving revision 1.36 diff -u -r1.36 eventlog.rb --- lib/win32/eventlog.rb 4 Dec 2007 02:53:43 -0000 1.36 +++ lib/win32/eventlog.rb 4 Dec 2007 17:28:24 -0000 @@ -169,7 +169,7 @@ raise TypeError unless args.is_a?(Hash) valid_keys = %w/source key_name category_count event_message_file - category_message_file supported_types/ + category_message_file parameter_message_file supported_types/ key_base = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\"
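Review bot: the `valid_keys` change admits `parameter_message_file`, but nothing in the patch updates the `add_event_source` documentation to list the new key next to `event_message_file` and `category_message_file` and to say that it names the DLL holding the `%%NNNN` parameter strings; please add that to the method's rdoc together with this hunk.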
@@ -315,6 +315,25 @@ end end + if hash[''parameter_message_file''] + data = File.expand_path(hash[''parameter_message_file'']) + + rv = RegSetValueEx( + hkey, + ''ParameterMessageFile'', + 0, + REG_EXPAND_SZ, + data, + data.size + ) + + if rv != ERROR_SUCCESS + error = ''RegSetValueEx() failed: '' + get_last_error + RegCloseKey(hkey) + raise Error, error + end + end + data = [hash[''supported_types'']].pack(''L'') rv = RegSetValueEx( hkey,

Thanks,

Dan
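Review bot: in the new `RegSetValueEx` call the value length is passed as `data.size`, but for a REG_EXPAND_SZ (or REG_SZ) value Windows expects cbData to include the terminating NUL, so the stored `ParameterMessageFile` string can end up unterminated when read back; pass `data.size + 1` here. The error path is fine as written, since it closes `hkey` before raising.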
Hi,

2007/12/5, Berger, Daniel <Daniel.Berger at qwest.com>:
> I guess I'm not sure how supporting ParameterMessageFiles in the
> EventLog.add_event_source will fix what appears to be an issue in the
> get_description private method.
>
> In any case, is this patch all that's needed for the
> EventLog.add_event_source?

<snip>

> Thanks,
>
> Dan

I meant the get_description method could handle not just EventMessageFile but also ParameterMessageFile and other MessageFiles like CategoryMessageFile, GuidMessageFile to acquire correct description.

Regards,

Park Heesob
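As an added illustration of what Heesob describes (example code, not from win32-eventlog): a description is built in two lookups, the template for the event id from the EventMessageFile and the `%%NNNN` tokens inside the string inserts from the ParameterMessageFile. Constructed hash tables stand in for both DLLs here (a real implementation would load them with LoadLibraryEx and query them with FormatMessage); the inserts are those of botp's Windows 2003 record, with `\361` rendered as the Latin-1 n-tilde, and the parameter texts are the ones psloglist printed above.

```ruby
# Constructed stand-in for the ParameterMessageFile (ids and texts from the psloglist output above).
PARAMETER_MESSAGES = {
  1537 => 'DELETE', 1538 => 'READ_CONTROL', 1539 => 'WRITE_DAC',
  1540 => 'WRITE_OWNER', 4432 => 'Query key value', 4433 => 'Set key value',
  4434 => 'Create sub-key', 4435 => 'Enumerate sub-keys',
  4436 => 'Notify about changes to keys', 4437 => 'Create Link'
}

# Constructed stand-in for the EventMessageFile, in FormatMessage() notation: %n line break, %t tab, %1..%18 inserts.
EVENT_MESSAGES = {
  560 => 'Object Open:%n%tObject Server:%t%1%n%tObject Type:%t%2%n%tObject Name:%t%3%n' \
         '%tHandle ID:%t%4%n%tOperation ID:%t{%5,%6}%n%tProcess ID:%t%7%n' \
         '%tImage File Name:%t%8%n%tPrimary User Name:%t%9%n%tPrimary Domain:%t%10%n' \
         '%tPrimary Logon ID:%t%11%n%tClient User Name:%t%12%n%tClient Domain:%t%13%n' \
         '%tClient Logon ID:%t%14%n%tAccesses:%t%15%n%tPrivileges:%t%16%n' \
         '%tRestricted Sid Count:%t%17%n%tAccess Mask:%t%18'
}

# The string_inserts of the Windows 2003 record botp posted ("\361" there is Latin-1 for the n-tilde).
SAMPLE_INSERTS = [
  'Security', 'Key',
  '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security',
  '1884', '0', '178296909', '956', 'C:\tools\psloglist.exe', "pe\u00F1aijm", 'DMPI',
  '(0x0,0xA9E1DBF)', '-', '-', '-',
  "%%1537\r\n\t\t\t%%1538\r\n\t\t\t%%1539\r\n\t\t\t%%1540\r\n\t\t\t%%4432\r\n\t\t\t" \
  "%%4433\r\n\t\t\t%%4434\r\n\t\t\t%%4435\r\n\t\t\t%%4436\r\n\t\t\t%%4437\r\n\t\t\t",
  '-', '0', '0xF003F'
]

# Stage 1: resolve every %%NNNN token in an insert through the parameter table; unknown ids stay verbatim.
def expand_parameters(insert, params = PARAMETER_MESSAGES)
  insert.gsub(/%%(\d+)/) { params.fetch($1.to_i) { |id| "%%#{id}" } }
end

# Stage 2: substitute the expanded inserts into the template; with no template the result is "",
# the empty description botp saw. Block-form gsub, so backslashes in inserts are not back-references.
def format_description(event_id, inserts, events = EVENT_MESSAGES, params = PARAMETER_MESSAGES)
  template = events[event_id]
  return '' unless template
  expanded = inserts.map { |s| expand_parameters(s, params) }
  template.gsub(/%(\d+|[nt%])/) do
    case $1
    when 'n' then "\r\n"
    when 't' then "\t"
    when '%' then '%'
    else expanded[$1.to_i - 1].to_s
    end
  end
end
```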
Heesob Park wrote:
> Hi,
<snip>
> I meant the get_description method could handle not just EventMessageFile
> but also ParameterMessageFile and other MessageFiles like
> CategoryMessageFile, GuidMessageFile to acquire correct description.

Ah, ok. I'll put together a patch this week and see how it goes.

Thanks,

Dan