[Win32utils-devel] EventLog#tail is broken

Daniel Berger djberg96 at gmail.com
Fri May 19 22:16:31 EDT 2006


I just discovered something awful.  The EventLog#tail method does not 
work the way I thought it did.  Instead of picking up new events as 
they're added, it's really just iterating backwards through the current 
event log.

Look at this sample below.  The first record is correct.  Then another 
event happens, but instead of the latest record, I get an *earlier* 
record.  Thinking about the flags that are set, EVENTLOG_BACKWARDS_READ 
| EVENTLOG_SEQUENTIAL_READ in the read_last_event() function, it makes 
sense.  It will read backwards sequentially.


C:\eclipse\workspace\win32-eventlog>irb
irb(main):001:0> require 'win32/eventlog'
=> true
irb(main):002:0> include Win32
=> Object
irb(main):003:0> EventLog.open('Security').tail{ |log| p log }
#<struct Struct::EventLogStruct record_number=15399, time_generated=Fri May 19 19:54:25 MDT 2006,
time_written=Fri May 19 19:54:25 MDT 2006, event_id=680, event_type="audit failure", category=9,
source="Security", computer="IMPERATOR", user="SYSTEM", description="Logon attempt by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\r\n\r\nLogon account: Daniel\r\n\r\nSource Workstation:
IMPERATOR\r\n\r\nError Code: 0xC000006A\r\n\r\n">

#<struct Struct::EventLogStruct record_number=15064, time_generated=Sun May 07 18:46:31 MDT 2006,
time_written=Sun May 07 18:46:31 MDT 2006, event_id=615, event_type="audit failure", category=6,
source="Security", computer="IMPERATOR", user="NETWORK SERVICE", description="IPSec Services: \tIPSec
Services failed to get the complete list of network interfaces on the machine. This can be a potential
security hazard to the machine since some of the network interfaces may not get the protection as
desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the
problem.\r\n\r\n\r\n">

UGH.

So, what's the solution?  Just start at the offset returned by 
GetNumberOfEventLogRecords() and use EVENTLOG_FORWARDS_READ | 
EVENTLOG_SEEK_READ instead?

Was it always like this and no one noticed?  Did I goof a commit 
somewhere?  Or are things actually working and I'm panicked for no reason?

Dan
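
The two read strategies discussed in the message, worked through as an added example that is not code from the win32-eventlog gem or from the poster. Since ReadEventLog is Windows-only, the block uses a constructed pure-Ruby stand-in (FakeEventLog) that keeps only the state the real API keeps across calls (a read cursor) and honours the EVENTLOG_* flag values from winnt.h. Record numbers, event IDs and descriptions are constructed sample data. The buggy tail does BACKWARDS_READ | SEQUENTIAL_READ on every call and so walks into the past; the fixed tail remembers the last record number it delivered and does FORWARDS_READ | SEEK_READ from the next number, then continues with sequential forward reads until the log runs out.

```ruby
# Flag values as defined in winnt.h for ReadEventLog.
EVENTLOG_SEQUENTIAL_READ = 0x0001
EVENTLOG_SEEK_READ       = 0x0002
EVENTLOG_FORWARDS_READ   = 0x0004
EVENTLOG_BACKWARDS_READ  = 0x0008

Record = Struct.new(:record_number, :event_id, :description)

# Constructed simulation of an event log handle (not the gem's code).
# Record numbers increase monotonically; the read cursor is the only state
# carried between SEQUENTIAL reads, as with the real handle.
class FakeEventLog
  def initialize
    @records = []
    @next_number = 15000
    @cursor = nil
  end

  def append(event_id, description)
    rec = Record.new(@next_number, event_id, description)
    @next_number += 1
    @records << rec
    rec
  end

  def total_records
    @records.size
  end

  # SEEK_READ positions at the record numbered +offset+; SEQUENTIAL_READ moves
  # one record on from the previous call in the FORWARDS/BACKWARDS direction
  # (a fresh handle starts at the oldest record forwards, newest backwards).
  # Returns nil past either end, where the real API fails with ERROR_HANDLE_EOF.
  def read(flags, offset = 0)
    backwards = (flags & EVENTLOG_BACKWARDS_READ) != 0
    if (flags & EVENTLOG_SEEK_READ) != 0
      idx = @records.index { |r| r.record_number == offset }
      return nil unless idx
    elsif @cursor.nil?
      idx = backwards ? @records.size - 1 : 0
    else
      idx = backwards ? @cursor - 1 : @cursor + 1
    end
    return nil if idx < 0 || idx >= @records.size
    @cursor = idx
    @records[idx]
  end
end

# Buggy strategy: newest record first, then one record further back per call.
def buggy_tail_step(log)
  log.read(EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ)
end

# Fixed strategy: seek to the record after +last_seen+, read forwards to the
# end, and hand back the new records plus the updated high-water mark.
def fixed_tail_step(log, last_seen)
  new_records = []
  rec = log.read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, last_seen + 1)
  while rec
    new_records << rec
    last_seen = rec.record_number
    rec = log.read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ)
  end
  [new_records, last_seen]
end

# Constructed sample log: records 15000..15002.
def seed_log
  log = FakeEventLog.new
  log.append(680, 'Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0')
  log.append(615, 'IPSec Services failed to get the complete list of network interfaces')
  log.append(680, 'Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0')
  log
end

# Record numbers the buggy tail yields: the newest record, then, after a new
# event has been written, an *older* record instead of the new one.
def buggy_tail_demo
  log = seed_log
  first = buggy_tail_step(log)
  log.append(529, 'Logon Failure: Unknown user name or bad password')
  second = buggy_tail_step(log)
  [first.record_number, second.record_number]
end

# Record numbers the fixed tail yields over three polls: the one new record,
# an empty batch when nothing arrived, then the two records written since.
def fixed_tail_demo
  log = seed_log
  last_seen = log.read(EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ).record_number
  log.append(529, 'Logon Failure: Unknown user name or bad password')
  batch1, last_seen = fixed_tail_step(log, last_seen)
  batch2, last_seen = fixed_tail_step(log, last_seen)
  log.append(538, 'User Logoff')
  log.append(540, 'Successful Network Logon')
  batch3, _ = fixed_tail_step(log, last_seen)
  [batch1, batch2, batch3].map { |batch| batch.map(&:record_number) }
end
```

One caveat a real implementation has to add on top of this: the security log can be cleared or can wrap when it is full, so the record after the last one seen may no longer exist. A production tail should check GetOldestEventLogRecord on each poll and, if its high-water mark has fallen below the oldest record, restart from the oldest record rather than silently returning nothing.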

