The event log functions are fairly primitive, but quite useful for certain things anyway. Their basic limitation is that they do not expand the message strings into the formatted message text. In other words, rather than getting back a complete event log message like "User btlizard printed 5 pages on printer hplaser", you get back only the insertion strings: {btlizard} {5} {hplaser}. This may seem limiting, but you do get the event ID, which you can correlate with the event ID shown in Event Viewer. I've used this to do some primitive printer accounting, by looking up the ID of the successful print message in Event Viewer, then using these functions to retrieve each record and tally each user's printing.
NT_EventLogOpen ?computerName? eventLogName
NT_EventLogOpen opens the specified log on the local or specified computer, and returns a handle to pass to the other event log functions. NT_CloseHandle should be called to free resources associated with this handle when it is no longer needed.
NT_EventLogOpenBackup ?computerName? fileName
NT_EventLogOpenBackup opens the backup log file on the local or specified computer, and returns a handle to pass to the other event log functions. NT_CloseHandle should be called to free resources associated with this handle when it is no longer needed.
NT_EventLogRead eventLogHandle ?startRecord?
NT_EventLogRead returns a list of events, with each element having the following members:
Record Number
Time Generated
Time Written
Event ID
Event Type
Event Category
Source Name
Computer Name
(insertion strings, one element each)
Each element of the returned list is itself a list: the eight fields above in that order, followed by one element per insertion string. If specified, the optional startRecord parameter sets the record at which the read begins; otherwise the first call starts from the beginning of the log. Each subsequent call to NT_EventLogRead continues from where the last read ended if startRecord is not specified. NT_EventLogRead raises an error when the end of the log is reached, so a read loop has to terminate on catch. Here's a sample read loop:
set elh [NT_EventLogOpen system]
# NT_EventLogRead errors at end of log, so catch ends the loop.  Note that
# catch also swallows any other error (for example, access denied on the
# log), so an empty result is not proof that the log was read to the end.
while {![catch {set reclist [NT_EventLogRead $elh]}]} {
    foreach rec $reclist {
        puts "here's a record: $rec"
    }
}
NT_CloseHandle $elh
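The printer tally described in the introduction, written against the read loop above, as an added example that is not part of the original page. The event ID (10), source name ("Print") and insertion-string layout ({user} {pages} {printer}) are assumptions for illustration; look up the real values for the "document printed" event on your own print server in Event Viewer. The example also masks the Event ID field to its low 16 bits, because the raw record value carries severity and facility bits in its upper half that Event Viewer does not display, and it keeps the error text that ended the read loop so that an access-denied failure is not mistaken for end of log.

```tcl
# Added example: tally pages printed per user from the System log.
# ASSUMED for illustration (check Event Viewer on your print server):
#   the "document printed" event has ID 10 and source "Print", and its
#   insertion strings are laid out as {user} {pages} {printer}.
set printEventId 10
set printSource  "Print"

# Field positions within one NT_EventLogRead record; insertion strings
# follow the eight fixed fields.
set F_EVENTID 3
set F_SOURCE  6
set F_INSERT  8

proc tallyPrinting {eventId source {computer ""}} {
    global F_EVENTID F_SOURCE F_INSERT
    if {[string length $computer]} {
        set elh [NT_EventLogOpen $computer system]
    } else {
        set elh [NT_EventLogOpen system]
    }
    set seen 0
    # NT_EventLogRead raises an error at end of log, so the loop ends on
    # catch.  Any other error (access denied, bad handle) ends it too, so
    # the error text is kept and returned for the caller to inspect.
    while {![catch {set reclist [NT_EventLogRead $elh]} err]} {
        foreach rec $reclist {
            incr seen
            # The raw Event ID carries severity/facility bits in its upper
            # half; Event Viewer shows only the low 16 bits, so mask them.
            set id [expr {[lindex $rec $F_EVENTID] & 0xFFFF}]
            if {$id != $eventId} {continue}
            if {[string compare [lindex $rec $F_SOURCE] $source] != 0} {continue}
            set inserts [lrange $rec $F_INSERT end]
            set user [lindex $inserts 0]
            set n    [lindex $inserts 1]
            # Guard against a layout mismatch: only count a numeric page count.
            if {![regexp {^[0-9]+$} $n]} {continue}
            if {[info exists pages($user)]} {
                incr pages($user) $n
            } else {
                set pages($user) $n
            }
        }
    }
    NT_CloseHandle $elh
    set result {}
    foreach user [lsort [array names pages]] {
        lappend result $user $pages($user)
    }
    # Return: records scanned, the error text that ended the loop, and a
    # flat {user pages user pages ...} list.
    return [list $seen $err $result]
}

set res [tallyPrinting $printEventId $printSource]
puts "scanned [lindex $res 0] records; read loop ended with: [lindex $res 1]"
foreach {user n} [lindex $res 2] {
    puts [format "%-20s %6d pages" $user $n]
}
```

If the reported error text is anything other than the end-of-log message, treat the tally as incomplete rather than as a count of zero.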
NT_EventLogGetNumberOfRecords eventLogHandle
NT_EventLogGetNumberOfRecords returns the number of records in the log associated with eventLogHandle.
NT_EventLogBackup eventLogHandle fileName
NT_EventLogBackup stores a copy of the event log associated with eventLogHandle in the file specified by fileName. This filename cannot be a UNC path. If you want to put the file on another computer, you will need to store it locally first, then copy it.
NT_EventLogClear eventLogHandle ?fileName?
NT_EventLogClear clears the log associated with eventLogHandle. If the fileName parameter is specified, a copy of the log is stored in that file before it is cleared. As with NT_EventLogBackup, this filename cannot be a UNC path. If you want to put the file on another computer, you will need to store it locally first, then copy it.
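The local-then-copy procedure the two descriptions above call for, as an added example that is not part of the original page. It backs up a log to a local file, verifies the backup by reopening it with NT_EventLogOpenBackup and comparing record counts, copies it to a share, and only then clears the live log. The local directory, the share path and the log name are assumptions for illustration.

```tcl
# Added example: archive an event log to a file share and clear it,
# working around the no-UNC rule by writing locally first.
# ASSUMED for illustration: the local archive directory and share path.
set localDir  "C:/logarchive"
set sharePath "//logserver/evtarchive"   ;# UNC: not accepted by NT_EventLogBackup

proc archiveAndClear {logName localDir sharePath} {
    set stamp [clock format [clock seconds] -format "%Y%m%d-%H%M%S"]
    set localFile [file join $localDir "$logName-$stamp.evt"]

    set elh [NT_EventLogOpen $logName]
    set live [NT_EventLogGetNumberOfRecords $elh]
    # Write the backup locally; this call rejects a UNC path.
    NT_EventLogBackup $elh $localFile

    # Before clearing anything, verify the backup by opening it and
    # counting its records against the live log.  Records may arrive
    # between the count and the backup, so the backup may hold more,
    # but never fewer.
    set bh [NT_EventLogOpenBackup $localFile]
    set saved [NT_EventLogGetNumberOfRecords $bh]
    NT_CloseHandle $bh
    if {$saved < $live} {
        NT_CloseHandle $elh
        error "backup $localFile holds $saved records, live log has $live; not clearing"
    }

    # Only now copy it off-box and clear the live log.
    file copy -force $localFile [file join $sharePath [file tail $localFile]]
    NT_EventLogClear $elh
    NT_CloseHandle $elh
    return [list $live $localFile]
}

set r [archiveAndClear security $localDir $sharePath]
puts "archived [lindex $r 0] records to [lindex $r 1] and cleared the log"
```

Any records written between NT_EventLogBackup and NT_EventLogClear are lost with this sequence; passing the fileName argument to NT_EventLogClear does the backup and the clear in one call at the cost of the verification step in between.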
NT_EventLogRegisterSource ?computerName? sourceName
NT_EventLogRegisterSource returns a handle registered with the event log system that allows you to report events, which will show in the Application event log under the specified sourceName. NT_CloseHandle should be used to release resources associated with this handle when it is no longer needed.
NT_EventLogReportEvent eventSourceHandle eventType eventCategory eventID eventMessage
NT_EventLogReportEvent adds an entry to the event log through the eventSourceHandle obtained from NT_EventLogRegisterSource. eventType, eventCategory, and eventID must be integers.
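Reporting an event from a script, as an added example that is not part of the original page. The eventType values are the Win32 EVENTLOG_* constants; the source name, event ID and message text are assumptions for illustration. The wrapper releases the source handle whether or not the report succeeds.

```tcl
# Added example: write an event from a script and release the source
# handle even if reporting fails.  Source name, event ID and message are
# ASSUMED for illustration.
#
# eventType takes the Win32 EVENTLOG_* constants:
set EVENTLOG_SUCCESS          0
set EVENTLOG_ERROR_TYPE       1
set EVENTLOG_WARNING_TYPE     2
set EVENTLOG_INFORMATION_TYPE 4
set EVENTLOG_AUDIT_SUCCESS    8
set EVENTLOG_AUDIT_FAILURE    16

proc reportScriptEvent {sourceName eventType eventId message {computer ""}} {
    if {[string length $computer]} {
        set esh [NT_EventLogRegisterSource $computer $sourceName]
    } else {
        set esh [NT_EventLogRegisterSource $sourceName]
    }
    # eventType, eventCategory and eventID must be integers; category 0
    # means "none".  Catch so the handle is closed on failure too.
    set rc [catch {NT_EventLogReportEvent $esh $eventType 0 $eventId $message} err]
    NT_CloseHandle $esh
    if {$rc} {
        error "could not report event $eventId as $sourceName: $err"
    }
    return $eventId
}

# Example use: record a failed privileged operation with enough context
# to be useful when the Application log is reviewed later.
reportScriptEvent "TclAdminScript" $EVENTLOG_WARNING_TYPE 1001 \
    "Backup of share \\\\fileserver\\data failed: access denied on [info hostname]"
```

Because the source name is not registered with a message file, Event Viewer will show a "description for Event ID ... cannot be found" notice followed by the message string; the text is still in the log and is what these read functions return. Note also that any process able to write the Application log can choose its source name freely, so a source name identifies a category of events, not the writer.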