个人中心
gpt4 book ai didi

events - JNA 事件日志阅读器

转载 作者:行者123 更新时间:2023-12-02 00:23:22 24 4
gpt4 key购买 nike

我正在使用以下代码使用 JNA 读取 Windows 应用程序事件日志。我希望能够指定从哪个事件开始,而不是总是从第一个事件开始。有没有人有什么建议?

import java.io.IOException;
import com.sun.jna.*;
import com.sun.jna.platform.win32.*;
import com.sun.jna.platform.win32.WinNT.*;
import com.sun.jna.ptr.IntByReference;

public class test {

    public static void main(String[] args) throws NumberFormatException, IOException {

        HANDLE h = Advapi32.INSTANCE.OpenEventLog("ServerName", "Application");
        IntByReference pnBytesRead = new IntByReference();
        IntByReference pnMinNumberOfBytesNeeded = new IntByReference();
        Memory buffer = new Memory(1024 * 64);
        IntByReference pOldestRecord = new IntByReference();
        assertTrue(Advapi32.INSTANCE.GetOldestEventLogRecord(h, pOldestRecord));

        int dwRecord = pOldestRecord.getValue();
        int rc = 0;
        while(true) {
            if (! Advapi32.INSTANCE.ReadEventLog(h, WinNT.EVENTLOG_SEQUENTIAL_READ | WinNT.EVENTLOG_FORWARDS_READ, 
                        0, buffer, (int) buffer.size(), pnBytesRead, pnMinNumberOfBytesNeeded)) {
                rc = Kernel32.INSTANCE.GetLastError();
                if (rc == W32Errors.ERROR_INSUFFICIENT_BUFFER) {
                    buffer = new Memory(pnMinNumberOfBytesNeeded.getValue());
                    continue;
                }                
                break;
            }
            int dwRead = pnBytesRead.getValue();
            Pointer pevlr = buffer;
            while (dwRead > 0) 
            {
                EVENTLOGRECORD record = new EVENTLOGRECORD(pevlr);
                System.out.println(dwRecord + " Event ID: " + record.EventID.intValue());

                dwRecord++;
                dwRead -= record.Length.intValue();
                pevlr = pevlr.share(record.Length.intValue());
            }
       }
       assertTrue(rc == W32Errors.ERROR_HANDLE_EOF);
       assertTrue(Advapi32.INSTANCE.CloseEventLog(h));        
   }


   private static void assertTrue(boolean getOldestEventLogRecord) {
   }

}

最佳答案

邦多,这是一个可能的解决方案。在我的测试中,它读取了应用程序事件下的所有 570 个事件日志;每个事件日志将详细显示其事件日志记录数据。

代码解决方案:

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.util.Arrays;

import com.sun.jna.*;
import com.sun.jna.platform.win32.*;
import com.sun.jna.platform.win32.WinNT.*;
import com.sun.jna.ptr.IntByReference;

public class Test {

    public static void main(String[] args) throws NumberFormatException, IOException {

        HANDLE h = com.sun.jna.platform.win32.Advapi32.INSTANCE.OpenEventLog(null, "Application");
        IntByReference pnBytesRead = new IntByReference();
        IntByReference pnMinNumberOfBytesNeeded = new IntByReference();

        IntByReference pOldestRecord = new IntByReference();
        assertTrue(com.sun.jna.platform.win32.Advapi32.INSTANCE.GetOldestEventLogRecord(h, pOldestRecord));
        int dwRecord = pOldestRecord.getValue();
        System.out.println("OLD: " + dwRecord);
        IntByReference pRecordCount = new IntByReference();
        assertTrue(com.sun.jna.platform.win32.Advapi32.INSTANCE.GetNumberOfEventLogRecords(h, pRecordCount));
        int dwRecordCnt = pRecordCount.getValue();
        System.out.println("CNT: " + dwRecordCnt);

        int bufSize = 0x7ffff; //(r.size()) * 2048;
        Memory buffer = new Memory(bufSize);
        int rc = 0;
        int cnt = 0;
        while(com.sun.jna.platform.win32.Advapi32.INSTANCE.ReadEventLog(h, 
                WinNT.EVENTLOG_SEEK_READ  /*
                | WinNT.EVENTLOG_SEQUENTIAL_READ */ 
                | WinNT.EVENTLOG_FORWARDS_READ /*
                | WinNT.EVENTLOG_BACKWARDS_READ*/
                , 
                dwRecord, buffer, 
                bufSize, 
                pnBytesRead, 
                pnMinNumberOfBytesNeeded)) {

            rc = Kernel32.INSTANCE.GetLastError();
            if (rc == W32Errors.ERROR_INSUFFICIENT_BUFFER) {
                break;
            }        

            int dwRead = pnBytesRead.getValue();
            Pointer pevlr = buffer;

            while (dwRead > 0) 
            {
                cnt++;
                EVENTLOGRECORD record = new EVENTLOGRECORD(pevlr);
                System.out.println("------------------------------------------------------------");
                System.out.println(cnt+". " + dwRecord + " Event ID: " + record.EventID.shortValue() + " SID: " + record.UserSidLength);

                dwRecord++;

                // WCHAR SourceName[]
                // WCHAR Computername[]
                {
                    ByteBuffer names = pevlr.getByteBuffer(record.size(), 
                            (record.UserSidLength.intValue() != 0 ? record.UserSidOffset.intValue() : record.StringOffset.intValue()) - record.size());
                    names.position(0);
                    CharBuffer namesBuf = names.asCharBuffer();
                    String[] splits = namesBuf.toString().split("\0");
                    System.out.println("SOURCE NAME: \n" + splits[0]);
                    System.out.println("COMPUTER NAME: \n" + splits[1]);
                }
                // SID   UserSid
                if (record.UserSidLength.intValue() != 0){
                    ByteBuffer sid = pevlr.getByteBuffer(record.UserSidOffset.intValue(), record.UserSidLength.intValue());
                    sid.position(0);
                    //CharBuffer sidBuf = sid.asCharBuffer();
                    byte[] dst = new byte[record.UserSidLength.intValue()];
                    sid.get(dst);
                    System.out.println("SID: \n" + Arrays.toString(dst));
                }
                else {
                    System.out.println("SID: \nN/A");
                }
                // WCHAR Strings[]
                {
                    ByteBuffer strings = pevlr.getByteBuffer(record.StringOffset.intValue(), record.DataOffset.intValue() - record.StringOffset.intValue());
                    strings.position(0);
                    CharBuffer stringsBuf = strings.asCharBuffer();
                    System.out.println("STRINGS["+record.NumStrings.intValue()+"]: \n" + stringsBuf.toString());
                }
                // BYTE  Data[]
                {
                    ByteBuffer data = pevlr.getByteBuffer(record.DataOffset.intValue(), record.DataLength.intValue());
                    data.position(0);
                    CharBuffer dataBuf = data.asCharBuffer();
                    System.out.println("DATA: \n" + dataBuf.toString());
                }
                // CHAR  Pad[]
                // DWORD Length;

                dwRead -= record.Length.intValue();
                pevlr = pevlr.share(record.Length.intValue());
            }
        }
        assertTrue(rc == W32Errors.ERROR_HANDLE_EOF);
        assertTrue(com.sun.jna.platform.win32.Advapi32.INSTANCE.CloseEventLog(h));        
    }


    private static void assertTrue(boolean getOldestEventLogRecord) {

    }

}

示例输出(最后一个事件日志): 
------------------------------------------------------------
570. 26957 Event ID: 107 SID: 0
SOURCE NAME: 
Report Server Windows Service (VOSTRO)
COMPUTER NAME: 
CVS
SID: 
N/A
STRINGS[1]: 
Report Server Windows Service (VOSTRO)
DATA:

备注:

我已经设置了 lpBuffer 最大大小为 0x7FFFF 字节。

它使用 WinNT.EVENTLOG_SEEK_READ记录号偏移量 的模式dwRecordOffset 从最早的记录号开始。

while 循环将在 ReadEventLog() 时中断方法返回零及其 GetLastError()返回 W32Errors.ERROR_INSUFFICIENT_BUFFER .

事件 ID 应在 中读取短正确的值: record.EventID.shortValue()

关于events - JNA 事件日志阅读器,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9949798/

24 4 0
文章推荐: visual-studio-2010 - IIS Express + Visual Studio 2010 + 非本地项目 Url
文章推荐: cdi - 指定带有限定符的构造型不起作用?
文章推荐: Django查询集按时间间隔聚合
文章推荐: vim - vimscript 函数输出中显示不需要的控制字符
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com