Read a specific Windows event log event

I am working on a program and do not know how I can read a specific entry in the Windows event log based on the record number that this script already has. Below is the code I'm working with, but I don't want to iterate over all the events until I find the one I'm looking for. Any ideas?

    import win32evtlog

    server = 'localhost'  # name of the target computer to get event logs from
    logtype = 'System'
    hand = win32evtlog.OpenEventLog(server, logtype)
    flags = win32evtlog.EVENTLOG_BACKWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    total = win32evtlog.GetNumberOfEventLogRecords(hand)

    found = False
    while not found:
        events = win32evtlog.ReadEventLog(hand, flags, 0)
        if not events:
            break  # no more records in the log
        for event in events:
            # EventID is an integer; the low 16 bits are the ID shown in Event Viewer
            if event.EventID & 0xFFFF == 27035:
                print('Event Category:', event.EventCategory)
                print('Time Generated:', event.TimeGenerated)
                print('Source Name:', event.SourceName)
                print('Event ID:', event.EventID)
                print('Event Type:', event.EventType)
                data = event.StringInserts
                if data:
                    print('Event Data:')
                    for msg in data:
                        print(msg)
                found = True
                break
3 answers

No! There are no functions available that allow you to retrieve an event based on the event ID.

Link: Event Logging Functions

- GetNumberOfEventLogRecords: Retrieves the number of records in the specified event log.
- GetOldestEventLogRecord: Retrieves the absolute record number of the oldest record in the specified event log.
- NotifyChangeEventLog: Enables an application to receive notification when an event is written to the specified event log.
- ReadEventLog: Reads a whole number of entries from the specified event log.
- RegisterEventSource: Retrieves a registered handle to the specified event log.

The only other method of interest is the one for the oldest event.

You will have to go through the results anyway, and your approach is correct :)

You can change the form of your approach, as shown below, but this is optional.

    events = win32evtlog.ReadEventLog(hand, flags, 0)
    # EventID is an integer; mask off the qualifier bits before comparing
    events_list = [event for event in events if event.EventID & 0xFFFF == 27035]
    if events_list:
        print('Event Category:', events_list[0].EventCategory)

It is the same as what you do, but more concise.
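The answer above covers filtering on the event ID; the record number from the question is a different key, and ReadEventLog has a seek mode (EVENTLOG_SEEK_READ) that starts the read at a given record number instead of walking the log. The following is an added example, not code from any of the posts; it assumes pywin32 is installed and that the record number (1000 below is a made-up value) comes from the caller:

```python
"""Seek to a specific record with pywin32 (added example, not from the posts)."""

# pywin32 returns the full 32-bit event identifier: the qualifier word sits in
# the high 16 bits, the ID shown in Event Viewer in the low 16 bits.
EVENT_ID_MASK = 0xFFFF


def event_id_from_raw(raw_event_id):
    """Return the 16-bit event ID as Event Viewer displays it."""
    return raw_event_id & EVENT_ID_MASK


def matches_event_id(raw_event_id, wanted):
    """Compare a raw pywin32 EventID with an int or numeric string (e.g. "27035")."""
    return event_id_from_raw(raw_event_id) == int(wanted)


def read_record(record_number, logtype="System", server="localhost"):
    """Return the event whose RecordNumber is record_number, or None.

    EVENTLOG_SEEK_READ starts the read at that record instead of walking the
    log from one end; None means the record was overwritten or never existed.
    """
    import win32evtlog  # Windows-only, so imported here to keep the helpers above portable

    hand = win32evtlog.OpenEventLog(server, logtype)
    try:
        oldest = win32evtlog.GetOldestEventLogRecord(hand)
        total = win32evtlog.GetNumberOfEventLogRecords(hand)
        if not oldest <= record_number < oldest + total:
            return None  # outside the range currently held in the log
        flags = win32evtlog.EVENTLOG_SEEK_READ | win32evtlog.EVENTLOG_FORWARDS_READ
        for event in win32evtlog.ReadEventLog(hand, flags, record_number):
            if event.RecordNumber == record_number:
                return event
        return None
    finally:
        win32evtlog.CloseEventLog(hand)


if __name__ == "__main__":
    ev = read_record(1000)  # constructed record number for demonstration
    if ev is not None:
        print("Record", ev.RecordNumber, "source", ev.SourceName,
              "event ID", event_id_from_raw(ev.EventID))
```

Note that the masking matters for the original comparison too: comparing `event.EventID` against the string `"27035"` never matches, and even an integer comparison can fail when the qualifier bits are set.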


I understand that this is an old question, but I stumbled upon it, and if I did, others can too.

You can also write custom requests that allow you to request any WMI parameters that you can script (including the event identifier). It also gives you the ability to pull and delete all the VBS WMI requests that are there. I use this function more often than any other. Examples:

Here's a sample for requesting a specific event in the application log. I did not seal it, but you can also create a temporary WMI string and request events between or from a specific date / time.

    #! py -3
    import sys

    import wmi


    def main():
        rval = 0  # Default: check passes.
        # Initialize WMI objects and query.
        wmi_o = wmi.WMI('.')
        wql = ("SELECT * FROM Win32_NTLogEvent WHERE Logfile="
               "'Application' AND EventCode='3036'")
        # Query WMI object.
        wql_r = wmi_o.query(wql)
        if len(wql_r):
            rval = -1  # Check fails: at least one matching event exists.
        return rval


    if __name__ == '__main__':
        sys.exit(main())  # propagate the check result as the exit code

Now there is a Python library that will do what you request, winevt. What you are looking for can be done using the following:

    from winevt import EventLog

    # XPath filter on the System log; next() returns the first matching event
    query = EventLog.Query("System", "Event/System[EventID=27035]")
    event = next(query)
