Hello everyone,
I am making a program that reads and stores data from Windows
EventLog files (.evt) in C++. I am using the calls OpenBackupEventLog(ServerName, FileName) and ReadEventLog(...). Also using this: PEVENTLOGRECORD
Anyway, without supplying all of the code, here is the basic idea:
1. I get a handle to the .evt file using OpenBackupEventLog() and passing in a file name.
2. I then use ReadEventLog() to fill up a buffer with an unknown number of
EventLog messages.
3. I traverse through the buffer and add each message to a vector
4. I keep filling up buffers (repeat steps 2 and 3) until I reach the end of the file.
Here is my code for filling the vector:
vector<PEVENTLOGRECORD> allRecords;
while(_status == ERROR_SUCCESS)
{
if(!ReadEventLog(...))
CheckStatus();
else
FillVectorFromBuffer(allRecords)
}
// Function FillVectorFromBuffer
FillVectorFromBuffer(vector(PEVENTLOGRECORD) &allRecords)
{
int bytesExamined = 0;
PBYTE pRecord = (PBYTE)_lpBuffer; // This is one of the params in ReadEventLog()
while(bytesExamined < _pnBytesRead) // Another param from ReadEventLog
{
PEVENTLOGRECORD currentRecord = (PEVENTLOGRECORD)(pRecord);
allRecords.push_back(currentRecord);
pRecord += currentRecord->Length;
bytesExamined += currentRecord->Length;
}
}
Anyway, whenever I run this, it will get all the EventLogs in the file, and the vector will have everything I want it to. But as soon as this line:
if(!ReadEventLog())
gets called and returns true (aka ReadEventLog() returns false), then every field in my vector gets set to zero.
The vector will still contain the correct number of elements, it's just that all of the fields in the PEVENTLOGRECORD struct are now zero.
Anyone with better debugging experience have any ideas?
Thanks.
