Manual Reference Pages  -  PARSE::EVTX2 (3)

NAME

Parse::Evtx2 - parses a Microsoft Windows Vista event log file (.evtx)

SYNOPSIS



    use IO::File;
    use Parse::Evtx2;

    # open a handle on your event log file (an IO::File object is required)
    my $fh = IO::File->new("Application.evtx", "r");

    # create a parser object
    my $parser = Parse::Evtx2->new(FH => $fh);

    # iterate through all event records
    my $event = $parser->get_first_event();
    while (defined $event) {
        print $event->get_xml();
        $event = $parser->get_next_event();
    }

    # all done, close the file handle
    $fh->close();



DESCRIPTION

Microsoft Windows Vista records events in a proprietary binary file format. An object of this class represents a parser for one Vista event log file. The main purpose of this module is to translate event log files from their native binary form into textual XML.

The Evtx object instantiates chunk objects as needed.

METHODS

    new

This is the constructor for the parser class.

Parameters

    FH  This is a handle object for the event log file. The object is required to be a descendant of IO::File.

    check

This method checks the file for certain errors and marks them in a return code. Right now, only the CRC32 check of the file header is implemented.

    get_current_chunk

This method returns a pointer to the current Parse::Evtx2::Chunk object.

    get_first_chunk

This method retrieves the first chunk from a file. A prior call to get_first_chunk must have succeeded. The method then returns a Parse::Evtx2 object on success and undef on failure. Note that get_first_chunk changes the file pointer in the associated file handle object. A pointer to the chunk object is stored in the Evtx object and can be retrieved by calling get_current_chunk.

    get_next_chunk

This method retrieves the next chunk from a file. It returns a Parse::Evtx2 object on success and undef on failure. Note that get_next_chunk changes the file pointer in the associated file handle object. A pointer to the chunk object is stored in the Evtx object and can be retrieved by calling get_current_chunk.

    get_first_event

This method retrieves the first event record from a file. It returns a Parse::Evtx2::Event object on success and undef on failure. Note that get_first_event changes the file pointer in the associated file handle object. As a side effect the method will instantiate the first chunk object.

    get_next_event

This method retrieves the next event record from a file. It returns a Parse::Evtx2::Event object on success and undef on failure. Note that get_next_event changes the file pointer in the associated file handle object. The method loads new chunks as needed.

DIAGNOSTICS

new returns undef if it doesn't recognize the format of the file. If you are attempting to parse a single chunk from a corrupted file, then create an instance of Parse::Evtx2::Chunk instead.

Other errors will be signalled through assertions and make the parser die().
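The following script is an added example, not code from the Parse::Evtx2 distribution. It puts the methods above together with the two failure modes named under DIAGNOSTICS: new returning undef for an unrecognised file, and assertions calling die() on corrupted data, which a forensic dump should survive rather than abort on. The only assumption beyond what this page states is the meaning of the value returned by check: the page says errors are "marked in a return code", so the script treats a true value as "a problem was found".

```perl
#!/usr/bin/perl
# Added example (not part of Parse::Evtx2): dump an .evtx file to XML while
# tolerating an unrecognised header and corrupted records.
use strict;
use warnings;
use IO::File;
use Parse::Evtx2;

# The log path is taken from the command line; no file is bundled here.
my $path = shift @ARGV or die "usage: $0 <file.evtx>\n";

# The module requires an IO::File descendant as its file handle.
my $fh = IO::File->new($path, "r") or die "cannot open $path: $!\n";
$fh->binmode;    # evtx is a binary format

# new() returns undef when the file format is not recognised (DIAGNOSTICS).
my $parser = Parse::Evtx2->new(FH => $fh)
    or die "$path: not recognised as an evtx file "
         . "(for a single chunk of a corrupted file use Parse::Evtx2::Chunk)\n";

# check() performs the CRC32 check of the file header.
# Assumption: a true return value means the check flagged a problem.
if ($parser->check()) {
    warn "$path: header CRC32 check flagged a problem; continuing anyway\n";
}

my ($dumped, $failed) = (0, 0);

# get_first_event() instantiates the first chunk and moves the file pointer;
# get_next_event() loads further chunks as needed.
my $event = $parser->get_first_event();
while (defined $event) {
    # Other errors are signalled through assertions and die(), so wrap the
    # per-record work in eval to keep going past a corrupted record.
    my $xml = eval { $event->get_xml() };
    if (defined $xml) {
        print $xml, "\n";
        $dumped++;
    } else {
        $failed++;
        warn "record " . ($dumped + $failed) . ": $@";
    }

    $event = eval { $parser->get_next_event() };
    warn "stopped iterating: $@" if $@;    # loop ends, $event is undef
}

$fh->close();
printf STDERR "%s: %d events dumped, %d records failed\n",
    $path, $dumped, $failed;
```

Writing the XML to stdout and the diagnostics to stderr keeps the dump usable as input for further processing even when some records are unreadable, and the final counts make a silently truncated dump visible.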

DEPENDENCIES

This module depends on the following non-standard modules, which are not part of this package:

    Carp::Assert
    Data::Hexify
    Digest::CRC
    Math::BigInt

SEE ALSO

evtxdump.pl, evtxtemplates.pl, Parse::Evtx2::Chunk, Parse::Evtx2::Event

HISTORY

    v1.0.0 (2007-08-10) Initial release.
    v1.0.1 (2009-12-21) Bugfixes, improved parsing of header.
    v1.0.3 (2010-02-11) Implemented CRC32 check.
    v1.0.4 (2010-03-23) Updated CRC32 header check.
    v1.0.5 (2010-04-27) Improved CRC32 checks.
    v1.0.6 (2010-05-13) Fixed error in CRC32 checks.
    v1.0.8 (2011-05-25) Parse OldestChunk in header.
    v1.1.1 (2011-11-17) Fixed memory leak.

AUTHOR

Andreas Schuster (schuster@cpan.org)

LICENSE AND COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.

perl v5.20.3 PARSE::EVTX2 (3) 2012-05-28
