Eventlog entries

Post by Srira » Tue, 04 Jun 2002 17:37:35



I am writing an intermediate driver and want to know how
to log my events into the system's event log.
I have read about NdisWriteEventLogEntry but it does not make much
sense to me. Any sample code will be helpful.
 
 
 

Post by Youssef Barakat [MS » Wed, 05 Jun 2002 02:33:17


Here is a sample function taken from a sample protocol driver that writes to
the event log:

VOID
StWriteGeneralErrorLog(
    IN PDEVICE_CONTEXT DeviceContext,
    IN NTSTATUS ErrorCode,
    IN ULONG UniqueErrorValue,
    IN NTSTATUS FinalStatus,
    IN PWSTR SecondString,
    IN ULONG DumpDataCount,
    IN ULONG DumpData[]
    )

/*++

Routine Description:

    This routine allocates and writes an error log entry indicating
    a general problem as indicated by the parameters. It handles
    event codes REGISTER_FAILED, BINDING_FAILED, ADAPTER_NOT_FOUND,
    TRANSFER_DATA, TOO_MANY_LINKS, and BAD_PROTOCOL. All these
    events have messages with one or two strings in them.

Arguments:

    DeviceContext - Pointer to the device context, or this may be
        a driver object instead.

    ErrorCode - The transport event code.

    UniqueErrorValue - Used as the UniqueErrorValue in the error log
        packet.

    FinalStatus - Used as the FinalStatus in the error log packet.

    SecondString - If not NULL, the string to use as the %3
        value in the error log packet.

    DumpDataCount - The number of ULONGs of dump data.

    DumpData - Dump data for the packet.

Return Value:

    None.

--*/

{
    PIO_ERROR_LOG_PACKET errorLogEntry;
    UCHAR EntrySize;
    ULONG SecondStringSize;
    PUCHAR StringLoc;
    static WCHAR DriverName[3] = L"St";

    EntrySize = (UCHAR)(sizeof(IO_ERROR_LOG_PACKET) +
                (DumpDataCount * sizeof(ULONG)));

    if (DeviceContext->Type == IO_TYPE_DEVICE) {
        EntrySize += (UCHAR)DeviceContext->DeviceNameLength;
    } else {
        EntrySize += sizeof(DriverName);
    }

    if (SecondString) {
        SecondStringSize = (wcslen(SecondString)*sizeof(WCHAR)) +
                           sizeof(UNICODE_NULL);
        EntrySize += (UCHAR)SecondStringSize;
    }

    errorLogEntry = (PIO_ERROR_LOG_PACKET)IoAllocateErrorLogEntry(
        (PDEVICE_OBJECT)DeviceContext,
        EntrySize
    );

    if (errorLogEntry != NULL) {

        errorLogEntry->MajorFunctionCode = (UCHAR)-1;
        errorLogEntry->RetryCount = (UCHAR)-1;
        errorLogEntry->DumpDataSize = (USHORT)(DumpDataCount * sizeof(ULONG));
        errorLogEntry->NumberOfStrings = (SecondString == NULL) ? 1 : 2;
        errorLogEntry->StringOffset = (USHORT)(sizeof(IO_ERROR_LOG_PACKET) +
                                      ((DumpDataCount-1) * sizeof(ULONG)));
        errorLogEntry->EventCategory = 0;
        errorLogEntry->ErrorCode = ErrorCode;
        errorLogEntry->UniqueErrorValue = UniqueErrorValue;
        errorLogEntry->FinalStatus = FinalStatus;
        errorLogEntry->SequenceNumber = (ULONG)-1;
        errorLogEntry->IoControlCode = 0;

        if (DumpDataCount) {
            RtlCopyMemory(errorLogEntry->DumpData, DumpData,
                          DumpDataCount * sizeof(ULONG));
        }

        StringLoc = ((PUCHAR)errorLogEntry) + errorLogEntry->StringOffset;
        if (DeviceContext->Type == IO_TYPE_DEVICE) {
            RtlCopyMemory (StringLoc, DeviceContext->DeviceName,
                           DeviceContext->DeviceNameLength);
            StringLoc += DeviceContext->DeviceNameLength;
        } else {
            RtlCopyMemory (StringLoc, DriverName, sizeof(DriverName));
            StringLoc += sizeof(DriverName);
        }
        if (SecondString) {
            RtlCopyMemory (StringLoc, SecondString, SecondStringSize);
        }

        IoWriteErrorLogEntry(errorLogEntry);

    }

}   /* StWriteGeneralErrorLog */

Hope this helps.

-Youssef.

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 

Post by Rohit Rain » Wed, 05 Jun 2002 04:38:51


Create a message file, compile it and include it in your binary (.sys). Also,
include this information in the INF file (EventMessageFile).
Now you can use "NdisWriteErrorLogEntry" with the message numbers from the
message file...
You can also use standard NDIS messages (in netevent.dll file).
What exactly are the problems you are facing...

--
-R!
This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
 

Post by Srira » Thu, 06 Jun 2002 01:16:38


I have already created the .mc file and compiled it with
the message compiler. This creates a .rc, .h and .bin file.
I understand that the .h file contains all the definitions.

I want clarification on the following:
1.
Do we need to create a .res file? If so, how do I do that?
Otherwise, which file should I include in the build process
other than the .h file?

2.
In the event viewer I want to show the classification, like
information/error/warning, time of occurrence etc.
With "NdisWriteErrorLogEntry", how do we indicate these
parameters?

with regards

Sriram.


 
 
 

Post by Rohit Rain » Sat, 08 Jun 2002 04:46:36


> 1.
> Do we need to create a .res file? If so, how do I do that?
> Otherwise, which file should I include in the build process
> other than the .h file?

You don't need to create a .RES file.  Include the .RC file in the build
process.
The contents of the RC file will be something like this (say FooMsg.rc)...

"Language 0x9, 0x1
1  11  MSGxxxx.bin"

In the sources file use it with the "sources" line like:
SOURCES=foo.c\
        FooMsg.rc

The header file can be included in "foo.c"

> 2.
> In the event viewer I want to show the classification, like
> information/error/warning, time of occurrence etc.
> With "NdisWriteErrorLogEntry", how do we indicate these
> parameters?

  The event codes/numbers are 32 bit values laid out as follows:

   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
  +---+-+-+-----------------------+-------------------------------+
  |Sev|C|R|     Facility          |               Code            |
  +---+-+-+-----------------------+-------------------------------+

  where

      Sev (two bits) - is the severity code

          00 - Success
          01 - Informational
          10 - Warning
          11 - Error

      C - is the Customer code flag
      R - is a reserved bit
      Facility - is the facility code
      Code - is the facility's status code

--
-R!
This posting is provided "AS IS" with no warranties, and confers no rights.
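
The field layout described above can be checked with a small decoder. This is an added example, not code from the thread or the DDK; the struct and function names are made up for the illustration, and the value decoded in main is the failure code reported later in this thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 32-bit event code, following the layout in the post above. */
struct event_code {
    unsigned severity;  /* bits 31-30 */
    unsigned customer;  /* bit 29 */
    unsigned reserved;  /* bit 28 */
    unsigned facility;  /* bits 27-16 */
    unsigned code;      /* bits 15-0 */
};

/* Split a status value, as printed in signed decimal, into its fields. */
struct event_code decode_event(int32_t status)
{
    uint32_t v = (uint32_t)status;  /* same bits, viewed as unsigned */
    struct event_code e;
    e.severity = (v >> 30) & 0x3u;
    e.customer = (v >> 29) & 0x1u;
    e.reserved = (v >> 28) & 0x1u;
    e.facility = (v >> 16) & 0xFFFu;
    e.code     = v & 0xFFFFu;
    return e;
}

/* Rebuild the 32-bit value; out-of-range fields are masked off. */
uint32_t encode_event(struct event_code e)
{
    return ((uint32_t)(e.severity & 0x3u) << 30) |
           ((uint32_t)(e.customer & 0x1u) << 29) |
           ((uint32_t)(e.reserved & 0x1u) << 28) |
           ((uint32_t)(e.facility & 0xFFFu) << 16) |
           (uint32_t)(e.code & 0xFFFFu);
}

const char *severity_name(unsigned sev)
{
    static const char *const n[] = {"Success", "Informational", "Warning", "Error"};
    return n[sev & 0x3u];
}

int main(void)
{
    struct event_code e = decode_event(-1073676266); /* value from the thread */
    printf("0x%08lX: %s, C=%u, R=%u, facility=0x%03X, code=0x%04X\n",
           (unsigned long)encode_event(e), severity_name(e.severity),
           e.customer, e.reserved, e.facility, e.code);
    return 0;
}
```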

 
 
 

Post by Srira » Sat, 08 Jun 2002 13:24:46


Thanks Rohit.

I still have a major problem with NdisWriteEventLogEntry.
I badly need help with the following:

I was able to use the NdisWriteEventLogEntry function
in the following manner.

Status =
NdisWriteEventLogEntry(IMDriverObject,
                  MSG_INFO_1,
                  1,     // Unique Event Id; What is this ?
                  0,     // String List Count
                  NULL,  // String List
                  0,     // Data Size
                  NULL); // Data

With the above call I am able to put the entries
in the Event Log.

But if I use it like this, the function call FAILS

for(i=0; i < 64; i++)
    DeviceX[i] = 0;

Devicelen = wcslen(L"MyProtocol");

memcpy(DeviceX + len, L"MyProtocol",
        Devicelen * sizeof(WCHAR));

len += Devicelen;
DeviceX[len] = '\0';
len += sizeof(CHAR);

Devicelen = wcslen(L"Test Message");
memcpy(DeviceX + len, L"Test Message",
       Devicelen * sizeof(WCHAR));
len += Devicelen;
DeviceX[len] = '\0';

Status =
NdisWriteEventLogEntry(IMDriverObject,
                    MSG_INFO_2,
                    2,
                    2, //StringList Count
                    (PVOID) DeviceX,
                    0,
                    NULL);

The function crashes.

Basically my idea is:
I have a resource-defined string like
Adapter Link up [%1]
I want to provide the additional string through
the string list, and I expect the %1 will be replaced
by that.

Any help on this will be greatly appreciated.

with regards

Sriram.


 
 
 

Post by Rohit Rain » Sun, 09 Jun 2002 05:16:22


Sriram, Hi

NdisWriteEventLogEntry essentially is *IoAllocateErrorLogEntry +
IoWriteErrorLogEntry*.
You can relate the members of   *IO_ERROR_LOG_PACKET* and the parameters to
NdisWriteEventLogEntry...

Before trying to use resource types -- try some thing simpler. Try using a
constant string (with numstrings = 1) and make sure that your string is a
proper unicode string -- get it to work.

Also give a try to *NdisWriteErrorLogEntry*

when you say that NdisWriteEventLogEntry fails -- what return value do you
get ??

--
-R!
This posting is provided "AS IS" with no warranties, and confers no rights.
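
The packet built by StWriteGeneralErrorLog earlier in the thread and the string list asked about above come down to the same byte arithmetic: a fixed header, the dump data, then consecutive NUL-terminated 16-bit strings. The sketch below is an added example in portable user-mode C, not code from the thread or the DDK; it keeps sizes in size_t and checks each addition against a limit, since a UCHAR size such as the sample's EntrySize cannot hold a sum above 255. HDR_SIZE, wch, pack_entry and the sample strings are assumptions made for the illustration, and LIMIT_SIZE uses the (256-16) value quoted later in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins for this sketch, not the DDK definitions. */
#define HDR_SIZE   40u            /* hypothetical size of the fixed header */
#define LIMIT_SIZE (256u - 16u)   /* limit value quoted in the thread */
typedef uint16_t wch;             /* 16-bit character, like WCHAR */

/* Constructed sample strings: a driver name and one insertion string. */
const wch SAMPLE_NAME[] = { 'S', 't', 0 };
const wch SAMPLE_TEXT[] = { 'L', 'i', 'n', 'k', ' ', 'u', 'p', 0 };

/* Bytes occupied by a NUL-terminated 16-bit string, terminator included. */
static size_t wbytes(const wch *s)
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return (n + 1) * sizeof(wch);
}

/*
 * Lay out [header][dump data][string 0][string 1]... in out[cap].
 * Returns the total size, or 0 if the entry would exceed LIMIT_SIZE or cap.
 * *str_off receives the byte offset of the first string.
 */
size_t pack_entry(uint8_t *out, size_t cap, const uint32_t *dump, size_t ndump,
                  const wch *const *strs, size_t nstrs, size_t *str_off)
{
    size_t total, off, i;
    if (ndump > (LIMIT_SIZE - HDR_SIZE) / sizeof(uint32_t)) return 0;
    total = HDR_SIZE + ndump * sizeof(uint32_t);
    *str_off = total;
    for (i = 0; i < nstrs; i++) {            /* pass 1: size, checked per add */
        size_t b = wbytes(strs[i]);
        if (b > LIMIT_SIZE - total) return 0;
        total += b;
    }
    if (total > cap) return 0;

    memset(out, 0, HDR_SIZE);                /* header fields omitted here */
    if (ndump) memcpy(out + HDR_SIZE, dump, ndump * sizeof(uint32_t));
    for (off = *str_off, i = 0; i < nstrs; i++) {   /* pass 2: copy strings */
        size_t b = wbytes(strs[i]);
        memcpy(out + off, strs[i], b);       /* offsets counted in bytes */
        off += b;
    }
    return total;
}
```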

 
 
 

Post by Srira » Thu, 13 Jun 2002 00:24:10


Rohit,
I was able to crack the problem finally.
The problem is that in the .mc file I need
to start from %2 for replacements instead of
%1.

Once I did that it started working.

I have a small problem though.
If any message is longer than 84 characters,
the function returns a failure code (-1073676266).

Can you tell me how to overcome this problem?

with regards

Sriram


 
 
 

Post by Rohit Rain » Fri, 14 Jun 2002 01:53:28


> I have a small problem though.
> If any message is longer than 84 characters,
> the function returns a failure code (-1073676266).

> Can you tell me how to overcome this problem?

The system places a limit on the potential size of an error log record. For
Windows 2000 and later versions, the limit is defined as
ERROR_LOG_MAXIMUM_SIZE.

--
-R!
This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 

Post by Srira » Sun, 16 Jun 2002 22:06:32


I find that ERROR_LOG_MAXIMUM_SIZE is defined as

#define ERROR_LOG_LIMIT_SIZE (256-16)

In which case I should not be facing the problem.
What could be the problem ?

with regards

Sriram.


 
 
 

Post by Rohi » Fri, 21 Jun 2002 06:33:03


Sriram, try some trial and error here forth :)

-R!
This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 

1. OID mystery and NT Eventlog traps

Hi.

I'm new at this SNMP stuff and I need some help. My biggest problem is to
find the info I need. First of all I would like to identify corporation on
the OID. I'm getting a trap on my manager from 1.3.6.1.4.1.944. How do I
figure out who 944 is ??

Secondly I would like to get all entries to the NT eventlog as a SNMP trap,
anyone know a way.

Thanks in advance
Brian Schmidt

2. 4 gig 7200rpm disk survey

3. Openview and NT Eventlog management

4. HELP: XFIG and ROTATED text for LaTeX?

5. Win32::EventLog

6. swpackage ...

7. Getting text entry in one cell to return text entry in adjoining cell

8. Cisco 2950 LED question

9. Converting image entry to grseg entry in scl code

10. Importing DOS-Data Entry files in Data Entry 2.0 for Windows

11. Vuescan Repeated Entries in Apple System Profiler

12. Best "Entry Level" Professional Scanner

13. Recommend entry level SCSI scanner?