Read Specific Windows Event Log Event

Question

I am working on a program and need ot know how I would read a specific entry to the Windows Event Log based on a Record number, which this script will already have. Below is the code I have been working with, but I don't want to loop through all of the events until I find the one I'm looking for. Any ideas?

import win32evtlog

server = 'localhost' # name of the target computer to get event logs
logtype = 'System'
hand = win32evtlog.OpenEventLog(server,logtype)
flags = win32evtlog.EVENTLOG_BACKWARDS_READ|win32evtlog.EVENTLOG_SEQUENTIAL_READ
total = win32evtlog.GetNumberOfEventLogRecords(hand)

while True:
    events = win32evtlog.ReadEventLog(hand, flags,0)
    if events:
        for event in events:
            if event.EventID == "27035":
                print 'Event Category:', event.EventCategory
                print 'Time Generated:', event.TimeGenerated
                print 'Source Name:', event.SourceName
                print 'Event ID:', event.EventID
                print 'Event Type:', event.EventType
                data = event.StringInserts
                if data:
                    print 'Event Data:'
                    for msg in data:
                        print msg
                break

Answer 1

No! There are no functions available which allows you to obtain the event based on event id.

Reference: Event logging functions

GetNumberOfEventLogRecords  Retrieves the number of records in the specified event log.
GetOldestEventLogRecord     Retrieves the absolute record number of the oldest record 
                            in the specified event log.
NotifyChangeEventLog        Enables an application to receive notification when an event
                            is written to the specified event log.

ReadEventLog                Reads a whole number of entries from the specified event log.
RegisterEventSource         Retrieves a registered handle to the specified event log.

Only other method of interest is reading the oldest event.

You will have to iterate through the results any way and your approach is correct :)

You can only change the form of your approach like below but this is unnecessary.

events = win32evtlog.ReadEventLog(hand, flags,0)
events_list = [event for event in events if event.EventID == "27035"]
if event_list:
    print 'Event Category:', events_list[0].EventCategory

This is just the same way as you are doing but more succinct

Answer 2

I realize this is an old question, but I came across it, and if I did, others may too.

You can also write custom queries, which allow you to query by any of the WMI parameters you can script (including event ID). It also has the benefit of letting you pull out and dust off all those VBS WMI queries that are out there. I actually use this functionality more frequently than any other. For examples, see:

• http://technet.microsoft.com/en-us/library/ee176693.aspx
• http://technet.microsoft.com/library/ee176695.aspx

Here's a sample to query for a specific event in the Application log. I haven't fleshed it out, but you can also build a WMI time string and query for events between or since specific date/times as well.

#! py -3

import wmi

def main():
    rval = 0  # Default: Check passes.

    # Initialize WMI objects and query.
    wmi_o = wmi.WMI('.')
    wql = ("SELECT * FROM Win32_NTLogEvent WHERE Logfile="
           "'Application' AND EventCode='3036'")

    # Query WMI object.
    wql_r = wmi_o.query(wql)

    if len(wql_r):
        rval = -1  # Check fails.

    return rval



if __name__ == '__main__':
    main()

Answer 3

There is a python library now (python 3 and up) that will do what you're asking called winevt. What you're looking for could be done via the following:

from winevt import EventLog
query = EventLog.Query("System","Event/System[EventID=27035]")
event = next(query)