unit EventLog; //habe die unit aus google.

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms,
Dialogs;

type
  TEventLogRecord = record
    SourceName: AnsiString;
    ComputerName: AnsiString;
    Account: AnsiString;
    Domain: AnsiString;
    TimeGenerated: TDateTime;
    TimeWritten: TDateTime;
    EventID: DWORD;
    EventType: WORD;
    Catagory: WORD;
    Strings: array of AnsiString;
  end;

  TEventLog = class(TComponent)
  private
    { Private declarations }
    m_hEventLog: THandle;
  protected
    { Protected declarations }
    function UCTToDateTime(DateTime: DWORD): TDateTime;
  public
    { Public declarations }
    constructor Create(AOwner: TComponent); override;
    destructor Destroy; override;

    procedure Open(SourceName, UNCServerName: AnsiString); overload;
    procedure Open(SourceName: AnsiString); overload;
    procedure Close;

    // EVENTLOG_ERROR_TYPE, EVENTLOG_WARNING_TYPE,
    // EVENTLOG_INFORMATION_TYPE, EVENTLOG_AUDIT_SUCCESS,
    // EVENTLOG_AUDIT_FAILURE

    procedure Report(AType: WORD; Strings: TStringList; dwEventID: DWORD = 0;
                     ACatagory: WORD = 0; lpRawData: Pointer = nil;
                     dwDataSize:DWORD = 0); overload;
    procedure Report(AType: WORD; Strings: AnsiString; dwEventID: DWORD = 0;
                     ACatagory: WORD = 0; lpRawData: Pointer = nil;
                     dwDataSize: DWORD = 0); overload;
    procedure Clear; overload;
    procedure Clear(FileName: TFileName); overload;
    procedure Backup(FileName: TFileName);
    function Read(Index: Integer): TEventLogRecord;
    function Count: DWORD;
  published
    { Published declarations }
  end;

var
StandardEventLog:TEventLog;

Const
  EVENTLOG_SUCCESS = $0000; // habe ich aus der Unit Windows kopiert
  EVENTLOG_ERROR_TYPE = $0001;
  EVENTLOG_WARNING_TYPE = $0002;
  EVENTLOG_INFORMATION_TYPE = $0004;
  EVENTLOG_AUDIT_SUCCESS = $0008;
  EVENTLOG_AUDIT_FAILURE = $0010;
  
implementation


const
  EVENTLOG_SEEK_READ = 4;
  EVENTLOG_BACKWARDS_READ = 2;
  EVENTLOG_FORWARDS_READ = 2;
  EVENTLOG_SEQUENTIAL_READ = 0;

//------------------------------------------------------------------------------
constructor TEventLog.Create(AOwner: TComponent);
begin
  inherited Create(AOwner);
  m_hEventLog:= INVALID_HANDLE_VALUE;
end;
//------------------------------------------------------------------------------
destructor TEventLog.Destroy;
begin
  Close();
  inherited Destroy();
end;
//------------------------------------------------------------------------------
procedure TEventLog.Open(SourceName: AnsiString);
begin
  Self.Open(SourceName, '');
end;
//------------------------------------------------------------------------------
procedure TEventLog.Open(SourceName, UNCServerName: AnsiString);
var lpUNCServerName, lpSourceName: array[0..MAX_PATH] of char;
    AHandle: THandle;
begin
  if (m_hEventLog = INVALID_HANDLE_VALUE) then
  begin
    StrPCopy(lpUNCServerName, UNCServerName);
    StrPCopy(lpSourceName, SourceName);
    AHandle:= OpenEventLog(lpUNCServerName, lpSourceName);
    if (AHandle = 0) then
      raise Exception.Create(SysErrorMessage(GetLastError()));

    m_hEventLog:= AHandle;
  end;
end;
//------------------------------------------------------------------------------
procedure TEventLog.Close;
begin
  if (m_hEventLog <> INVALID_HANDLE_VALUE) then
  begin
    if (not CloseEventLog(m_hEventLog)) then
      raise Exception.Create(SysErrorMessage(GetLastError()));

    m_hEventLog:= INVALID_HANDLE_VALUE;
  end;
end;
//------------------------------------------------------------------------------
procedure TEventLog.Report(AType: WORD; Strings: TStringList;
dwEventID: DWORD = 0; ACatagory: WORD = 0; lpRawData: Pointer = nil;
dwDataSize: DWORD = 0);
var lpStrings: array of PChar;
    Result: Boolean;
    I: Integer;
begin
  SetLength(lpStrings, Strings.Count);
  for I:=0 to Strings.Count -1 do
  begin
    GetMem(lpStrings[I], Length(Strings[I]) +1);
    StrPCopy(lpStrings[I], Strings[I]);
  end;

  Result:= ReportEvent(m_hEventLog, AType, ACatagory, dwEventID, nil,
Strings.Count, dwDataSize, lpStrings, lpRawData);

  for I:=0 to Strings.Count -1 do
    FreeMem(lpStrings[I]);

  if (not Result) then
    raise Exception.Create(SysErrorMessage(GetLastError()));
end;
//------------------------------------------------------------------------------
procedure TEventLog.Report(AType: WORD; Strings: AnsiString; dwEventID:
DWORD = 0; ACatagory: WORD = 0; lpRawData: Pointer = nil; dwDataSize:
DWORD = 0);
var StringList: TStringList;
begin
  StringList:= TStringList.Create();
  try
    StringList.Add(Strings);
    Self.Report(AType, StringList, dwEventID, ACatagory, lpRawData,
dwDataSize);
  finally
    StringList.Free();
  end;
end;
//------------------------------------------------------------------------------
procedure TEventLog.Clear;
begin
  Self.Clear('');
end;
//------------------------------------------------------------------------------
procedure TEventLog.Clear(FileName: TFileName);
var lpFileName: PChar;
begin
  // if we need to backup the eventlog then copy the filename to a LPSTR
  lpFileName:= nil;

  if (Length(FileName) > 0) then
  begin
    GetMem(lpFileName, Length(FileName) +1);
    StrPCopy(lpFileName, FileName);
  end;

  try
    if (not ClearEventLog(m_hEventLog, lpFileName)) then
      raise Exception.Create(SysErrorMessage(GetLastError()));
  finally
    // free the memory
    FreeMem(lpFileName);
  end;
end;
//------------------------------------------------------------------------------
procedure TEventLog.Backup(FileName: TFileName);
var lpFileName: array[0..MAX_PATH] of char;
begin
  StrPCopy(lpFileName, FileName);

  // backup the current event log
  if (not BackupEventLog(m_hEventLog, lpFileName)) then
    raise Exception.Create(SysErrorMessage(GetLastError()));
end;
//------------------------------------------------------------------------------
function TEventLog.Read(Index: Integer): TEventLogRecord;
type
  PEVENTLOGRECORD = ^EVENTLOGRECORD;
  EVENTLOGRECORD = packed record
    Length: DWORD;
    Reserved: DWORD;
    RecordNumber: DWORD;
    TimeGenerated: DWORD;
    TimeWritted: DWORD;
    EventID: DWORD;
    EventType: WORD;
    NumStrings: WORD;
    EventCatagory: WORD;
    ReservedFlags: WORD;
    ClosingRecordNumber: DWORD;
    StringOffset: DWORD;
    UserSidLength: DWORD;
    UserSidOffset: DWORD;
    DataLength: DWORD;
    DataOffset: DWORD;
  end;

var lpEventLogRecord: PEVENTLOGRECORD;
    I, Offset, BufferSize, NumberOfBytesRead, NumberOfBytesNeeded:
Cardinal;
    lpStrings: PChar;
    lpSID: PSID;
    szAccount, szDomain: array[0..MAX_PATH] of Char;
    dwAccountSize, dwDomainSize: DWORD;
    peUse: Cardinal;
begin
  BufferSize:= SizeOf(EVENTLOGRECORD) + 8192;
  GetMem(lpEventLogRecord, BufferSize);

  try
    NumberOfBytesRead:= 0;
    NumberOfBytesNeeded:= 0;
    if (ReadEventLog(m_hEventLog, EVENTLOG_SEEK_READ or
        EVENTLOG_BACKWARDS_READ or EVENTLOG_FORWARDS_READ,
        Index +1, lpEventLogRecord, BufferSize, NumberOfBytesRead,
        NumberOfBytesNeeded)) then
    begin

      Offset:= SizeOf(EVENTLOGRECORD);
      Result.SourceName:= StrPas(@PChar(lpEventLogRecord)[Offset]);

      Inc(Offset, 1 + StrLen(@PChar(lpEventLogRecord)[Offset]));
      Result.ComputerName:= StrPas(@PChar(lpEventLogRecord)[Offset]);

      Result.TimeGenerated:= UCTToDateTime(lpEventLogRecord^.TimeGenerated);
      Result.TimeWritten:= UCTToDateTime(lpEventLogRecord^.TimeWritted);
      Result.EventID:= lpEventLogRecord^.EventID;
      Result.EventType:= lpEventLogRecord^.EventType;
      Result.Catagory:= lpEventLogRecord^.EventCatagory;

      SetLength(Result.Strings, lpEventLogRecord^.NumStrings);
      Offset:= lpEventLogRecord.StringOffset;
      if lpEventLogRecord^.NumStrings > 0 then
      begin
        for I:=0 to lpEventLogRecord^.NumStrings -1 do
        begin
          lpStrings:= @PChar(lpEventLogRecord)[Offset];
          Result.Strings[I]:= StrPas(lpStrings);
          Inc(Offset, 1 + StrLen(lpStrings));
        end;
      end;

      // get account information
      Offset:= lpEventLogRecord^.UserSidOffset;
      lpSID:= @(PChar(lpEventLogRecord)[Offset]);
      if (lpEventLogRecord^.UserSidLength > 0) then
      begin
        dwAccountSize:= MAX_PATH;
        dwDomainSize:= MAX_PATH;
        if (not LookupAccountSid(nil, lpSID, szAccount, dwAccountSize,
                                 szDomain, dwDomainSize, peUse)) then
          raise Exception.Create(SysErrorMessage(GetLastError()));

        Result.Domain:= StrPas(szDomain);
        Result.Account:= StrPas(szAccount);
      end;
    end else
      raise Exception.Create(SysErrorMessage(GetLastError()));
  finally
    FreeMem(lpEventLogRecord);
  end;
end;
//------------------------------------------------------------------------------
function TEventLog.Count: DWORD;
begin
  if (not GetNumberOfEventLogRecords(m_hEventLog, Result)) then
    raise Exception.Create(SysErrorMessage(GetLastError()));
end;
//------------------------------------------------------------------------------
function TEventLog.UCTToDateTime(DateTime: DWORD): TDateTime;
var Hour, Min, Sec: WORD;
    NumberOfDays: DWORD;
begin
  //
  // UTC: This time is measured in the number of seconds elapsed
  // since 00:00:00 January 1, 1970, Universal Coordinated Time.
  //

  NumberOfDays:= DateTime div (60*60*24);

  DateTime:= DateTime mod (60*60*24);
  Hour:= 1 + DateTime div (60*60);
  DateTime:= DateTime mod (60*60);
  Min:= DateTime div 60;
  DateTime:= DateTime mod (60);
  Sec:= DateTime;
  Result:= EncodeDate(1970, 1, 1) + NumberOfDays + EncodeTime(Hour,
Min, Sec, 0);
end;
//------------------------------------------------------------------------------

end.