如何將.evtx事件日誌轉換爲csv

Question

我的Windows服務需要將一個事件日誌的內容保存到文件中。這由EventLogSession.ClearLog完成。但是，我不能強迫它直接將事件日誌保存到CSV。保存的格式是EVTX。

  EventLogSession els = new EventLogSession(); 

      //stel de filename samen door het appdata pad te combinen met een tempfile name 
      string tempData = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "templog.csv"); 
      // Clears all the events and archives them to the .evtx file 

      els.ClearLog(eventLogName, tempData); // Backup File Path 

如何強制EventlogSession類直接保存到CSV，或者，如果這是不可能的。如何將EVTX轉換爲CSV（使用C＃或VB.net）

謝謝！

Answer 1

事實證明，所有現有的解決方案都不符合我的要求。 我只是想要一個工具，將一個evtx作爲輸入並導出一個csv。沒有什麼比這更少。 我自己做了一個，它工作正常。其所謂的EVTX2CSV

您可以在這裏下載：http://essaver.net/evtxecsv或直接通過http://www.essaver.net/downloads/setupevtx2csv.exe

Answer 2

這對使用Log Parser提供的API來說非常容易。

下載&安裝Log Parser 2.2

添加一個參考COM庫 「MS工具1.0類型庫 - LOGPARSER的接口集」。搜索日誌顯着縮小了列表的範圍。

改變參考的特性，使得它沒有嵌入互操作類型。 如果你不這樣做，你會得到像這樣的編譯錯誤： 互操作類型'MSUtil.COMCSVOutputContextClassClass'不能被嵌入。改爲使用適用的界面。

的LOGPARSER的幫助文件的內容有這種API的一個很好的參考，但我將我所用內聯的代碼部分。

using System; 
using MSUtil; 

namespace LogParserTest 
{ 
using LogQuery = LogQueryClassClass; 
using EventLogInput = COMEventLogInputContextClassClass; 
using CSVOutput = COMCSVOutputContextClassClass; 
using XMLOutput = COMXMLOutputContextClassClass; 

class Program 
{ 
    static void Main(string[] args) 
    { 
    try 
    { 
    // Instantiate the LogQuery object 
    LogQuery oLogQuery = new LogQuery(); 

    // Instantiate the Event Log Input Format object 
    EventLogInput eventInputFormat = new EventLogInput(); 

    // When set to "FW", events are retrieved from the oldest to the 
    // newest. When set to "BW", events are retrieved from the newest 
    // to the oldest. 
    eventInputFormat.direction = "FW"; 

    // Event text messages often span multiple lines. When this parameter 
    // is set to "ON", the EVT input format preserves readability of the 
    // messages by removing carriage-return, line-feed, and multiple space 
    // characters from the message text. 
    // When this parameter is set to "OFF", the EVT input format returns 
    // the original message text with no intervening post-processing. 
    eventInputFormat.formatMessage = true; 

    eventInputFormat.binaryFormat = "ASC"; 
    eventInputFormat.stringsSep = ","; 

    CSVOutput csvOutputFormat = new CSVOutput(); 

    // ON: always write the header; 
    // OFF: never write the header; 
    // AUTO: write the header only when not appending to an existing file. 
    csvOutputFormat.headers = "ON"; 

    // Setting this parameter to "ON" causes the CSV output format to write 
    // a tab character after each comma field separator, in order to 
    // improve readability of the CSV output. Note that using tabs between 
    // field values might generate output that is not compatible with 
    // certain spreadsheet applications. 
    csvOutputFormat.tabs = false; 

    // ON: always enclose field values within double-quote characters; 
    // OFF: never enclose field values within double-quote characters; 
    // AUTO: enclose within double-quote characters only those field 
    // values that contain comma (,) characters. 
    csvOutputFormat.oDQuotes = "AUTO"; 

    // This parameter specifies the date and/or time format to use when 
    // formatting values of the TIMESTAMP data type. 
    csvOutputFormat.oTsFormat = "yyyy-MM-dd"; 

    // 0 is the system codepage, -1 is UNICODE. 
    csvOutputFormat.oCodepage = -1; 

    // 0: existing files are appended with the output; 
    // 1: existing files are overwritten with the output; 
    // 2: existing files are left intact, discarding the output. 
    csvOutputFormat.fileMode = 1; 

    /* 
    EventLog  STRING Name of the Event Log or Event Log backup file 
    RecordNumber INTEGER Index of this event 
    TimeGenerated TIMESTAMP Event generated date/time (local time) 
    TimeWritten TIMESTAMP Event logged date/time (local time) 
    EventID  INTEGER The ID of the event 
    EventType  INTEGER The numeric type of the event 
    EventTypeName STRING The descriptive type of the event 
    EventCategory INTEGER The numeric category of the event 
    EventCategoryName STRING The descriptive category of the event 
    SourceName STRING The source that generated the event 
    Strings  STRING The textual data 
    ComputerName STRING The name of the computer 
    SID  STRING The Security Identifier associated with the event 
    Message  STRING The full event message 
    Data  STRING The binary data associated with the event 
    */ 

    string query = @"SELECT TOP 10 EventLog, RecordNumber, Message INTO " 
    // Enclose path in single ticks to handle spaces. 
    query += "'" + FullPathToCsv + "' FROM "; 
    // Name of application Log, System, Security, Application, CustomLogName 
    query += "System";  
    oLogQuery.ExecuteBatch(query, eventInputFormat, csvOutputFormat); 
    } 
    catch (System.Runtime.InteropServices.COMException ex) 
    { 
    Console.WriteLine("Unexpected error: " + ex.Message); 
    } 
    } 
} 
} 

Answer 3

這Powershell的功能是最有效的，我能找到。不是C＃代碼，但我認爲它可能有用。它使用一個文件名（evtx）或文件名中Powershell的一個變量數組這樣的：

[數組] $文件列表= 「文件1」， 「file2的」， 「file3的」

Function Convert-Logs3 { 
[cmdletbinding()] 
Param(
$filelist=$NULL 
) 
$filelist | foreach-object { 
Get-WinEvent -Path "$PSItem"| Select RecordID,ID,TimeCreated, Message | export-csv - ``notypeinformation -path $(write "$PSItem.csv"); 
[System.gc]::collect(); 

}} 

Answer 4

如果你只是想要一個工具，轉換EVTX到CSV，您可以直接使用的工具LOGPARSER的：

C:\> logparser "SELECT TimeGenerated, SourceName, EventCategoryName, EventId, Message INTO C:\eventlog.csv FROM C:\eventlog.evtx" -i:EVT 

我能夠使用到3 GB EVTX文件轉換爲CSV在10分鐘左右。