2014-10-07 12 views

EventLogQuery not pulling results

EDIT: OK, I know the query is incorrect. When I remove the TimeCreated part, I get results back. What is the proper way to pull all events for a specific day?

using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

// serverName, logName and entries are not declared in the post; assumed here.
string serverName = "localhost";
string logName = "Application";
var entries = new List<EventRecord>();

DateTime startTime = DateTime.Now.Date;

// Concatenating a DateTime uses its default, culture-specific ToString()
// (for example "10/7/2014 12:00:00 AM"), not an ISO 8601 value.
string query = "*[System/Level=1 or System/Level=2] and TimeCreated[@SystemTime >= '" + startTime + "']";
using (EventLogSession session = new EventLogSession(serverName))
{
    EventLogQuery eventQuery = new EventLogQuery(logName, PathType.LogName, query);
    eventQuery.Session = session;

    using (EventLogReader reader = new EventLogReader(eventQuery))
    {
        // ReadEvent() returns null once the query is exhausted.
        for (EventRecord eventDetail = reader.ReadEvent(); eventDetail != null; eventDetail = reader.ReadEvent())
        {
            entries.Add(eventDetail);
        }
    }
}

I have also tried the following:

"*[System/Level=1 or System/Level=2] and *[System/TimeCreated[@SystemTime >= '" + startTime + "']]"; 

"*[System[(Level=1) or System[(Level=2)] and TimeCreated[@SystemTime >= '" + startTime.ToUniversalTime().ToString("o") + "']]"; 

You can test your query directly in the Windows Event Viewer filter dialog. You can parameterize it and then get the corresponding query. I will post a helper I made for my project. – FloChanz 2014-10-07 14:29:11

Answer

Here is a helper I made to retrieve logs from the Event Viewer; you can easily parameterize it.

using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Linq;
using System.Text;

public static void WriteEventViewerHistoryByTypes(IList<EventViewerCriticalityLevel> levelTypes, string logType, string filePath, IList<string> sources, DateTime? startDate = null, DateTime? endDate = null)
{
    if (levelTypes == null || levelTypes.Count == 0)
        levelTypes = new List<EventViewerCriticalityLevel> { EventViewerCriticalityLevel.Comment, EventViewerCriticalityLevel.Error, EventViewerCriticalityLevel.Fatal, EventViewerCriticalityLevel.Info, EventViewerCriticalityLevel.Warning };

    // Source names are interpolated into an XPath string literal unescaped; a
    // single quote would break out of it, so refuse such names up front.
    if (sources != null && sources.Any(s => s.Contains("'")))
        throw new ArgumentException("Source names must not contain a single quote.", "sources");

    // Structured XML query, the same form the Event Viewer filter dialog emits.
    StringBuilder sb = new StringBuilder();
    sb.Append("<QueryList>");
    sb.AppendFormat("<Query Id=\"0\" Path=\"{0}\">", logType);
    sb.AppendFormat(" <Select Path=\"{0}\">", logType);
    sb.Append(" *[System[(");

    // Level 0 (LogAlways) is displayed as Information, so Info matches 4 and 0.
    sb.AppendFormat("({0})", string.Join(" or ", levelTypes.Select(lev =>
    {
        if (lev == EventViewerCriticalityLevel.Info)
            return string.Format("Level={0} or Level=0", (int)lev);
        else
            return string.Format("Level={0}", (int)lev);
    })));

    if (sources != null && sources.Count > 0)
    {
        sb.Append(" or ");
        sb.AppendFormat("(Provider[{0}])", string.Join(" or ", sources.Select(el => "@Name='" + el + "'")));
    }
    sb.Append(")");
    // The query text is parsed as XML, so a raw '<' is not well-formed and the
    // comparison operators must be escaped. The timestamps are converted to UTC
    // so that the "o" round-trip format ends in 'Z'.
    if (startDate.HasValue)
    {
        sb.AppendFormat(" and TimeCreated[@SystemTime &gt;= '{0}']", startDate.Value.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture));
    }
    if (endDate.HasValue)
    {
        sb.AppendFormat(" and TimeCreated[@SystemTime &lt;= '{0}']", endDate.Value.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture));
    }
    sb.Append("]]");
    sb.Append(" </Select>");
    sb.Append("</Query>");
    sb.Append("</QueryList>");

    // Exports the matching records to an .evtx together with the message
    // resources for the current culture. EventLogSession is disposable; the
    // original try/catch only rethrew and discarded the stack trace, so it is gone.
    using (EventLogSession sess = new EventLogSession())
    {
        sess.ExportLogAndMessages(logType, PathType.LogName, sb.ToString(), filePath, true, CultureInfo.CurrentCulture);
    }
}

And here is the enum:

// Values are the System/Level numbers used by the Windows event log.
public enum EventViewerCriticalityLevel
{
    Fatal = 1,    // Critical
    Error = 2,    // Error
    Warning = 3,  // Warning
    Info = 4,     // Information (Level 0, LogAlways, is also displayed as Information)
    Comment = 5   // Verbose
}

It generates an .evtx file that you can open with the Event Viewer console.

Hope it helps!
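The following is an added example, not code from the question or the answer above, showing the day-bounded query the question asks for: both `Level` and `TimeCreated` are children of `System`, so they belong inside a single `System[...]` predicate, and the `@SystemTime` literal has to be ISO 8601 in UTC (trailing `Z`), which is what the question's string concatenation of a `DateTime` never produced. It assumes .NET Framework, or .NET with the `System.Diagnostics.EventLog` package, on Windows; the `EventLogDayQuery` class, its method names and the command-line arguments are assumptions made for this example. Reading a remote log, or the Security log, needs the corresponding privileges and is not demonstrated here.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Security;

// Example class (assumed name, not from the original post).
public static class EventLogDayQuery
{
    // @SystemTime is compared against an ISO 8601 literal. Converting to UTC
    // makes the "o" round-trip format end in 'Z', the form Event Viewer emits.
    public static string ToSystemTime(DateTime t)
    {
        return t.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture);
    }

    // Plain XPath for Critical (1) .. maxLevel events of one local calendar day,
    // the half-open interval [local midnight, next local midnight). Level and
    // TimeCreated both live under System, so they share one System[...] predicate
    // instead of being "and"-ed at the top level.
    public static string BuildDayXPath(DateTime localDay, int maxLevel = 2)
    {
        DateTime start = DateTime.SpecifyKind(localDay.Date, DateTimeKind.Local);
        DateTime end = start.AddDays(1);
        return "*[System[(Level >= 1 and Level <= " + maxLevel + ")"
             + " and TimeCreated[@SystemTime >= '" + ToSystemTime(start) + "'"
             + " and @SystemTime < '" + ToSystemTime(end) + "']]]";
    }

    // The same filter as structured XML, usable with ExportLogAndMessages or
    // pasted into the "XML" tab of the Event Viewer filter dialog. The XPath is
    // XML-escaped because a raw '<' inside <Select> is not well-formed XML.
    public static string WrapAsQueryList(string logName, string xpath)
    {
        return "<QueryList><Query Id=\"0\" Path=\"" + logName + "\">"
             + "<Select Path=\"" + logName + "\">" + SecurityElement.Escape(xpath)
             + "</Select></Query></QueryList>";
    }

    // Runs the query and returns one summary line per record. EventRecord is
    // disposable and its message lookup needs the session, so the summary is
    // built while the reader and session are still open.
    public static List<string> ReadDay(string serverName, string logName, DateTime localDay)
    {
        var lines = new List<string>();
        var query = new EventLogQuery(logName, PathType.LogName, BuildDayXPath(localDay));
        using (var session = serverName == null ? new EventLogSession() : new EventLogSession(serverName))
        {
            query.Session = session;
            using (var reader = new EventLogReader(query))
            {
                for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                {
                    using (rec)
                    {
                        string message;
                        // FormatDescription() throws when the provider's message
                        // resources are not installed on the reading machine.
                        try { message = rec.FormatDescription(); }
                        catch (EventLogException) { message = "(message resource unavailable)"; }
                        lines.Add(string.Format("{0:u} {1} id={2} level={3}: {4}",
                            rec.TimeCreated, rec.ProviderName, rec.Id, rec.Level, message));
                    }
                }
            }
        }
        return lines;
    }

    public static void Main(string[] args)
    {
        // Assumed arguments: server ("." = local machine), log name, day as yyyy-MM-dd.
        string server = args.Length > 0 && args[0] != "." ? args[0] : null;
        string log = args.Length > 1 ? args[1] : "Application";
        DateTime day = args.Length > 2
            ? DateTime.ParseExact(args[2], "yyyy-MM-dd", CultureInfo.InvariantCulture)
            : DateTime.Today;

        Console.WriteLine(BuildDayXPath(day));
        Console.WriteLine(WrapAsQueryList(log, BuildDayXPath(day)));
        foreach (string line in ReadDay(server, log, day))
            Console.WriteLine(line);
    }
}
```

For a rolling window instead of a calendar day, the Event Viewer dialog generates `*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]` for "Last 24 hours" (milliseconds relative to now), which avoids building any timestamp literal at all. Whatever form is used, test it in the filter dialog first as the comment above suggests, and treat any value interpolated into the XPath (log name, provider name, timestamp) as untrusted input that must not contain quotes or XML metacharacters.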