Getting Hyper-V Events Description RRS feed

  • Question

  • Hello,

    I am using the EvtQuery(), EvtNext() and EvtRender() APIs to read Hyper-V events.
    EvtRender returns the event log information in XML format.

    However, I am not able to retrieve the event description with these APIs.

    Please let me know if anyone knows a way / API to read the Hyper-V event description programmatically.

    Please find the code snippet below:-
    ----------------------------------------------

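    // Query the channel for the events selected by szQuery.
    // NOTE(review): EvtRenderEventXml (used below) returns the event's XML only;
    // the human-readable description is not part of that XML. The Windows Event
    // Log API formats it in a separate step: open the provider's metadata with
    // EvtOpenPublisherMetadata() and call EvtFormatMessage() with
    // EvtFormatMessageEvent on the same hEvent handle.
    hQueryResult = EvtQuery(NULL,                 // Session (NULL here; a session handle is used for remote).
                            szChannelIdea,        // Path (channel).
                            szQuery,              // Query (1:Critical; 2:Error; 3:Warning; 4:Information).
                            EvtQueryChannelPath); // Flags.
    if (!hQueryResult)
    {
        // Read the error code once, before wprintf() has a chance to change it.
        DWORD errorCode = GetLastError();
        wprintf(L"Failed to query the log!. Error = 0x%x", errorCode);
        wprintf(L"\nError code: %d\n", errorCode);
        return;
    }

    EVT_HANDLE hEvent = NULL; // Handle of the event fetched by EvtNext (batch size is 1).
    DWORD dwReturned = 0;     // Number of events returned.

    // Retrieve each event in the query result and display it on the console.
    while (EvtNext(hQueryResult,  // QueryResult.
                   1,             // BatchSize.
                   &hEvent,       // EventArray.
                   QUERY_TIMEOUT, // TimeOut.
                   0,             // dwFlags (reserved, must be zero).
                   &dwReturned))  // Returned.
    {
        DWORD dwBuffSize = 0;      // Buffer size in bytes.
        DWORD dwBuffUsed = 0;      // Bytes used or required.
        DWORD dwPropertyCount = 0; // Only used when the flag is EvtRenderEventValues.

        // Size probe: a zero-length buffer makes EvtRender report the required
        // byte count in dwBuffUsed. NULL is passed instead of pBuff so that a
        // pointer already released by a previous iteration is never handed out.
        BOOL bRet = EvtRender(NULL,              // Context.
                              hEvent,            // HANDLE.
                              EvtRenderEventXml, // Flags.
                              0,                 // BufferSize.
                              NULL,              // Buffer.
                              &dwBuffUsed,       // Bytes required.
                              &dwPropertyCount);
        if (!bRet)
        {
            DWORD dwRes = GetLastError();
            if (dwRes == ERROR_INSUFFICIENT_BUFFER)
            {
                dwBuffSize = dwBuffUsed;

                // dwBuffSize is a byte count. Round it up to whole WCHARs so the
                // allocation is never smaller than the size given to EvtRender,
                // and add one zero-initialized element so the text handed to
                // parseXML is always NUL-terminated inside the allocation.
                size_t cchBuff = (dwBuffSize + sizeof(WCHAR) - 1) / sizeof(WCHAR) + 1;
                pBuff = new WCHAR[cchBuff]();

                // Render the event into the buffer.
                bRet = EvtRender(NULL,              // Context.
                                 hEvent,            // HANDLE.
                                 EvtRenderEventXml, // Flags.
                                 dwBuffSize,        // BufferSize (bytes).
                                 pBuff,             // Buffer.
                                 &dwBuffUsed,       // Bytes used or required.
                                 &dwPropertyCount);
                if (!bRet)
                {
                    wprintf(L"Could not Render Event!. Error = 0x%x", GetLastError());
                    delete[] pBuff;
                    pBuff = NULL;
                    EvtClose(hQueryResult);
                    EvtClose(hEvent);
                    return;
                }

                // Display the event count.
                wprintf(L"Event %d :\n", ++dwNumofEvents);

                // parseXML is defined elsewhere; each call passes a field name,
                // the length of that name, and the rendered XML.
                // NOTE(review): event text can carry data supplied by whatever
                // logged it - confirm parseXML bounds its search to the buffer.
                parseXML(L"Provider Name", 13, pBuff); // EventSource
                parseXML(L"EventID", 7, pBuff);
                parseXML(L"Level", 5, pBuff);          // Event Type (Input)
                parseXML(L"Task", 4, pBuff);           // Event category
                parseXML(L"SystemTime", 10, pBuff);    // Time Generated
                wprintf(L"\n");

                delete[] pBuff;
                pBuff = NULL; // Do not leave a dangling pointer for the next iteration.
            }
            else
            {
                // Report the code captured above; a second GetLastError() call
                // could return a different value.
                wprintf(L"EvtRender failed to get the buffersize needed to Render the Event!. Error = 0x%x", dwRes);
                EvtClose(hQueryResult);
                EvtClose(hEvent);
                return;
            }
        }

        // Each event handle returned by EvtNext is closed before the next fetch.
        EvtClose(hEvent);
        hEvent = NULL;
    }

    // EvtNext returns FALSE both at the end of the result set and on failure;
    // only ERROR_NO_MORE_ITEMS means every event was read.
    DWORD dwNextErr = GetLastError();
    if (dwNextErr != ERROR_NO_MORE_ITEMS)
    {
        wprintf(L"EvtNext failed. Error = 0x%x\n", dwNextErr);
    }
    // hQueryResult is still open here; the code that follows must EvtClose() it.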

     

     

    -----------------------------------------------------------------------

    NOTE: I have been redirected from the TechNet forum to the MSDN forum for this question.

    -----------------------------------------------------------------------

     

    Thanks,

    Geeta

    Thursday, January 8, 2009 6:35 AM