Save EventBookmark in file

  • Question

  • I have read in the article that wevtutil.exe can store the event bookmark value in an XML file using the /sbm switch.

    I am writing an application that reads forwarded events continuously. I want to make sure I start reading events from where it left off before the process was stopped. I read that EventBookmarks can help. I have an instance of "EventRecord" and it has the property "Bookmark", but I am not sure how to store the bookmark value in a file so that I can refer to it and use it in the next iteration.

    The bookmark file created by wevtutil looks like the one below.

    <BookmarkList Direction='backward'> <Bookmark Channel='C:\Windows\System32\winevt\Logs\ForwardedEvents.evtx' RecordId='159121' IsCurrent='true'/> </BookmarkList>

    I know there is a RecordId property, but it can't be used, as the value is copied from the originating host and the WEC collector is receiving events from multiple hosts.

    There is a record identifier created by Bookmarks, but I am not sure how to get it.

    Please let me know a better way to do this.

    Thursday, April 4, 2019 10:08 AM

All replies

  • Hello,

    The following is not a solution but perhaps will lead you in the right direction.

    Code Project: Real Time Event Log Reader.



    Thursday, April 4, 2019 11:13 AM
    Moderator
  • Hi Jitendra Sanghani83,

    Thank you for posting here.

    Could you provide the code for me to test?

    Best Regards,

    Wendy



    Friday, April 5, 2019 7:15 AM
    Moderator
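
Added example (not part of the original thread and not code from any of its participants): one way to persist the bookmark the question asks about and resume from it on the next start. It assumes .NET 5 or later with the System.Diagnostics.EventLog package, where EventBookmark exposes a BookmarkXml string and a constructor that accepts that string; the class name and state-file path are hypothetical.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.IO;

static class ResumableForwardedEventsReader
{
    // Hypothetical location. Restrict write access to the service account:
    // whoever can edit this file decides which events the reader skips.
    const string StatePath = @"C:\ProgramData\MyCollector\forwarded.bookmark.xml";

    static EventBookmark LoadBookmark() =>
        File.Exists(StatePath) ? new EventBookmark(File.ReadAllText(StatePath)) : null;

    static void SaveBookmark(EventBookmark bookmark)
    {
        // Write to a temp file, then swap it in, so a crash mid-write
        // never leaves a truncated bookmark behind.
        string tmp = StatePath + ".tmp";
        File.WriteAllText(tmp, bookmark.BookmarkXml);
        File.Move(tmp, StatePath, overwrite: true);
    }

    static void Main()
    {
        Directory.CreateDirectory(Path.GetDirectoryName(StatePath));
        var query = new EventLogQuery("ForwardedEvents", PathType.LogName);
        EventBookmark start = LoadBookmark();

        // First run: no state file, read from the oldest record.
        // Later runs: the reader is positioned from the saved bookmark.
        using var reader = start is null
            ? new EventLogReader(query)
            : new EventLogReader(query, start);

        for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
        {
            using (rec)
            {
                Console.WriteLine($"{rec.MachineName} {rec.Id} {rec.TimeCreated:o}");
                // Persist only after the event has been handled, so a crash
                // replays an event instead of silently dropping it.
                SaveBookmark(rec.Bookmark);
            }
        }
    }
}
```

For a long-running process, the same saved bookmark can be passed to the EventLogWatcher(EventLogQuery, EventBookmark) constructor instead of polling with EventLogReader.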