C++ Program for Extracting data from Windows event logs in different formats (xml, evtx, csv, txt)

  • Question

  • Hi,

    How can we do the filtering and save each log entry in that file format?

    Tuesday, August 27, 2013 7:30 PM

Answers

  • EvtExportLog() is used to export to another evtx file. EvtRender() can be used to render each event as an XML string which you can store yourself in an xml file. For text and csv, use EvtFormatMessage(). Filtering is done by passing an XPath query (for example `Event/System[EventID=2]`) to EvtQuery() or EvtExportLog().

    The MSDN documentation looks pretty good. Start reading here.

    This question is actually out of scope for this Visual C++ forum. You might want to try posting in the Windows SDK forum instead.

    Tuesday, August 27, 2013 8:16 PM
  • Hi,

    >How can i link these 3 api's to make a complete project for extracting data from windows logs(System,Security,Application) and save them into a xml file .

    You can have the API functions included into one application to implement what you need.

    Please refer to the following sample code, which shows how to copy events from a channel to a log file and then relog specific events from the newly created log file to a new log file. Note that the sample writes the rendered XML to stdout with wprintf(); to produce an .xml file, redirect the output or replace that call in PrintEvent() with a write to a file you open yourself.

    #include <windows.h>
    #include <stdio.h>
    #include <winevt.h>
    
    #pragma comment(lib, "wevtapi.lib")
    
    #define ARRAY_SIZE 10
    
    DWORD DumpEvents(LPCWSTR pwsLogFile);
    DWORD PrintResults(EVT_HANDLE hResults);
    DWORD PrintEvent(EVT_HANDLE hEvent);
    
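    // Entry point of the sample.
    //
    // 1. Exports every event of the channel named by pPath into .\log.evtx
    //    (EvtExportLogChannelPath, no query = all events).
    // 2. Dumps that file as XML via DumpEvents().
    // 3. Re-exports only the events whose EventID is 2 from .\log.evtx into
    //    .\log2.evtx (EvtExportLogFilePath with an XPath filter) and dumps
    //    that file as well.
    //
    // Returns 0 when every step succeeded, otherwise the Win32 error code of
    // the step that failed (the error is also printed to stdout). DumpEvents()
    // reports a fully consumed result set as ERROR_NO_MORE_ITEMS; that is
    // treated as success here.
    //
    // NOTE(review): both output paths are relative, so the .evtx files land in
    // whatever the current working directory happens to be. Exported events
    // can hold sensitive data (all the more so for the Security channel), so a
    // real tool should write to an absolute path under a directory with a
    // restrictive ACL rather than to the CWD.
    int main(void)
    {
        DWORD status = ERROR_SUCCESS;
        // The strings are literals, so the pointers are const-qualified.
        LPCWSTR pPath = L"<path to channel goes here>";
        LPCWSTR pQuery = NULL;              // NULL query selects every event
        LPCWSTR pTargetLogFile = L".\\log.evtx";

        // Export all the events in the specified channel to the target log file.
        if (!EvtExportLog(NULL, pPath, pQuery, pTargetLogFile, EvtExportLogChannelPath))
        {
            status = GetLastError();
            wprintf(L"EvtExportLog failed for initial export with %lu.\n", status);
            goto cleanup;
        }

        // Dump the events from the log file; DumpEvents prints its own errors.
        wprintf(L"Events from %s log file\n\n", pTargetLogFile);
        status = DumpEvents(pTargetLogFile);
        if (ERROR_NO_MORE_ITEMS == status)
        {
            status = ERROR_SUCCESS;         // end of result set is not a failure
        }
        if (ERROR_SUCCESS != status)
        {
            goto cleanup;
        }

        // Relog: keep only the events with EventID 2 from the file just written.
        pPath = L".\\log.evtx";
        pQuery = L"Event/System[EventID=2]";
        pTargetLogFile = L".\\log2.evtx";

        if (!EvtExportLog(NULL, pPath, pQuery, pTargetLogFile, EvtExportLogFilePath))
        {
            status = GetLastError();
            wprintf(L"EvtExportLog failed for relog with %lu.\n", status);
            goto cleanup;
        }

        // Dump the events from the filtered log file.
        wprintf(L"\n\n\nEvents from %s log file\n\n", pTargetLogFile);
        status = DumpEvents(pTargetLogFile);
        if (ERROR_NO_MORE_ITEMS == status)
        {
            status = ERROR_SUCCESS;
        }

    cleanup:
        // Nothing to release here: EvtExportLog and DumpEvents own their handles.
        return (int)status;
    }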
    
    
    // Open the .evtx file at pwsPath as a query result set and hand it to
    // PrintResults(), which renders every event it contains.
    //
    // Returns the Win32 error from EvtQuery if the file cannot be opened
    // (after printing it), otherwise whatever PrintResults() returns.
    DWORD DumpEvents(LPCWSTR pwsPath)
    {
        EVT_HANDLE hQuery = EvtQuery(NULL, pwsPath, NULL, EvtQueryFilePath);
        if (NULL == hQuery)
        {
            DWORD err = GetLastError();
            wprintf(L"EvtQuery failed with %lu.\n", err);
            return err;
        }

        DWORD rc = PrintResults(hQuery);
        EvtClose(hQuery);               // the result-set handle is ours to close
        return rc;
    }
    
    
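    // Enumerate every event in the result set hResults, rendering each one with
    // PrintEvent(). Events are fetched ARRAY_SIZE at a time and each handle is
    // closed as soon as it has been printed.
    //
    // Returns ERROR_SUCCESS once the result set is exhausted (EvtNext's
    // ERROR_NO_MORE_ITEMS is the normal end condition, not an error for the
    // caller), otherwise the Win32 error from EvtNext or the status returned by
    // PrintEvent().
    DWORD PrintResults(EVT_HANDLE hResults)
    {
        DWORD status = ERROR_SUCCESS;
        // Zero-initialised so the cleanup loop never closes an uninitialised
        // handle, whatever EvtNext leaves in the array on failure.
        EVT_HANDLE hEvents[ARRAY_SIZE] = {0};
        DWORD dwReturned = 0;

        for (;;)
        {
            // Get a block of events from the result set.
            if (!EvtNext(hResults, ARRAY_SIZE, hEvents, INFINITE, 0, &dwReturned))
            {
                status = GetLastError();
                if (ERROR_NO_MORE_ITEMS == status)
                {
                    status = ERROR_SUCCESS;     // end of the result set
                }
                else
                {
                    wprintf(L"EvtNext failed with %lu\n", status);
                }
                goto cleanup;
            }

            // Render each event; stop at the first one that fails to render.
            for (DWORD i = 0; i < dwReturned; i++)
            {
                status = PrintEvent(hEvents[i]);
                if (ERROR_SUCCESS != status)
                {
                    goto cleanup;   // unconsumed handles are closed below
                }
                EvtClose(hEvents[i]);
                hEvents[i] = NULL;
            }
        }

    cleanup:
        // Runs on every exit. Closes whatever is still open: after an error
        // mid-batch that is the rest of the batch, otherwise nothing, since
        // every printed handle was NULLed above.
        for (DWORD i = 0; i < ARRAY_SIZE; i++)
        {
            if (NULL != hEvents[i])
                EvtClose(hEvents[i]);
        }

        return status;
    }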
    
    
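    // Render one event as an XML string and write it to stdout.
    //
    // EvtRender is called twice: first with an empty buffer to learn the
    // required size in bytes (reported through dwBufferUsed together with
    // ERROR_INSUFFICIENT_BUFFER), then again with a heap buffer of that size.
    //
    // Returns ERROR_SUCCESS, ERROR_OUTOFMEMORY if the buffer could not be
    // allocated, or the Win32 error from EvtRender (also printed to stdout).
    //
    // NOTE(review): the XML is the event's own content rendered verbatim, i.e.
    // data written by whatever logged the event, not by this program. It goes
    // through a fixed format string here, so there is no format-string issue,
    // but anything that later parses or displays it should treat it as
    // untrusted input.
    DWORD PrintEvent(EVT_HANDLE hEvent)
    {
        DWORD status = ERROR_SUCCESS;
        DWORD dwBufferSize = 0;
        DWORD dwBufferUsed = 0;
        DWORD dwPropertyCount = 0;
        LPWSTR pRenderedContent = NULL;

        // First pass: size query. Expected to fail with ERROR_INSUFFICIENT_BUFFER.
        if (!EvtRender(NULL, hEvent, EvtRenderEventXml, dwBufferSize, pRenderedContent, &dwBufferUsed, &dwPropertyCount))
        {
            status = GetLastError();
            if (ERROR_INSUFFICIENT_BUFFER != status)
            {
                wprintf(L"EvtRender failed with %lu\n", status);
                goto cleanup;
            }

            dwBufferSize = dwBufferUsed;    // byte count, as EvtRender reports it
            pRenderedContent = (LPWSTR)malloc(dwBufferSize);
            if (NULL == pRenderedContent)
            {
                wprintf(L"malloc failed\n");
                status = ERROR_OUTOFMEMORY;
                goto cleanup;
            }

            // Second pass: render for real. Test the return value instead of
            // relying on GetLastError(), which is not guaranteed to be reset to
            // ERROR_SUCCESS by a successful call.
            if (!EvtRender(NULL, hEvent, EvtRenderEventXml, dwBufferSize, pRenderedContent, &dwBufferUsed, &dwPropertyCount))
            {
                status = GetLastError();
                wprintf(L"EvtRender failed with %lu\n", status);
                goto cleanup;
            }
            status = ERROR_SUCCESS;
        }

        // Only print when a buffer was actually filled; if the size query itself
        // succeeded with a zero-length buffer there is nothing to show and
        // passing NULL to %s would be undefined behaviour.
        if (NULL != pRenderedContent)
        {
            wprintf(L"\n\n%s", pRenderedContent);
        }

    cleanup:
        free(pRenderedContent);             // free(NULL) is a no-op
        return status;
    }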

    For more details,please refer to the following links:

    Saving Events to a Log File 

    Rendering Events

    Best Regards.

    Jane.


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support


    Friday, August 30, 2013 5:46 AM

All replies

  • EvtExportLog() is used to export to another evtx file. EvtRender() can be used to render each event as an XML string which you can store yourself in an xml file. For text and csv, use EvtFormatMessage(). Filtering is done by passing an XPath query (for example `Event/System[EventID=2]`) to EvtQuery() or EvtExportLog().

    The MSDN documentation looks pretty good. Start reading here.

    This question is actually out of scope for this Visual C++ forum. You might want to try posting in the Windows SDK forum instead.

    Tuesday, August 27, 2013 8:16 PM
  • Actually my final goal is to read Windows logs in the form of XML with the help of a C++ program, so can't I use the ReadEventLog function for this?

    How can I specify the Windows log files that I usually see by typing "eventvwr" in Run? Will I have to include any DLL for that?

    I went through  EvtRender() function given.

    There are 3 api's given :

     DWORD PrintEventValues(EVT_HANDLE hEvent)

    DWORD PrintEventSystemData(EVT_HANDLE hEvent)

    DWORD PrintEvent(EVT_HANDLE hEvent)

    . But still i am not able to do what i want to achieve .

    May i ask you to help me in the same.?

    How can i link these 3 api's to make a complete project for extracting

    data from windows logs(System,Security,Application) and save them into a xml

     file.

     

    Wednesday, August 28, 2013 11:39 AM
  • Hi,

    >How can i link these 3 api's to make a complete project for extracting data from windows logs(System,Security,Application) and save them into a xml file .

    You can have the API functions included into one application to implement what you need.

    Please refer to the following sample code, which shows how to copy events from a channel to a log file and then relog specific events from the newly created log file to a new log file. Note that the sample writes the rendered XML to stdout with wprintf(); to produce an .xml file, redirect the output or replace that call in PrintEvent() with a write to a file you open yourself.

    #include <windows.h>
    #include <stdio.h>
    #include <winevt.h>
    
    #pragma comment(lib, "wevtapi.lib")
    
    #define ARRAY_SIZE 10
    
    DWORD DumpEvents(LPCWSTR pwsLogFile);
    DWORD PrintResults(EVT_HANDLE hResults);
    DWORD PrintEvent(EVT_HANDLE hEvent);
    
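    // Entry point of the sample.
    //
    // 1. Exports every event of the channel named by pPath into .\log.evtx
    //    (EvtExportLogChannelPath, no query = all events).
    // 2. Dumps that file as XML via DumpEvents().
    // 3. Re-exports only the events whose EventID is 2 from .\log.evtx into
    //    .\log2.evtx (EvtExportLogFilePath with an XPath filter) and dumps
    //    that file as well.
    //
    // Returns 0 when every step succeeded, otherwise the Win32 error code of
    // the step that failed (the error is also printed to stdout). DumpEvents()
    // reports a fully consumed result set as ERROR_NO_MORE_ITEMS; that is
    // treated as success here.
    //
    // NOTE(review): both output paths are relative, so the .evtx files land in
    // whatever the current working directory happens to be. Exported events
    // can hold sensitive data (all the more so for the Security channel), so a
    // real tool should write to an absolute path under a directory with a
    // restrictive ACL rather than to the CWD.
    int main(void)
    {
        DWORD status = ERROR_SUCCESS;
        // The strings are literals, so the pointers are const-qualified.
        LPCWSTR pPath = L"<path to channel goes here>";
        LPCWSTR pQuery = NULL;              // NULL query selects every event
        LPCWSTR pTargetLogFile = L".\\log.evtx";

        // Export all the events in the specified channel to the target log file.
        if (!EvtExportLog(NULL, pPath, pQuery, pTargetLogFile, EvtExportLogChannelPath))
        {
            status = GetLastError();
            wprintf(L"EvtExportLog failed for initial export with %lu.\n", status);
            goto cleanup;
        }

        // Dump the events from the log file; DumpEvents prints its own errors.
        wprintf(L"Events from %s log file\n\n", pTargetLogFile);
        status = DumpEvents(pTargetLogFile);
        if (ERROR_NO_MORE_ITEMS == status)
        {
            status = ERROR_SUCCESS;         // end of result set is not a failure
        }
        if (ERROR_SUCCESS != status)
        {
            goto cleanup;
        }

        // Relog: keep only the events with EventID 2 from the file just written.
        pPath = L".\\log.evtx";
        pQuery = L"Event/System[EventID=2]";
        pTargetLogFile = L".\\log2.evtx";

        if (!EvtExportLog(NULL, pPath, pQuery, pTargetLogFile, EvtExportLogFilePath))
        {
            status = GetLastError();
            wprintf(L"EvtExportLog failed for relog with %lu.\n", status);
            goto cleanup;
        }

        // Dump the events from the filtered log file.
        wprintf(L"\n\n\nEvents from %s log file\n\n", pTargetLogFile);
        status = DumpEvents(pTargetLogFile);
        if (ERROR_NO_MORE_ITEMS == status)
        {
            status = ERROR_SUCCESS;
        }

    cleanup:
        // Nothing to release here: EvtExportLog and DumpEvents own their handles.
        return (int)status;
    }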
    
    
    // Open the .evtx file at pwsPath as a query result set and hand it to
    // PrintResults(), which renders every event it contains.
    //
    // Returns the Win32 error from EvtQuery if the file cannot be opened
    // (after printing it), otherwise whatever PrintResults() returns.
    DWORD DumpEvents(LPCWSTR pwsPath)
    {
        EVT_HANDLE hQuery = EvtQuery(NULL, pwsPath, NULL, EvtQueryFilePath);
        if (NULL == hQuery)
        {
            DWORD err = GetLastError();
            wprintf(L"EvtQuery failed with %lu.\n", err);
            return err;
        }

        DWORD rc = PrintResults(hQuery);
        EvtClose(hQuery);               // the result-set handle is ours to close
        return rc;
    }
    
    
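    // Enumerate every event in the result set hResults, rendering each one with
    // PrintEvent(). Events are fetched ARRAY_SIZE at a time and each handle is
    // closed as soon as it has been printed.
    //
    // Returns ERROR_SUCCESS once the result set is exhausted (EvtNext's
    // ERROR_NO_MORE_ITEMS is the normal end condition, not an error for the
    // caller), otherwise the Win32 error from EvtNext or the status returned by
    // PrintEvent().
    DWORD PrintResults(EVT_HANDLE hResults)
    {
        DWORD status = ERROR_SUCCESS;
        // Zero-initialised so the cleanup loop never closes an uninitialised
        // handle, whatever EvtNext leaves in the array on failure.
        EVT_HANDLE hEvents[ARRAY_SIZE] = {0};
        DWORD dwReturned = 0;

        for (;;)
        {
            // Get a block of events from the result set.
            if (!EvtNext(hResults, ARRAY_SIZE, hEvents, INFINITE, 0, &dwReturned))
            {
                status = GetLastError();
                if (ERROR_NO_MORE_ITEMS == status)
                {
                    status = ERROR_SUCCESS;     // end of the result set
                }
                else
                {
                    wprintf(L"EvtNext failed with %lu\n", status);
                }
                goto cleanup;
            }

            // Render each event; stop at the first one that fails to render.
            for (DWORD i = 0; i < dwReturned; i++)
            {
                status = PrintEvent(hEvents[i]);
                if (ERROR_SUCCESS != status)
                {
                    goto cleanup;   // unconsumed handles are closed below
                }
                EvtClose(hEvents[i]);
                hEvents[i] = NULL;
            }
        }

    cleanup:
        // Runs on every exit. Closes whatever is still open: after an error
        // mid-batch that is the rest of the batch, otherwise nothing, since
        // every printed handle was NULLed above.
        for (DWORD i = 0; i < ARRAY_SIZE; i++)
        {
            if (NULL != hEvents[i])
                EvtClose(hEvents[i]);
        }

        return status;
    }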
    
    
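    // Render one event as an XML string and write it to stdout.
    //
    // EvtRender is called twice: first with an empty buffer to learn the
    // required size in bytes (reported through dwBufferUsed together with
    // ERROR_INSUFFICIENT_BUFFER), then again with a heap buffer of that size.
    //
    // Returns ERROR_SUCCESS, ERROR_OUTOFMEMORY if the buffer could not be
    // allocated, or the Win32 error from EvtRender (also printed to stdout).
    //
    // NOTE(review): the XML is the event's own content rendered verbatim, i.e.
    // data written by whatever logged the event, not by this program. It goes
    // through a fixed format string here, so there is no format-string issue,
    // but anything that later parses or displays it should treat it as
    // untrusted input.
    DWORD PrintEvent(EVT_HANDLE hEvent)
    {
        DWORD status = ERROR_SUCCESS;
        DWORD dwBufferSize = 0;
        DWORD dwBufferUsed = 0;
        DWORD dwPropertyCount = 0;
        LPWSTR pRenderedContent = NULL;

        // First pass: size query. Expected to fail with ERROR_INSUFFICIENT_BUFFER.
        if (!EvtRender(NULL, hEvent, EvtRenderEventXml, dwBufferSize, pRenderedContent, &dwBufferUsed, &dwPropertyCount))
        {
            status = GetLastError();
            if (ERROR_INSUFFICIENT_BUFFER != status)
            {
                wprintf(L"EvtRender failed with %lu\n", status);
                goto cleanup;
            }

            dwBufferSize = dwBufferUsed;    // byte count, as EvtRender reports it
            pRenderedContent = (LPWSTR)malloc(dwBufferSize);
            if (NULL == pRenderedContent)
            {
                wprintf(L"malloc failed\n");
                status = ERROR_OUTOFMEMORY;
                goto cleanup;
            }

            // Second pass: render for real. Test the return value instead of
            // relying on GetLastError(), which is not guaranteed to be reset to
            // ERROR_SUCCESS by a successful call.
            if (!EvtRender(NULL, hEvent, EvtRenderEventXml, dwBufferSize, pRenderedContent, &dwBufferUsed, &dwPropertyCount))
            {
                status = GetLastError();
                wprintf(L"EvtRender failed with %lu\n", status);
                goto cleanup;
            }
            status = ERROR_SUCCESS;
        }

        // Only print when a buffer was actually filled; if the size query itself
        // succeeded with a zero-length buffer there is nothing to show and
        // passing NULL to %s would be undefined behaviour.
        if (NULL != pRenderedContent)
        {
            wprintf(L"\n\n%s", pRenderedContent);
        }

    cleanup:
        free(pRenderedContent);             // free(NULL) is a no-op
        return status;
    }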

    For more details,please refer to the following links:

    Saving Events to a Log File 

    Rendering Events

    Best Regards.

    Jane.


    <THE CONTENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED>
    Thanks
    MSDN Community Support


    Friday, August 30, 2013 5:46 AM
  • How can i link these api's to make a complete project for extracting data from windows logs(System,Security,Application) and save them into a txt file .
    Friday, July 18, 2014 1:50 AM