how to write query for ExportLogAndMessages in c#?

  • Question

  • Hi all,
    I am working on a WPF application, and in it I'm exporting evtx files with the ExportLogAndMessages function, using the code below:
     
    EventLogSession logsession = new EventLogSession();
    logsession.ExportLogAndMessages(LogName, PathType.LogName, "*", subfolderpath, false, CultureInfo.CurrentCulture);


    It is fetching all the data, but now I want to fetch only the events within a selected time period, so please tell me how to write a query to get the events that were created in a particular time span.
    TIA 

    sumitk

    Monday, November 27, 2017 6:34 AM

Answers

  • Hello Sumitk,

    Your query string should be in complete XML format, and it is provided by the "Create Custom View" window that Castorix31 mentioned. The following is a simple demo.

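    using System;
    using System.Diagnostics.Eventing.Reader;
    using System.Globalization;
    using System.Xml.Linq;

    class Program
    {
        static void Main()
        {
            // Structured XML query: System log events whose TimeCreated (UTC) falls inside the window
            string query = "<QueryList><Query Id=\"0\" Path= \"System\"><Select Path = \"System\">*[System[TimeCreated[@SystemTime &gt;= '2017-11-01T10:14:09.000Z' and @SystemTime&lt;= '2017-11-28T10:14:09.999Z']]]</Select> </Query></QueryList>";
            // Throws XmlException if the query string is not well-formed XML
            XDocument xDocument = XDocument.Parse(query);
            EventLogSession logsession = new EventLogSession();
            // Export the matching events, with their rendered messages, to an .evtx file
            logsession.ExportLogAndMessages("System", PathType.LogName, query, @"D:\t6.evtx", false, CultureInfo.CurrentCulture);
            Console.Write("sssss");
            Console.ReadKey();
        }
    }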

    Note: I use the XDocument.Parse method to check whether the query string has a correct XML format.

    Best regards,

    Neil Hu



    • Edited by Fei Hu (Moderator) Tuesday, November 28, 2017 10:59 AM
    • Marked as answer by Sumitk.cdac Wednesday, November 29, 2017 4:29 AM
    Tuesday, November 28, 2017 10:59 AM
    Moderator
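
The time-window export from the answer above, as an added example that is not part of the original thread: it builds the structured XML query from two `DateTime` values instead of a hand-typed string, so the UTC conversion and the XML escaping of `>=` and `<=` are done by the code. The class name, `BuildQuery`, and the output path are hypothetical.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Xml.Linq;

static class EvtxTimeRangeExport
{
    // Builds a structured XML query selecting events of one log whose
    // TimeCreated lies in [from, to]. @SystemTime is compared in UTC, so
    // local or Unspecified-kind values (e.g. from a WPF date picker) are
    // converted first; ToUniversalTime treats Unspecified as local time.
    public static string BuildQuery(string logName, DateTime from, DateTime to)
    {
        DateTime startUtc = from.ToUniversalTime();
        DateTime endUtc = to.ToUniversalTime();
        if (startUtc > endUtc)
            throw new ArgumentException("Start of the window is later than its end.");

        const string fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
        string start = startUtc.ToString(fmt, CultureInfo.InvariantCulture);
        string end = endUtc.ToString(fmt, CultureInfo.InvariantCulture);

        // Plain operators here: XElement writes them as &gt; and &lt;
        // when the element is serialised, keeping the XML well-formed.
        string xpath = "*[System[TimeCreated[@SystemTime>='" + start +
                       "' and @SystemTime<='" + end + "']]]";

        return new XElement("QueryList",
            new XElement("Query",
                new XAttribute("Id", "0"), new XAttribute("Path", logName),
                new XElement("Select", new XAttribute("Path", logName), xpath)))
            .ToString(SaveOptions.DisableFormatting);
    }

    static void Main()
    {
        // Constructed sample window: the last 24 hours of the System log.
        DateTime to = DateTime.Now;
        string query = BuildQuery("System", to.AddHours(-24), to);
        Console.WriteLine(query);

        string target = @"C:\Temp\system-last24h.evtx"; // hypothetical path
        using (var session = new EventLogSession())
        {
            session.ExportLogAndMessages("System", PathType.LogName, query,
                target, false, CultureInfo.CurrentCulture);
        }
    }
}
```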

All replies

  • You can see the generated XML queries in Event Viewer with "Create Custom View"
    Monday, November 27, 2017 8:50 AM
  • You can see the generated XML queries in Event Viewer with "Create Custom View"

    Hi,

    Thanks for your reply. Can you please tell me how to use this query in the above function?

     if (EventLog.Exists(LogName))
                {
                    EventLogSession logsession = new EventLogSession();
                   
                    logsession.ExportLogAndMessages(LogName, PathType.LogName, "*[System[TimeCreated[@SystemTime&gt;='2017-11-28T02:49:35.000Z' and @SystemTime&lt;='2017-11-28T03:50:51.999Z']]]", subfolderpath, false, CultureInfo.CurrentCulture);
    
                }

    I tried it like this, but it says invalid query.


    sumitk

    Tuesday, November 28, 2017 5:08 AM