EventLogWatcher with Query *[System[(EventID = 4624) and (EventRecordID >= 108801)]]

  • Question

  • Hi team,

    I am looking to get real-time events from the Security log. When I use EventLogQuery (XPath query) with an EventRecordID filter, the callback method is not called. This is my code; please advise if it needs any correction.

    using System;
    using System.Diagnostics.Eventing.Reader;

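    namespace SubscribeToEventsExample
    {
        /// <summary>
        /// Console sample that subscribes to the Security event log and prints
        /// a line for every event matching the subscription query.
        /// </summary>
        class Program
        {
            // Structured XML query: Event ID 4624 (successful logon) in the
            // Security log, restricted to EventRecordID >= 108801.
            // The inner double quotes are escaped so the literal compiles.
            private const string SubscriptionQueryXml =
                "<QueryList>  <Query Id=\"0\" Path=\"Security\">" +
                "<Select Path=\"Security\">" +
                "*[System[(EventID = 4624) and (EventRecordID >= 108801)]]" +
                "</Select></Query></QueryList>";

            /// <summary>
            /// Creates the subscription, enables it, and blocks so that the
            /// callback can run for as long as the process lives.
            /// </summary>
            /// <param name="args">Command-line arguments (unused).</param>
            static void Main(string[] args)
            {
                EventLogWatcher watcher = null;

                try
                {
                    // Subscribe to event notifications from the Security log.
                    EventLogQuery subscriptionQuery = new EventLogQuery(
                        "Security", PathType.LogName, SubscriptionQueryXml);

                    // NOTE(review): a watcher built from a query alone is expected
                    // to report only events written after it is enabled. If the
                    // goal is to resume from a known position, the
                    // EventLogWatcher(EventLogQuery, EventBookmark, bool) overload
                    // is the mechanism intended for that -- confirm against the
                    // behaviour you observe.
                    watcher = new EventLogWatcher(subscriptionQuery);

                    // Register the callback invoked for each matching record.
                    watcher.EventRecordWritten +=
                        new EventHandler<EventRecordWrittenEventArgs>(
                            EventLogEventRead);

                    // Begin subscribing to events.
                    watcher.Enabled = true;

                    // Keep the process alive without a busy loop: an empty
                    // while(true) pins a CPU core, a blocking sleep does not.
                    System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite);
                }
                catch (EventLogReadingException e)
                {
                    Console.WriteLine("Error reading the log: {0}", e.Message);
                    Console.WriteLine("Stack trace: {0}", e.StackTrace);
                }
                catch (UnauthorizedAccessException e)
                {
                    // Reading the Security log needs elevated rights (for example
                    // an administrator or a member of Event Log Readers); report
                    // the denial instead of crashing with an unhandled exception.
                    Console.WriteLine("Access to the Security log was denied: {0}", e.Message);
                }
                finally
                {
                    // Guard first: if construction failed, watcher is still null
                    // and touching Enabled would throw NullReferenceException.
                    if (watcher != null)
                    {
                        // Stop listening to events, then release the subscription.
                        watcher.Enabled = false;
                        watcher.Dispose();
                    }
                }
            }

            /// <summary>
            /// Callback method that gets executed when an event is
            /// reported to the subscription.
            /// </summary>
            /// <param name="obj">The sender of the notification.</param>
            /// <param name="arg">
            /// Carries the delivered record, or the exception raised while
            /// reading it.
            /// </param>
            public static void EventLogEventRead(object obj,
                EventRecordWrittenEventArgs arg)
            {
                // Make sure there was no error reading the event.
                if (arg.EventRecord != null)
                {
                    // Print both identifiers with distinct labels: Id is the
                    // event ID, RecordId is the record's position in the log.
                    Console.WriteLine(
                        "Received event ID {0} (record ID {1}) from the subscription.",
                        arg.EventRecord.Id,
                        arg.EventRecord.RecordId);
                    // Console.WriteLine("Description: {0}", arg.EventRecord.FormatDescription());
                }
                else
                {
                    Console.WriteLine("The event instance was null.");

                    // Surface the underlying failure so a broken subscription
                    // is not silently reduced to "null".
                    if (arg.EventException != null)
                    {
                        Console.WriteLine("Subscription error: {0}", arg.EventException.Message);
                    }
                }
            }
        }
    }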

    Note  :

    When I use EventLogQuery like this, it works for me:

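    // Same subscription without the EventRecordID filter (Event ID 4624 only).
    // The quotes inside the XML query are escaped so the C# literal compiles.
    EventLogQuery subscriptionQuery = new EventLogQuery("Security", PathType.LogName, "<QueryList>  <Query Id=\"0\" Path=\"Security\"><Select Path=\"Security\">*[System[(EventID = 4624)]]</Select></Query></QueryList>");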

    Thanks in Advance


    • Edited by Balakumar Smart Monday, March 12, 2018 9:42 AM Xpath query changed
    Tuesday, February 20, 2018 6:08 PM

All replies