EventLogQuery not pulling results

Time: 2014-10-07 14:17:21

Tags: c#

Edit: OK, I know the query is incorrect. When I remove the TimeCreated part, I get results. What is the correct way to pull all events for a given day?

using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

DateTime startTime = DateTime.Now.Date;
string logName = "System";        // placeholder values for the variables used below
string serverName = "localhost";
var entries = new List<EventRecord>();

// Query as posted: returns nothing once the TimeCreated clause is added.
string query = "*[System/Level=1 or System/Level=2] and TimeCreated[@SystemTime >= '" + startTime + "']";
using (EventLogSession session = new EventLogSession(serverName))
{
    EventLogQuery eventQuery = new EventLogQuery(logName, PathType.LogName, query);
    eventQuery.Session = session;

    using (EventLogReader reader = new EventLogReader(eventQuery))
    {
        for (EventRecord eventDetail = reader.ReadEvent(); eventDetail != null; eventDetail = reader.ReadEvent())
        {
            entries.Add(eventDetail);
        }
    }
}

I also tried the following

"*[System/Level=1 or System/Level=2] and *[System/TimeCreated[@SystemTime >= '" + startTime + "']]";

"*[System[(Level=1) or System[(Level=2)] and TimeCreated[@SystemTime >= '" + startTime.ToUniversalTime().ToString("o") + "']]";
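The following is an added example, not code from the question or from the answer below. It shows the shape of query that the three attempts above do not have: both the Level test and the TimeCreated test sit inside a single `System[...]` predicate (an XPath of the form `*[...] and TimeCreated[...]` is not a valid selector), and the timestamps are written as UTC ISO 8601 with a `Z` suffix, which is how the log stores `@SystemTime`; concatenating a `DateTime` with its default `ToString()` yields a culture-specific local string that never compares correctly. The log name `System` and the optional server name are assumptions standing in for the question's `logName` and `serverName`. If you embed the same expression inside a `<QueryList>` XML query instead of passing it as a raw XPath string, the `<` in the upper bound must be written as `&lt;`.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;

public static class DayQuery
{
    // @SystemTime is stored in UTC and compared as an ISO 8601 string, so the
    // value must be converted to UTC and formatted with an invariant culture.
    public static string ToEventLogTime(DateTime t)
    {
        return t.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'", CultureInfo.InvariantCulture);
    }

    // Critical (1) and Error (2) events for one local calendar day, as the
    // half-open window [local midnight, next local midnight). The half-open
    // upper bound keeps events logged in the last second of the day.
    public static string BuildDayQuery(DateTime localDay)
    {
        DateTime start = localDay.Date;
        DateTime end = start.AddDays(1);
        return "*[System[(Level=1 or Level=2) and TimeCreated[@SystemTime >= '"
             + ToEventLogTime(start) + "' and @SystemTime < '"
             + ToEventLogTime(end) + "']]]";
    }

    // serverName == null queries the local machine (assumed default).
    public static List<EventRecord> ReadDay(string logName, DateTime localDay, string serverName = null)
    {
        var entries = new List<EventRecord>();
        var query = new EventLogQuery(logName, PathType.LogName, BuildDayQuery(localDay));
        using (EventLogSession session = serverName == null ? new EventLogSession() : new EventLogSession(serverName))
        {
            query.Session = session;
            using (var reader = new EventLogReader(query))
            {
                for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                    entries.Add(rec);
            }
        }
        return entries;
    }

    public static void Main()
    {
        // Today's Critical/Error events from the local System log (assumed log name).
        foreach (EventRecord rec in ReadDay("System", DateTime.Now))
        {
            Console.WriteLine("{0:u} {1} {2} id={3}", rec.TimeCreated, rec.LevelDisplayName, rec.ProviderName, rec.Id);
        }
    }
}
```

`BuildDayQuery(new DateTime(2014, 10, 7))` on a machine in UTC produces `*[System[(Level=1 or Level=2) and TimeCreated[@SystemTime >= '2014-10-07T00:00:00.000Z' and @SystemTime < '2014-10-08T00:00:00.000Z']]]`; on a machine with a UTC offset the two boundaries shift accordingly, which is what makes "all events on a given day" mean the local day rather than the UTC day.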

1 answer:

Answer 0 (score: 1)

Here is what I use to retrieve logs from the Event Viewer; you can parameterize it very easily

using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Linq;
using System.Text;

public static void WriteEventViewerHistoryByTypes(IList<EventViewerCriticalityLevel> levelTypes, string logType, string filePath, IList<string> sources, DateTime? startDate = null, DateTime? endDate = null)
{
    if (levelTypes == null || levelTypes.Count == 0)
        levelTypes = new List<EventViewerCriticalityLevel> { EventViewerCriticalityLevel.Comment, EventViewerCriticalityLevel.Error, EventViewerCriticalityLevel.Fatal, EventViewerCriticalityLevel.Info, EventViewerCriticalityLevel.Warning };

    // Provider names are spliced straight into the XPath; reject quotes so a
    // caller-supplied name cannot break out of the @Name='...' literal.
    if (sources != null && sources.Any(s => s == null || s.Contains("'")))
        throw new ArgumentException("provider names must not contain quotes", "sources");

    StringBuilder sb = new StringBuilder();
    sb.Append("<QueryList>");
    sb.AppendFormat("<Query Id=\"0\" Path=\"{0}\">", logType);
    sb.AppendFormat("   <Select Path=\"{0}\">", logType);
    sb.Append("   *[System[(");

    // Level 0 (LogAlways) is displayed as Information by Event Viewer, so Info matches it too.
    sb.AppendFormat("({0})", string.Join(" or ", levelTypes.Select(lev =>
        lev == EventViewerCriticalityLevel.Info
            ? string.Format("Level={0} or Level=0", (int)lev)
            : string.Format("Level={0}", (int)lev))));

    if (sources != null && sources.Count > 0)
    {
        sb.Append(" or ");
        sb.AppendFormat("(Provider[{0}])", string.Join(" or ", sources.Select(el => "@Name='" + el + "'")));
    }
    sb.Append(")");

    // @SystemTime is stored in UTC, so convert before formatting; "o" with the
    // invariant culture gives the ISO 8601 form the query engine expects.
    if (startDate.HasValue)
    {
        sb.AppendFormat(" and TimeCreated[@SystemTime >= '{0}']", startDate.Value.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture));
    }
    if (endDate.HasValue)
    {
        // The query is XML, so '<' must be escaped as '&lt;' inside the Select element.
        sb.AppendFormat(" and TimeCreated[@SystemTime &lt;= '{0}']", endDate.Value.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture));
    }
    sb.Append("]]");
    sb.Append("   </Select>");
    sb.Append("</Query>");
    sb.Append("</QueryList>");

    // Exports the matching events plus their message resources to an .evtx file.
    using (EventLogSession sess = new EventLogSession())
    {
        sess.ExportLogAndMessages(logType, PathType.LogName, sb.ToString(), filePath, true, CultureInfo.CurrentCulture);
    }
}

Here is the enum

// Values match the System/Level field of an event record; the comments give
// the names Event Viewer uses for each level.
public enum EventViewerCriticalityLevel
{
    Fatal = 1,   // Critical
    Error = 2,   // Error
    Warning = 3, // Warning
    Info = 4,    // Information (Level 0, LogAlways, is also displayed as Information)
    Comment = 5  // Verbose
}

It generates an .evtx file that can be read with the Event Viewer console.

Hope it helps!
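As an added example (not part of the answer above), the code below reads the exported .evtx back with `PathType.FilePath` and summarises it per level and provider. Checking the export this way confirms that the generated query matched what was intended before the file is handed to Event Viewer or to someone doing an investigation. The file path is an assumption; it stands for whatever was passed as `filePath` to `WriteEventViewerHistoryByTypes`.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

public static class ExportCheck
{
    // Counts the events in a saved .evtx, keyed by "Level/Provider".
    public static Dictionary<string, int> Summarize(string evtxPath)
    {
        var counts = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        // PathType.FilePath reads the saved file rather than a live channel.
        var query = new EventLogQuery(evtxPath, PathType.FilePath);
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    // Level is nullable; treat a missing level as 0 (LogAlways).
                    string key = (rec.Level ?? 0) + "/" + rec.ProviderName;
                    int n;
                    counts.TryGetValue(key, out n);
                    counts[key] = n + 1;
                }
            }
        }
        return counts;
    }

    // Prints the first `limit` records with their rendered message text.
    // ExportLogAndMessages stores the provider message resources alongside the
    // events, which is what lets FormatDescription() work on a machine where
    // the providers are not registered; ExportLog alone does not.
    public static void PrintFirst(string evtxPath, int limit)
    {
        var query = new EventLogQuery(evtxPath, PathType.FilePath);
        using (var reader = new EventLogReader(query))
        {
            int shown = 0;
            for (EventRecord rec = reader.ReadEvent(); rec != null && shown < limit; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    string msg;
                    try { msg = rec.FormatDescription(); }
                    catch (EventLogException) { msg = null; } // no message resources for this provider
                    Console.WriteLine("{0:u} [{1}] {2} id={3}: {4}",
                        rec.TimeCreated, rec.LevelDisplayName, rec.ProviderName, rec.Id,
                        msg ?? "(message not available)");
                    shown++;
                }
            }
        }
    }

    public static void Main(string[] args)
    {
        // Assumed default path; pass the real export path as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\temp\export.evtx";
        foreach (var kv in Summarize(path))
            Console.WriteLine("{0,-40} {1}", kv.Key, kv.Value);
        PrintFirst(path, 5);
    }
}
```

If the summary shows levels other than the ones requested, the `or (Provider[...])` branch of the answer's query is the usual cause: events from the listed providers are selected at every level, not only at the requested levels.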