有人知道是否可以将给定时间间隔内的Windows事件日志保存为带C#的文本文件?例如,假设我想在10-11点之间将文本事件日志保存在文本文件中。如果有可能有人链接到一个好的教程或可能会让我走的代码片段?我在网上搜索但无法得到我想要的东西。
答案 1 :(得分:2)
只需为其他人添加有关如何按时间范围过滤事件日志的信息,作为WMI查询的一部分。
请注意，'TimeGenerated' 是事件发生的时间，'TimeWritten' 是事件被写入日志的时间。'RecordNumber' 是一个唯一索引，可用于防止冲突或重复记录。
System.Management.ManagementDateTimeConverter 可在 C# DateTime 和 WMI CIM_DATETIME 格式之间进行转换。但请注意，它会把 UTC 的 CIM 时间转换为本地(Local) DateTime，同时 Kind 仍保持 Unspecified，因此请在转换后显式设置 Kind，以免后续时区换算出错！
这是在过去30分钟内抓取安全故障(跟踪锁定)的示例:
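/// <summary>
/// Queries the Security event log of <paramref name="computerName"/> through WMI
/// (Win32_NTLogEvent) for EventType 5 records whose TimeGenerated lies in the last 30 minutes.
/// </summary>
/// <param name="computerName">Host whose event log is read (used to build the WMI path).</param>
/// <param name="userName">Account used for the WMI connection; empty for the caller's own identity.</param>
/// <param name="userPass">Password belonging to <paramref name="userName"/>.</param>
/// <remarks>
/// Reading the Security log needs appropriate rights on the target; when they are missing the WMI
/// call throws (e.g. <see cref="ManagementException"/> or <see cref="UnauthorizedAccessException"/>),
/// and this method deliberately lets that propagate to the caller.
/// </remarks>
private void SearchEventViewer(string computerName, string userName, string userPass)
{
    var scope = CreateManagementScope(computerName, userName, userPass);

    // Lower bound of the search window as a DMTF (CIM_DATETIME) string. It is generated here from
    // the clock, not taken from user input, so splicing it into the WQL text is safe. Any bound
    // that comes from outside (UI, config, request) must be validated/formatted through
    // ToDmtfDateTime before it is embedded, never concatenated raw.
    var startTime = ManagementDateTimeConverter.ToDmtfDateTime(DateTime.UtcNow.AddMinutes(-30));
    var query = new SelectQuery(
        "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventType = '5' AND TimeGenerated > '" + startTime + "'");

    // The searcher, the result collection and every returned object are IDisposable (COM-backed);
    // dispose all of them so the WMI handles do not linger until finalization.
    using (var searcher = new ManagementObjectSearcher(scope, query))
    using (var result = searcher.Get())
    {
        foreach (ManagementBaseObject item in result)
        {
            using (item)
            {
                // ToDateTime returns a local time whose Kind is Unspecified; pin the Kind so any
                // later ToUniversalTime()/ToLocalTime() call behaves predictably.
                var eventTimeLocal = DateTime.SpecifyKind(
                    ManagementDateTimeConverter.ToDateTime(item["TimeGenerated"].ToString()),
                    DateTimeKind.Local);

                // "Message" can be null for some records; Convert.ToString maps null to "" instead
                // of throwing a NullReferenceException on .ToString().
                var eventDetails = Convert.ToString(item["Message"]).Replace("\r\n\r\n", "\r\n");
                eventDetails += "\r\nEventCode: " + item["EventCode"];
                eventDetails += "\r\nCatogory: " + item["Category"]; // label kept byte-for-byte (typo is in the original output)
                eventDetails += "\r\nRecord Number: " + item["RecordNumber"];
                // Invariant culture: the timestamp is machine-readable output, not UI text.
                eventDetails += "\r\nLocal Time: " + eventTimeLocal.ToString("yyyy-MM-dd HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);
                // Do something...
            }
        }
    }
}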
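/// <summary>
/// Builds a <see cref="ManagementScope"/> for the root\cimv2 namespace on <paramref name="computerName"/>.
/// </summary>
/// <param name="computerName">Target host name or address used in the WMI path.</param>
/// <param name="username">Account to authenticate as; null/empty means the caller's own identity.</param>
/// <param name="password">Password for <paramref name="username"/>.</param>
/// <returns>
/// A scope pointing at \\computerName\root\cimv2. Explicit credentials (with Impersonate and
/// PacketPrivacy) are attached only when BOTH username and password are supplied.
/// </returns>
/// <remarks>
/// When only one of the two credential parts is given the scope silently falls back to the caller's
/// identity and the default DCOM authentication level; no error is raised. Callers that consider a
/// username without a password a mistake should validate that before calling this method.
/// </remarks>
private ManagementScope CreateManagementScope(string computerName, string username = "", string password = "")
{
    var managementPath = @"\\" + computerName + @"\root\cimv2";
    var scope = new ManagementScope(managementPath);

    // Treat null like "" — the previous `!= ""` check let a null username/password count as
    // explicit credentials. Credentials are attached only when both parts are present.
    if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
    {
        scope.Options = new ConnectionOptions
        {
            Username = username,
            Password = password,
            // Impersonate: the remote WMI provider runs with the supplied identity.
            Impersonation = ImpersonationLevel.Impersonate,
            // PacketPrivacy: the strongest DCOM level — every packet is authenticated and encrypted,
            // so neither the credentials nor the returned log records cross the network in the clear.
            Authentication = AuthenticationLevel.PacketPrivacy
        };
    }

    return scope;
}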