如何导出Windows系统和应用程序事件日志?
[英]How to export Windows System and Application event log?
问题描述
Using the EvtExportLog function , I currently fail to specify a correct value for the Path and/or Query parameter. 
使用EvtExportLog函数 ,当前无法为Path和/或Query参数指定正确的值。
My goal is to export the local Application and System event log. 我的目标是导出本地应用程序和系统事件日志。
I've tried: 我试过了:
EvtExportLog(
IntPtr.Zero,
"Application",
"*",
"C:\\SomePath\\Application.evtx",
EventExportLogFlags.LogFilePath);
with the following P/Invoke definition: 具有以下P / Invoke定义:
[Flags]
private enum EventExportLogFlags
{
ChannelPath = 1,
LogFilePath = 2,
TolerateQueryErrors = 0x1000
};
[DllImport(@"wevtapi.dll",
CallingConvention = CallingConvention.Winapi,
CharSet = CharSet.Auto,
SetLastError = true)]
private static extern bool EvtExportLog(
IntPtr sessionHandle,
string path,
string query,
string targetPath,
[MarshalAs(UnmanagedType.I4)] EventExportLogFlags flags);
Unfortunately the function returns false and a last error code of 2 ( ERROR_FILE_NOT_FOUND ). 不幸的是,该函数返回false和最后一个错误代码2( ERROR_FILE_NOT_FOUND )。
My question: 我的问题:
What to put in the Path and Query parameters to export the local Application and System event log? 要在Path和Query参数中添加什么以导出本地应用程序和系统事件日志?
1 个解决方案
解决方案1
5 已采纳 2015-05-27 10:04:13
To answer my own question: 要回答我自己的问题:
My Path and Query was actually correct. 我的Path和Query实际上是正确的。 What was wrong, was the Flags parameter. 出问题的是Flags参数。
Instead of specifying the EventExportLogFlags.LogFilePath parameter, I had to specify the EventExportLogFlags.ChannelPath parameter. 不必指定EventExportLogFlags.LogFilePath参数,而是必须指定EventExportLogFlags.ChannelPath参数。
Then the export succeeds: 然后导出成功:
EvtExportLog(
IntPtr.Zero,
"Application",
"*",
"C:\\SomePath\\Application.evtx",
EventExportLogFlags.ChannelPath); // <-- HERE!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.