EvtExportLog API 将远程机器的事件日志保存在远程 PC 本身中。 如何将其保存到主机 PC？

Question

I have used EvtOpenSession API to create a session to a remote machine's eventlog, then used the session handle to call EvtExportLog API. I need the eventlog file in the host PC(where I am running this application), but this API is dumping the evenlog into the remote machine itself. What should I do to get the eventlog in host PC?

I have tried with a shared path in host PC as well(instead of _T("C:\\Test\\EventLogApplication.evt") I used _T("\\\\ComputerName\\Events\\EventLogApplication.evt"). In this case I am getting an access violation error.

here is the code snippet i used

......

hRemote = EvtOpenSession(EvtRpcLogin, &Credentials, 0, 0);

if (hRemote)    
{

   if (!EvtExportLog(hRemote, _T("Application"), NULL,_T("C:\\Test\\EventLogApplication.evt"), EvtExportLogChannelPath))    
   {
       std::cout << "Error-Code : " << GetLastError() << std::endl;
   }

}

......

Answer 1

As far as I know, EvtExportLog cannot be used to save eventlog of remote machine to host PC. But for the issue, you can use the workaround.

Beacuse this behavior is by designed since all the operation is based on the RPC server. To save the event logs on local PC, we can create a shared folder on remote PC which save the remote event logs.

Refer: How do you create a file share on a remote system?

After the logs save on remote PC, we can use CopyFile to copy the logs to local PC from the shared folder on the remote PC.

Note: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: Security resource properties for the existing file are not copied to the new file until Windows 8 and Windows Server 2012.

File attributes for the existing file are copied to the new file. For example, if an existing file has the FILE_ATTRIBUTE_READONLY file attribute, a copy created through a call to CopyFile will also have the FILE_ATTRIBUTE_READONLY file attribute. For more information, see Retrieving and Changing File Attributes.

This function fails with ERROR_ACCESS_DENIED if the destination file already exists and has the FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_READONLY attribute set.

When CopyFile is used to copy an encrypted file, it attempts to encrypt the destination file with the keys used in the encryption of the source file. If this cannot be done, this function attempts to encrypt the destination file with default keys. If neither of these methods can be done, CopyFile fails with an ERROR_ENCRYPTION_FAILED error code.

Refer: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfile#remarks

Hope to help you.