將事件查看器日志文件導出為A * .evtx文件
[英]Exporting Event viewer Log File As A *.evtx File
問題描述
我正在嘗試從事件查看器導出信息。
我試圖用EventLogSession這樣做,所以我可以用.evtx格式而不僅僅是文本文件。
public static void ExportEventViewerLog(int YearsAgo = 0, int MonthsAgo = 0, int DaysAgo = 0)
{
int Year = 0;
int Month = 0;
int Day = 0;
if (YearsAgo != 0)
{
Year = YearsAgo;
}
else if (MonthsAgo != 0)
{
Month = MonthsAgo;
}
else if (DaysAgo != 0)
{
Day = DaysAgo;
}
DateTime previousDate = DateTime.Now.AddYears(-Year).AddMonths(-Month).AddDays(-Day);
DateTime now = DateTime.Now.Date;
Console.WriteLine(previousDate.ToString("yyyy-MM-dd"));
//2018-06-12
Console.WriteLine(now.ToString("hh:mm:ss"));
//12:00:00
string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), "test.evtx");
string query = "<QueryList> " + $@"<Select Path=""Application"">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='{previousDate.ToString("yyyy-MM-dd")}T{previousDate.ToString("hh:mm:ss")}.000Z' and @SystemTime<='{now.ToString("yyyy-MM-dd")}T{now.ToString("hh:mm:ss")}.999Z']]]</Select> " + "</Query> " + "</QueryList>";
EventLogSession eventLogSession = new EventLogSession();
eventLogSession.ExportLogAndMessages("Application", PathType.LogName, query, path, false, CultureInfo.CurrentCulture);
}
這是我如何稱呼它
static void Main()
{
ExportEventViewerLog(YearsAgo: 0, MonthsAgo: 0, DaysAgo: 1);
Console.WriteLine("Press Any Key To Exit");
Console.ReadKey();
}
這是錯誤
System.Diagnostics.Eventing.Reader.EventLogException
System.Diagnostics.Eventing.Reader.EventLogException HResult=0x80131500 Source=System.Core StackTrace: at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode) at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtExportLog(EventLogHandle session, String channelPath, String query, String targetFilePath, Int32 flags) at System.Diagnostics.Eventing.Reader.EventLogSession.ExportLog(String path, PathType pathType, String query, String targetFilePath, Boolean tolerateQueryErrors) at System.Diagnostics.Eventing.Reader.EventLogSession.ExportLogAndMessages(String path, PathType pathType, String query, String targetFilePath, Boolean tolerateQueryErrors, CultureInfo targetCultureInfo) at app.Program.ExportEventViewerLog(Int32 YearsAgo, Int32 MonthsAgo, Int32 DaysAgo) in C:\\Users\\User\\app\\Program.cs:line 296 atapp_1._0.Program.Main() in C:\\Users\\User\\Google Drive\\app\\Program.cs:line 34
注意:我不相信路徑是問題,因為如果我將查詢更改為通配符* ,該方法將執行而沒有任何錯誤,我從event viewer -> filter current log -> xml生成查詢event viewer -> filter current log -> xml
這是從事件查看器生成的原始查詢
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='1991-07-24T21:12:12.000Z' and @SystemTime<='2018-06-12T21:12:12.999Z']]]</Select>
1 個解決方案
解決方案1
1 已采納 2018-06-13 13:23:32
您缺少XML標記:
<Query Id=\"0\" Path=\"Application\">
修復此問題仍然導致我的異常,即使是管理員,但是使用不同的路徑修復它(可能是因為事件查看器服務缺少用戶路徑上的權限)
string path = Path.Combine(Path.GetTempPath(), "test.evtx");
導出時如何在報告查看器中設置其他名稱而不是默認 pdf 文件名?
[英]How do I set other name instead of default pdf file name in report viewer while exporting it?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.