Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to Query for an event log details with a given event id?

Tags:

c#

events

  1. How to know whether a particular event (given event ID, time and node as inputs) is logged or not? [In this case, I know only one event will be logged]
  2. If the event is logged, how do I get details like event description, Log-name etc..

for eg, I want to query for an event under the node Applications and Services Logs > Microsoft > Windows > groupPolicy > Operational, and event id is 5315 and time is current time.

like image 813
satya Avatar asked Mar 17 '10 13:03

satya

2 Answers

There are a few new twists if your going to query events from the new style Windows EventLogs.

  1. You will have to use the classes from the System.Diagnostics.Eventing.Reader namespace to read the new events.
  2. Your query will be in Xpath form, so that time value is tricky, see msdn for the EventLogQuery definition.
  3. Your program will run into access issues, be ready to impersonate a user that's included in the EventReaders AD group on the logging machine.

This sample shows some of the new access methods:

string eventID = "5312";
string LogSource = "Microsoft-Windows-GroupPolicy/Operational";  
string sQuery = "*[System/EventID=" + eventID + "]";

var elQuery = new EventLogQuery(LogSource, PathType.LogName, sQuery);
using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
{

    List<EventRecord> eventList = new List<EventRecord>();
    EventRecord eventInstance = elReader.ReadEvent();
    try
    {
        for (null != eventInstance; eventInstance = elReader.ReadEvent())
        {
            //Access event properties here:
            //eventInstance.LogName;
            //eventInstance.ProviderName;
            eventList.Add(eventInstance);
        }
    }
    finally
    {
        if (eventInstance != null)
            eventInstance.Dispose();
    }
}
like image 144
Tj Kellie Avatar answered Oct 27 '22 18:10

Tj Kellie

You could query the event log in question:

var sourceName = "MySource";
var el = new EventLog("Application");
var latestEntryTime = (from entry in el.Entries.Cast<EventLogEntry>()
                       where entry.Source == sourceName
                       && // put other where clauses here...
                       orderby entry.TimeWritten descending
                       select entry).First();

However, be warned that this approach is slow, since the Entries collection tends to be quite big.

like image 36
Mark Seemann Avatar answered Oct 27 '22 20:10

Mark Seemann
Sign in to Comment

Related questions

Why Does .NET 4.6 Specific Code Compile When Targeting Older Versions of the Framework? [duplicate]
Change a Windows Store App's title text
Why can't we debug a method with yield return for the following code? [duplicate]
Python multiline lambda
Auto format C# code In Visual Studio Code
How to WhenAll when some tasks can be null?
Using multiple authentication schemes in ASP.NET Core 3.1?
TDD and Mocking out TcpClient
Creating a Popup Balloon like Windows Messenger or AVG
Check if output is redirected
How to normalize a list of int values
what is the cleanest way to remove all extra spaces from a user input comma delimited string into an array
Is C# suitable for a scripting language? [closed]
Celsius symbol in RichTextBox
Converting Enums to Key,Value Pairs
How do I protect this function from SQL injection?
Triggering an event after a Winform layout is complete
How can I swallow all exceptions and protect my application from crashing?
What to pass? Reference Object or Value Type?
FileStream: used by another process error

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!