如何使用给定的事件 ID 查询事件日志详细信息? [英] How to Query for an event log details with a given event id?
本文介绍了如何使用给定的事件 ID 查询事件日志详细信息?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
- 如何知道是否记录了特定事件(给定事件 ID、时间和节点作为输入)?[在这种情况下,我知道只会记录一个事件]
- 如果记录了事件,我如何获取事件描述、日志名称等详细信息.
例如,我想在节点 Applications and Services Logs > Microsoft > Windows > groupPolicy > Operational 下查询事件,事件 ID 为 5315,时间为当前时间.
for eg, I want to query for an event under the node Applications and Services Logs > Microsoft > Windows > groupPolicy > Operational, and event id is 5315 and time is current time.
推荐答案
如果您要从新样式的 Windows EventLogs 查询事件,则有一些新的变化.
There are a few new twists if your going to query events from the new style Windows EventLogs.
- 您必须使用
System.Diagnostics.Eventing.Reader命名空间中的类来读取新事件. - 您的查询将采用 Xpath 形式,因此时间值很棘手,请参阅 msdn 以了解
EventLogQuery定义. - 您的程序将遇到访问问题,请准备好模拟记录机器上
EventReadersAD 组中包含的用户.
- You will have to use the classes from the
System.Diagnostics.Eventing.Readernamespace to read the new events. - Your query will be in Xpath form, so that time value is tricky, see msdn for the
EventLogQuerydefinition. - Your program will run into access issues, be ready to impersonate a user that's included in the
EventReadersAD group on the logging machine.
此示例展示了一些新的访问方法:
This sample shows some of the new access methods:
string eventID = "5312";
string LogSource = "Microsoft-Windows-GroupPolicy/Operational";
string sQuery = "*[System/EventID=" + eventID + "]";
var elQuery = new EventLogQuery(LogSource, PathType.LogName, sQuery);
using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
{
List<EventRecord> eventList = new List<EventRecord>();
EventRecord eventInstance = elReader.ReadEvent();
try
{
for (null != eventInstance; eventInstance = elReader.ReadEvent())
{
//Access event properties here:
//eventInstance.LogName;
//eventInstance.ProviderName;
eventList.Add(eventInstance);
}
}
finally
{
if (eventInstance != null)
eventInstance.Dispose();
}
}
这篇关于如何使用给定的事件 ID 查询事件日志详细信息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
