public static void Export(string path)
{
using (var log = new EventLogSession())
{
log.ExportLogAndMessages("Application", PathType.LogName, Query, path);
}
}
public IEnumerable <XElement> ProvideInfo(XElement root)
{
foreach (var element in root.Elements("Log"))
{
var name = (string)element.Attribute("Name");
var filename = (string)element.Attribute("Filename");
var query = (string)element.Attribute("Query") ?? "*";
var temp = Path.GetTempPath();
var success = false;
try
{
using (var session = new EventLogSession())
{
session.ExportLogAndMessages(name, PathType.LogName, query, temp + filename);
}
_host.AddFile(temp + filename, filename, true);
success = true;
}
catch (Exception ex)
{
_log.Warn($"Error: {ex.Message}");
continue;
}
if (success)
{
yield return(new XElement("Log",
new XAttribute("Name", name),
new XAttribute("Filename", filename),
new XAttribute("Query", query)));
}
}
}
public static void ExtractLog(string query, string dirName, string fileName, string serverName, string domainName, string userName, string password)
{
string fileNameFullPath = string.Empty;
try
{
fileNameFullPath = (dirName + @"\" + fileName).Replace(@"\\", @"\");
//query = "*";
if (File.Exists(fileNameFullPath))
{
File.Delete(fileNameFullPath);
}
var secureString = new SecureString();
password.ToCharArray().ToList().ForEach(p => secureString.AppendChar(p));
using (var logSession = new EventLogSession(serverName, domainName, userName, secureString, SessionAuthentication.Default))
{
logSession.ExportLogAndMessages("Application", PathType.LogName, query, fileNameFullPath, true, CultureInfo.CurrentCulture);
logSession.Dispose();
}
}
catch (Exception ex)
{
throw new RMSAppException("ExtractLog failed. " + ex.Message, ex, false);
}
}
public static void ExtractLog(string query, string dirName, string fileName)
{
string fileNameFullPath = string.Empty;
try
{
//query = "*[System[TimeCreated[@SystemTime >= '" + DateTime.Now.AddHours(-1).ToUniversalTime().ToString("o") + "']]]";
// "(Provider/@Name=\"AD FS 2.0 Auditing\") and " +
// "(TimeCreated/@SystemTime <= \"" + toDate.ToString("yyyy-MM-ddTHH:mm:ss") + "\") and " +
//"(TimeCreated/@SystemTime >= " + DateTime.Now.AddHours(-10).ToString("o") + ")" +
//"]]";
//" and (TimeCreated/@SystemTime <= " + toDate.Ticks + ")]]";
//" and TimeCreated[timediff(@SystemTime) <= 86400000]]]";
fileNameFullPath = (dirName + @"\" + fileName).Replace(@"\\", @"\");
//query = "*";
if (File.Exists(fileNameFullPath))
{
File.Delete(fileNameFullPath);
}
using (var logSession = new EventLogSession())
{
logSession.ExportLogAndMessages("Application", PathType.LogName, query, fileNameFullPath, true, CultureInfo.CurrentCulture);
logSession.Dispose();
}
}
catch (Exception ex)
{
throw new RMSAppException("ExtractLog failed. " + ex.Message, ex, false);
}
}
public static string ExtractLogByPeriod(string directoryFullPath, string clientCode, int hourFromNow)
{
string query = "*[System[TimeCreated[@SystemTime >= '" + DateTime.Now.AddHours(-1 * hourFromNow).ToUniversalTime().ToString("o") + "']]]";
// "(Provider/@Name=\"AD FS 2.0 Auditing\") and " +
// "(TimeCreated/@SystemTime <= \"" + toDate.ToString("yyyy-MM-ddTHH:mm:ss") + "\") and " +
//"(TimeCreated/@SystemTime >= " + DateTime.Now.AddHours(-10).ToString("o") + ")" +
//"]]";
//" and (TimeCreated/@SystemTime <= " + toDate.Ticks + ")]]";
//" and TimeCreated[timediff(@SystemTime) <= 86400000]]]";
string eventLogFile = clientCode + ".EventLog." + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss", new CultureInfo("en-AU"));
if (!Directory.Exists(directoryFullPath))
{
Directory.CreateDirectory(directoryFullPath);
}
string fileNameWithFullPath = (directoryFullPath + @"\" + eventLogFile + ".evtx").Replace(@"\\", @"\");
using (var logSession = new EventLogSession())
{
if (File.Exists(fileNameWithFullPath))
{
File.Delete(fileNameWithFullPath);
}
logSession.ExportLogAndMessages("System", PathType.LogName, query, fileNameWithFullPath, true, CultureInfo.CurrentCulture);
}
return(fileNameWithFullPath);
}
public static string QueryExportLogAndMessages
(
string path
, string query
, string exportFile
, string machine = "."
, PathType pathType = PathType.LogName
, string domain = "."
, string user = null
, string password = null
, SessionAuthentication logOnType
= SessionAuthentication.Kerberos
)
{
var r = string.Empty;
EventLogSession eventLogSession = null;
if
(
TryGetEventLogSession
(
machine
, domain
, user
, password
, out eventLogSession
, logOnType
)
)
{
//Console.WriteLine(exportFile);
eventLogSession
.ExportLogAndMessages
(
path
, pathType
, query
, exportFile
, false
, CultureInfo.CurrentCulture
);
}
r = exportFile;
return(r);
}
public static bool ExportSystemEvent(SystemEventKind eventKind, string strExportPath, DateTime dateFrom, DateTime dateTo)
{
string strDateFrom = dateFrom.ToUniversalTime().ToString(_DATETIME_FORMAT);
string strDateTo = dateTo.ToUniversalTime().ToString(_DATETIME_FORMAT);
string strExportFileName = _ExportFileName[(int)eventKind];
string strFullPath = Path.Combine(strExportPath, strExportFileName);
try
{
if (!Directory.Exists(strExportPath))
{
Directory.CreateDirectory(strExportPath);
}
if (File.Exists(strFullPath))
{
File.Delete(strFullPath);
}
string queryStr = string.Format(_EVENT_SEARCH_CONDITION, strDateFrom, strDateTo);
EventLogSession els = new EventLogSession();
els.ExportLogAndMessages(
_systemEventKindName[(int)eventKind], // Log Name to archive
PathType.LogName, // Type of Log
queryStr, // Query selecting events
strFullPath, // Exported Log Path(log created by this operation)
false, // Stop the archive if the query is invalid
CultureInfo.CurrentCulture); // Culture to archive the events in
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
return(false);
}
return(true);
}
public static void Main(string[] args)
{
int exitCode = 0;
String logPath = "Application";
String query = "*/System[Level <= 3 and Level >= 1]"; // XPath selecting all events of level warning or higher.
String targetFile = Environment.ExpandEnvironmentVariables("%USERPROFILE%\\export.evtx");
String targetFileWithMessages = Environment.ExpandEnvironmentVariables("%USERPROFILE%\\exportWithMessages.evtx");
try
{
//
// Parse the command line.
//
if (args.Length > 0)
{
if (args[0] == "/?" || args[0] == "-?")
{
Console.WriteLine("Usage: LogManagement [<logname> [<exportFile> [<exportFileWithMessages>]]]\n" +
"<logname> is the name of an existing event log.\n" +
"When <logname> is not specified, Application is assumed.\n" +
"EXAMPLE: LogManagement Microsoft-Windows-TaskScheduler/Operational archive.evtx archiveWithMessages.evtx\n");
Environment.Exit(0);
}
else
{
logPath = args[0];
if (args.Length > 1)
{
targetFile = args[1];
}
if (args.Length > 2)
{
targetFileWithMessages = args[2];
}
}
}
//
// Get log information.
//
EventLogSession session = new EventLogSession();
EventLogInformation logInfo = session.GetLogInformation(logPath, PathType.LogName);
Console.WriteLine("The {0} log contains {1} events.", logPath, logInfo.RecordCount);
//
// Export selected events from a log to a file.
//
if (File.Exists(targetFile))
{
Console.WriteLine("Could not export log {0}: file {1} already exists", logPath, targetFile);
Environment.Exit(1);
}
else
{
session.ExportLog(logPath, PathType.LogName, query, targetFile, true);
Console.WriteLine("Selected events from the {0} log have been exported to file {1}.", logPath, targetFile);
}
//
// Capture localized event information so that the exported log can be viewed on
// systems that might not have some of the event providers installed.
//
if (File.Exists(targetFileWithMessages))
{
Console.WriteLine("Could not archive log {0}: file {1} already exists", logPath, targetFileWithMessages);
Environment.Exit(1);
}
else
{
session.ExportLogAndMessages(logPath, PathType.LogName, query, targetFileWithMessages, true, CultureInfo.CurrentCulture);
Console.WriteLine("The export file {0} has been localized into {1} for archiving.", targetFileWithMessages, CultureInfo.CurrentCulture.DisplayName);
}
//
// Clear the log.
//
session.ClearLog(logPath);
Console.WriteLine("The {0} log has been cleared.", logPath);
}
catch (UnauthorizedAccessException e)
{
Console.WriteLine("You do not have the correct permissions. " +
"Try re-running the sample with administrator privileges.\n" + e.ToString());
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
exitCode = 1;
}
Environment.Exit(exitCode);
}
