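/// <summary>
/// Exports every event log selected in <c>_sessionInfo.SelectedEVLogs</c> to an
/// <c>.evtx</c> file, restricted to the session's From/To time window and, when
/// sources are listed for a log, to those provider names.
/// </summary>
/// <remarks>
/// Output goes to <c>{SessionOtputFolderPath}\OutputData\{from}_{to}\{log}.evtx</c>.
/// Any failure is logged and rethrown as an <see cref="Exception"/> whose message
/// names the log being processed; the original exception is kept as
/// <see cref="Exception.InnerException"/> so the real cause (access denied, bad
/// query, I/O error) is not lost.
/// </remarks>
/// <exception cref="Exception">Thrown when any step of the collection fails.</exception>
public void CollectData()
{
    try
    {
        // NOTE(review): "hh" is the 12-hour clock and there is no AM/PM designator,
        // so a window starting at 02:00 and one starting at 14:00 get the same folder
        // name. "HH" would be unambiguous; it is left unchanged here because other
        // code may rebuild this path with the same format - confirm before changing.
        var from = _sessionInfo.From.ToString("yyyy-MM-dd-hh-mm");
        var to = _sessionInfo.To.ToString("yyyy-MM-dd-hh-mm");

        // Group the requested provider names by log name, without duplicates.
        var logsToCollect = new Dictionary<string, List<string>>();
        foreach (var evLog in _sessionInfo.SelectedEVLogs)
        {
            List<string> wanted;
            if (!logsToCollect.TryGetValue(evLog.LogName, out wanted))
            {
                wanted = new List<string>();
                logsToCollect.Add(evLog.LogName, wanted);
            }

            if (evLog.Sources != null)
            {
                foreach (var source in evLog.Sources)
                {
                    if (!wanted.Contains(source))
                    {
                        wanted.Add(source);
                    }
                }
            }
        }

        // The time window and output folder are the same for every log.
        string fromUtc = _sessionInfo.From.ToUniversalTime().ToString("o");
        string toUtc = _sessionInfo.To.ToUniversalTime().ToString("o");
        string path = $@"{_sessionInfo.SessionOtputFolderPath}\OutputData\{from}_{to}";

        // The session wraps a native handle; release it when the export is done.
        using (var eventLogSession = new EventLogSession())
        {
            foreach (var item in logsToCollect)
            {
                // Set first so that a failure while building the query is reported
                // against the log actually being processed.
                name_for_error = item.Key;
                new Utilities.Logger().WriteInfo(" Started Collecting Event Logs");

                string sources = "";
                if (item.Value.Count > 0)
                {
                    var predicates = new List<string>(item.Value.Count);
                    foreach (var src in item.Value)
                    {
                        // The name is placed inside a single-quoted XPath literal, which
                        // has no escape syntax. A quote in the name would end the literal
                        // and change the filter, so such a name is refused.
                        if (src != null && src.IndexOf('\'') >= 0)
                        {
                            throw new ArgumentException(
                                "Event source name contains a quote character and cannot be used in an XPath filter.");
                        }

                        predicates.Add($"@Name='{src}'");
                    }

                    sources = "*[System[Provider[" + string.Join(" or ", predicates) + "]]] and ";
                }

                // CreateDirectory is a no-op when the folder already exists.
                Directory.CreateDirectory(path);

                // Channel names such as "Microsoft-Windows-TaskScheduler/Operational"
                // contain a path separator. Used verbatim, the name would point into a
                // sub-folder that does not exist (or outside the output folder), so
                // characters that are invalid in a file name are replaced.
                string fileName = item.Key;
                foreach (char invalid in Path.GetInvalidFileNameChars())
                {
                    fileName = fileName.Replace(invalid, '_');
                }

                string q = $@"{sources}*[System[TimeCreated[@SystemTime >= '{fromUtc}']]] and *[System[TimeCreated[@SystemTime <= '{toUtc}']]]";
                eventLogSession.ExportLog(item.Key, PathType.LogName, q, $@"{path}\{fileName}.evtx");
                new Utilities.Logger().WriteInfo("Successfully Collected Event Logs");
            }
        }
    }
    catch (Exception ex)
    {
        new Logger().WriteError($"faild to collect Evlog:{ex.Message}");

        // Same type and message as before; the inner exception keeps the real cause
        // available, since not every failure here is a missing log.
        throw new Exception(name_for_error + " Log was not found", ex);
    }
}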
/// <summary>
/// Checks that an <see cref="EventLogNotFoundException"/> raised by
/// <c>ExportLog</c> carries the underlying HRESULT and not a generic value.
/// </summary>
public void EventLogExceptionShouldHaveHResultSet()
{
    // 0x80070002 is the HRESULT form of ERROR_FILE_NOT_FOUND.
    const int expectedHResult = unchecked((int)0x80070002);

    using (var session = new EventLogSession())
    {
        // LogName is passed with PathType.FilePath, so it is treated as a file
        // path; presumably no such file exists, which is what triggers the
        // not-found exception.
        var thrown = Assert.Throws<EventLogNotFoundException>(
            () => session.ExportLog(LogName, PathType.FilePath, LogName, GetTestFilePath()));

        Assert.Equal(expectedHResult, thrown.HResult);
        session.CancelCurrentOperations();
    }
}
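/// <summary>
/// Sample entry point: reports the record count of an event log, exports its
/// warning-or-worse events to two <c>.evtx</c> files (one with localized message
/// data), and then clears the log.
/// </summary>
/// <param name="args">
/// Optional: <c>[logname [exportFile [exportFileWithMessages]]]</c>. The log
/// defaults to "Application" and the files to the user's profile folder.
/// </param>
/// <remarks>
/// The process exits with 0 on success and 1 on any failure, including
/// insufficient permissions.
/// </remarks>
public static void Main(string[] args)
{
    int exitCode = 0;
    String logPath = "Application";
    String query = "*/System[Level <= 3 and Level >= 1]"; // XPath selecting all events of level warning or higher.
    String targetFile = Environment.ExpandEnvironmentVariables("%USERPROFILE%\\export.evtx");
    String targetFileWithMessages = Environment.ExpandEnvironmentVariables("%USERPROFILE%\\exportWithMessages.evtx");

    try
    {
        //
        // Parse the command line.
        //
        if (args.Length > 0)
        {
            if (args[0] == "/?" || args[0] == "-?")
            {
                Console.WriteLine("Usage: LogManagement [<logname> [<exportFile> [<exportFileWithMessages>]]]\n" +
                    "<logname> is the name of an existing event log.\n" +
                    "When <logname> is not specified, Application is assumed.\n" +
                    "EXAMPLE: LogManagement Microsoft-Windows-TaskScheduler/Operational archive.evtx archiveWithMessages.evtx\n");
                Environment.Exit(0);
            }
            else
            {
                logPath = args[0];
                if (args.Length > 1)
                {
                    targetFile = args[1];
                }
                if (args.Length > 2)
                {
                    targetFileWithMessages = args[2];
                }
            }
        }

        // The session owns a native handle, so it is disposed when the work is done.
        using (EventLogSession session = new EventLogSession())
        {
            //
            // Get log information.
            //
            EventLogInformation logInfo = session.GetLogInformation(logPath, PathType.LogName);
            Console.WriteLine("The {0} log contains {1} events.", logPath, logInfo.RecordCount);

            //
            // Export selected events from a log to a file.
            // Existing files are never overwritten.
            //
            if (File.Exists(targetFile))
            {
                Console.WriteLine("Could not export log {0}: file {1} already exists", logPath, targetFile);
                Environment.Exit(1);
            }
            else
            {
                session.ExportLog(logPath, PathType.LogName, query, targetFile, true);
                Console.WriteLine("Selected events from the {0} log have been exported to file {1}.", logPath, targetFile);
            }

            //
            // Capture localized event information so that the exported log can be viewed on
            // systems that might not have some of the event providers installed.
            //
            if (File.Exists(targetFileWithMessages))
            {
                Console.WriteLine("Could not archive log {0}: file {1} already exists", logPath, targetFileWithMessages);
                Environment.Exit(1);
            }
            else
            {
                session.ExportLogAndMessages(logPath, PathType.LogName, query, targetFileWithMessages, true, CultureInfo.CurrentCulture);
                Console.WriteLine("The export file {0} has been localized into {1} for archiving.", targetFileWithMessages, CultureInfo.CurrentCulture.DisplayName);
            }

            //
            // Clear the log.
            //
            // NOTE(review): ClearLog removes every record in the log, while the two
            // export files above hold only the Level 1-3 events matched by `query`.
            // Events outside that filter are not preserved anywhere by this sample.
            // Windows records log clears (event 1102 for the Security log, 104 in
            // the System log for others), so this step is visible to monitoring.
            //
            session.ClearLog(logPath);
            Console.WriteLine("The {0} log has been cleared.", logPath);
        }
    }
    catch (UnauthorizedAccessException e)
    {
        Console.WriteLine("You do not have the correct permissions. " +
            "Try re-running the sample with administrator privileges.\n" +
            e.ToString());

        // A permission failure previously fell through with exit code 0, so a
        // calling script could not tell that nothing was exported or cleared.
        exitCode = 1;
    }
    catch (Exception e)
    {
        Console.WriteLine(e.ToString());
        exitCode = 1;
    }

    Environment.Exit(exitCode);
}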