public static void Export(string path) { using (var log = new EventLogSession()) { log.ExportLogAndMessages("Application", PathType.LogName, Query, path); } }
public IEnumerable <XElement> ProvideInfo(XElement root) { foreach (var element in root.Elements("Log")) { var name = (string)element.Attribute("Name"); var filename = (string)element.Attribute("Filename"); var query = (string)element.Attribute("Query") ?? "*"; var temp = Path.GetTempPath(); var success = false; try { using (var session = new EventLogSession()) { session.ExportLogAndMessages(name, PathType.LogName, query, temp + filename); } _host.AddFile(temp + filename, filename, true); success = true; } catch (Exception ex) { _log.Warn($"Error: {ex.Message}"); continue; } if (success) { yield return(new XElement("Log", new XAttribute("Name", name), new XAttribute("Filename", filename), new XAttribute("Query", query))); } } }
public static void ExtractLog(string query, string dirName, string fileName, string serverName, string domainName, string userName, string password) { string fileNameFullPath = string.Empty; try { fileNameFullPath = (dirName + @"\" + fileName).Replace(@"\\", @"\"); //query = "*"; if (File.Exists(fileNameFullPath)) { File.Delete(fileNameFullPath); } var secureString = new SecureString(); password.ToCharArray().ToList().ForEach(p => secureString.AppendChar(p)); using (var logSession = new EventLogSession(serverName, domainName, userName, secureString, SessionAuthentication.Default)) { logSession.ExportLogAndMessages("Application", PathType.LogName, query, fileNameFullPath, true, CultureInfo.CurrentCulture); logSession.Dispose(); } } catch (Exception ex) { throw new RMSAppException("ExtractLog failed. " + ex.Message, ex, false); } }
public static void ExtractLog(string query, string dirName, string fileName) { string fileNameFullPath = string.Empty; try { //query = "*[System[TimeCreated[@SystemTime >= '" + DateTime.Now.AddHours(-1).ToUniversalTime().ToString("o") + "']]]"; // "(Provider/@Name=\"AD FS 2.0 Auditing\") and " + // "(TimeCreated/@SystemTime <= \"" + toDate.ToString("yyyy-MM-ddTHH:mm:ss") + "\") and " + //"(TimeCreated/@SystemTime >= " + DateTime.Now.AddHours(-10).ToString("o") + ")" + //"]]"; //" and (TimeCreated/@SystemTime <= " + toDate.Ticks + ")]]"; //" and TimeCreated[timediff(@SystemTime) <= 86400000]]]"; fileNameFullPath = (dirName + @"\" + fileName).Replace(@"\\", @"\"); //query = "*"; if (File.Exists(fileNameFullPath)) { File.Delete(fileNameFullPath); } using (var logSession = new EventLogSession()) { logSession.ExportLogAndMessages("Application", PathType.LogName, query, fileNameFullPath, true, CultureInfo.CurrentCulture); logSession.Dispose(); } } catch (Exception ex) { throw new RMSAppException("ExtractLog failed. " + ex.Message, ex, false); } }
public static string ExtractLogByPeriod(string directoryFullPath, string clientCode, int hourFromNow) { string query = "*[System[TimeCreated[@SystemTime >= '" + DateTime.Now.AddHours(-1 * hourFromNow).ToUniversalTime().ToString("o") + "']]]"; // "(Provider/@Name=\"AD FS 2.0 Auditing\") and " + // "(TimeCreated/@SystemTime <= \"" + toDate.ToString("yyyy-MM-ddTHH:mm:ss") + "\") and " + //"(TimeCreated/@SystemTime >= " + DateTime.Now.AddHours(-10).ToString("o") + ")" + //"]]"; //" and (TimeCreated/@SystemTime <= " + toDate.Ticks + ")]]"; //" and TimeCreated[timediff(@SystemTime) <= 86400000]]]"; string eventLogFile = clientCode + ".EventLog." + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss", new CultureInfo("en-AU")); if (!Directory.Exists(directoryFullPath)) { Directory.CreateDirectory(directoryFullPath); } string fileNameWithFullPath = (directoryFullPath + @"\" + eventLogFile + ".evtx").Replace(@"\\", @"\"); using (var logSession = new EventLogSession()) { if (File.Exists(fileNameWithFullPath)) { File.Delete(fileNameWithFullPath); } logSession.ExportLogAndMessages("System", PathType.LogName, query, fileNameWithFullPath, true, CultureInfo.CurrentCulture); } return(fileNameWithFullPath); }
public static string QueryExportLogAndMessages ( string path , string query , string exportFile , string machine = "." , PathType pathType = PathType.LogName , string domain = "." , string user = null , string password = null , SessionAuthentication logOnType = SessionAuthentication.Kerberos ) { var r = string.Empty; EventLogSession eventLogSession = null; if ( TryGetEventLogSession ( machine , domain , user , password , out eventLogSession , logOnType ) ) { //Console.WriteLine(exportFile); eventLogSession .ExportLogAndMessages ( path , pathType , query , exportFile , false , CultureInfo.CurrentCulture ); } r = exportFile; return(r); }
public static bool ExportSystemEvent(SystemEventKind eventKind, string strExportPath, DateTime dateFrom, DateTime dateTo) { string strDateFrom = dateFrom.ToUniversalTime().ToString(_DATETIME_FORMAT); string strDateTo = dateTo.ToUniversalTime().ToString(_DATETIME_FORMAT); string strExportFileName = _ExportFileName[(int)eventKind]; string strFullPath = Path.Combine(strExportPath, strExportFileName); try { if (!Directory.Exists(strExportPath)) { Directory.CreateDirectory(strExportPath); } if (File.Exists(strFullPath)) { File.Delete(strFullPath); } string queryStr = string.Format(_EVENT_SEARCH_CONDITION, strDateFrom, strDateTo); EventLogSession els = new EventLogSession(); els.ExportLogAndMessages( _systemEventKindName[(int)eventKind], // Log Name to archive PathType.LogName, // Type of Log queryStr, // Query selecting events strFullPath, // Exported Log Path(log created by this operation) false, // Stop the archive if the query is invalid CultureInfo.CurrentCulture); // Culture to archive the events in } catch (Exception ex) { Console.WriteLine(ex.ToString()); return(false); } return(true); }
public static void Main(string[] args) { int exitCode = 0; String logPath = "Application"; String query = "*/System[Level <= 3 and Level >= 1]"; // XPath selecting all events of level warning or higher. String targetFile = Environment.ExpandEnvironmentVariables("%USERPROFILE%\\export.evtx"); String targetFileWithMessages = Environment.ExpandEnvironmentVariables("%USERPROFILE%\\exportWithMessages.evtx"); try { // // Parse the command line. // if (args.Length > 0) { if (args[0] == "/?" || args[0] == "-?") { Console.WriteLine("Usage: LogManagement [<logname> [<exportFile> [<exportFileWithMessages>]]]\n" + "<logname> is the name of an existing event log.\n" + "When <logname> is not specified, Application is assumed.\n" + "EXAMPLE: LogManagement Microsoft-Windows-TaskScheduler/Operational archive.evtx archiveWithMessages.evtx\n"); Environment.Exit(0); } else { logPath = args[0]; if (args.Length > 1) { targetFile = args[1]; } if (args.Length > 2) { targetFileWithMessages = args[2]; } } } // // Get log information. // EventLogSession session = new EventLogSession(); EventLogInformation logInfo = session.GetLogInformation(logPath, PathType.LogName); Console.WriteLine("The {0} log contains {1} events.", logPath, logInfo.RecordCount); // // Export selected events from a log to a file. // if (File.Exists(targetFile)) { Console.WriteLine("Could not export log {0}: file {1} already exists", logPath, targetFile); Environment.Exit(1); } else { session.ExportLog(logPath, PathType.LogName, query, targetFile, true); Console.WriteLine("Selected events from the {0} log have been exported to file {1}.", logPath, targetFile); } // // Capture localized event information so that the exported log can be viewed on // systems that might not have some of the event providers installed. // if (File.Exists(targetFileWithMessages)) { Console.WriteLine("Could not archive log {0}: file {1} already exists", logPath, targetFileWithMessages); Environment.Exit(1); } else { session.ExportLogAndMessages(logPath, PathType.LogName, query, targetFileWithMessages, true, CultureInfo.CurrentCulture); Console.WriteLine("The export file {0} has been localized into {1} for archiving.", targetFileWithMessages, CultureInfo.CurrentCulture.DisplayName); } // // Clear the log. // session.ClearLog(logPath); Console.WriteLine("The {0} log has been cleared.", logPath); } catch (UnauthorizedAccessException e) { Console.WriteLine("You do not have the correct permissions. " + "Try re-running the sample with administrator privileges.\n" + e.ToString()); } catch (Exception e) { Console.WriteLine(e.ToString()); exitCode = 1; } Environment.Exit(exitCode); }