How to Query for an event log details with a given event id?

Asked 17/3, 2010 at 13:13 Answered 17/3, 2010 at 16:43

How to know whether a particular event (given event ID, time and node as inputs) is logged or not? [In this case, I know only one event will be logged]
If the event is logged, how do I get details like event description, Log-name etc..

for eg, I want to query for an event under the node Applications and Services Logs > Microsoft > Windows > groupPolicy > Operational, and event id is 5315 and time is current time.

Derman answered 17/3, 2010 at 13:13 Comment(0)

There are a few new twists if your going to query events from the new style Windows EventLogs.

You will have to use the classes from the System.Diagnostics.Eventing.Reader namespace to read the new events.
Your query will be in Xpath form, so that time value is tricky, see msdn for the EventLogQuery definition.
Your program will run into access issues, be ready to impersonate a user that's included in the EventReaders AD group on the logging machine.

This sample shows some of the new access methods:

string eventID = "5312";
string LogSource = "Microsoft-Windows-GroupPolicy/Operational";  
string sQuery = "*[System/EventID=" + eventID + "]";

var elQuery = new EventLogQuery(LogSource, PathType.LogName, sQuery);
using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
{

    List<EventRecord> eventList = new List<EventRecord>();
    EventRecord eventInstance = elReader.ReadEvent();
    try
    {
        for (null != eventInstance; eventInstance = elReader.ReadEvent())
        {
            //Access event properties here:
            //eventInstance.LogName;
            //eventInstance.ProviderName;
            eventList.Add(eventInstance);
        }
    }
    finally
    {
        if (eventInstance != null)
            eventInstance.Dispose();
    }
}

Veraveracious answered 17/3, 2010 at 16:43 Comment(4)

how about getting event withing given dates? query = "*[System[" + "(Provider/@Name=\"Microsoft Office 15 Alerts\") and " + //"(EventID=300) and " + "(TimeCreated/@SystemTime >= \"" + t1 + "\") and " + "(TimeCreated/@SystemTime <= \"" + t2 + "\")" + "]]"; I am getting query exception – Royden 16/1, 2014 at 17:15

What is the LogSource if I want to see Windows Logs/System? – Trainbearer 6/3, 2019 at 22:34

elReader should be wrapped in a using statement – Keelboat 15/5, 2019 at 10:17

Should you be disposing each instance of eventInstance--not just the very last one? – Covenantee 13/5, 2020 at 22:5

You could query the event log in question:

var sourceName = "MySource";
var el = new EventLog("Application");
var latestEntryTime = (from entry in el.Entries.Cast<EventLogEntry>()
                       where entry.Source == sourceName
                       && // put other where clauses here...
                       orderby entry.TimeWritten descending
                       select entry).First();

However, be warned that this approach is slow, since the Entries collection tends to be quite big.

Sentient answered 17/3, 2010 at 13:23 Comment(0)

Recommended topics

Hot tags