How to open saved event log archive in .NET?

3

12

I have used the System.Diagnostics.EventLog to view the logs on the local computer. However, I would like to open a saved event log archive (.evt or .evtx) and view the logs that are contained in the saved file. I just need to view timestamps, messages, sources, etc. associated with the logs in the file. Can this be done in C#?

Arianearianie answered 8/6, 2010 at 19:21 Comment(0)
11

Check out the System.Diagnostics.Eventing.Reader namespace, specifically the EventLogQuery class.

http://msdn.microsoft.com/en-us/library/bb671200(v=VS.90).aspx

Nimbostratus answered 8/6, 2010 at 19:40 Comment(0)
2

Try the LogParser tool from Microsoft. It can fetch any data from logs of any log format using a SQL-like query language. It can also be used from any .NET application. An example of parsing CSV logs (I believe you can use this code for EVT files with small modifications):

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using Interop.MSUtil; // COM interop assembly generated from LogParser.dll (tlbimp)

    // Row type the snippet refers to but did not show: one string per selected column.
    public class LogRow
    {
        public string TimeStamp { get; set; }
        public string Category { get; set; }
        public string Machine { get; set; }
        public string ThreadId { get; set; }
        public string ProcessId { get; set; }
        public string ProcessName { get; set; }
        public string DomainName { get; set; }
        public string Message { get; set; }
        public string Number { get; set; }
    }

    public class CsvLogReader
    {
        public IList<LogRow> GetLog()
        {
            return Load("SELECT *, OUT_ROW_NUMBER() FROM logfile*.log WHERE Field2='Performance' ORDER BY Field1 ASC");
        }

        private static IList<LogRow> Load(string sql)
        {
            IEnumerable<string[]> log = ParseLog(sql);

            return Convert(log);
        }

        // Maps positional CSV fields onto LogRow; the indexes follow the column layout of the author's log files.
        private static IList<LogRow> Convert(IEnumerable<string[]> log)
        {
            return log.Select(logRecord => new LogRow
                                               {
                                                   TimeStamp = logRecord[2],
                                                   Category = logRecord[3],
                                                   Machine = logRecord[4],
                                                   ThreadId = logRecord[5],
                                                   ProcessId = logRecord[6],
                                                   ProcessName = logRecord[7],
                                                   DomainName = logRecord[8],
                                                   Message = logRecord[9],
                                                   Number = logRecord[10]
                                               }).ToList();
        }

        private static IEnumerable<string[]> ParseLog(string query)
        {
            // Run the query against CSV input; headerRow = false because these log files carry no header line.
            var records = new LogQueryClassClass().Execute(
                query,
                new COMCSVInputContextClass { headerRow = false, iTsFormat = "yyyy-MM-dd HH:mm:ss.fff" });
            var entries = new List<string[]>();

            while (!records.atEnd())
            {
                // toNativeString joins the record's columns with the given separator; split on it to get them back.
                entries.Add(records.getRecord().toNativeString("CSVseparator").Split(
                                new[] { "CSVseparator" },
                                StringSplitOptions.None));
                records.moveNext();
            }

            records.close();
            return entries;
        }
    }
Octillion answered 8/6, 2010 at 19:51 Comment(0)
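The "small modifications" the answer mentions amount to switching the input context and the column names. The following is an added example (not part of the answer above) of the same COM-interop pattern pointed at an archived event log through Log Parser's EVT input format. It assumes Log Parser 2.2 is installed, that the interop assembly is referenced as Interop.MSUtil, that the archive sits at C:\archive\Application.evt, and the names EvtArchive, EvtRow and RequireSafeFilterValue are this example's own.

```csharp
using System;
using System.Collections.Generic;
using Interop.MSUtil; // COM interop assembly generated from LogParser.dll (assumed reference name)

public static class EvtArchive
{
    public sealed class EvtRow
    {
        public string TimeGenerated { get; set; }
        public string SourceName { get; set; }
        public string EventId { get; set; }
        public string EventTypeName { get; set; }
        public string Message { get; set; }
    }

    // Log Parser SQL has no parameter binding, so any value spliced into the query text
    // is an injection point if it ever comes from outside the program. Keep the path and
    // the filter under your control and reject anything outside a narrow character set.
    private static void RequireSafeFilterValue(string value)
    {
        foreach (char c in value)
        {
            if (!char.IsLetterOrDigit(c) && c != ' ' && c != '-' && c != '_' && c != '.')
                throw new ArgumentException("filter value contains characters not allowed in this query", nameof(value));
        }
    }

    public static IList<EvtRow> Load(string archivePath, string sourceName)
    {
        RequireSafeFilterValue(sourceName);

        // Column names are the documented fields of the EVT input format.
        string sql =
            "SELECT TimeGenerated, SourceName, EventID, EventTypeName, Message " +
            "FROM '" + archivePath + "' " +
            "WHERE SourceName = '" + sourceName + "' " +
            "ORDER BY TimeGenerated ASC";

        var input = new COMEventLogInputContextClass
        {
            formatMsg = true,   // render Message with the message DLLs present on this machine
            resolveSIDs = true  // translate SIDs in the SID field into account names
        };

        var rows = new List<EvtRow>();
        ILogRecordset records = new LogQueryClassClass().Execute(sql, input);
        try
        {
            while (!records.atEnd())
            {
                ILogRecord r = records.getRecord();
                // getValue(i) follows the SELECT list, so there is nothing to join and split.
                rows.Add(new EvtRow
                {
                    TimeGenerated = Convert.ToString(r.getValue(0)),
                    SourceName = Convert.ToString(r.getValue(1)),
                    EventId = Convert.ToString(r.getValue(2)),
                    EventTypeName = Convert.ToString(r.getValue(3)),
                    Message = Convert.ToString(r.getValue(4)),
                });
                records.moveNext();
            }
        }
        finally
        {
            records.close(); // release the COM recordset even if a row throws
        }
        return rows;
    }

    public static void Main()
    {
        foreach (var row in Load(@"C:\archive\Application.evt", "Application Error"))
            Console.WriteLine("{0} {1} [{2}] {3}: {4}",
                row.TimeGenerated, row.EventTypeName, row.EventId, row.SourceName, row.Message);
    }
}
```

Message text is only as good as the message DLLs installed on the machine running the query; an archive copied from another host will often render with placeholders or an error text in the Message column, while TimeGenerated, SourceName and EventID are always available from the file itself.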
0

If your intention is to read the saved logs, we can do it using EventLogReader. It basically takes two parameters: the filename (as in file path) and a second parameter specifying the path type. For your reference, say you have a saved .evtx file, temp.evtx; you can read it as in:

new EventLogReader(filepath, PathType.FilePath);

This gives you an event log reader, which can be used to read events. Furthermore, if you want to read content out of it, we can use Properties, which is basically a list of strings. You can read it, parse it, and get whatever information you need.

I agree that we don't have the provision to directly get all the details like we get using EventLogEntry. Nevertheless, we just need to do some parsing to get what we need using the event record.

Came answered 3/10, 2017 at 16:22 Comment(0)
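Putting the first and the last answer together (EventLogQuery to open the file with a filter, EventLogReader to walk it, and Properties when rendered text is not available), here is an added example that is not part of any answer on this page. It assumes the archive is at C:\archive\Security.evtx, filters on event ID 4624 (successful logon) as a stand-in for whatever you are looking for, and the names SavedEvent and ArchiveReader are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

public sealed class SavedEvent
{
    public long? RecordId { get; set; }
    public DateTime? TimeCreated { get; set; }
    public string Provider { get; set; }
    public int EventId { get; set; }
    public string Level { get; set; }
    public string Message { get; set; }          // null when no message resources exist locally
    public IList<string> RawProperties { get; set; }
    public string Xml { get; set; }
}

public static class ArchiveReader
{
    // xpath is the same structured-query syntax Event Viewer's XML filter tab uses.
    public static IEnumerable<SavedEvent> Read(string path, string xpath = "*")
    {
        // PathType.FilePath tells the reader the first argument is a file, not a channel name.
        var query = new EventLogQuery(path, PathType.FilePath, xpath)
        {
            ReverseDirection = false // oldest event first
        };

        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    yield return ToSavedEvent(record);
                }
            }
        }
    }

    private static SavedEvent ToSavedEvent(EventRecord record)
    {
        string message;
        try
        {
            // Rendering needs the provider's message DLLs on THIS machine. An archive
            // taken from another host often has none, so this may return null or throw.
            message = record.FormatDescription();
        }
        catch (EventLogException)
        {
            message = null;
        }

        string level;
        try { level = record.LevelDisplayName; }
        catch (EventLogException) { level = record.Level.HasValue ? record.Level.Value.ToString() : null; }

        return new SavedEvent
        {
            RecordId = record.RecordId,
            TimeCreated = record.TimeCreated,
            Provider = record.ProviderName,
            EventId = record.Id,
            Level = level,
            Message = message,
            // Properties are the raw EventData values stored in the file; they need no provider metadata.
            RawProperties = record.Properties.Select(p => p.Value == null ? string.Empty : p.Value.ToString()).ToList(),
            Xml = record.ToXml()
        };
    }
}

public static class Program
{
    public static void Main()
    {
        const string archive = @"C:\archive\Security.evtx";   // assumed path
        const string logons = "*[System[(EventID=4624)]]";     // XPath filter for successful logons

        foreach (var e in ArchiveReader.Read(archive, logons))
        {
            Console.WriteLine("{0:u} {1} id={2} level={3}", e.TimeCreated, e.Provider, e.EventId, e.Level);
            if (e.Message != null)
                Console.WriteLine("  " + e.Message);
            else
                Console.WriteLine("  <no message resources locally> " + string.Join(" | ", e.RawProperties));
        }
    }
}
```

Two points worth knowing before running this on a real archive: opening a file needs only read access to that file, whereas querying the live Security channel needs administrative rights, so copying the .evtx out is the usual way to analyse it elsewhere; and when the copy comes from a different machine, treat Properties and ToXml() as the authoritative data and FormatDescription() as a convenience that may be unavailable.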

© 2022 - 2024 — McMap. All rights reserved.