Tags: c#, event-viewer

Exporting Event viewer Log File As A *.evtx File


I'm trying to export information from event viewer.

I am attempting to do this with EventLogSession so I can have it in a .evtx format and not just a text file.

using System;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.IO;

public static void ExportEventViewerLog(int YearsAgo = 0, int MonthsAgo = 0, int DaysAgo = 0)
{
    int Year = 0;
    int Month = 0;
    int Day = 0;

    // Only the first non-zero argument (years, then months, then days) is used
    if (YearsAgo != 0)
    {
        Year = YearsAgo;
    }
    else if (MonthsAgo != 0)
    {
        Month = MonthsAgo;
    }
    else if (DaysAgo != 0)
    {
        Day = DaysAgo;
    }

    DateTime previousDate = DateTime.Now.AddYears(-Year).AddMonths(-Month).AddDays(-Day);
    DateTime now = DateTime.Now.Date;

    Console.WriteLine(previousDate.ToString("yyyy-MM-dd"));
    //2018-06-12
    Console.WriteLine(now.ToString("hh:mm:ss"));
    //12:00:00

    string path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Desktop), "test.evtx");
    string query = "<QueryList> " + $@"<Select Path=""Application"">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime&gt;='{previousDate.ToString("yyyy-MM-dd")}T{previousDate.ToString("hh:mm:ss")}.000Z' and @SystemTime&lt;='{now.ToString("yyyy-MM-dd")}T{now.ToString("hh:mm:ss")}.999Z']]]</Select> " + "</Query> " + "</QueryList>";

    EventLogSession eventLogSession = new EventLogSession();
    eventLogSession.ExportLogAndMessages("Application", PathType.LogName, query, path, false, CultureInfo.CurrentCulture);
}

Here is how I'm calling it

static void Main()
{
    ExportEventViewerLog(YearsAgo: 0, MonthsAgo: 0, DaysAgo: 1);
    Console.WriteLine("Press Any Key To Exit");
    Console.ReadKey();
}

Here is the error

System.Diagnostics.Eventing.Reader.EventLogException
  HResult=0x80131500
  Source=System.Core
  StackTrace:
   at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtExportLog(EventLogHandle session, String channelPath, String query, String targetFilePath, Int32 flags)
   at System.Diagnostics.Eventing.Reader.EventLogSession.ExportLog(String path, PathType pathType, String query, String targetFilePath, Boolean tolerateQueryErrors)
   at System.Diagnostics.Eventing.Reader.EventLogSession.ExportLogAndMessages(String path, PathType pathType, String query, String targetFilePath, Boolean tolerateQueryErrors, CultureInfo targetCultureInfo)
   at app.Program.ExportEventViewerLog(Int32 YearsAgo, Int32 MonthsAgo, Int32 DaysAgo) in C:\Users\User\app\Program.cs:line 296
   at app_1._0.Program.Main() in C:\Users\User\Google Drive\app\Program.cs:line 34

Note: I don't believe the path is the problem, because if I change the query to a wildcard *, the method executes without any errors. I generated the query from Event Viewer -> Filter Current Log -> XML.

Here is the original query that was generated from Event Viewer

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime&gt;='1991-07-24T21:12:12.000Z' and @SystemTime&lt;='2018-06-12T21:12:12.999Z']]]</Select>
  </Query>
</QueryList>


Solution

  • You are missing the XML tag:

    <Query Id=\"0\" Path=\"Application\">


    Fixing this still caused that exception for me, even as admin; however, using a different path fixed it (perhaps because the Event Viewer service lacks permissions on the user's path).

    string path = Path.Combine(Path.GetTempPath(), "test.evtx");
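
Putting both points together, here is an added example (not the asker's or answerer's code) that wraps the Select in the required Query element, writes under the temp directory, and renders the time bounds in UTC with a 24-hour clock, since the question's query formats local time with hh (12-hour) but labels it Z. The channel name, the one-day window, the timestamped file name and the omission of the Level filter (which matched every level anyway) are assumptions.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.IO;
using System.Security;

static class EvtxExport
{
    // Build the structured XML query that EvtExportLog expects. The Query element
    // (with Id and Path) must wrap Select, and @SystemTime is stored in UTC, so the
    // bounds are UTC values formatted with a 24-hour clock and a literal 'Z'.
    public static string BuildQuery(string channel, DateTime fromUtc, DateTime toUtc)
    {
        const string fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'";
        string from = fromUtc.ToString(fmt, CultureInfo.InvariantCulture);
        string to = toUtc.ToString(fmt, CultureInfo.InvariantCulture);
        string path = SecurityElement.Escape(channel); // channel name lands inside XML attributes
        return
            "<QueryList>" +
            $"<Query Id=\"0\" Path=\"{path}\">" +
            $"<Select Path=\"{path}\">*[System[TimeCreated[@SystemTime&gt;='{from}' and @SystemTime&lt;='{to}']]]</Select>" +
            "</Query>" +
            "</QueryList>";
    }

    // Export the last 'days' days of a channel to an .evtx file in %TEMP%.
    // ExportLogAndMessages also copies provider message strings, so the file renders
    // on a triage machine that lacks the same providers. A timestamped name avoids
    // the failure the API raises when the target file already exists.
    public static string Export(string channel, int days)
    {
        DateTime nowUtc = DateTime.UtcNow;
        string query = BuildQuery(channel, nowUtc.AddDays(-days), nowUtc);
        string target = Path.Combine(Path.GetTempPath(), $"{channel}-{nowUtc:yyyyMMddHHmmss}.evtx");

        using (var session = new EventLogSession())
        {
            // tolerateQueryErrors = false: a malformed query surfaces as EventLogException
            session.ExportLogAndMessages(channel, PathType.LogName, query, target, false, CultureInfo.CurrentCulture);
        }
        return target;
    }

    static void Main()
    {
        string file = Export("Application", 1); // assumption: one day of the Application log
        Console.WriteLine($"Exported to {file}");
    }
}
```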