问题描述

1. 如何知道是否记录了特定事件（给定事件ID，时间和节点作为输入）？ [在这种情况下，我知道只会记录一个事件]


2. 如果记录了事件，如何获取事件描述，日志名称等详细信息。

例如，我想在节点应用程序和服务日志> Microsoft> Windows> groupPolicy>可操作下查询事件，事件ID为5315时间是当前时间。

for eg, I want to query for an event under the node Applications and Services Logs > Microsoft > Windows > groupPolicy > Operational, and event id is 5315 and time is current time.

推荐答案

如果要从新样式的Windows EventLogs查询事件，则会有一些新的变化。

There are a few new twists if your going to query events from the new style Windows EventLogs.

1. 您将不得不使用 System.Diagnostics.Eventing.Reader 名称空间以读取新事件。


2. 您的查询将采用Xpath形式，因此时间值比较棘手，有关。


3. 您的程序将遇到访问问题，准备好模拟记录机上 EventReaders AD组中包含的用户。

1. You will have to use the classes from the System.Diagnostics.Eventing.Reader namespace to read the new events.
2. Your query will be in Xpath form, so that time value is tricky, see msdn for the EventLogQuery definition.
3. Your program will run into access issues, be ready to impersonate a user that's included in the EventReaders AD group on the logging machine.

此示例显示了一些新的访问方法，欢呼声。

This sample shows some of the new access methods, cheers.

string eventID = "5312";
string LogSource = "Microsoft-Windows-GroupPolicy/Operational";
string sQuery = "*[System/EventID=" + eventID + "]";

var elQuery = new EventLogQuery(LogSource, PathType.LogName, sQuery);
using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
{

    List<EventRecord> eventList = new List<EventRecord>();
    EventRecord eventInstance = elReader.ReadEvent();
    try
    {
        for (null != eventInstance; eventInstance = elReader.ReadEvent())
        {
            //Access event properties here:
            //eventInstance.LogName;
            //eventInstance.ProviderName;
            eventList.Add(eventInstance);
        }
    }
    finally
    {
        if (eventInstance != null)
            eventInstance.Dispose();
    }
}