查询事件日志时如何创建EventBookmark | 查询事件日志时如何创建EventBookmark

本文介绍了查询事件日志时如何创建EventBookmark的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我有一个EventLogReader对象，以及事件日志中的查询，如下所示:

I have an EventLogReader object, and a query in the event log that looks like this:

string query = "*[System[(Level=2) and TimeCreated[@SystemTime>='%LastRun%']]]")

该代码基本上使用读取器查询自上次运行读取器以来与搜索查询匹配的所有事件.

The code basically uses the reader to query for all the events that match the search query since the last time the reader was run.

我宁愿将EventBookmark用于此目的.毕竟，这就是它的目的！但是我找不到任何有效的代码.

I would rather use the EventBookmark for this purpose. That's what it is for, after all! But I am having trouble finding any working code.

我现有的代码部分运行如下:

My existing code run, in part, like this:

// This line replaces the %LastRun% code with the date
var myQuery = myEventLogQuery.Query.Replace("%LastRun%", myEventLogQuery.LastRun.ToString("o"));
var query = new EventLogQuery(myEventLogQuery.Log, myEventLogQuery.PathType, myQuery);

// Now set the LastRun date. I want to avoid this...
myEventLogQuery.LastRun = DateTime.UtcNow;

// ... by making this next line smarter.
var reader = new EventLogReader(query);
// var reader = new EventLogReader(query, ??? new EventBookmark());

EventRecord eventRecord;
while ((eventRecord = reader.ReadEvent()) != null)
{
    EventRecords.Add(new EventRecordItem(eventRecord));
}

我应该能够使用第一个(或最后一个)EventRecord的EventBookmark属性来限制下一个查询，但是我想将EventBookmark最初设置为基本上是日志中的最高记录.

I should be able to use the EventBookmark property of the first (or last) EventRecord to restrict the next query, but I want to set the EventBookmark initially to be basically the highest record in the log.

当应用程序最初运行时，我不需要它来告诉我过去的所有事件日志条目，我只关心应用程序启动后发生的事件日志.

When the application runs initially, I don't need it to tell me about all the event log entries from the past, I only care about ones that occur after the application starts.

推荐答案

好的，我继续进行了很多实验，并设法为此设计了一个好的系统.由于未真正涵盖此主题，因此我将答案发布在这里.我希望它有用！

OK, I went ahead and experimented a lot, and managed to work out a good system for this. Since this topic isn't really covered, I'm posting my answer here. I hope it's useful!

第一个挑战是创建初始的EventBookmark.您不能只实例化一个.您需要从现有的EventRecord派生一个.为此，我查询日志中的最后一项，并基于此创建我的EventBookmark.

First challenge is creating the initial EventBookmark. You can't just instantiate one. You need to derive one from an existing EventRecord. To do this, I query for the last item in the log and base my EventBookmark on that.

using System.Diagnostics.Eventing.Reader;
public class MyEventLogQuery
{
    public string Log { get; set; }
    public PathType PathType { get; set; }
    public string Query { get; set; }
    public EventBookmark Bookmark { get; set; }

    public MyEventLogQuery(string log = "Application", PathType pathType = PathType.LogName, string query = "*[System[(Level=2)]]")
    {
        Log = log;
        PathType = pathType;
        Query = query;
        Bookmark = GetBookmark(log, pathType); // Query is not important here
    }

    // This method returns the bookmark of the most recent event
    // log EventRecord or null if the log is empty
    private static EventBookmark GetBookmark(string log, PathType pathType)
    {
        var elq = new EventLogQuery(log, pathType) {ReverseDirection = true};

        var reader = new EventLogReader(elq);
        var record = reader.ReadEvent();
        if (record != null)
            return record.Bookmark;
        return null;
    }
}

下一步是在随后查询事件日志时使用书签(或没有书签).

Next step is to use the bookmark (or lack of bookmark) when subsequently querying the Event Log.

using System.Diagnostics.Eventing.Reader;
public class EventLogTracker()
{
    public List<MyEventLogQuery> Queries { get; set; }

    // ... snipped some stuff
    public int Run()
    {
        var count = 0;
        foreach (var myQuery in Queries)
        {
            var query = new EventLogQuery(myQuery.Log, myQuery.PathType, myQuery.Query);

            // This is the important bit. Must take account that the
            // log may have been empty, so bookmark could be null
            var reader = myQuery.Bookmark != null ? new EventLogReader(query, myQuery.Bookmark) : new EventLogReader(query);
            EventRecord eventRecord;
            while ((eventRecord = reader.ReadEvent()) != null)
            {
                // Do stuff
                // ...
                // Then update the bookmark
                myQuery.Bookmark = eventRecord.Bookmark;
                count++;
            }
        }
        return count;
    }

瞧，您有使用EventBookmark的代码，仅向您提供自应用程序启动以来发生的事件.

And voila, you have code that uses the EventBookmark to only give you events that have occurred since the application was started.

这篇关于查询事件日志时如何创建EventBookmark的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！