
I would like to save the event log to a CSV file, both in Windows XP and Windows 7.

In Windows XP I can manually do it: I open the "Event viewer" (EVENTVWR or EVENTVWR.MSC on the command line), then for example I right click on the "Application" log, then I choose the contextual menu command "Save log file as" and "CSV (Comma delimited)(*.csv)" and I finally get the log saved on a file.

The file contains all the log information: it contains the full formatted message for every event.

If you simply launch the contextual menu command "Export list" you will instead get a mere list of event "metadata" like Type, Date, Time, Source, Category, Event, User, Computer.

I browsed the available APIs in Windows XP, that is the Event Logging Functions (Windows), and I have found that:

  1. BackupEventLog does not allow me to choose the format of the backup file, i.e. it will save in a binary format that to me will be useless.
  2. ReadEventLog gives me just the metadata via the structure EVENTLOGRECORD and the instructions to get the full formatted message with a lot of work:

The event identifier together with source name and a language identifier identify a string that describes the event in more detail. The strings are used as replacement strings and are merged into the message string to make a complete message. The message strings are contained in a message file specified in the source entry in the registry. To obtain the appropriate message string from the message file, load the message file with the LoadLibrary function and use the FormatMessage function.

Now, it is a lot of work: with the source go into the registry (where? I am afraid there are multiple possible places...) to find the resource file name, load the file with LoadLibrary and then format the message with FormatMessage.

Am I missing something? Is there any shortcut? Why doesn't Microsoft give us a plain API to back up the log in CSV format? After all they already wrote the code inside eventvwr...

Now I am a bit discouraged and I did not browse the Evt* APIs (Windows Event Log Functions (Windows)) available since Windows Vista.

Alessandro Jacopson
    Don't know your context and if C++ is a mandatory choice for you, but using PowerShell and WMI would make your life easier. Get-EventLog Application -EntryType Error | Select-Object Timegenerated, EntryType, MachineName, Message | Format-Table >.\Desktop\Log.csv – David Brabant Nov 30 '12 at 10:14
  • @DavidBrabant Thank you but unfortunately C++ is a mandatory choice for me. – Alessandro Jacopson Nov 30 '12 at 17:30
  • @uvts_cvs I think it's not API functionality but self-written code, i.e. just extracting the date, time, event id, etc. and writing them sequentially to a txt or csv file. – westwood Dec 03 '12 at 10:05
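As an added example (not code from the question, the comments or Microsoft), this is the XP-era route the quoted documentation describes, in C++: read records with ReadEventLog, look up the source's EventMessageFile value under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>\<source> (the registry location the question asks about), load that DLL with LoadLibraryEx as a data file, merge the record's insertion strings with FormatMessage, and write RFC 4180-quoted CSV rows. It assumes the Application log, uses only the first DLL of a ';'-separated EventMessageFile value, and does not resolve ParameterMessageFile (%%n) placeholders.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

std::string csvField(const std::string& s) {  // RFC 4180: wrap in quotes, double embedded quotes
    std::string out = "\"";
    for (char c : s) { if (c == '"') out += '"'; out += c; }
    return out + "\"";
}

#ifdef _WIN32  // Win32-only from here; the message DLL lives under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>\<source>
static std::string messageFile(const std::string& log, const char* source) {
    std::string key = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\" + log + "\\" + source;
    char raw[1024] = {0}, expanded[1024] = {0};
    DWORD size = sizeof raw; HKEY hk;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key.c_str(), 0, KEY_READ, &hk) != ERROR_SUCCESS) return "";
    LONG rc = RegQueryValueExA(hk, "EventMessageFile", nullptr, nullptr, reinterpret_cast<LPBYTE>(raw), &size);
    RegCloseKey(hk);
    if (rc != ERROR_SUCCESS || !ExpandEnvironmentStringsA(raw, expanded, sizeof expanded)) return "";  // REG_EXPAND_SZ
    std::string files(expanded); return files.substr(0, files.find(';'));  // first DLL only (assumption)
}

// Merge the record's insertion strings (after StringOffset) into the template found in the message DLL.
static std::string fullMessage(const EVENTLOGRECORD* r, const std::string& log) {
    const char* base = reinterpret_cast<const char*>(r);
    std::vector<DWORD_PTR> inserts;  // FormatMessage's ARGUMENT_ARRAY form wants pointer-sized values
    for (const char* p = base + r->StringOffset; inserts.size() < r->NumStrings; p += std::char_traits<char>::length(p) + 1)
        inserts.push_back(reinterpret_cast<DWORD_PTR>(p));
    HMODULE h = LoadLibraryExA(messageFile(log, base + sizeof(EVENTLOGRECORD)).c_str(), nullptr, LOAD_LIBRARY_AS_DATAFILE);
    if (!h) return "";  // unregistered source or missing DLL: leave the message empty instead of failing
    DWORD flags = FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER | (inserts.empty() ? FORMAT_MESSAGE_IGNORE_INSERTS : FORMAT_MESSAGE_ARGUMENT_ARRAY);
    char* buf = nullptr;
    DWORD n = FormatMessageA(flags, h, r->EventID, 0, reinterpret_cast<LPSTR>(&buf), 0, reinterpret_cast<va_list*>(inserts.data()));
    std::string msg = n ? std::string(buf, n) : ""; if (buf) LocalFree(buf); FreeLibrary(h);
    return msg;
}

int main() {
    const std::string log = "Application";  // assumed: the log to export
    HANDLE h = OpenEventLogA(nullptr, log.c_str());
    std::vector<char> buf(0x10000); DWORD read = 0, needed = 0;  // 64 KiB per read; grow on ERROR_INSUFFICIENT_BUFFER
    std::puts("RecordNumber,TimeGenerated(unix),EventID,Source,Message");
    while (ReadEventLogA(h, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf.data(), (DWORD)buf.size(), &read, &needed))
        for (const char* p = buf.data(); p < buf.data() + read; p += reinterpret_cast<const EVENTLOGRECORD*>(p)->Length) {
            const EVENTLOGRECORD* r = reinterpret_cast<const EVENTLOGRECORD*>(p);  // SourceName follows the struct
            std::printf("%lu,%lu,%lu,%s,%s\n", r->RecordNumber, r->TimeGenerated, r->EventID & 0xFFFF,
                        csvField(p + sizeof(EVENTLOGRECORD)).c_str(), csvField(fullMessage(r, log)).c_str());
        }
    CloseEventLog(h);
}
#endif
```

Build it with a Win32 toolchain and run it with an account allowed to read the chosen log; the Win32 section is guarded by _WIN32 so the CSV helper still compiles elsewhere.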

0 Answers