0

I want to get event entries by their description (data). I know how to get the event entry with a certain description, however I want to get an entry whith a description which contains a string (not equals to it). That, I don't know how to do. Please help :)

Shaked Bu
  • 41
  • 1
  • 8

1 Answers1

1

According to my answer here: https://stackoverflow.com/a/34119006/5089204 you should be able to retrieve EventRecords.

Dealing with these events is a quite complex issue... Each event has its own internal structure. The common properties are bundled in EventRecord, but the specific data must be taken from the internal details. Use the ToXml() method of an EventRecord...

In order to get the right events you must define an EventLogQuery. You must know the Provider's name and specify the filter.

Try the following: Open eventvwr and there the Windows-System queue. Right click one event, open the "Details" and choose the "XML-View". Look over different events and you will find, that they are quite differing.

But: You'll find everything you need there: First the "Provider Name" and the "EventId", these two are most important for the `EventLogQuery'.

Now go to the "define a user filter on the current protocoll"-action and type in some values. Then switch to the filter's XML and you'll learn how to define the correct query.

I'm sorry, there is no "easy and general" approach :-)

Community
  • 1
  • 1
Shnugo
  • 66,100
  • 9
  • 53
  • 114
  • I already know the filter at the eventviewer and using it. Now I'm asking for a tip there not at my code – Shaked Bu Dec 07 '15 at 12:15
  • 1
    @Shaked.B This article might help you: http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx. Not all XPath-functions are supported! Regrettfully `contains` isn't. You'd probably load the records as shown and filter them within your application... – Shnugo Dec 07 '15 at 12:27