
I have developed an MFC application which reads Windows event logs from an event log (EVTX) file and parses them to render in the application.

For reading the log file, I am using an XPath query to retrieve specific event logs from the event log file, which consists of 40000 records.

A sample log record looks like the one below:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Error_Log"/>
    <EventID Qualifiers="20225">6002</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-31T10:37:16.000000000Z"/>
    <EventRecordID>11679958</EventRecordID>
    <Channel>Application</Channel>
    <Security/>
  </System>
  <EventData>
    <Data>16:07:16.339:(A)[app.exe] [scan] m_id = [1254]</Data>
    <Binary>31363A30373A31362E3333393A2841295B7275706170702E6578655D205B5363616E5D206D5F6964203D205B313235345D</Binary>
  </EventData>
</Event>

Here I want to retrieve only those log records where the <Data> tag contains the sub-string m_id. To achieve this I tried the query below:

#include <windows.h>
#include <winevt.h>
#pragma comment(lib, "wevtapi.lib")

// The XPath filter that returns no events (EvtQuery expects a wide string)
LPCWSTR Query = L"Event/EventData[Data(Data='m_id')]";

// Path is the full path of the .evtx file being queried
EVT_HANDLE Results = EvtQuery(NULL, Path, Query, EvtQueryFilePath | EvtQueryForwardDirection);

But I am not able to retrieve any logs, even though the string m_id is present in the input log file as shown in the record above.

Barmak Shemirani
Kiran Choudhary

1 Answer


You should be able to do this with XPath 2 by using contains()

Full Events:

/Event[EventData/Data[contains(text(),'m_id')]]
/Event[EventData/Data[contains(string(),'m_id')]]

Data Only:

/Event/EventData/Data[contains(string(),'m_id')]
/Event/EventData/Data[contains(text(),'m_id')]

Test Xpaths here

Advanced Xpath Filtering

string vs text

ffhighwind
  • Hi @ffhighwind, I tried all 4 mentioned combinations, but no luck. The method below is still returning nothing: EVT_HANDLE Results = EvtQuery(NULL, Path, Query, EvtQueryFilePath | EvtQueryForwardDirection); – Kiran Choudhary Jun 21 '18 at 06:18
  • It's possible it's related to system32 redirection and you may need to call Wow64DisableWow64FsRedirection. It could also be a UAC issue. Try opening Path to see if it exists. Also you should try calling [GetLastError](https://stackoverflow.com/questions/1387064/how-to-get-the-error-message-from-the-error-code-returned-by-getlasterror) if EvtQuery returned NULL. – ffhighwind Jun 21 '18 at 22:22
  • By "opening" Path I mean calling fopen or fstream::open(Path).good() on it. Either way I would appreciate an upvote. – ffhighwind Jun 21 '18 at 23:09
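The following PowerShell script is an added example for the question and the answer above; it is not code from either poster. It shows the split a practitioner uses when a substring match on <Data> is needed: the Windows Event Log service evaluates only a subset of XPath 1.0 (equality and comparison on System and EventData fields, plus position(), Band() and timediff()), and contains(), text() and string() are not part of that subset, so the server-side XPath narrows the set by fields it can evaluate and the substring test runs in the client. The .evtx path and the parameter defaults are assumptions; EventID 6002 and the provider name Error_Log come from the sample record in the question. It also decodes the hex <Binary> field so it can be compared with <Data>.

```powershell
# Added example (not the asker's or answerer's code).
# Assumptions not taken from the page: the .evtx path and the $Needle default.
param(
    [string]$Path    = 'C:\logs\application.evtx',   # assumed path
    [string]$Needle  = 'm_id',
    [int]   $EventId = 6002                           # from the sample record
)

# Mirror the answerer's first check: confirm the file exists before blaming
# the query. EvtQuery with EvtQueryFilePath fails the same way on a bad path.
if (-not (Test-Path -LiteralPath $Path)) {
    throw "Event log file not found: $Path"
}

# Server-side pre-filter using only constructs the Event Log XPath subset
# supports: attribute/element equality under System. contains() is not
# available here, so the substring test is done below in the client.
$xpath = "*[System[Provider[@Name='Error_Log'] and EventID=$EventId]]"

$hits = Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object {
        # Properties[0] is the first <Data> element under <EventData>.
        $_.Properties.Count -gt 0 -and
        (($_.Properties[0].Value -as [string]) -like "*$Needle*")
    } |
    ForEach-Object {
        [xml]$xml = $_.ToXml()
        $hex = [string]$xml.Event.EventData.Binary

        # <Binary> carries hex-encoded raw bytes; decode them so the field can
        # be compared with <Data> (in the sample record it repeats that text).
        $binaryText = ''
        if ($hex) {
            $bytes = for ($i = 0; $i -lt $hex.Length - 1; $i += 2) {
                [Convert]::ToByte($hex.Substring($i, 2), 16)
            }
            $binaryText = [Text.Encoding]::ASCII.GetString([byte[]]$bytes)
        }

        [pscustomobject]@{
            RecordId    = $_.RecordId
            TimeCreated = $_.TimeCreated
            Data        = $_.Properties[0].Value
            BinaryText  = $binaryText
        }
    }

$hits | Format-Table -AutoSize
```

Run it as `.\Find-EventData.ps1 -Path 'C:\logs\application.evtx' -Needle 'm_id'` (the script name is assumed). The same split carries over to the MFC application: pass the System-field XPath to EvtQuery, then walk the result with EvtNext, render each handle with EvtRender(EvtRenderEventXml) and test the <Data> text in code. If EvtQuery returns NULL, GetLastError reports why; an XPath that uses a function outside the supported subset surfaces as ERROR_EVT_INVALID_QUERY rather than as an empty result set.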