You can query for a group of events that match specified query criteria to filter the events stored in an event log. The query filters events based on event properties. For example, you can query for all level 2 events in a certain event log that occurred in a certain time period, or you can query for all the events with an identifier equal to 105.
Example
Description
The following code example uses the System.Diagnostics.Eventing.Reader classes to query for all the level 2 events from the Application event log. The description, event ID, and the event publisher name are displayed for each event returned from the query. The code example shows how to query for events from an active event log, an external event log, and from a remote computer. Each method in this code example follows a series of steps to query for events.
1. Create an instance of the EventLogQuery class by specifying a query string used to filter events, and the name or location of the event log to query. To query an external event log, specify the path to the log file (.evtx). For more information about how to find event log names, see the code example in How to: Configure and Read Event Log Properties or search for event logs in the Event Viewer tool. For more information about how to create an event query string, see Event Queries and Event XML.
2. (Optional) To query for events from a remote computer, set the Session property to an instance of the EventLogSession class and specify the remote computer name, domain, and the user name and password used to connect to the remote computer.
3. Create an instance of the EventLogReader class by specifying the EventLogQuery instance that was created in Step 1.
4. To get the query results, use the EventRecord instances returned from the ReadEvent method. Each returned instance holds event information for an event in the query results. For more information about reading the event information from an event instance, see How to: Access and Read Event Information.
Code
```vb
Imports System
Imports System.Diagnostics.Eventing.Reader
Imports System.Security

Public Class EventQueryExample

    Public Overloads Shared Function Main( _
        ByVal args() As String) As Integer

        Dim ex As New EventQueryExample()
        ex.QueryActiveLog()
        ex.QueryExternalFile()
        ex.QueryRemoteComputer()
        Return 0
    End Function

    Public Sub QueryActiveLog()
        ' Query two different event logs using a structured query.
        ' The XPath is XML text, so "<" is written as "&lt;".
        ' 86400000 milliseconds = 24 hours.
        Dim queryString As String = _
            "<QueryList>" & _
            "  <Query Id=""0"" Path=""Application"">" & _
            "    <Select Path=""Application"">" & _
            "        *[System[(Level &lt;= 3) and" & _
            "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" & _
            "    </Select>" & _
            "    <Suppress Path=""Application"">" & _
            "        *[System[(Level = 2)]]" & _
            "    </Suppress>" & _
            "    <Select Path=""System"">" & _
            "        *[System[(Level=1 or Level=2 or Level=3) and" & _
            "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" & _
            "    </Select>" & _
            "  </Query>" & _
            "</QueryList>"

        Dim eventsQuery As New EventLogQuery("Application", PathType.LogName, queryString)
        Dim logReader As New EventLogReader(eventsQuery)

        ' Display query results.
        DisplayEventAndLogInformation(logReader)
    End Sub

    Public Sub QueryExternalFile()
        Dim queryString As String = "*[System/Level=2]" ' XPATH Query
        Dim eventLogLocation As String = "C:\MyEvents.evtx"
        Dim eventsQuery As New EventLogQuery(eventLogLocation, PathType.FilePath, queryString)

        Try
            Dim logReader As New EventLogReader(eventsQuery)

            ' Display query results.
            DisplayEventAndLogInformation(logReader)
        Catch e As EventLogNotFoundException
            Console.WriteLine("Could not find the external log to query! " & e.Message)
            Return
        End Try
    End Sub

    Public Sub QueryRemoteComputer()
        Dim queryString As String = "*[System/Level=2]" ' XPATH Query
        Dim pw As SecureString = GetPassword()

        Dim session As EventLogSession = New EventLogSession( _
            "RemoteComputerName", _
            "Domain", _
            "Username", _
            pw, _
            SessionAuthentication.Default)

        pw.Dispose()

        ' Query the Application log on the remote computer.
        Dim query As EventLogQuery = New EventLogQuery( _
            "Application", PathType.LogName, queryString)
        query.Session = session

        Try
            Dim logReader As New EventLogReader(query)

            ' Display query results.
            DisplayEventAndLogInformation(logReader)
        Catch e As EventLogException
            Console.WriteLine("Could not query the remote computer! " & e.Message)
            Return
        End Try
    End Sub

    ' Displays the event query results (the event information and log
    ' information for all the events returned from the query).
    Private Sub DisplayEventAndLogInformation(ByVal logReader As EventLogReader)
        Dim eventInstance As EventRecord = logReader.ReadEvent()
        While Not eventInstance Is Nothing
            ' Display event info
            Console.WriteLine("-----------------------------------------------------")
            Console.WriteLine("Event ID: {0}", eventInstance.Id)
            Console.WriteLine("Publisher: {0}", eventInstance.ProviderName)

            Try
                Console.WriteLine("Description: {0}", eventInstance.FormatDescription())
            Catch e As EventLogException
                ' The event description contains parameters, and no parameters were
                ' passed to the FormatDescription method, so an exception is thrown.
            End Try

            ' Cast the EventRecord object as an EventLogRecord object to
            ' access the EventLogRecord class properties.
            Dim logRecord As EventLogRecord = CType(eventInstance, EventLogRecord)
            Console.WriteLine("Container Event Log: {0}", logRecord.ContainerLog)

            ' Read the next event only after the current one has been displayed;
            ' ReadEvent returns Nothing when there are no more results.
            eventInstance = logReader.ReadEvent()
        End While
    End Sub

    ' Read a password from the console into a SecureString
    ' <returns>Password stored in a secure string</returns>
    Public Function GetPassword() As SecureString
        Dim password As New SecureString()
        Console.WriteLine("Enter password: ")

        ' get the first character of the password
        Dim nextKey As ConsoleKeyInfo = Console.ReadKey(True)

        While nextKey.Key <> ConsoleKey.Enter
            If nextKey.Key = ConsoleKey.Backspace Then
                If password.Length > 0 Then
                    password.RemoveAt(password.Length - 1)

                    ' erase the last * as well
                    Console.Write(nextKey.KeyChar)
                    Console.Write(" ")
                    Console.Write(nextKey.KeyChar)
                End If
            Else
                password.AppendChar(nextKey.KeyChar)
                Console.Write("*")
            End If

            nextKey = Console.ReadKey(True)
        End While

        Console.WriteLine()

        ' lock the password down
        password.MakeReadOnly()
        Return password
    End Function
End Class
```
```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security;

namespace EventQuery
{
    class EventQueryExample
    {
        static void Main(string[] args)
        {
            EventQueryExample ex = new EventQueryExample();
            ex.QueryActiveLog();
            ex.QueryExternalFile();
            ex.QueryRemoteComputer();
        }

        public void QueryActiveLog()
        {
            // Query two different event logs using a structured query.
            // The XPath is XML text, so "<" is written as "&lt;".
            // 86400000 milliseconds = 24 hours.
            string queryString =
                "<QueryList>" +
                "  <Query Id=\"0\" Path=\"Application\">" +
                "    <Select Path=\"Application\">" +
                "        *[System[(Level &lt;= 3) and" +
                "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" +
                "    </Select>" +
                "    <Suppress Path=\"Application\">" +
                "        *[System[(Level = 2)]]" +
                "    </Suppress>" +
                "    <Select Path=\"System\">" +
                "        *[System[(Level=1 or Level=2 or Level=3) and" +
                "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" +
                "    </Select>" +
                "  </Query>" +
                "</QueryList>";

            EventLogQuery eventsQuery = new EventLogQuery("Application", PathType.LogName, queryString);
            EventLogReader logReader = new EventLogReader(eventsQuery);

            // Display event info
            DisplayEventAndLogInformation(logReader);
        }

        public void QueryExternalFile()
        {
            string queryString = "*[System/Level=2]"; // XPATH Query
            string eventLogLocation = @"C:\MyEvents.evtx";
            EventLogQuery eventsQuery = new EventLogQuery(eventLogLocation, PathType.FilePath, queryString);

            try
            {
                EventLogReader logReader = new EventLogReader(eventsQuery);

                // Display event info
                DisplayEventAndLogInformation(logReader);
            }
            catch (EventLogNotFoundException e)
            {
                Console.WriteLine("Could not find the external log to query! " + e.Message);
                return;
            }
        }

        public void QueryRemoteComputer()
        {
            string queryString = "*[System/Level=2]"; // XPATH Query
            SecureString pw = GetPassword();

            EventLogSession session = new EventLogSession(
                "RemoteComputerName",   // Remote Computer
                "Domain",               // Domain
                "Username",             // Username
                pw,
                SessionAuthentication.Default);

            pw.Dispose();

            // Query the Application log on the remote computer.
            EventLogQuery query = new EventLogQuery("Application", PathType.LogName, queryString);
            query.Session = session;

            try
            {
                EventLogReader logReader = new EventLogReader(query);

                // Display event info
                DisplayEventAndLogInformation(logReader);
            }
            catch (EventLogException e)
            {
                Console.WriteLine("Could not query the remote computer! " + e.Message);
                return;
            }
        }

        /// <summary>
        /// Displays the event information and log information on the console for
        /// all the events returned from a query.
        /// </summary>
        private void DisplayEventAndLogInformation(EventLogReader logReader)
        {
            for (EventRecord eventInstance = logReader.ReadEvent();
                null != eventInstance; eventInstance = logReader.ReadEvent())
            {
                Console.WriteLine("-----------------------------------------------------");
                Console.WriteLine("Event ID: {0}", eventInstance.Id);
                Console.WriteLine("Publisher: {0}", eventInstance.ProviderName);

                try
                {
                    Console.WriteLine("Description: {0}", eventInstance.FormatDescription());
                }
                catch (EventLogException)
                {
                    // The event description contains parameters, and no parameters were
                    // passed to the FormatDescription method, so an exception is thrown.
                }

                // Cast the EventRecord object as an EventLogRecord object to
                // access the EventLogRecord class properties
                EventLogRecord logRecord = (EventLogRecord)eventInstance;
                Console.WriteLine("Container Event Log: {0}", logRecord.ContainerLog);
            }
        }

        /// <summary>
        /// Read a password from the console into a SecureString
        /// </summary>
        /// <returns>Password stored in a secure string</returns>
        public static SecureString GetPassword()
        {
            SecureString password = new SecureString();
            Console.WriteLine("Enter password: ");

            // get the first character of the password
            ConsoleKeyInfo nextKey = Console.ReadKey(true);

            while (nextKey.Key != ConsoleKey.Enter)
            {
                if (nextKey.Key == ConsoleKey.Backspace)
                {
                    if (password.Length > 0)
                    {
                        password.RemoveAt(password.Length - 1);

                        // erase the last * as well
                        Console.Write(nextKey.KeyChar);
                        Console.Write(" ");
                        Console.Write(nextKey.KeyChar);
                    }
                }
                else
                {
                    password.AppendChar(nextKey.KeyChar);
                    Console.Write("*");
                }

                nextKey = Console.ReadKey(true);
            }

            Console.WriteLine();

            // lock the password down
            password.MakeReadOnly();
            return password;
        }
    }
}
```
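The introduction mentions filtering by level, time period, and event identifier (105) together; the following added example, which is not part of the original sample, builds that structured query and reads the results while disposing each record. The names `EventQueryBuilder` and `Build` are hypothetical helpers, and the log name, level, ID and 24-hour window are constructed inputs.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security;

static class EventQueryBuilder   // hypothetical helper, not part of the .NET API
{
    // Builds a structured query for one log: events at the given level,
    // optionally with one event ID, created within the last `window`.
    public static string Build(string logName, int level, int? eventId, TimeSpan window)
    {
        string xpath = "*[System[(Level=" + level + ")"
            + (eventId.HasValue ? " and (EventID=" + eventId.Value + ")" : "")
            + " and TimeCreated[timediff(@SystemTime) <= "
            + (long)window.TotalMilliseconds + "]]]";

        // The XPath is XML text content, so "<" must become "&lt;";
        // the log name is an attribute value and is escaped the same way.
        return "<QueryList><Query Id=\"0\" Path=\"" + SecurityElement.Escape(logName) + "\">"
             + "<Select Path=\"" + SecurityElement.Escape(logName) + "\">"
             + SecurityElement.Escape(xpath)
             + "</Select></Query></QueryList>";
    }

    static void Main()
    {
        // Constructed inputs: level 2 events with ID 105 from the last 24 hours.
        string query = Build("Application", 2, 105, TimeSpan.FromHours(24));
        Console.WriteLine(query);

        var eventsQuery = new EventLogQuery("Application", PathType.LogName, query);
        try
        {
            using (var reader = new EventLogReader(eventsQuery))
            {
                EventRecord record;
                while ((record = reader.ReadEvent()) != null)
                {
                    using (record)   // each EventRecord holds a native handle
                    {
                        Console.WriteLine("{0:u}  ID {1}  {2}",
                            record.TimeCreated, record.Id, record.ProviderName);
                    }
                }
            }
        }
        catch (EventLogException e)
        {
            Console.WriteLine("Query failed: " + e.Message);
        }
    }
}
```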
Compiling the Code
This code example requires references to the System.dll, System.Security.dll, and System.Core.dll files.
Copyright © 2007 by Microsoft Corporation. All rights reserved.