3.1.1.8 Queries

Events within log files can be queried through the protocol. The protocol methods for querying the events are EvtRpcRegisterLogQuery (as specified in section 3.1.4.12) and EvtRpcQueryNext (as specified in section 3.1.4.13). An event query is an expression string that selects events within the log file or files. Because all events in the system have an event XML representation, the expression string can be based on this representation.

The syntax of the filter for a query is specified in sections 2.2.15 and 2.2.16.
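
As an added illustration (not part of this specification and not the server's implementation), the Python sketch below shows how an expression string selects events by their XML representation. The restricted grammar it accepts, the helper names, and the sample events are assumptions of this example; the normative filter syntax remains the one given in sections 2.2.15 and 2.2.16.

```python
import operator
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def _event(record_id, event_id, level):
    # Constructed sample event XML (System section only), not real log data.
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            "<System><Provider Name='Example-Provider'/>"
            f"<EventID>{event_id}</EventID><Level>{level}</Level>"
            f"<EventRecordID>{record_id}</EventRecordID>"
            "<Channel>Application</Channel></System></Event>")

SAMPLE_EVENTS = [_event(1, 100, 4), _event(2, 200, 2), _event(3, 100, 2)]

# Assumed subset for this sketch: *[System[cond and cond ...]], where each cond
# is <SystemChildElement> <op> <integer>, optionally wrapped in parentheses.
_OUTER = re.compile(r"^\*\[System\[(.+)\]\]$")
_COND = re.compile(r"^\(?\s*(\w+)\s*(<=|>=|!=|=|<|>)\s*(\d+)\s*\)?$")
_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def compile_filter(expr):
    """Turn an expression string into a predicate over event XML strings."""
    outer = _OUTER.match(expr.strip())
    if not outer:
        raise ValueError(f"unsupported expression: {expr!r}")
    conds = []
    for part in re.split(r"\s+and\s+", outer.group(1)):
        cond = _COND.match(part.strip())
        if not cond:
            raise ValueError(f"unsupported condition: {part!r}")
        conds.append((cond.group(1), _OPS[cond.group(2)], int(cond.group(3))))

    def matches(event_xml):
        system = ET.fromstring(event_xml).find(NS + "System")
        if system is None:
            return False
        for name, op, value in conds:
            text = (system.findtext(NS + name) or "").strip()
            # A missing or non-numeric element never satisfies a comparison.
            if not text.isdigit() or not op(int(text), value):
                return False
        return True
    return matches

def run_query(expr, events):
    """Return the EventRecordID of every event the expression selects."""
    match = compile_filter(expr)
    return [int(ET.fromstring(e).findtext(f"{NS}System/{NS}EventRecordID"))
            for e in events if match(e)]
```

For example, `run_query("*[System[(EventID=100) and (Level<=2)]]", SAMPLE_EVENTS)` selects only the constructed event with record ID 3.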