EvtExportLog function

Copies events from the specified channel or log file and writes them to the target log file.

Syntax


BOOL WINAPI EvtExportLog(
  _In_opt_ EVT_HANDLE Session,
  _In_     LPCWSTR    Path,
  _In_     LPCWSTR    Query,
  _In_     LPCWSTR    TargetFilePath,
  _In_     DWORD      Flags
);

Parameters

Session [in, optional]

A remote session handle that the EvtOpenSession function returns. Set to NULL for local channels.

Path [in]

The name of the channel or the full path to a log file that contains the events that you want to export. If the Query parameter contains an XPath query, you must specify the channel or log file. If the Flags parameter contains EvtExportLogFilePath, you must specify the log file. If the Query parameter contains a structured XML query, the channel or path that you specify here must match the channel or path in the query. If the Flags parameter contains EvtExportLogChannelPath, this parameter can be NULL if the query is a structured XML query that specifies the channel.

Query [in]

A query that specifies the types of events that you want to export. You can specify an XPath 1.0 query or structured XML query. If your XPath contains more than 20 expressions, use a structured XML query. To export all events, set this parameter to NULL or "*".

TargetFilePath [in]

The full path to the target log file that will receive the events. The target log file must not exist.

Flags [in]

Flags that indicate whether the events come from a channel or log file. For possible values, see the EVT_EXPORTLOG_FLAGS enumeration.

Return value

Return code/valueDescription
TRUE

The function succeeded.

FALSE

The function failed. Use the GetLastError function to get the error code.

 

Remarks

You can export events from multiple channels using a structured XML query (see Consuming Events); however, you cannot use this function to merge events from multiple log files. If the query result is empty, the service creates a file that contains header information but no events.

To remove events from a channel and write them to a target log file, call the EvtClearLog function. To include localized strings with the events in the log file, call the EvtArchiveExportedLog function.

You must specify the absolute path to the target log file; you cannot use relative paths and environment variables to specifying the target log file. The path can be a Universal Naming Convention (UNC) path. You should use .evtx as the file name extension.

This function affects only the specified channel or log file—if the channel uses autoBackup or fileMax, this function will not affect those backup files.

Examples

For an example that shows how to use this function, see Saving Events to a Log File.

Requirements

Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

Header

WinEvt.h

Library

Wevtapi.lib

DLL

Wevtapi.dll

See also

EvtArchiveExportedLog
EvtClearLog

 

 

Show: