4.14 Backup and Archive the Event Log Example

In this example, the client wants to export all the events in the application channel into a backup event log file and then bring the backup file to another computer to view the events with no publisher registered on the destination computer. This involves the following steps:

  1. The client calls the EvtRpcRegisterControllableOperation method (section to get an operation control handle.

     error_status_t EvtRpcRegisterControllableOperation(
       [out, context_handle] PCONTEXT_HANDLE_OPERATION_CONTROL* handle
     );
  2. The client calls the EvtRpcExportLog method (section to export the events into a backup log file.

     error_status_t EvtRpcExportLog(
       [in, context_handle] PCONTEXT_HANDLE_OPERATION_CONTROL control = {handle from step 1},
       [in, unique, range(0, MAX_RPC_CHANNEL_NAME_LENGTH), string]
         LPCWSTR channelPath = L"Application",
       [in, range(1, MAX_RPC_QUERY_LENGTH), string]
         LPCWSTR query = L"*",
       [in, range(1, MAX_RPC_FILE_PATH_LENGTH), string]
         LPCWSTR backupPath = L"c:\\backup\\application.evtx",
       [in] DWORD flags = 0x00000001 (EvtExportLogChannelPath),
       [out] RpcInfo* error
     );
  3. The server opens the Application channel, reads every event, and copies the events from the channel into the file "c:\backup\application.evtx". The backup event log file now contains all the events from the Application channel, but not the localized strings for each event's level, task, opcode, keyword, and description.

  4. To get those localized strings, the client calls the EvtRpcLocalizeExportLog method (section to save the localized strings in a separate file in a subdirectory of the directory where the backup file is located.

     error_status_t EvtRpcLocalizeExportLog(
       [in, context_handle] PCONTEXT_HANDLE_OPERATION_CONTROL control = {handle from step 1},
       [in, range(1, MAX_RPC_FILE_PATH_LENGTH), string]
         LPCWSTR logFilePath = L"c:\\backup\\application.evtx",
       [in] LCID locale = 1033,
       [in] DWORD flags = 0,
       [out] RpcInfo* error
     );

After the server returns, a file named "c:\backup\LocalMetadata\Application_1033.MTA" exists on the server. The file contains the localized English strings for all events in the backup.