Question

Situation: I have many old security event logs on a server (about 18 GB). The logs are saved on a dedicated HDD partition as evt files (-> the logs are not included in Event Viewer).

Want: I want to search for a specific event ID in every log.

Problem: I can't open an event log file which isn't "included" in Event Viewer with the EventLog class.

Idea: I use .NET's EventLog class: EventLog log = new EventLog();
But I can't refer to the specific event log file which is on the other HDD partition.

I tried every possible way (in my opinion), like:

EventLog log = new EventLog(filepath, Computername)
EventLog log = new EventLog(filepath, ".")
EventLog log = new EventLog(filename, Computername, filepath)
EventLog log = new EventLog(filename, ".", filepath)

For the first two, the error message says that no special character like "\" is allowed. For the last two, the error message says that no such file "filename" was found on the computer (I think it searches in the event logs which are "included" in Event Viewer).

Question: I want to open such files - it doesn't matter if it works with the class my idea is based on. I only want to search for an event ID and, if a specific ID is found, export the whole event to a txt, csv or whatever.

Thanks in advance!


Solution

Here is a method that takes the event file and ID as parameters and returns an EventRecord:

using System.Diagnostics.Eventing.Reader;

// Opens the exported log file directly (PathType.FilePath) instead of a live channel,
// filters it with an XPath query on the event ID, and returns the first matching record.
// ReadEvent returns null when no event in the file has that ID.
public static EventRecord GetEventRecord(string eventFile, int eventID)
{
  var xpathQuery = string.Format("*[System/EventID={0}]", eventID);
  var query = new EventLogQuery(eventFile, PathType.FilePath, xpathQuery);
  using (var reader = new EventLogReader(query))
  {
    return reader.ReadEvent();
  }
}

Usage example:

using System;
using System.Globalization;
using System.Threading;

static void Main(string[] args)
{
  var rec = GetEventRecord(@"w:\kanta\eventi.evtx", 903);
  // due to a bug you have to set current culture to en-US or FormatDescription won't work
  // https://connect.microsoft.com/VisualStudio/feedback/details/498054/net-3-5-sp1-eventrecord-formatdescription#
  Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US");
  if (rec == null)
    Console.Write("No event with that ID was found in the file.");  // GetEventRecord returns null when nothing matches
  else
    Console.Write(rec.FormatDescription());
  Console.ReadKey();
}
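The answer's query returns only the first hit; the question asked for every matching event exported to a file. The following is an added example, not the answerer's code, that walks all records with the given ID in an offline .evtx file (the format used in the answer) and writes them to CSV; the file path, event ID and output path are assumptions supplied by the caller.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.IO;
using System.Threading;

// Added example, not the answerer's code: stream every event with the given ID out of an
// offline .evtx file and write one CSV row per match. File path, ID and output path are
// assumptions passed by the caller.
public static class OfflineEventExport
{
    // Returns the number of matching events written.
    public static int ExportMatches(string eventFile, int eventId, string csvPath)
    {
        // Workaround for the FormatDescription culture bug noted in the answer.
        Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US");
        // XPath over the System element; PathType.FilePath targets a file, not a live channel.
        var query = new EventLogQuery(eventFile, PathType.FilePath,
                                      string.Format("*[System/EventID={0}]", eventId));
        int count = 0;
        using (var reader = new EventLogReader(query))
        using (var csv = new StreamWriter(csvPath, append: false))
        {
            csv.WriteLine("TimeCreatedUtc,EventId,Provider,RecordId,Description");
            EventRecord rec;
            while ((rec = reader.ReadEvent()) != null)   // null: no further matches
            {
                using (rec)
                {
                    csv.WriteLine(string.Join(",",
                        rec.TimeCreated.HasValue ? rec.TimeCreated.Value.ToUniversalTime().ToString("o") : "",
                        rec.Id, Quote(rec.ProviderName), rec.RecordId, Quote(Describe(rec))));
                    count++;
                }
            }
        }
        return count;
    }

    // The rendered message needs the provider's message resources on the machine reading
    // the file; logs copied from another server often lack them, so fall back to raw XML.
    static string Describe(EventRecord rec)
    {
        try { return rec.FormatDescription() ?? rec.ToXml(); }
        catch (EventLogException) { return rec.ToXml(); }
    }
    // Minimal CSV quoting: wrap in quotes and double any embedded quotes.
    static string Quote(string s) => "\"" + (s ?? "").Replace("\"", "\"\"") + "\"";
}
```

Description fields may contain line breaks; they are emitted inside quotes, which CSV readers that follow RFC 4180 handle as part of the field.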
Licensed under: CC-BY-SA with attribution