How do I export the Windows and application event log?

Question

How do I export the Windows and application event log?

Using the EvtExportLog

function , I am currently unable to provide the correct value for the parameter Path

and / or Query

.

My goal is to export the local Application and System event log .

I tried:

EvtExportLog(
    IntPtr.Zero, 
    "Application", 
    "*", 
    "C:\\SomePath\\Application.evtx", 
    EventExportLogFlags.LogFilePath);

with the following P / Invoke definition:

[Flags]
private enum EventExportLogFlags
{
    ChannelPath = 1,
    LogFilePath = 2,
    TolerateQueryErrors = 0x1000
};

[DllImport(@"wevtapi.dll", 
    CallingConvention = CallingConvention.Winapi,
    CharSet = CharSet.Auto,
    SetLastError = true)]
private static extern bool EvtExportLog(
    IntPtr sessionHandle,
    string path,
    string query,
    string targetPath,
    [MarshalAs(UnmanagedType.I4)] EventExportLogFlags flags);

Unfortunately, the function also returns the false

last error code 2 ( ERROR_FILE_NOT_FOUND ).

My question is:

What to add options Path

and Query

to export the local application and system event log?

+3

c # windows .net event-log

Uwe keim May 27 '15 @ 9:14 am

source to share

1 answer

Uwe keim · Accepted Answer · 2015-05-27T10:04:13+0000

To answer my own question:

My Path

and Query

were indeed correct. What was wrong was the parameter Flags

.

Instead of specifying a parameter, EventExportLogFlags.LogFilePath

I had to specify a parameter EventExportLogFlags.ChannelPath

.

Then the export will be successful:

EvtExportLog(
    IntPtr.Zero, 
    "Application", 
    "*", 
    "C:\\SomePath\\Application.evtx", 
    EventExportLogFlags.ChannelPath); // <-- HERE!

How do I export the Windows and application event log?

More articles: