WMI query - find the oldest Application log event

Keywords for this article: application log event query find WMI | Updated: 2023-09-27 18:21:55

I looked through all the related topics but did not find an answer. I am running a WMI query to retrieve the date and time of the oldest event in the Application log. Unfortunately, the query below always returns 0 values, yet the syntax is apparently correct, since no error message is returned. Any idea why this happens? Actually, the built-in C# solution downloads the whole Event Viewer, and since I am connecting to remote machines the performance is terrible. That is why I chose a WMI query.

SelectQuery query = new SelectQuery("select * from Win32_NtLogEvent where Logfile ='" + logFileName + "' and RecordNumber = '1'");
using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, opt)) {
    foreach (ManagementObject mo in searcher.Get()) {
        DateTime firstEventTime;
        DateTime.TryParseExact(mo["TimeGenerated"].ToString().Substring(0, 12), "yyyyMMddHHmm", null, DateTimeStyles.None, out firstEventTime);
        // if the time of the first entry of the application log is older than the dayback-to-check date
        // set dayback-to-check to the first app log entry date
        logbox.writetoLogFile(this.GetType().Name, "First event time is " + firstEventTime, LogLevel.Debug);
        if (firstEventTime > endDate) {
            endDate = firstEventTime;
            logbox.writetoLogTextbox("First eventviewer entry has date " + firstEventTime + ". Check log will stop at this date", Color.Black);
            logbox.writetoLogFile(this.GetType().Name, "First eventviewer entry has date " + firstEventTime + ". Check log will stop at this date", LogLevel.Info);
        }
    }
}

Unfortunately, I have now figured it out. The record number is not reset, so event 1 has been gone for years. :( Do you have any idea how I could gather this information?

Thanks, Marco

RecordNumber is a unique identifier that does not necessarily match the LogFile you are using; it is something like a primary key, and you can get a different number on each computer. The MSDN definition of RecordNumber:

  • Identifies the event within the Windows NT event log file. This is specific to the log file and is used together with the log file name to uniquely identify an instance of this class.

So what you should do is get all the events with a specific LogFile, order them by TimeGenerated, then take the oldest event and search again for that oldest event's number, i.e.:

using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Management;

namespace WmiEventQuery
{
    class Program
    {
        static void Main(string[] args)
        {
            // ask for every event of one log; RecordNumber on its own is not a usable filter
            SelectQuery query = new SelectQuery("select * from Win32_NtLogEvent where LogFile = 'Application'");
            //execute the query using WMI
            ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);
            //loop through each event found and keep its RecordNumber and TimeGenerated
            List<EventDateTime> datetimesEvents = new List<EventDateTime>();
            foreach (ManagementObject mo in searcher.Get())
            {
                DateTime firstEventTime;
                // TimeGenerated is a CIM DATETIME string (yyyyMMddHHmmss.ffffff+UUU); keep only yyyyMMddHHmm
                DateTime.TryParseExact(mo["TimeGenerated"].ToString().Substring(0, 12), "yyyyMMddHHmm", null, DateTimeStyles.None, out firstEventTime);
                datetimesEvents.Add(new EventDateTime
                {
                    RecordNumber = Convert.ToInt32(mo["RecordNumber"]),
                    TimeGenerated = firstEventTime
                });
            }
            // FirstOrDefault() returns null when the log is empty, so guard before dereferencing
            EventDateTime oldest = datetimesEvents.OrderBy(p => p.RecordNumber).FirstOrDefault();
            if (oldest == null)
            {
                Console.WriteLine("No events found in the Application log");
                Console.Read();
                return;
            }
            int olderRecordNumber = oldest.RecordNumber;
            // RecordNumber is only unique together with LogFile, so the second query filters on both
            SelectQuery queryUnique = new SelectQuery(
                string.Format("select * from Win32_NtLogEvent where LogFile = 'Application' and RecordNumber = {0}", olderRecordNumber)
                );
            ManagementObjectSearcher searcherUnique = new ManagementObjectSearcher(queryUnique);
            foreach (ManagementObject mo in searcherUnique.Get())
            {
                //print the oldest event
                Console.WriteLine(mo["Message"]);
                Console.WriteLine(mo["RecordNumber"]);
            }
            Console.Read();
        }
    }

    public class EventDateTime
    {
        public DateTime TimeGenerated { get; set; }
        public int RecordNumber { get; set; }
    }
}
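The two points the answer turns on, worked through as an added example that is not code from the question or the answer: Win32_NtLogEvent.TimeGenerated is a CIM DATETIME string whose seconds and UTC offset the Substring(0, 12) parse discards, and RecordNumber never resets and is only unique together with LogFile, so the oldest retained event has to be chosen by TimeGenerated within one log. The rows below are constructed sample data shaped like Win32_NtLogEvent records, not output from a real host.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Win32_NtLogEvent (not captured from a real host).
# Application 48123 was written after a clock correction, so RecordNumber order and
# TimeGenerated order disagree; System 48122 shares its RecordNumber with Application.
SAMPLE_EVENTS = [
    {"LogFile": "Application", "RecordNumber": 48122, "TimeGenerated": "20230915093000.000000+120"},
    {"LogFile": "Application", "RecordNumber": 48123, "TimeGenerated": "20230914233000.000000+120"},
    {"LogFile": "Application", "RecordNumber": 48124, "TimeGenerated": "20230927182155.000000+120"},
    {"LogFile": "System",      "RecordNumber": 48122, "TimeGenerated": "20210103120000.000000-300"},
]


def parse_cim_datetime(value):
    """Parse a CIM DATETIME string (yyyymmddHHMMSS.mmmmmmsUUU) into a UTC datetime.

    sUUU is the offset from UTC in minutes ("+120" is UTC+2). Substring(0, 12) as used
    on the page keeps only yyyymmddHHMM and silently drops the seconds and this offset.
    """
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError("not a CIM DATETIME: %r" % value)
    local = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    offset = timedelta(minutes=int(value[21:]))  # int("+120") == 120, int("-300") == -300
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def oldest_event(records, log_file):
    """Oldest retained event of one log, chosen by TimeGenerated.

    RecordNumber keeps growing as the log wraps, so 'RecordNumber = 1' (the query in the
    question) matches nothing on a long-running host, and the same number can appear in
    other logs, so the filter must include LogFile. Returns None for an empty/unknown log.
    """
    rows = [r for r in records if r["LogFile"] == log_file]
    if not rows:
        return None
    return min(rows, key=lambda r: parse_cim_datetime(r["TimeGenerated"]))


def retention_window(records, log_file, now):
    """How far back the log still reaches: now minus the oldest TimeGenerated (or None)."""
    oldest = oldest_event(records, log_file)
    return None if oldest is None else now - parse_cim_datetime(oldest["TimeGenerated"])


if __name__ == "__main__":
    for log in ("Application", "System", "Security"):
        row = oldest_event(SAMPLE_EVENTS, log)
        when = parse_cim_datetime(row["TimeGenerated"]).isoformat() if row else "no events"
        print("%-12s oldest RecordNumber=%s at %s" % (log, row and row["RecordNumber"], when))
```

Against a live host the same two functions apply to the rows returned by the answer's first query; the retention window is the visibility horizon a forensic review of that log can rely on.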