Read the Windows Event Log using C# (Source != ProviderName != SourceName)
I am using C# to read the Windows Event Log and I want to select/filter entries from it. The problem is that the information displayed in the Event Viewer is not always matching the data I get from C#.
For example:
EventViewer "Source": "User Profile Service"
Using the EventLogEntry class: Property "Source": "Microsoft-Windows-User Profiles Service"
Using the EventLogReader class: Property "ProviderName": "Microsoft-Windows-User Profiles Service"
Using WMI: "SourceName": "Microsoft-Windows-User Profiles Service"
I need to be able to read the exact information displayed in the EventViewer, where can I get this information from?
Reading the EventLog message...
When reading the EventLog message using the EventLogEntry class I occasionally get the following string:
The description for Event ID "xxx" in Source "xxx" cannot be found
Again, this does not match the message displayed in the EventViewer... I have tried using the EventLogReader.FormatDescription() method and it gives me the right (the same as the EventViewer) message, BUT for some entries it simply returns null, while the EventLogEntry.Message contains the proper text.
What is the correct way to retrieve the message of the event to get the same message as the one displayed in the EventViewer?
Comments (2)
That is a fairly basic swag at interacting with the log. If you need deeper filtering that source, you can write a LINQ query on the Entries. As shown here.
As for the error, one common reason is not having the proper access to the events and/or registry on the box in question. Since you can see the data in question in EventViewer, I am suspecting a permissions error is a good possibility.
It appears that the "Source" string shown in the "Source" column in the Event Viewer is abbreviated. Also, it seems that when you try to create an EventLog in C# only the logtype matters, e.g. "Application", "System" etc. Once you create an EventLog it will contain all the entries for that logtype regardless of what you specified as source.
In order to get an event based on "Source" you want to iterate over the entries and filter only the entries for that "Source". Just keep in mind that the actual source name is not the same as what you see in the Event Viewer. For example, for Source "Winlogon" the actual source name would be: "Microsoft-Windows-Winlogon" and so on.
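The filtering and message retrieval discussed in this thread, as an added example that is not part of any of the posts above: it queries by the real provider name with an XPath filter instead of iterating every entry, and handles the case from the question where `FormatDescription()` returns null. The choice of the "System" log, the 10-event limit, and the idea that `ProviderMetadata.DisplayName` is the string Event Viewer shows in its "Source" column are assumptions.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

static class EventLogDemo
{
    // Localized provider name (assumed to be what Event Viewer displays);
    // falls back to the raw provider name if the metadata cannot be loaded.
    static string DisplayName(string providerName)
    {
        try
        {
            using (var meta = new ProviderMetadata(providerName))
                return string.IsNullOrEmpty(meta.DisplayName) ? providerName : meta.DisplayName;
        }
        catch (EventLogException) { return providerName; }
    }

    // Rendered message, or the raw insertion strings when no template resolves.
    static string Describe(EventRecord rec)
    {
        string text = null;
        try { text = rec.FormatDescription(); }
        catch (EventLogException) { /* provider metadata missing or unreadable */ }
        if (!string.IsNullOrEmpty(text)) return text;
        return "(no message template) " +
               string.Join(" | ", rec.Properties.Select(p => Convert.ToString(p.Value)));
    }

    static void Main()
    {
        const string provider = "Microsoft-Windows-Winlogon"; // real name, as in the answer above
        // Let the event log service filter by provider; newest events first.
        string xpath = "*[System/Provider[@Name='" + provider + "']]";
        var query = new EventLogQuery("System", PathType.LogName, xpath) { ReverseDirection = true };

        Console.WriteLine("Provider: {0} (display name: {1})", provider, DisplayName(provider));
        using (var reader = new EventLogReader(query))
        {
            EventRecord rec;
            for (int shown = 0; shown < 10 && (rec = reader.ReadEvent()) != null; shown++)
                using (rec)
                    Console.WriteLine("{0:u} id={1} {2}", rec.TimeCreated, rec.Id, Describe(rec));
        }
    }
}
```

When collecting events for monitoring or forensics, keeping the provider name, event ID and raw property values alongside the rendered text means an entry stays usable even on a machine where the provider's message resources are missing.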