Is it possible to write a query for EventLogQuery using 'like'?

Posted 2025-02-03 08:55:41 · 199 characters · 2 views · 0 comments

I need to filter and say, for example, that PackageFullName should start with '6'. How do I filter using some pattern?

 string query = "*[System/EventID=400 ] and *[System/Opcode=2] and *[EventData[Data[@Name='PackageFullName'] LIKE '6%']]";


Comments (1)

请爱~陌生人 2025-02-10 08:55:41

As explained in the comments, the Event Log service on Windows does not support the full XPath grammar, and it certainly doesn't support substring-matching functions like contains()/starts-with()/ends-with().

Instead, you'll need to fetch all the events and then filter them by inspecting the data value in your own code.

To extract the individual <Data /> nodes' values from the event data section, use the GetPropertyValues() method with an appropriate EventLogPropertySelector to grab the string value, then manually inspect it:

// Types used below live in System.Diagnostics.Eventing.Reader
using System.Diagnostics.Eventing.Reader;

string logName = "Microsoft-Windows-TerminalServices-Gateway";
string queryText = "*[System/EventID=400 ] and *[System/Opcode=2] and *[EventData[Data[@Name='PackageFullName']]]";

// This is the query definition the reader will use to pre-filter event records
var query = new EventLogQuery(logName, PathType.LogName, queryText);
// This is a property selector that we'll be using to extract the event data afterwards
var packageNameSelector = new EventLogPropertySelector(new []{ "Event/EventData/Data[@Name='PackageFullName']" });

using (var reader = new EventLogReader(query))
{
    // Keep reading until ReadEvent() returns null (no more records)
    EventLogRecord record;
    while((record = reader.ReadEvent() as EventLogRecord) is not null)
    {
        // Fetch the package name and inspect before moving ahead
        var propertyValues = record.GetPropertyValues(packageNameSelector);
        if(propertyValues.Count > 0 && propertyValues[0] is string pkgName && pkgName.StartsWith("6"))
        {
            // matching event, do what you need here
        }
    }
}
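The same two-stage approach (push the structural and equality tests down to the Event Log service's XPath subset, do the prefix match in your own code), as an added example that is not part of the answer above. The log name, event ID, opcode and `PackageFullName` field come from the question; the `PackageNameFilter` class, its `Matches` predicate and the `DataValueFromXml` fallback (which reads the record's XML when the property selector returns nothing) are assumptions made for this example.

```csharp
// Added example, not code from the original post.
#nullable enable
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Xml.Linq;

static class PackageNameFilter
{
    // Prefix test kept separate from the reader so it can be unit-tested without a live log.
    public static bool Matches(string? packageFullName, string prefix) =>
        packageFullName is not null &&
        packageFullName.StartsWith(prefix, StringComparison.Ordinal);

    // Fallback: pull a named <Data> element out of the record's XML rendering.
    // The namespace is the standard Windows event schema namespace.
    public static string? DataValueFromXml(string eventXml, string dataName)
    {
        XNamespace ns = "http://schemas.microsoft.com/win/2004/08/events/event";
        var doc = XDocument.Parse(eventXml);
        foreach (var data in doc.Descendants(ns + "Data"))
        {
            if ((string?)data.Attribute("Name") == dataName)
                return data.Value;
        }
        return null;
    }

    // Stage 1: the service evaluates the XPath below (exact comparisons and
    // structure only). Stage 2: the prefix test, which XPath here cannot express,
    // runs in this loop on the already-narrowed record set.
    public static IEnumerable<EventLogRecord> MatchingEvents(string logName, string prefix)
    {
        const string queryText =
            "*[System/EventID=400] and *[System/Opcode=2] and " +
            "*[EventData[Data[@Name='PackageFullName']]]";
        var query = new EventLogQuery(logName, PathType.LogName, queryText);
        var selector = new EventLogPropertySelector(
            new[] { "Event/EventData/Data[@Name='PackageFullName']" });

        using var reader = new EventLogReader(query);
        while (reader.ReadEvent() is EventLogRecord record)
        {
            var values = record.GetPropertyValues(selector);
            string? name = values.Count > 0 ? values[0] as string : null;
            name ??= DataValueFromXml(record.ToXml(), "PackageFullName");

            if (Matches(name, prefix))
                yield return record;      // caller owns (and disposes) matching records
            else
                record.Dispose();         // release the native handle for non-matches
        }
    }
}

static class Program
{
    static void Main()
    {
        const string logName = "Microsoft-Windows-TerminalServices-Gateway";
        try
        {
            foreach (var ev in PackageNameFilter.MatchingEvents(logName, "6"))
            {
                using (ev)
                    Console.WriteLine($"{ev.TimeCreated:o} RecordId={ev.RecordId}");
            }
        }
        catch (EventLogNotFoundException e)
        {
            // The log is only present on hosts with the RD Gateway role installed.
            Console.Error.WriteLine($"Log '{logName}' not found: {e.Message}");
        }
    }
}
```

Keeping `Matches` as a pure function means the only part of the pipeline that needs a Windows host with the log present is `MatchingEvents`; the predicate and the XML fallback can be exercised against a captured `ToXml()` string in a unit test. Read the program elevated or as a member of Event Log Readers, since Microsoft-Windows-* channels are not readable by unprivileged users.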