EventLogSession.ExportLogAndMessages query

Question

I need to save windows event logs in some file, now i am using:

var els = new EventLogSession();
els.ExportLogAndMessages("Application", PathType.LogName, "*", Path.Combine("c:\\Application.evtx"), false, CultureInfo.CurrentCulture);

this works fine but i want to get logs between DateTime range, i suspect that 3rd parameter in ExportLogAndMessages "query" may help me.

now how to write this "query", and if "query" doesn't help is there anyway to do that.

Answer 1

Here is an example of getting the event logs exported for say the past 8 hours:

int pastNHours = 8;
long timeDuration = pastNHours * 60 * 60 * 1000; // Hours to milli seconds.
string queryString = $"*[System/TimeCreated[timediff(@SystemTime) < {timeDuration}]]";
using (var evtLog = new EventLogSession()) {
evtLog.ExportLogAndMessages("Application", PathType.LogName, queryString, "D:\\TEMP\\App-test-export.evtx", false, CultureInfo.CurrentCulture);
}

You should be able to add an "and" condition and filter it further to get events between 2 time stamps.

I came to these pages 9.5 years after the last answer ! Perhaps there are people looking for these snippets ...

Answer 2

Both pages aren't very helpful as the query syntax isn't clear.

You can right-click any log in the Event Viewer and choose "Filter Current Log...", when you create a filter you'll see the underlying xml in the next tab. You can use it as your query.

Answer 3

These links can help you to form your query:

How to: Query for Events

Event Queries and Event XML

You should compose a query to get events in some date range only.

I think you can use: TimeCreated parameter in your query.