c# - How to convert a .evtx event log to csv

Tags: c# event-log

My Windows service needs to save the contents of an event log to a file. This is done with EventLogSession.ClearLog. However, I cannot force it to save the event log directly as CSV; the saved format is EVTX.

using System;
using System.IO;
using System.Diagnostics.Eventing.Reader;

string eventLogName = "Application"; // name of the log to archive (placeholder; the original post does not show this declaration)
EventLogSession els = new EventLogSession();

// Build the file name by combining the appdata path with a temp file name
string tempData = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "templog.csv");

// Clears all the events and archives them to the backup file.
// The backup is always written in .evtx format, whatever extension the path has.
els.ClearLog(eventLogName, tempData); //  Backup File Path

How can I force the EventLogSession class to save directly to CSV, or, if that is not possible, how can I convert EVTX to CSV (using C# or VB.net)?

Thanks!

Best answer

This is easy to do with the API provided by Log Parser.

Download and install Log Parser 2.2

Add a reference to the COM library "MS Utility 1.0 Type Library - LogParser Interfaces Collection". Searching for "Log" narrows the list down considerably.


Change the properties of the reference so that it does not embed interop types. If you don't, you will get a compile error like this: Interop type 'MSUtil.COMCSVOutputContextClassClass' cannot be embedded. Use the applicable interface instead.

[Image: MSUtil Interop Types]

The LogParser help file is a good reference for the API, but I have included the parts I used in my code.

using System;
using MSUtil;

namespace LogParserTest
{
 using LogQuery = LogQueryClassClass;
 using EventLogInput = COMEventLogInputContextClassClass;
 using CSVOutput = COMCSVOutputContextClassClass;
 using XMLOutput = COMXMLOutputContextClassClass;

 class Program
 {
  static void Main(string[] args)
  {
   try
   {
    // Instantiate the LogQuery object
    LogQuery oLogQuery = new LogQuery();

    // Instantiate the Event Log Input Format object
    EventLogInput eventInputFormat = new EventLogInput();

    // When set to "FW", events are retrieved from the oldest to the 
    // newest. When set to "BW", events are retrieved from the newest 
    // to the oldest.
    eventInputFormat.direction = "FW"; 

    // Event text messages often span multiple lines. When this parameter
    // is set to "ON", the EVT input format preserves readability of the 
    // messages by removing carriage-return, line-feed, and multiple space
    // characters from the message text.
    // When this parameter is set to "OFF", the EVT input format returns
    // the original message text with no intervening post-processing. 
    eventInputFormat.formatMessage = true;

    eventInputFormat.binaryFormat = "ASC";
    eventInputFormat.stringsSep = ",";

    CSVOutput csvOutputFormat = new CSVOutput();

    // ON: always write the header; 
    // OFF: never write the header; 
    // AUTO: write the header only when not appending to an existing file. 
    csvOutputFormat.headers = "ON"; 

    // Setting this parameter to "ON" causes the CSV output format to write
    // a tab character after each comma field separator, in order to 
    // improve readability of the CSV output. Note that using tabs between
    // field values might generate output that is not compatible with 
    // certain spreadsheet applications. 
    csvOutputFormat.tabs = false;

    // ON: always enclose field values within double-quote characters; 
    // OFF: never enclose field values within double-quote characters; 
    // AUTO: enclose within double-quote characters only those field 
    //    values that contain comma (,) characters. 
    csvOutputFormat.oDQuotes = "AUTO";

    // This parameter specifies the date and/or time format to use when
    // formatting values of the TIMESTAMP data type.
    csvOutputFormat.oTsFormat = "yyyy-MM-dd";

    // 0 is the system codepage, -1 is UNICODE. 
    csvOutputFormat.oCodepage = -1;

    // 0: existing files are appended with the output; 
    // 1: existing files are overwritten with the output; 
    // 2: existing files are left intact, discarding the output. 
    csvOutputFormat.fileMode = 1;

    /*
    EventLog     STRING  Name of the Event Log or Event Log backup file 
    RecordNumber   INTEGER  Index of this event
    TimeGenerated   TIMESTAMP Event generated date/time (local time) 
    TimeWritten    TIMESTAMP Event logged date/time (local time) 
    EventID      INTEGER  The ID of the event 
    EventType     INTEGER  The numeric type of the event 
    EventTypeName   STRING  The descriptive type of the event 
    EventCategory   INTEGER  The numeric category of the event 
    EventCategoryName STRING  The descriptive category of the event 
    SourceName    STRING  The source that generated the event 
    Strings      STRING  The textual data
    ComputerName   STRING  The name of the computer  
    SID        STRING  The Security Identifier associated with the event 
    Message      STRING  The full event message 
    Data       STRING  The binary data associated with the event 
    */

    // Full path of the CSV file to write (placeholder; not declared in the original post)
    string FullPathToCsv = @"C:\Temp\SystemEvents.csv";

    string query = @"SELECT TOP 10 EventLog, RecordNumber, Message INTO ";
    // Enclose path in single ticks to handle spaces.
    query += "'" + FullPathToCsv + "' FROM ";
    // Name of the log: System, Security, Application, or a custom log name
    query += "System";
    oLogQuery.ExecuteBatch(query, eventInputFormat, csvOutputFormat);
   }
   catch (System.Runtime.InteropServices.COMException ex)
   {
    Console.WriteLine("Unexpected error: " + ex.Message);
   }
  }
 }
}
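The Log Parser route above queries a live channel and needs a separate install plus a COM reference. The asker's scenario is slightly different: ClearLog has already written a backup file, so what is needed is an offline EVTX-to-CSV conversion. The following is an added example, not code from the original question or answer, showing that conversion with the framework's own System.Diagnostics.Eventing.Reader API (the same namespace as EventLogSession). It assumes a Windows host with .NET Framework 3.5 or later (or modern .NET on Windows); the file paths in Main are placeholders.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Linq;
using System.Text;

// Added example (not from the original post): read an .evtx backup file with the
// built-in EventLogReader and write it out as CSV. No Log Parser or COM reference needed.
class EvtxToCsv
{
    // Quote one CSV field: wrap in double quotes and double any embedded quotes,
    // so commas, quotes and newlines inside event messages cannot break a row.
    static string Field(object value)
    {
        string s = value == null ? "" : value.ToString();
        return "\"" + s.Replace("\"", "\"\"") + "\"";
    }

    // Rendered message text for an event. FormatDescription() needs the provider's
    // message resources; when a backup is converted on a host that lacks them it throws,
    // so fall back to the raw event data values rather than dropping the record.
    static string MessageOf(EventRecord rec)
    {
        try
        {
            return rec.FormatDescription() ?? "";
        }
        catch (EventLogException)
        {
            return string.Join(" | ",
                rec.Properties.Select(p => p.Value == null ? "" : p.Value.ToString()));
        }
    }

    // Converts evtxPath to csvPath and returns the number of events written.
    public static int Convert(string evtxPath, string csvPath)
    {
        int count = 0;
        // PathType.FilePath tells the reader the string is a backup file, not a channel name.
        var query = new EventLogQuery(evtxPath, PathType.FilePath);
        using (var reader = new EventLogReader(query))
        using (var writer = new StreamWriter(csvPath, false, new UTF8Encoding(true)))
        {
            writer.WriteLine("RecordId,TimeCreatedUtc,Provider,EventId,Level,Computer,UserSid,Message");
            EventRecord rec;
            while ((rec = reader.ReadEvent()) != null)
            {
                using (rec)
                {
                    // Timestamps are normalised to UTC in ISO 8601 so rows from different
                    // machines can be compared without guessing the source time zone.
                    string when = rec.TimeCreated.HasValue
                        ? rec.TimeCreated.Value.ToUniversalTime().ToString("o")
                        : "";
                    writer.WriteLine(string.Join(",",
                        Field(rec.RecordId),
                        Field(when),
                        Field(rec.ProviderName),
                        Field(rec.Id),
                        Field(rec.Level),
                        Field(rec.MachineName),
                        Field(rec.UserId),      // SecurityIdentifier; null when the event carries no SID
                        Field(MessageOf(rec))));
                    count++;
                }
            }
        }
        return count;
    }

    static void Main(string[] args)
    {
        // Placeholder paths, e.g. the backup written by EventLogSession.ClearLog.
        string evtx = args.Length > 0 ? args[0] : @"C:\Temp\templog.evtx";
        string csv = args.Length > 1 ? args[1] : @"C:\Temp\templog.csv";
        Console.WriteLine(Convert(evtx, csv) + " events written to " + csv);
    }
}
```

Two points worth knowing before relying on the output: the Message column is only as good as the provider metadata on the converting host, which is why the fallback to the raw Properties exists, and the RecordId values are the log's own sequence numbers, so gaps in that column in the CSV are a quick check that nothing was skipped. If only a subset of events is wanted, the three-argument EventLogQuery constructor accepts an XPath filter (for example on Event/System/EventID) in place of the TOP 10 clause used in the Log Parser query.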

For c# - How to convert a .evtx event log to csv, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/12348679/
