
How to convert an .evtx event log to CSV

Stack Overflow user
Asked on 2012-09-10 17:19:37
4 answers, 14.2K views, 0 followers, 6 votes

My Windows service needs to save the contents of an event log to a file. This is done with EventLogSession.ClearLog. However, I cannot force it to save the event log directly as CSV; the saved format is EVTX.

```csharp
using System;
using System.IO;
using System.Diagnostics.Eventing.Reader;

// eventLogName holds the name of the log to archive (e.g. "Application"); it is set elsewhere in the service
EventLogSession els = new EventLogSession();

// Build the file name by combining the AppData path with a temp file name
string tempData = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "templog.csv");

// Clears all the events and archives them to the .evtx file
els.ClearLog(eventLogName, tempData); //  Backup File Path
```

How can I force the EventLogSession class to save directly as CSV, or, if that is not possible, how can I convert EVTX to CSV (using C# or VB.NET)?

Thanks!


4 answers

Stack Overflow user

Accepted answer

Posted on 2013-08-20 16:14:47

It turned out that none of the existing solutions met my requirements. I just wanted a tool that takes an evtx as input and exports a csv. Nothing more, nothing less. I made one myself and it works well. It's called EVTX2CSV.

You can download it here: http://essaver.net/evtxecsv or directly via http://www.essaver.net/downloads/setupevtx2csv.exe

2 votes

Stack Overflow user

Posted on 2013-05-02 05:03:39

This is easy to do with the API that Log Parser provides.

Download and install Log Parser 2.2.

Add a reference to the COM library "MS Utility 1.0 Type Library - LogParser Interfaces Collection". Searching for "Log" narrows the list down considerably.

Change the properties of the reference so that it does not embed Interop types. If you don't, you get a compile error like: Interop type 'MSUtil.COMCSVOutputContextClassClass' cannot be embedded. Use the applicable interface instead.

The LogParser help file is a good reference for the API, but I have included the parts I used in the code.

```csharp
using System;
using MSUtil;

namespace LogParserTest
{
    using LogQuery = LogQueryClassClass;
    using EventLogInput = COMEventLogInputContextClassClass;
    using CSVOutput = COMCSVOutputContextClassClass;
    using XMLOutput = COMXMLOutputContextClassClass;

    class Program
    {
        static void Main(string[] args)
        {
            // Destination CSV file (placeholder path, change to suit)
            string FullPathToCsv = @"C:\temp\eventlog.csv";

            try
            {
                // Instantiate the LogQuery object
                LogQuery oLogQuery = new LogQuery();

                // Instantiate the Event Log Input Format object
                EventLogInput eventInputFormat = new EventLogInput();

                // When set to "FW", events are retrieved from the oldest to the
                // newest. When set to "BW", events are retrieved from the newest
                // to the oldest.
                eventInputFormat.direction = "FW";

                // Event text messages often span multiple lines. When this parameter
                // is set to "ON", the EVT input format preserves readability of the
                // messages by removing carriage-return, line-feed, and multiple space
                // characters from the message text.
                // When this parameter is set to "OFF", the EVT input format returns
                // the original message text with no intervening post-processing.
                eventInputFormat.formatMessage = true;

                eventInputFormat.binaryFormat = "ASC";
                eventInputFormat.stringsSep = ",";

                CSVOutput csvOutputFormat = new CSVOutput();

                // ON: always write the header;
                // OFF: never write the header;
                // AUTO: write the header only when not appending to an existing file.
                csvOutputFormat.headers = "ON";

                // Setting this parameter to "ON" causes the CSV output format to write
                // a tab character after each comma field separator, in order to
                // improve readability of the CSV output. Note that using tabs between
                // field values might generate output that is not compatible with
                // certain spreadsheet applications.
                csvOutputFormat.tabs = false;

                // ON: always enclose field values within double-quote characters;
                // OFF: never enclose field values within double-quote characters;
                // AUTO: enclose within double-quote characters only those field
                //    values that contain comma (,) characters.
                csvOutputFormat.oDQuotes = "AUTO";

                // This parameter specifies the date and/or time format to use when
                // formatting values of the TIMESTAMP data type.
                csvOutputFormat.oTsFormat = "yyyy-MM-dd";

                // 0 is the system codepage, -1 is UNICODE.
                csvOutputFormat.oCodepage = -1;

                // 0: existing files are appended with the output;
                // 1: existing files are overwritten with the output;
                // 2: existing files are left intact, discarding the output.
                csvOutputFormat.fileMode = 1;

                /*
                EventLog          STRING    Name of the Event Log or Event Log backup file
                RecordNumber      INTEGER   Index of this event
                TimeGenerated     TIMESTAMP Event generated date/time (local time)
                TimeWritten       TIMESTAMP Event logged date/time (local time)
                EventID           INTEGER   The ID of the event
                EventType         INTEGER   The numeric type of the event
                EventTypeName     STRING    The descriptive type of the event
                EventCategory     INTEGER   The numeric category of the event
                EventCategoryName STRING    The descriptive category of the event
                SourceName        STRING    The source that generated the event
                Strings           STRING    The textual data
                ComputerName      STRING    The name of the computer
                SID               STRING    The Security Identifier associated with the event
                Message           STRING    The full event message
                Data              STRING    The binary data associated with the event
                */

                string query = @"SELECT TOP 10 EventLog, RecordNumber, Message INTO ";
                // Enclose path in single ticks to handle spaces.
                query += "'" + FullPathToCsv + "' FROM ";
                // Name of the log: System, Security, Application, CustomLogName
                query += "System";
                oLogQuery.ExecuteBatch(query, eventInputFormat, csvOutputFormat);
            }
            catch (System.Runtime.InteropServices.COMException ex)
            {
                Console.WriteLine("Unexpected error: " + ex.Message);
            }
        }
    }
}
```
5 votes

Stack Overflow user

Posted on 2014-02-13 02:50:41

This PowerShell function is the most efficient one I could find. It's not C# code, but I think it might be useful. It accepts a file name (evtx) or a variable holding an array of file names in PowerShell, like this:

$filelist = "file1","file2","file3"

```powershell
Function Convert-Logs3 {
    [CmdletBinding()]
    Param(
        $filelist = $NULL
    )
    $filelist | ForEach-Object {
        # Read every record from the .evtx file and write <file>.csv beside it
        Get-WinEvent -Path "$PSItem" |
            Select-Object RecordID, ID, TimeCreated, Message |
            Export-Csv -NoTypeInformation -Path "$PSItem.csv"
        # Large logs allocate a lot of memory; force a collection between files
        [System.GC]::Collect()
    }
}
```
4 votes
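For readers who want the C# route the question asked for without a Log Parser dependency, here is an added example (editor's code, not from the question or any of the answers above) that reads a backup .evtx with the .NET EventLogReader API from System.Diagnostics.Eventing.Reader and writes a CSV. The input path `C:\temp\templog.evtx` is a placeholder. It handles the case a plain export misses: `FormatDescription()` needs the provider's message resources, so on a machine that lacks them it throws or returns null; the example then falls back to `ToXml()`, which keeps the raw EventData so nothing from the record is lost. Every field is quoted, since messages routinely contain commas, quotes and newlines.

```csharp
// Added example: convert an .evtx file to CSV with EventLogReader (Windows, .NET).
// Placeholder paths; the .evtx itself stays untouched and remains the forensic source.
using System;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.IO;
using System.Text;

static class EvtxToCsv
{
    // Quote one field per RFC 4180: wrap in double quotes, double embedded quotes.
    // Quoting unconditionally keeps commas and newlines inside Message on one row.
    static string Csv(string s)
    {
        return "\"" + (s ?? string.Empty).Replace("\"", "\"\"") + "\"";
    }

    // Reads every record from evtxPath and writes one CSV row per event to csvPath.
    // Returns the number of records written.
    public static int ConvertFile(string evtxPath, string csvPath)
    {
        int count = 0;
        var query = new EventLogQuery(evtxPath, PathType.FilePath);
        using (var reader = new EventLogReader(query))
        using (var writer = new StreamWriter(csvPath, false, new UTF8Encoding(true)))
        {
            writer.WriteLine("RecordId,TimeCreatedUtc,EventId,Level,Provider,Computer,UserSid,Message");
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    string message;
                    try
                    {
                        // Needs the provider's message DLLs; absent on another host,
                        // so fall back to the raw XML, which still carries EventData.
                        message = record.FormatDescription() ?? record.ToXml();
                    }
                    catch (EventLogException)
                    {
                        message = record.ToXml();
                    }

                    string time = record.TimeCreated.HasValue
                        ? record.TimeCreated.Value.ToUniversalTime().ToString("o", CultureInfo.InvariantCulture)
                        : string.Empty;

                    writer.WriteLine(string.Join(",", new[]
                    {
                        Csv(record.RecordId.HasValue ? record.RecordId.Value.ToString(CultureInfo.InvariantCulture) : string.Empty),
                        Csv(time),
                        Csv(record.Id.ToString(CultureInfo.InvariantCulture)),
                        Csv(record.Level.HasValue ? record.Level.Value.ToString(CultureInfo.InvariantCulture) : string.Empty),
                        Csv(record.ProviderName),
                        Csv(record.MachineName),
                        Csv(record.UserId != null ? record.UserId.Value : string.Empty),
                        Csv(message)
                    }));
                    count++;
                }
            }
        }
        return count;
    }

    static void Main(string[] args)
    {
        string evtx = args.Length > 0 ? args[0] : @"C:\temp\templog.evtx";   // placeholder
        string csv = args.Length > 1 ? args[1] : Path.ChangeExtension(evtx, ".csv");
        Console.WriteLine("{0} records written to {1}", ConvertFile(evtx, csv), csv);
    }
}
```

Timestamps are written in UTC with the round-trip format so rows from different hosts and time zones sort correctly when the CSVs are merged. If the message text matters for analysis, run the conversion on the machine (or one with the same providers installed) that produced the log; otherwise the XML fallback is what you will see in the Message column.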
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/12348679
