You can filter the events stored in an event log by querying for the group of events that match specified query criteria. The query filters events based on event properties. For example, you can query for all level 2 events in a certain event log that occurred in a certain time period, or you can query for all the events with an identifier equal to 105.
Example
Description
The following code example uses the System.Diagnostics.Eventing.Reader classes to query for all the level 2 events from the Application event log. The description, event ID, and the event publisher name are displayed for each event returned from the query. The code example shows how to query for events from an active event log, an external event log, and from a remote computer. Each method in this code example follows a series of steps to query for events.
- Create an instance of the EventLogQuery class by specifying a query string used to filter events, and the name or location of the event log to query. To query an external event log, specify the path to the log file (.evtx). For more information about how to find event log names, see the code example in How to: Configure and Read Event Log Properties or search for event logs in the Event Viewer tool. For more information about how to create an event query string, see Event Queries and Event XML. 
- (Optional) To query for events from a remote computer, set the Session property to an instance of the EventLogSession class and specify the remote computer name, domain, and the user name and password used to connect to the remote computer. The password is passed as a SecureString, which the code example disposes as soon as the session has been created.
- Create an instance of the EventLogReader class by specifying the EventLogQuery instance that was created in Step 1. 
- To get the query results, use the EventRecord instances returned from the ReadEvent method. Each returned instance holds event information for an event in the query results. For more information about reading the event information from an event instance, see How to: Access and Read Event Information. 
Code
Imports System
Imports System.Diagnostics.Eventing.Reader
Imports System.Security
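''' <summary>
''' Demonstrates querying Windows event logs with the
''' System.Diagnostics.Eventing.Reader classes: an active log on the local
''' computer, an exported .evtx file, and a log on a remote computer.
''' </summary>
Public Class EventQueryExample
    ''' <summary>
    ''' Entry point: runs the three sample queries in order.
    ''' </summary>
    ''' <param name="args">Command-line arguments (not used).</param>
    ''' <returns>Always 0.</returns>
    Public Overloads Shared Function Main( _
        ByVal args() As String) As Integer
        Dim ex As New EventQueryExample()
        ex.QueryActiveLog()
        ex.QueryExternalFile()
        ex.QueryRemoteComputer()
        ' The function is declared As Integer, so return an explicit exit code.
        Return 0
    End Function

    ''' <summary>
    ''' Queries the local Application and System logs with a structured
    ''' (XML) query and prints every matching event.
    ''' </summary>
    Public Sub QueryActiveLog()
        ' Query two different event logs using a structured query:
        '   - Application: events with Level <= 3 created in the last
        '     86400000 ms (24 hours), with Level = 2 events suppressed;
        '   - System: events with Level 1, 2 or 3 created in the last 24 hours.
        ' The query is an XML document, so the "<" of each "<=" comparison
        ' must be written as the entity &lt; inside the element text;
        ' a raw "<" there makes the query malformed XML.
        Dim queryString As String = _
                "<QueryList>" & _
                "  <Query Id=""0"" Path=""Application"">" & _
                "    <Select Path=""Application"">" & _
                "        *[System[(Level &lt;= 3) and" & _
                "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" & _
                "    </Select>" & _
                "    <Suppress Path=""Application"">" & _
                "        *[System[(Level = 2)]]" & _
                "    </Suppress>" & _
                "    <Select Path=""System"">" & _
                "        *[System[(Level=1  or Level=2 or Level=3) and" & _
                "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" & _
                "    </Select>" & _
                "  </Query>" & _
                "</QueryList>"
        Dim eventsQuery As New EventLogQuery("Application", PathType.LogName, queryString)
        ' EventLogReader is disposable; Using releases it once the results
        ' have been displayed, even if displaying them throws.
        Using logReader As New EventLogReader(eventsQuery)
            ' Display query results.
            DisplayEventAndLogInformation(logReader)
        End Using
    End Sub

    ''' <summary>
    ''' Queries an exported event log file (.evtx) for level 2 events and
    ''' prints every matching event.
    ''' </summary>
    Public Sub QueryExternalFile()
        Dim queryString As String = "*[System/Level=2]" ' XPATH Query
        Dim eventLogLocation As String = "C:\MyEvents.evtx"
        Dim eventsQuery As New EventLogQuery(eventLogLocation, PathType.FilePath, queryString)
        Try
            Using logReader As New EventLogReader(eventsQuery)
                ' Display query results.
                DisplayEventAndLogInformation(logReader)
            End Using
        Catch e As EventLogNotFoundException
            Console.WriteLine("Could not find the external log to query! " & e.Message)
        End Try
    End Sub

    ''' <summary>
    ''' Queries the Application log on a remote computer for level 2 events,
    ''' prompting on the console for the password of the remote account.
    ''' The computer, domain and user names are placeholders to replace.
    ''' </summary>
    Public Sub QueryRemoteComputer()
        Dim queryString As String = "*[System/Level=2]"  ' XPATH Query
        Try
            Dim session As EventLogSession = Nothing
            Dim pw As SecureString = GetPassword()
            Try
                session = New EventLogSession( _
                    "RemoteComputerName", _
                    "Domain", _
                    "Username", _
                    pw, _
                    SessionAuthentication.Default)
            Finally
                ' Release the password as soon as the session object exists,
                ' and also when creating the session fails.
                pw.Dispose()
            End Try

            ' The session is disposable as well; close it when the query is done.
            Using session
                ' Query the Application log on the remote computer.
                Dim query As EventLogQuery = New EventLogQuery( _
                    "Application", PathType.LogName, queryString)
                query.Session = session
                Using logReader As New EventLogReader(query)
                    ' Display query results.
                    DisplayEventAndLogInformation(logReader)
                End Using
            End Using
        Catch e As EventLogException
            Console.WriteLine("Could not query the remote computer! " & e.Message)
        Catch e As UnauthorizedAccessException
            ' Access-denied failures surface as UnauthorizedAccessException,
            ' which does not derive from EventLogException. The remote account
            ' needs permission to read the requested log.
            Console.WriteLine("Access to the remote event log was denied! " & e.Message)
        End Try
    End Sub

    ''' <summary>
    ''' Displays the event query results (the event information and log
    ''' information for all the events returned from the query).
    ''' </summary>
    ''' <param name="logReader">Reader positioned at the start of the query results.</param>
    Private Sub DisplayEventAndLogInformation(ByVal logReader As EventLogReader)
        Dim eventInstance As EventRecord = logReader.ReadEvent()
        While eventInstance IsNot Nothing
            Try
                ' Display event info.
                ' NOTE(review): the description is text written by the event's
                ' publisher; treat it as untrusted data if it is ever sent
                ' anywhere other than the console.
                Console.WriteLine("-----------------------------------------------------")
                Console.WriteLine("Event ID: {0}", eventInstance.Id)
                Console.WriteLine("Publisher: {0}", eventInstance.ProviderName)
                Try
                    Console.WriteLine("Description: {0}", eventInstance.FormatDescription())
                Catch e As EventLogException
                    ' The event description contains parameters, and no parameters were
                    ' passed to the FormatDescription method, so an exception is thrown.
                    ' Say so instead of silently omitting the line.
                    Console.WriteLine("Description: (not available)")
                End Try
                ' Cast the EventRecord object as an EventLogRecord object to
                ' access the EventLogRecord class properties. This must use the
                ' event that was just displayed, before the next one is read.
                Dim logRecord As EventLogRecord = TryCast(eventInstance, EventLogRecord)
                If logRecord IsNot Nothing Then
                    Console.WriteLine("Container Event Log: {0}", logRecord.ContainerLog)
                End If
            Finally
                ' Each EventRecord is disposable; release it once it has been displayed.
                eventInstance.Dispose()
            End Try
            ' Advance only after the current event is fully processed; ReadEvent
            ' returns Nothing when there are no more results.
            eventInstance = logReader.ReadEvent()
        End While
    End Sub

    ''' <summary>
    ''' Read a password from the console into a SecureString, echoing "*"
    ''' for each accepted character.
    ''' </summary>
    ''' <returns>Password stored in a read-only secure string; the caller disposes it.</returns>
    Public Function GetPassword() As SecureString
        Dim password As New SecureString()
        Console.WriteLine("Enter password: ")
        ' get the first character of the password (True = do not echo the key)
        Dim nextKey As ConsoleKeyInfo = Console.ReadKey(True)
        While nextKey.Key <> ConsoleKey.Enter
            If nextKey.Key = ConsoleKey.Backspace Then
                If password.Length > 0 Then
                    password.RemoveAt(password.Length - 1)
                    ' erase the last * as well
                    Console.Write(nextKey.KeyChar)
                    Console.Write(" ")
                    Console.Write(nextKey.KeyChar)
                End If
            ElseIf Not Char.IsControl(nextKey.KeyChar) Then
                ' Keys without a printable character (arrows, Escape, function
                ' keys) must not be appended to the password.
                password.AppendChar(nextKey.KeyChar)
                Console.Write("*")
            End If
            nextKey = Console.ReadKey(True)
        End While
        Console.WriteLine()
        ' lock the password down
        password.MakeReadOnly()
        Return password
    End Function
End Class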
using System;
using System.Diagnostics.Eventing.Reader;
using System.Security;
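namespace EventQuery
{
    /// <summary>
    /// Demonstrates querying Windows event logs with the
    /// System.Diagnostics.Eventing.Reader classes: an active log on the local
    /// computer, an exported .evtx file, and a log on a remote computer.
    /// </summary>
    class EventQueryExample
    {
        /// <summary>
        /// Entry point: runs the three sample queries in order.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            EventQueryExample ex = new EventQueryExample();
            ex.QueryActiveLog();
            ex.QueryExternalFile();
            ex.QueryRemoteComputer();
        }

        /// <summary>
        /// Queries the local Application and System logs with a structured
        /// (XML) query and prints every matching event.
        /// </summary>
        public void QueryActiveLog()
        {
            // Query two different event logs using a structured query:
            //   - Application: events with Level <= 3 created in the last
            //     86400000 ms (24 hours), with Level = 2 events suppressed;
            //   - System: events with Level 1, 2 or 3 created in the last 24 hours.
            // The query is an XML document, so the "<" of each "<=" comparison
            // must be written as the entity &lt; inside the element text;
            // a raw "<" there makes the query malformed XML.
            string queryString =
                "<QueryList>" +
                "  <Query Id=\"0\" Path=\"Application\">" +
                "    <Select Path=\"Application\">" +
                "        *[System[(Level &lt;= 3) and" +
                "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" +
                "    </Select>" +
                "    <Suppress Path=\"Application\">" +
                "        *[System[(Level = 2)]]" +
                "    </Suppress>" +
                "    <Select Path=\"System\">" +
                "        *[System[(Level=1  or Level=2 or Level=3) and" +
                "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" +
                "    </Select>" +
                "  </Query>" +
                "</QueryList>";

            EventLogQuery eventsQuery = new EventLogQuery("Application", PathType.LogName, queryString);

            // EventLogReader is disposable; the using statement releases it once
            // the results have been displayed, even if displaying them throws.
            using (EventLogReader logReader = new EventLogReader(eventsQuery))
            {
                // Display event info
                DisplayEventAndLogInformation(logReader);
            }
        }

        /// <summary>
        /// Queries an exported event log file (.evtx) for level 2 events and
        /// prints every matching event.
        /// </summary>
        public void QueryExternalFile()
        {
            string queryString = "*[System/Level=2]"; // XPATH Query
            string eventLogLocation = @"C:\MyEvents.evtx";
            EventLogQuery eventsQuery = new EventLogQuery(eventLogLocation, PathType.FilePath, queryString);

            try
            {
                using (EventLogReader logReader = new EventLogReader(eventsQuery))
                {
                    // Display event info
                    DisplayEventAndLogInformation(logReader);
                }
            }
            catch (EventLogNotFoundException e)
            {
                Console.WriteLine("Could not find the external log to query! " + e.Message);
            }
        }

        /// <summary>
        /// Queries the Application log on a remote computer for level 2 events,
        /// prompting on the console for the password of the remote account.
        /// The computer, domain and user names are placeholders to replace.
        /// </summary>
        public void QueryRemoteComputer()
        {
            string queryString = "*[System/Level=2]"; // XPATH Query

            try
            {
                EventLogSession session;
                SecureString pw = GetPassword();
                try
                {
                    session = new EventLogSession(
                        "RemoteComputerName",                               // Remote Computer
                        "Domain",                                  // Domain
                        "Username",                                // Username
                        pw,
                        SessionAuthentication.Default);
                }
                finally
                {
                    // Release the password as soon as the session object exists,
                    // and also when creating the session fails.
                    pw.Dispose();
                }

                // The session is disposable as well; close it when the query is done.
                using (session)
                {
                    // Query the Application log on the remote computer.
                    EventLogQuery query = new EventLogQuery("Application", PathType.LogName, queryString);
                    query.Session = session;

                    using (EventLogReader logReader = new EventLogReader(query))
                    {
                        // Display event info
                        DisplayEventAndLogInformation(logReader);
                    }
                }
            }
            catch (EventLogException e)
            {
                Console.WriteLine("Could not query the remote computer! " + e.Message);
            }
            catch (UnauthorizedAccessException e)
            {
                // Access-denied failures surface as UnauthorizedAccessException,
                // which does not derive from EventLogException. The remote account
                // needs permission to read the requested log.
                Console.WriteLine("Access to the remote event log was denied! " + e.Message);
            }
        }

        /// <summary>
        /// Displays the event information and log information on the console for 
        /// all the events returned from a query.
        /// </summary>
        /// <param name="logReader">Reader positioned at the start of the query results.</param>
        private void DisplayEventAndLogInformation(EventLogReader logReader)
        {
            // ReadEvent returns null when there are no more results.
            for (EventRecord eventInstance = logReader.ReadEvent();
                null != eventInstance; eventInstance = logReader.ReadEvent())
            {
                // Each EventRecord is disposable; release it once it has been displayed.
                using (eventInstance)
                {
                    // NOTE(review): the description is text written by the event's
                    // publisher; treat it as untrusted data if it is ever sent
                    // anywhere other than the console.
                    Console.WriteLine("-----------------------------------------------------");
                    Console.WriteLine("Event ID: {0}", eventInstance.Id);
                    Console.WriteLine("Publisher: {0}", eventInstance.ProviderName);

                    try
                    {
                        Console.WriteLine("Description: {0}", eventInstance.FormatDescription());
                    }
                    catch (EventLogException)
                    {
                        // The event description contains parameters, and no parameters were 
                        // passed to the FormatDescription method, so an exception is thrown.
                        // Say so instead of silently omitting the line.
                        Console.WriteLine("Description: (not available)");
                    }

                    // Cast the EventRecord object as an EventLogRecord object to 
                    // access the EventLogRecord class properties. A failed cast
                    // skips the line rather than throwing.
                    EventLogRecord logRecord = eventInstance as EventLogRecord;
                    if (logRecord != null)
                    {
                        Console.WriteLine("Container Event Log: {0}", logRecord.ContainerLog);
                    }
                }
            }
        }

        /// <summary>
        /// Read a password from the console into a SecureString, echoing "*"
        /// for each accepted character.
        /// </summary>
        /// <returns>Password stored in a read-only secure string; the caller disposes it.</returns>
        public static SecureString GetPassword()
        {
            SecureString password = new SecureString();
            Console.WriteLine("Enter password: ");

            // get the first character of the password (true = do not echo the key)
            ConsoleKeyInfo nextKey = Console.ReadKey(true);

            while (nextKey.Key != ConsoleKey.Enter)
            {
                if (nextKey.Key == ConsoleKey.Backspace)
                {
                    if (password.Length > 0)
                    {
                        password.RemoveAt(password.Length - 1);

                        // erase the last * as well
                        Console.Write(nextKey.KeyChar);
                        Console.Write(" ");
                        Console.Write(nextKey.KeyChar);
                    }
                }
                else if (!char.IsControl(nextKey.KeyChar))
                {
                    // Keys without a printable character (arrows, Escape, function
                    // keys) must not be appended to the password.
                    password.AppendChar(nextKey.KeyChar);
                    Console.Write("*");
                }

                nextKey = Console.ReadKey(true);
            }

            Console.WriteLine();

            // lock the password down
            password.MakeReadOnly();
            return password;
        }
    }
}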
Compiling the Code
This code example requires references to the System.dll, System.Security.dll, and System.Core.dll files.
See Also
Concepts
Event Log Scenarios
How to: Subscribe to Events in an Event Log
Copyright © 2007 by Microsoft Corporation. All rights reserved.