一.EvtOpenLog
The EvtOpenLog function opens an exported or live event log and returns a handle that can be used to access the log. The returned handle can be used by subsequent calls to the EvtGetLogInfo function.
示例:
EVT_HANDLE log = NULL;
LPCWSTR logPath = L"SimpleOperationalChannel";
log = EvtOpenLog( NULL, logPath, EvtOpenChannelPath);
if(log == NULL)
{
wprintf(L"Error opening the log: 0x%x \n", GetLastError());
return 1;
}
二.EvtClose
The EvtClose function closes an open event object handle that was previously returned from a Windows Event Log function. Any handle that is returned by a Windows Event Log function must be closed using this function call when the user is finished with the handle. The handle that is passed into this function becomes invalid after this function is successfully called.
EVT_HANDLE log = NULL;
LPCWSTR logPath = L"SimpleOperationalChannel";
log = EvtOpenLog( NULL, logPath, EvtOpenChannelPath);
...
EvtClose(log);
三.EvtGetLogInfo
The EvtGetEventInfo function allows the caller to determine which clause in an event query or subscription filter selected a given event or to determine the channel or log that the event came from.
可查询的字段
typedef enum _EVT_LOG_PROPERTY_ID
{
EvtLogCreationTime = 0, // EvtVarTypeFileTime
EvtLogLastAccessTime, // EvtVarTypeFileTime
EvtLogLastWriteTime, // EvtVarTypeFileTime
EvtLogFileSize, // EvtVarTypeUInt64
EvtLogAttributes, // EvtVarTypeUInt32
EvtLogNumberOfLogRecords, // EvtVarTypeUInt64
EvtLogOldestRecordNumber, // EvtVarTypeUInt64
EvtLogFull, // EvtVarTypeBoolean
} EVT_LOG_PROPERTY_ID;
示例:
EVT_VARIANT* logProperty = (EVT_VARIANT*) malloc (sizeof (EVT_VARIANT));
DWORD bufferSize = sizeof(EVT_VARIANT);
if( !EvtGetLogInfo(log, EvtLogNumberOfLogRecords, bufferSize, logProperty, &bufferSize))
{
//...
}
if(logProperty->Type == EvtVarTypeNull)
{
wprintf(L"The value of the log number of events property is NULL.\n");
}
else
{
wprintf(L"The value of the log number of events property is: %I64u \n",
logProperty->UInt64Val);
}
四.日志操作维护
1.EvtClearLog
The EvtClearLog function clears all events from an active log and exports the events to a target log file.
示例:
if ( !EvtClearLog(NULL,
L"Application",
L"c:\\temp\\MyClearedEvents.log",
0 ))
return GetLastError();
注意点:目录必须存在
2.EvtExportLog
The EvtExportLog function exports selected events from a channel or from a log file to a target log file based on an event query.
if ( !EvtExportLog(NULL,
L"Application",
L"*",
L"c:\\MyExportedEvents.log",
EvtExportLogChannelPath ))
return GetLastError();
3.EvtArchiveExportedLog
The EvtArchiveExportedLog function archives localized information associated with the events in specified logs that have been created by either the EvtClearLog function or the EvtExportLog function.
示例:
if ( !EvtArchiveExportedLog(NULL,
L"c:\\MyExportedEvents.log",
MAKELCID( MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT ),
0 ))
return GetLastError();
存档的日志在此目录下:C:\Windows\System32\winevt\Logs