Query Windows Event Log

Started by Jeff, October 18, 2018, 10:36:03 AM


Jeff

As a support staff member, I am constantly having to collect logs. One of the log sets that I have to collect is the Windows event logs. I have been tinkering with the code in W17808 using .NET.

All seems to be fine when I use the string below to get the last 8 hours of events.

queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 28800000]]]</Select></Query></QueryList>`

My boss now wants to be able to capture the events from a few days ago. So I added a calendar control to select a date. But I have to format it correctly in WinBatch, so I was tinkering with the event viewer filter properties and created an XML query. It looks fine, but what I set up in the UI was to give me all the events for 10/17/2018. But it looks like it has incorporated a time zone offset.

`<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[@SystemTime&gt;='2018-10-17T05:00:00.000Z' and @SystemTime&lt;='2018-10-18T04:59:29.999Z']]]</Select></Query></QueryList>`

How can I code this to account for the offset? Is there an easier way to do this? Maybe WMI handles this?


Jeff

td

It is unclear to me what exactly you are asking. Do you need to adjust the user-supplied time to UTC so that the query returns the correct results for the requested time frame? If so, there are recent threads on this forum that show different ways to convert between UTC and local time.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

stanl


Jeff

My original question was "What options are there available to dump the event log, with a friendly search criteria date format?". I ended up reading the registry's 'ActiveTimeBias'.

Jeff
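
The local-day-to-UTC conversion discussed in this thread, as an added example in PowerShell that is not part of any post above. The function name `New-DayEventQuery` and the output file name are hypothetical; the query layout follows the XML shown in the first post.

```powershell
# Added example: build an Event Log XML query that covers one local calendar day.
function New-DayEventQuery {
    param(
        [Parameter(Mandatory)][datetime]$Day,   # local date picked by the user
        [string]$LogName = 'Application'
    )

    # Local midnight to the next local midnight, marked explicitly as local time.
    $startLocal = [datetime]::SpecifyKind($Day.Date, [DateTimeKind]::Local)
    $endLocal   = $startLocal.AddDays(1)

    # ToUniversalTime() applies the offset in effect on the chosen date,
    # so a date on the other side of a DST change still converts correctly.
    $fmt = "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $startUtc = $startLocal.ToUniversalTime().ToString($fmt, $inv)
    $endUtc   = $endLocal.ToUniversalTime().ToString($fmt, $inv)

    # Half-open range [start, end): nothing at the day boundary is dropped
    # and nothing is collected twice when consecutive days are exported.
    $xpath = "*[System[TimeCreated[@SystemTime>='$startUtc' and @SystemTime<'$endUtc']]]"

    # Escape <, >, & and quotes so the XPath and log name are valid inside XML.
    $xpathXml = [Security.SecurityElement]::Escape($xpath)
    $logXml   = [Security.SecurityElement]::Escape($LogName)

    '<QueryList><Query Id="0" Path="{0}"><Select Path="{0}">{1}</Select></Query></QueryList>' -f $logXml, $xpathXml
}

# Constructed sample input: the date from the first post.
$query = New-DayEventQuery -Day ([datetime]'2018-10-17')
$query

# Run the query; Get-WinEvent raises an error when nothing matches, so suppress it.
$events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -Path '.\Application-2018-10-17.csv' -NoTypeInformation
```

`TimeCreated` on the returned events is already converted back to local time, so the exported rows line up with the date the user selected.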