WinBatch® Technical Support Forum

All Things WinBatch => WinBatch => Topic started by: Jeff on October 18, 2018, 10:36:03 AM

Title: Query Windows Event Log
Post by: Jeff on October 18, 2018, 10:36:03 AM
As a support staff member, I am constantly having to collect logs. One of the log sets that I have to collect is the Windows event logs. I have been tinkering with the code in W17808 using .net.

All seems to be fine when I use the string below to get the last 8 hours of events.

queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 28800000]]]</Select></Query></QueryList>`

My boss now wants to be able to capture the events from a few days ago. So I added a calendar control to select a date. But I have to format it correctly in WinBatch, so I was tinkering with the event viewer filter properties and created an XML query. It looks fine, but what I set up in the UI was to give me all the events for 10/17/2018. But it looks like it has incorporated a time zone offset.

`<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[@SystemTime&gt;='2018-10-17T05:00:00.000Z' and @SystemTime&lt;='2018-10-18T04:59:29.999Z']]]</Select></Query></QueryList>`

How can I code this to account for the offset? Is there an easier way to do this? Maybe WMI handles this?


Title: Re: Query Windows Event Log
Post by: td on October 18, 2018, 01:56:30 PM
It is unclear to me what exactly you are asking. Do you need to adjust the user-supplied time to UTC so that the query returns the correct results for the requested time frame? If so there are recent threads on this forum that show different ways to convert between UTC and local time.
Title: Re: Query Windows Event Log
Post by: stanl on October 19, 2018, 02:43:22 AM
Or use LogParser
Title: Re: Query Windows Event Log
Post by: Jeff on October 19, 2018, 06:39:48 AM
My original question was "What options are there available to dump the event log, with a friendly search criteria date format?". I ended up reading the registry's 'ActiveTimeBias'.
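The offset problem in the first post, and the ActiveTimeBias approach in the last one, come down to turning a local calendar day into a UTC window for the `@SystemTime` comparison. The following is an added example, not code from the thread or from WinBatch: it builds both query forms used above (the relative `timediff()` window and the absolute `@SystemTime` window) in Python 3.9+ with the standard `zoneinfo` module, and applies the same window to a few constructed sample records. The time zone `America/Chicago` is an assumption (the 05:00Z boundary in the post matches UTC-5, but the poster never names the zone), and the `SAMPLE_EVENTS` records are invented for the demonstration.

```python
from datetime import date, datetime, timedelta, timezone
from xml.sax.saxutils import escape
from zoneinfo import ZoneInfo  # Python 3.9+ (assumed)

# Event Log SystemTime attributes are UTC with millisecond precision and a 'Z'
ISO_Z = "%Y-%m-%dT%H:%M:%S.%fZ"


def local_day_to_utc_window(day: str, tz_name: str):
    """Return (start, end) in UTC for the whole local calendar day `day` (YYYY-MM-DD).

    The end bound is exclusive (midnight of the following local day), so an
    event stamped exactly at that instant belongs to the next day.  The UTC
    offset is resolved per instant, so a day containing a DST switch yields a
    23- or 25-hour window rather than a fixed bias.
    """
    d = date.fromisoformat(day)
    tz = ZoneInfo(tz_name)
    start_local = datetime(d.year, d.month, d.day, tzinfo=tz)
    end_local = start_local + timedelta(days=1)  # wall-clock midnight, next day
    return start_local.astimezone(timezone.utc), end_local.astimezone(timezone.utc)


def utc_stamp(dt: datetime) -> str:
    """Format an aware datetime the way the Event Log expects in @SystemTime."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _wrap(xpath: str, log: str) -> str:
    # The query string is XML, so <, > and & inside the XPath become entities
    return (f'<QueryList><Query Id="0" Path="{log}">'
            f'<Select Path="{log}">{escape(xpath)}</Select></Query></QueryList>')


def day_query(day: str, tz_name: str, log: str = "Application") -> str:
    """Absolute-window query selecting every event created on local day `day`."""
    start, end = local_day_to_utc_window(day, tz_name)
    xpath = (f"*[System[TimeCreated[@SystemTime>='{utc_stamp(start)}' "
             f"and @SystemTime<'{utc_stamp(end)}']]]")
    return _wrap(xpath, log)


def last_hours_query(hours: int, log: str = "Application") -> str:
    """Relative-window query from the first post; timediff() is in milliseconds."""
    ms = hours * 60 * 60 * 1000
    return _wrap(f"*[System[TimeCreated[timediff(@SystemTime) <= {ms}]]]", log)


def event_ids_on_local_day(events, day: str, tz_name: str):
    """Apply the same window to records already in hand (e.g. an exported XML dump)."""
    start, end = local_day_to_utc_window(day, tz_name)
    hits = []
    for ev in events:
        t = datetime.strptime(ev["SystemTime"], ISO_Z).replace(tzinfo=timezone.utc)
        if start <= t < end:
            hits.append(ev["EventID"])
    return hits


# Constructed sample records (not real log data); they straddle local midnight
SAMPLE_EVENTS = [
    {"EventID": 1001, "SystemTime": "2018-10-17T03:30:00.000Z"},  # Oct 16 22:30 CDT
    {"EventID": 1002, "SystemTime": "2018-10-17T05:00:00.000Z"},  # Oct 17 00:00 CDT
    {"EventID": 1003, "SystemTime": "2018-10-17T18:15:00.000Z"},  # Oct 17 13:15 CDT
    {"EventID": 1004, "SystemTime": "2018-10-18T04:59:59.000Z"},  # Oct 17 23:59:59 CDT
    {"EventID": 1005, "SystemTime": "2018-10-18T05:00:00.000Z"},  # Oct 18 00:00 CDT
]

if __name__ == "__main__":
    print(day_query("2018-10-17", "America/Chicago"))
    print(last_hours_query(8))
    print(event_ids_on_local_day(SAMPLE_EVENTS, "2018-10-17", "America/Chicago"))
```

Two points worth noting. The Event Viewer window quoted in the post ends at `04:59:29.999Z`, about thirty seconds before the next local midnight, so a query copied from the UI silently drops events from the last half minute of the day; an exclusive `<` bound at the following midnight closes that gap without double counting the boundary instant. And `ActiveTimeBias` in the registry is the offset in effect right now, so a query built from it for a date on the other side of a DST change is off by an hour; resolving the offset for the requested day itself, as the window function above does, avoids that.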