Author Topic: Query Windows Event Log

Jeff

  • Newbie
Query Windows Event Log
« on: October 18, 2018, 10:36:03 am »
As a support staff member, I am constantly having to collect logs. One of the log sets that I have to collect is the Windows event logs. I have been tinkering with the code in W17808 using .NET.

All seems to be fine when I use the string below to get the last 8 hours of events.

queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) &lt;= 28800000]]]</Select></Query></QueryList>`

My boss now wants to be able to capture the events from a few days ago. So I added a calendar control to select a date. But I have to format it correctly in WinBatch, so I was tinkering with the event viewer filter properties and created an XML query. It looks fine, but what I set up in the UI was to give me all the events for 10/17/2018. But it looks like it has incorporated a time zone offset.

`<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[@SystemTime&gt;='2018-10-17T05:00:00.000Z' and @SystemTime&lt;='2018-10-18T04:59:29.999Z']]]</Select></Query></QueryList>`

How can I code this to account for the offset? Is there an easier way to do this? Maybe WMI handles this?


Jeff

td

  • Tech Support
Re: Query Windows Event Log
« Reply #1 on: October 18, 2018, 01:56:30 pm »
It is unclear to me what exactly you are asking.  Do you need to adjust the user-supplied time to UTC so that the query returns the correct results for the requested time frame?  If so there are recent threads on this forum that show different ways to convert between UTC and local time.
"Success is a lousy teacher. It seduces smart people into thinking they can't lose."
  - Bill Gates


stanl

  • Pundit
Re: Query Windows Event Log
« Reply #2 on: October 19, 2018, 02:43:22 am »
Or use LogParser

Jeff

  • Newbie
Re: Query Windows Event Log
« Reply #3 on: October 19, 2018, 06:39:48 am »
My original question was "What options are there available to dump the event log, with a friendly search criteria date format?". I ended up reading the registry's 'ActiveTimeBias'.

Jeff
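The conversion the first post asks about, written as an added Python example (not code from this thread or from WinBatch): it takes the local calendar day and an IANA zone name (America/Chicago is assumed here, which reproduces the 05:00Z start seen in the event viewer's generated query), converts the day's start and end to UTC, and escapes the XPath into the QueryList XML. The last function mirrors the ActiveTimeBias approach from Reply #3, taking the bias value in minutes as a parameter instead of reading the registry.

```python
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo  # Python 3.9+; on Windows install the tzdata package
from xml.sax.saxutils import escape


def to_system_time(dt):
    """Format an aware datetime the way @SystemTime expects: UTC, ISO 8601, ms, 'Z'."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def local_day_bounds_utc(day_iso, tz_name):
    """UTC start/end strings for the local calendar day day_iso (YYYY-MM-DD) in tz_name.
    Midnight of the next day is converted separately, so a DST change inside the
    day (a 23- or 25-hour day) still yields the correct bounds."""
    tz = ZoneInfo(tz_name)
    day = date.fromisoformat(day_iso)
    start = datetime(day.year, day.month, day.day, tzinfo=tz)
    nxt = day + timedelta(days=1)
    next_midnight = datetime(nxt.year, nxt.month, nxt.day, tzinfo=tz).astimezone(timezone.utc)
    end = next_midnight - timedelta(milliseconds=1)  # last millisecond of the local day
    return to_system_time(start), to_system_time(end)


def build_query(day_iso, tz_name, channel="Application"):
    """Build the <QueryList> XML selecting every event in `channel` created on that local day."""
    start, end = local_day_bounds_utc(day_iso, tz_name)
    xpath = (f"*[System[TimeCreated[@SystemTime>='{start}' "
             f"and @SystemTime<='{end}']]]")
    # escape() turns < and > into &lt; and &gt;, which is why the viewer shows them that way
    return (f'<QueryList><Query Id="0" Path="{channel}">'
            f'<Select Path="{channel}">{escape(xpath)}</Select></Query></QueryList>')


def local_to_utc_via_bias(local_iso, active_time_bias_minutes):
    """Same conversion using the registry's ActiveTimeBias value: it is expressed in
    minutes and is added to local time to obtain UTC (e.g. 300 while the zone is UTC-5)."""
    local = datetime.fromisoformat(local_iso)
    utc = local + timedelta(minutes=active_time_bias_minutes)
    return to_system_time(utc.replace(tzinfo=timezone.utc))


if __name__ == "__main__":
    # Assumed zone; 2018-10-17 is a CDT day (UTC-5), so the local day starts at 05:00Z.
    print(build_query("2018-10-17", "America/Chicago"))
```

The end bound produced here is the last millisecond of the local day (04:59:59.999Z), which is what a whole-day filter needs; the bias-based function gives the same result only while ActiveTimeBias matches the offset that was in force on the requested day, so the zone-based version is the safer choice for dates around a DST change.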