As a support staff member, I am constantly having to collect logs. One of the log sets that I have to collect is the Windows event logs. I have been tinkering with the code in W17808 using .NET.
All seems to be fine when I use the string below to get the last 8 hours of events.
queryString = `<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[timediff(@SystemTime) <= 28800000]]]</Select></Query></QueryList>`
My boss now wants to be able to capture the events from a few days ago. So I added a calendar control to select a date. But I have to format it correctly in WinBatch, so I was tinkering with the Event Viewer filter properties and created an XML query. It looks fine, but what I set up in the UI was to give me all the events for 10/17/2018. But it looks like it has incorporated a time zone offset.
`<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[TimeCreated[@SystemTime>='2018-10-17T05:00:00.000Z' and @SystemTime<='2018-10-18T04:59:29.999Z']]]</Select></Query></QueryList>`
How can I code this to account for the offset? Is there an easier way to do this? Maybe WMI handles this?
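One way to build the query for a calendar day picked in a date control, converting local midnight-to-midnight into the UTC `@SystemTime` values the query expects, as an added Python example that is not from this thread. It assumes the time zone is given either as a bias in minutes (the way Windows stores ActiveTimeBias, where UTC = local + bias) or as any other tzinfo; the 2018-10-17 / bias 300 values in the demo are constructed to match the UI-generated query above.

```python
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET


def tz_from_active_time_bias(bias_minutes: int) -> timezone:
    """ActiveTimeBias is minutes to ADD to local time to get UTC, so 300 means UTC-5.
    Caveat: the registry value is today's bias; for a date on the other side of a DST
    change, prefer a named zone (e.g. zoneinfo.ZoneInfo) so the offset matches that date."""
    return timezone(timedelta(minutes=-bias_minutes))


def _system_time(local_dt: datetime) -> str:
    """Format an aware datetime as @SystemTime expects: UTC, millisecond precision, 'Z' suffix."""
    utc = local_dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"


def day_query(day: date, tz: tzinfo, channel: str = "Application") -> str:
    """Return an event-log XML query covering one local day, 00:00:00.000 to 23:59:59.999."""
    start_local = datetime.combine(day, time.min, tzinfo=tz)
    end_local = datetime.combine(day + timedelta(days=1), time.min, tzinfo=tz) - timedelta(milliseconds=1)
    start, end = _system_time(start_local), _system_time(end_local)
    ch = escape(channel, {'"': "&quot;"})
    # '<' is not allowed raw inside XML text, so the comparison operators are written as
    # entities, exactly as Event Viewer emits them when you copy a custom view's XML.
    return (
        f'<QueryList><Query Id="0" Path="{ch}"><Select Path="{ch}">'
        f"*[System[TimeCreated[@SystemTime&gt;='{start}' and @SystemTime&lt;='{end}']]]"
        "</Select></Query></QueryList>"
    )


def select_text(query: str) -> str:
    """Parse the query (proving it is well-formed XML) and return the decoded XPath."""
    return ET.fromstring(query).find("Query/Select").text


if __name__ == "__main__":
    # Constructed demo: 10/17/2018 in a UTC-5 zone (bias 300) reproduces the UI's 05:00Z start.
    print(day_query(date(2018, 10, 17), tz_from_active_time_bias(300)))
```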
It is unclear to me what exactly you are asking. Do you need to adjust the user-supplied time to UTC so that the query returns the correct results for the requested time frame? If so there are recent threads on this forum that show different ways to convert between UTC and local time.
Or use LogParser
My original question was "What options are there available to dump the event log, with a friendly search criteria date format?". I ended up reading the registry's 'ActiveTimeBias'.