1

我浏览了所有相关主题,但没有找到答案。我正在运行 WMI 查询以检索应用程序日志中最旧事件的日期时间。不幸的是,下面的查询总是返回 0 值,但显然语法是正确的,因为没有返回错误消息。知道为什么会这样吗?实际上,c# 嵌入式解决方案下载了整个 Eventviewer,并且由于我连接到远程机器,因此性能非常糟糕。因此我选择了 WMI 查询

SelectQuery query = new SelectQuery("select * from Win32_NtLogEvent where Logfile ='" + logFileName + "' and RecordNumber = '1'");

using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query, opt)) {
    foreach (ManagementObject mo in searcher.Get()) {
         DateTime firstEventTime;
         DateTime.TryParseExact(mo["TimeGenerated"].ToString().Substring(0, 12), "yyyyMMddHHmm", null, DateTimeStyles.None, out firstEventTime);
         // if the time of the first entry of the application log is older that the dayback to check date
         // set dayback to check to first app log entry date
         logbox.writetoLogFile(this.GetType().Name, "First event time is " + firstEventTime, LogLevel.Debug);
             if (firstEventTime > endDate) {
                 endDate = firstEventTime;
                 logbox.writetoLogTextbox("First eventviewer entry has date " + firstEventTime + ". Check log will stop at this date", Color.Black);
                 logbox.writetoLogFile(this.GetType().Name, "First eventviewer entry has date " + firstEventTime + ". Check log will stop at this date", LogLevel.Info);
             }
     }
}

不幸的是,我现在想通了。记录号没有被重置,因此事件 1 已经消失了很久。:( 知道如何收集这些信息吗?

谢谢,马可

4

1 回答 1

0

RecordNumber是唯一标识符,不一定与您使用的 LogFile 匹配,类似于主键,并且您为每台计算机获得不同的数字,msdn定义为RecordNumber

  • 标识 Windows NT 事件日志文件中的事件。这是特定于日志文件的,并与日志文件名一起用于唯一标识此类的实例。

因此,您应该做的是获取具有特定 LogFile 的所有事件,按 TimeGenerated 排序并获取旧事件并再次搜索旧事件的编号:即:

using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Management;

namespace WmiEventQuery
{
    class Program
    {
        static void Main(string[] args)
        {
            SelectQuery query = new SelectQuery("select * from Win32_NtLogEvent where LogFile = 'Application' ");
            //execute the query using WMI
            ManagementObjectSearcher searcher = new ManagementObjectSearcher(query);
            //loop through each log found
            List<EventDateTime> datetimesEvents = new List<EventDateTime>();
            foreach (ManagementObject mo in searcher.Get())
            {
                DateTime firstEventTime;
                DateTime.TryParseExact(mo["TimeGenerated"].ToString().Substring(0, 12), "yyyyMMddHHmm", null, DateTimeStyles.None, out firstEventTime);

                datetimesEvents.Add(new EventDateTime
                {
                    RecordNumber = Convert.ToInt32(mo["RecordNumber"]),
                    TimeGenerated = firstEventTime
                });
            }

            int olderRecordNumber = datetimesEvents.OrderBy(p => p.RecordNumber).FirstOrDefault().RecordNumber;

            SelectQuery queryUnique = new SelectQuery(
                System.String.Format("select * from Win32_NtLogEvent where RecordNumber = {0}", olderRecordNumber)
                );

            ManagementObjectSearcher searcherUnique = new ManagementObjectSearcher(queryUnique);

            foreach (ManagementObject mo in searcherUnique.Get())
            {
                //get the older event
                Console.WriteLine(mo["Message"]);
                Console.WriteLine(mo["RecordNumber"]);
            }

            Console.Read();

        }
    }

    public class EventDateTime
    {
        public DateTime TimeGenerated { get; set; }
        public int RecordNumber { get; set; }
    }

}
于 2012-01-31T16:53:23.973 回答