I'm trying to read a stored .evtx with the EventLog class from System.Diagnostics, but it doesn't work.

Isn't it possible to read a stored evtx file with EventLog Class or where is the problem?

Below is my code:

    string source = @"S:\test.evtx";

    EventLog eventLog = new EventLog();
    eventLog.Source = source;

    foreach (EventLogEntry log in eventLog.Entries)
    {
        Console.WriteLine("{0}\n", log.Message);
    }

flaeckli

1 Answer

The Source Property of the EventLog refers to the Application Sources in the Event Viewer and not necessarily the source file that you exported.

You need to supply the Source property with the name of an application, not a file name.

UPDATE: If you insist on reading from an evtx, then the EventLogReader class must be the solution.

    using System;
    using System.Diagnostics;
    using System.Diagnostics.Eventing.Reader;

    // EVENT LOG READER: reads records directly from an exported .evtx file
    string source = @"C:\testev.evtx";

    using (var reader = new EventLogReader(source, PathType.FilePath))
    {
        EventRecord record;
        while ((record = reader.ReadEvent()) != null)
        {
            using (record)
            {
                Console.WriteLine("{0} {1}: {2}", record.TimeCreated, record.LevelDisplayName, record.FormatDescription());
            }
        }
    }

    // EVENT LOG: reads a live log through a registered event source
    EventLog eventLog = new EventLog();
    eventLog.Source = "ESENT"; // name of an application

    foreach (EventLogEntry log in eventLog.Entries)
    {
        Console.WriteLine("{0}\n", log.Message);
    }

Joseph
  • Thank you for your reply. But how can I add a source, because the evtx file lies on a network share? – flaeckli Apr 16 '18 at 08:41
  • I am not sure why you need to read from an evtx. But if you need to read from the Event Viewer of another computer, you need to supply the MachineName property. – Joseph Apr 16 '18 at 08:43
  • I don't know if you tested it or not, but I already found this way in the following thread https://stackoverflow.com/questions/30809133/read-event-log-file-from-path?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa But the problem is that record.FormatDescription() returns Null every time. – flaeckli Apr 16 '18 at 09:07
  • FormatDescription gets the event message in the current locale. You may want to counter-check whether the events in your evtx file have event messages by importing it into your local Event Viewer. – Joseph Apr 16 '18 at 09:45
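
An added example, not code from the question or the answer: a reader for an exported .evtx that still produces usable output when `FormatDescription()` returns null, as reported in the comments, by falling back to the values stored in the record itself. The class name `EvtxDump`, the helper `Describe` and the command-line argument are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

static class EvtxDump // hypothetical name, not from the thread
{
    // Returns the rendered message, or a fallback built from the record's
    // own data when no message can be rendered on this machine.
    static string Describe(EventRecord record)
    {
        string message = null;
        try { message = record.FormatDescription(); }
        catch (EventLogException) { /* provider metadata could not be read */ }

        if (!string.IsNullOrEmpty(message))
            return message;

        // Fallback: the insertion values saved inside the event record.
        var values = record.Properties.Select(p => Convert.ToString(p.Value));
        return "[no message rendered] " + string.Join(" | ", values);
    }

    static int Main(string[] args)
    {
        // Assumption: the path to the .evtx file is the only argument.
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: EvtxDump <path-to-evtx>");
            return 1;
        }

        using (var reader = new EventLogReader(args[0], PathType.FilePath))
        {
            EventRecord record;
            while ((record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    Console.WriteLine("{0:o} {1} {2}: {3}",
                        record.TimeCreated, record.ProviderName, record.Id, Describe(record));
                }
            }
        }
        return 0;
    }
}
```

When the full event is needed for later analysis, `record.ToXml()` returns the raw XML of the record and can be written out in place of the joined property values.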