I'm trying to use the EventLogQuery class to query the eventlog. I followed the example shown on http://msdn.microsoft.com/en-us/library/bb671200%28v=vs.90%29.aspx#Y0.
I've searched Google a ton but can't find any queries with the @SystemTime not hard-coded in there.
Does anyone know the DateTime format I need to use for this? Everything I've tried so far has returned "Invalid Query" exceptions.
EventLogQuery uses an XML format to query the event log. You can find the schema for the query XML here.
The text of the Select element is an XPath expression evaluated against the XML serialization of events.
You can find the schema for the event XML here.
The TimeCreated element has an attribute SystemTime of type dateTime, so the format of this (in your query XML) is whatever an XPath processor can parse as a valid dateTime (see 3.2.7.1. Lexical representation for the specifics).
For example you can try a query like this:
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[TimeCreated[@SystemTime = '2011-12-20T00:42:53.000000000Z']]]</Select>
</Query>
</QueryList>
Which parses and returns a value if you happen to have an event created exactly at the given date and time.
Also dateDiff is an extension function to the Filter XPath protocol, which takes one or two arguments of SYSTEMTIME type and returns a number, so just use a number in expression with this function (just like in your example).
P.S. You can use the Windows Event Viewer (%windir%\system32\eventvwr.msc) to enter and quickly evaluate event query XML by creating Custom Views (Windows Vista, 7 and 2008 only):
Here is another C# for initializing an EventLogQuery object that will load event entires for a specific date range
var startTime = DateTime.Now.AddDays(-1);
var endTime = DateTime.Now;
var query = string.Format("*[System[TimeCreated[@SystemTime >= '{0}']]] and *[System[TimeCreated[@SystemTime <= '{1}']]]",
startTime.ToUniversalTime().ToString("o"),
endTime.ToUniversalTime().ToString("o"));
var elq = new EventLogQuery("Applicaton", PathType.LogName, query);
Here's a C# example for initializing an EventLogQuery object that will only load event entries from the last day.
var yesterday = DateTime.UtcNow.AddDays(-1);
var yesterdayDtFormatStr = yesterday.ToString(
"yyyy-MM-ddTHH:mm:ss.fffffff00K",
CultureInfo.InvariantCulture
);
var query = string.Format(
"*[System/TimeCreated/@SystemTime >='{0}']",
yesterdayDtFormatStr
);
var elq = new EventLogQuery("Application", PathType.LogName, query);
Failed Login IP List in Last 2 Hour. EventID=4625 AND CreatedDate >= Last 2 Hour
var AfterTime = DateTime.Now.AddMinutes(-120);
string queryString =
"<QueryList>" +
" <Query Id='0' Path='Security'>" +
$" <Select Path='Security'>*[System[(EventID=4625) and TimeCreated[@SystemTime>='{AfterTime.ToString("o")}']]]</Select>" +
" </Query>" +
"</QueryList>";
var reader = new EventLogReader(new EventLogQuery("Security", PathType.LogName, queryString));
for (EventRecord eventDetail = reader.ReadEvent(); eventDetail != null; eventDetail = reader.ReadEvent())
{
if (eventDetail.Id == 4625 && eventDetail.TimeCreated >= AfterTime)// Extra security, check again
{
IPlist.Add(eventDetail.Properties[eventDetail.Properties.Count - 2].Value.ToString()); // Get IP Adress, Last Second Element Has IP Adress
}
}
var AttackerIP = IPlist.GroupBy(x => x).Select(x => x.Key).ToList();
There is an example here of the XML with a string version of the expected date format.
<TimeCreated SystemTime="2006-02-28T21:51:44.754Z" />
