I would like to save the event log to a CSV file, both in Windows XP and Windows 7.
In Windows XP I can manually do it: I open the "Event viewer" (EVENTVWR or EVENTVWR.MSC on the command line), then for example I right click on the "Application" log, then I choose the contextual menu command "Save log file as" and "CSV (Comma delimited)(*.csv)" and I finally get the log saved on a file.
The file contains all the log information: it contains the full formatted message for every events.
If you simply launch the contextual menu command "Export list" you will instead get a mere list of event's "metadata" like Type, Date, Time, Source, Category, Event, User, Computer.
I browsed the available APIs in Windows XP, that is the Event Logging Functions (Windows), and I have found that:
BackupEventLog does not allow me to choose the format of the
backup file, i.e. it will save in a binary format that to me will be useless.ReadEventLog gives me just the metadata via the structure EVENTLOGRECORD and the instructions to get the full formatted message with a lot of work:
The event identifier together with source name and a language
identifier identify a string that describes the event in more detail.
The strings are used as replacement strings and are merged into the
message string to make a complete message. The message strings are
contained in a message file specified in the source entry in the
registry. To obtain the appropriate message string from the message
file, load the message file with the LoadLibrary function and use the
FormatMessage function.
Now, it is a lot of work: with the source go into the registry (where? I am afraid there are multiple possible places...) to find the resource file name, load the file with LoadLibrary and then format the message with FormatMessage.
Am I missing something? Is there any shortcut? Why don't Microsoft gives us a plain API to backup the log in CSV format? After all they already wrote the code inside eventvwr...
Now I am a bit discouraged and I did not browsed the Evt* APIs (Windows Event Log Functions (Windows)) available since Windows Vista.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
