Using the Windows Event Log functions (1)
Published: 2019-06-24



1. EvtOpenLog

The EvtOpenLog function opens an exported or live event log and returns a handle that can be used to access the log. The Path argument is either a channel name (with the EvtOpenChannelPath flag) or the path of an exported .evtx file (with the EvtOpenFilePath flag). The returned handle can be passed to subsequent calls to EvtGetLogInfo and must eventually be released with EvtClose.

Example:

```c
#include <windows.h>
#include <winevt.h>
#include <stdio.h>
#pragma comment(lib, "wevtapi.lib")

// Inside a function returning int.
EVT_HANDLE log = NULL;
LPCWSTR logPath = L"SimpleOperationalChannel";   // a channel name, hence EvtOpenChannelPath below

log = EvtOpenLog(NULL, logPath, EvtOpenChannelPath);
if (log == NULL)
{
    wprintf(L"Error opening the log: 0x%x \n", GetLastError());
    return 1;
}
```

2. EvtClose

The EvtClose function closes an open event object handle that was previously returned from a Windows Event Log function. Any handle that is returned by a Windows Event Log function must be closed using this function call when the user is finished with the handle. The handle that is passed into this function becomes invalid after this function is successfully called.

```c
EVT_HANDLE log = NULL;
LPCWSTR logPath = L"SimpleOperationalChannel";

log = EvtOpenLog(NULL, logPath, EvtOpenChannelPath);
// ... use the handle ...
EvtClose(log);
```

3. EvtGetLogInfo

The EvtGetLogInfo function gets information about a channel or log file, such as its size, its record count and the time it was last written. The property to fetch is selected with an EVT_LOG_PROPERTY_ID; the value is returned in an EVT_VARIANT whose Type field must be checked before the matching union member is read.

Queryable properties:

```c
typedef enum _EVT_LOG_PROPERTY_ID
{
    EvtLogCreationTime = 0,             // EvtVarTypeFileTime
    EvtLogLastAccessTime,               // EvtVarTypeFileTime
    EvtLogLastWriteTime,                // EvtVarTypeFileTime
    EvtLogFileSize,                     // EvtVarTypeUInt64
    EvtLogAttributes,                   // EvtVarTypeUInt32
    EvtLogNumberOfLogRecords,           // EvtVarTypeUInt64
    EvtLogOldestRecordNumber,           // EvtVarTypeUInt64
    EvtLogFull,                         // EvtVarTypeBoolean
} EVT_LOG_PROPERTY_ID;
```

Example:

```c
EVT_VARIANT* logProperty = (EVT_VARIANT*)malloc(sizeof(EVT_VARIANT));
DWORD bufferSize = sizeof(EVT_VARIANT);
DWORD bufferUsed = 0;

if (logProperty == NULL)
{
    return 1;
}

// A single EVT_VARIANT holds every EVT_LOG_PROPERTY_ID value, so
// ERROR_INSUFFICIENT_BUFFER is not expected here.
if (!EvtGetLogInfo(log, EvtLogNumberOfLogRecords, bufferSize, logProperty, &bufferUsed))
{
    wprintf(L"EvtGetLogInfo failed: 0x%x \n", GetLastError());
    free(logProperty);
    return 1;
}

// Check Type before reading the union: EvtVarTypeNull means there is no value.
if (logProperty->Type == EvtVarTypeNull)
{
    wprintf(L"The value of the log number of events property is NULL.\n");
}
else
{
    wprintf(L"The value of the log number of events property is: %I64u \n",
        logProperty->UInt64Val);
}
free(logProperty);
```

4. Log maintenance operations

4.1 EvtClearLog

The EvtClearLog function clears all events from an active log and, when a target path is given, first exports the events to that target log file; pass NULL as the target to clear the log without keeping a copy. Clearing is not silent: the Security log records event 1102 (the audit log was cleared) and the System log records event 104 (the log file was cleared), which is what log-tampering detections key on. Clearing the Security log requires SeSecurityPrivilege.

Example:

```c
if (!EvtClearLog(NULL,
                 L"Application",
                 L"c:\\temp\\MyClearedEvents.log",
                 0))
    return GetLastError();
```

Note: the target directory must already exist; EvtClearLog does not create it.

4.2 EvtExportLog

The EvtExportLog function exports selected events from a channel or from a log file to a target log file based on an event query. The Query argument is an XPath expression (or a structured XML query); "*" selects every event. The Flags argument says whether Path names a channel (EvtExportLogChannelPath) or an existing log file (EvtExportLogFilePath). The target file must not already exist.

Example:

```c
if (!EvtExportLog(NULL,
                  L"Application",
                  L"*",
                  L"c:\\MyExportedEvents.log",
                  EvtExportLogChannelPath))
    return GetLastError();
```

4.3 EvtArchiveExportedLog

The EvtArchiveExportedLog function archives the localized information (the rendered message strings) associated with the events in a log file created by either the EvtClearLog function or the EvtExportLog function, so that the file can be read on a machine that does not have the original event providers installed. The Locale argument selects the language of the strings.

Example:

```c
if (!EvtArchiveExportedLog(NULL,
                           L"c:\\MyExportedEvents.log",
                           MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT),
                           0))
    return GetLastError();
```

The live channel files (.evtx) that Windows itself maintains are stored under C:\Windows\System32\winevt\Logs. EvtArchiveExportedLog does not write there; it stores the localized metadata for the exported file next to that file, in a LocaleMetaData subdirectory.
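The following is an added example, not code from the original post, that ties together EvtGetLogInfo (section 3) and EvtExportLog / EvtArchiveExportedLog (section 4): it reads the record count and creation time of a channel while checking the returned variant types instead of assuming them, turns the FILETIME into the timestamp form Event Log XPath expects, builds a filter for specific event IDs instead of exporting everything with "*", exports the matching events and archives their localized strings. The channel name "Security", the target path C:\temp\SecurityAuditChanges.evtx, the choice of event IDs 1102 and 4719, and the helper names filetime_to_iso8601, build_export_query and get_log_prop are this example's own assumptions. The two helpers before #ifdef _WIN32 are portable C; the rest compiles only on Windows against wevtapi.lib and must run elevated to read the Security channel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* FILETIME ticks (100 ns since 1601-01-01) at the Unix epoch, and ticks per second. */
#define FILETIME_UNIX_EPOCH 116444736000000000ULL
#define TICKS_PER_SECOND    10000000ULL

/* Format a FILETIME tick count (e.g. the FileTimeVal returned for EvtLogCreationTime) as
 * "YYYY-MM-DDThh:mm:ss.000Z", the form TimeCreated[@SystemTime>=...] expects in Event Log
 * XPath. Returns 0 on success, -1 if ft predates 1970 or buf is too small. */
int filetime_to_iso8601(uint64_t ft, char *buf, size_t buflen)
{
    if (ft < FILETIME_UNIX_EPOCH || buflen < 25) return -1;
    uint64_t secs = (ft - FILETIME_UNIX_EPOCH) / TICKS_PER_SECOND;
    uint64_t days = secs / 86400;
    unsigned rem = (unsigned)(secs % 86400);
    /* Days since 1970-01-01 to a civil date (H. Hinnant's algorithm); z is never negative. */
    uint64_t z = days + 719468;
    uint64_t era = z / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned long long y = yoe + era * 400;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    unsigned d = doy - (153 * mp + 2) / 5 + 1;
    unsigned m = mp < 10 ? mp + 3 : mp - 9;
    if (m <= 2) y++;
    snprintf(buf, buflen, "%04llu-%02u-%02uT%02u:%02u:%02u.000Z",
             y, m, d, rem / 3600, (rem % 3600) / 60, rem % 60);
    return 0;
}

/* Build the Query argument for EvtExportLog: events with any of the given IDs created at or
 * after `since` (a FILETIME). Returns the query length, or -1 if out is too small. */
int build_export_query(const unsigned *ids, size_t n_ids, uint64_t since, char *out, size_t outlen)
{
    char ts[32];
    if (n_ids == 0 || filetime_to_iso8601(since, ts, sizeof ts) != 0) return -1;
    int w = snprintf(out, outlen, "*[System[(");
    if (w < 0 || (size_t)w >= outlen) return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < n_ids; i++) {
        w = snprintf(out + used, outlen - used, "%sEventID=%u", i ? " or " : "", ids[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    w = snprintf(out + used, outlen - used, ") and TimeCreated[@SystemTime>='%s']]]", ts);
    if (w < 0 || (size_t)w >= outlen - used) return -1;
    return (int)(used + (size_t)w);
}

#ifdef _WIN32   /* The Event Log calls below build only on Windows; link with wevtapi.lib. */
#include <windows.h>
#include <winevt.h>
#pragma comment(lib, "wevtapi.lib")
/* Read one log property and verify the variant type instead of assuming it. */
static BOOL get_log_prop(EVT_HANDLE log, EVT_LOG_PROPERTY_ID id, EVT_VARIANT_TYPE want,
                         EVT_VARIANT *out)
{
    DWORD used = 0;
    out->Type = EvtVarTypeNull;   /* stays Null if the call fails or no value exists */
    if (!EvtGetLogInfo(log, id, sizeof *out, out, &used) || out->Type != (DWORD)want) {
        wprintf(L"EvtGetLogInfo(%d): type %u, error 0x%x\n", (int)id, out->Type, GetLastError());
        return FALSE;
    }
    return TRUE;
}
int wmain(void)
{
    /* Assumed channel and target. Reading Security needs SeSecurityPrivilege (run elevated);
     * C:\temp must already exist and the target file must not exist yet. */
    LPCWSTR channel = L"Security";
    LPCWSTR target = L"C:\\temp\\SecurityAuditChanges.evtx";
    unsigned ids[] = { 1102, 4719 };   /* audit log cleared, audit policy changed */
    EVT_VARIANT count, created;
    char created_iso[32], query[256];
    WCHAR wquery[256];
    EVT_HANDLE log = EvtOpenLog(NULL, channel, EvtOpenChannelPath);
    if (!log) { wprintf(L"EvtOpenLog: 0x%x\n", GetLastError()); return 1; }
    BOOL ok = get_log_prop(log, EvtLogNumberOfLogRecords, EvtVarTypeUInt64, &count) &&
              get_log_prop(log, EvtLogCreationTime, EvtVarTypeFileTime, &created);
    EvtClose(log);
    if (!ok) return 1;
    filetime_to_iso8601(created.FileTimeVal, created_iso, sizeof created_iso);
    printf("%ls: %llu records, created %s\n", channel, (unsigned long long)count.UInt64Val, created_iso);
    /* Export only the events of interest recorded since the channel file was created. */
    if (build_export_query(ids, 2, created.FileTimeVal, query, sizeof query) < 0) return 1;
    MultiByteToWideChar(CP_UTF8, 0, query, -1, wquery, 256);
    if (!EvtExportLog(NULL, channel, wquery, target, EvtExportLogChannelPath)) {
        wprintf(L"EvtExportLog: 0x%x\n", GetLastError()); return 1;
    }
    /* Attach the localized message strings so the file renders on another machine. */
    if (!EvtArchiveExportedLog(NULL, target,
            MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT), 0)) {
        wprintf(L"EvtArchiveExportedLog: 0x%x\n", GetLastError()); return 1;
    }
    return 0;
}
#endif
```

The filter keeps the exported file small and focused on the events an investigation needs, which matters when the alternative is copying an entire Security log with "*". Because EvtExportLog refuses an existing target, a collection script should generate a fresh file name per run rather than retrying into the same path.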

Reposted from: http://pozio.baihongyu.com/
