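I want to query an entire Windows event log (e.g. Application) for events written by a specific source (e.g. MSSQL$SQLEXPRESS). I have already written working code that searches by event ID: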
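    using System.Diagnostics.Eventing.Reader;

    // intFilter is the event ID to match; eventLogName is the log to read, e.g. "Application".
    string xpathQuery = string.Format("*[System/EventID={0}]", intFilter);
    EventLogQuery query = new EventLogQuery(eventLogName, PathType.LogName, xpathQuery);
    EventLogReader reader = new EventLogReader(query);
    // ReadEvent() returns null once no more matching events remain.
    for (EventRecord eventInstance = reader.ReadEvent(); null != eventInstance; eventInstance = reader.ReadEvent())
    {
        lisRecords.Add(eventInstance);
    }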
How do I have to change the xpathQuery so that I can search for 4 event log entry sources?
Change the query string to something like this (you may want to create a text resource and put the query in it, to avoid escaping):
*[System[Provider[@Name='Microsoft-Windows-ADSI' or @Name='Outlook'] and (EventID=1 or EventID=2 or EventID=3)]]
The above is equivalent to:
(EventID in (1,2,3)) and (Source in ('Microsoft-Windows-ADSI', 'Outlook'))
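
An added example, not part of the original answer: it builds the same query shape from lists of provider names and event IDs and reads the matching records. `BuildXPath` is a hypothetical helper and the provider names and IDs are constructed sample values; names containing quotes are rejected because they would change the structure of the query.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;

static class EventQueryExample
{
    // Hypothetical helper: builds *[System[Provider[...] and (...)]] from lists.
    static string BuildXPath(IEnumerable<string> providers, IEnumerable<int> eventIds)
    {
        var names = providers.ToList();
        var ids = eventIds.ToList();
        if (names.Count == 0 || ids.Count == 0)
            throw new ArgumentException("At least one provider and one event ID are required.");
        // Names are wrapped in single quotes below, so a quote inside a name would
        // alter the query's structure; reject such names instead of escaping them.
        if (names.Any(n => string.IsNullOrWhiteSpace(n) || n.Contains("'") || n.Contains("\"")))
            throw new ArgumentException("Provider names must be non-empty and contain no quotes.");

        string providerTest = string.Join(" or ", names.Select(n => $"@Name='{n}'"));
        string idTest = string.Join(" or ", ids.Select(i => $"EventID={i}"));
        return $"*[System[Provider[{providerTest}] and ({idTest})]]";
    }

    static void Main()
    {
        // Constructed sample values; MSSQL$SQLEXPRESS is the source named in the question.
        var providers = new[] { "MSSQL$SQLEXPRESS", "Microsoft-Windows-ADSI", "Outlook" };
        var eventIds = new[] { 1, 2, 3 };
        string xpathQuery = BuildXPath(providers, eventIds);
        Console.WriteLine(xpathQuery);

        var records = new List<EventRecord>();
        var query = new EventLogQuery("Application", PathType.LogName, xpathQuery);
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                records.Add(rec);
        }
        foreach (EventRecord rec in records)
        {
            Console.WriteLine($"{rec.TimeCreated} {rec.ProviderName} {rec.Id}");
            rec.Dispose(); // EventRecord holds a native handle
        }
    }
}
```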