Maintaining Logged Events

Maintaining logged events involves clearing, exporting, and archiving previously logged events.

Clearing Logged Events

Clearing previously logged events from an event log deletes the logged events from their source log file and exports the cleared events to a specified target file (similar to using the EvtExportLog function). You must have both Read and Clear permission for an event log to clear the log.

The following C++ example shows how to clear all the events in the Application log. All of these events are also exported to the MyClearedEvents.log file.

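// Clear the Application channel; a NULL session handle selects the local computer.
// The cleared events are written to the target file, and the last argument (Flags) must be 0.
if ( !EvtClearLog(NULL,
    L"Application",
    L"c:\\temp\\MyClearedEvents.log",
    0 ))
    return GetLastError();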

Note: Unlike exporting logged events, the EvtClearLog function operates on a single log file that is specified by the ChannelPath parameter. The ChannelPath parameter can only contain one channel name.

Exporting Logged Events

When previously logged events are exported, they are copied from their original log files and stored in an external file. Essentially, the operation is the same as a query over an event log, except the result set is captured in the exported log file. This file may later be used in event log query operations. This functionality allows events from multiple active log files to be merged and exported into a target file.

The following C++ example shows how to export the events that are logged in the Windows Application log using the EvtExportLog function. These events are exported to the MyExportedEvents.log file.

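// Export every event (query "*") from the Application channel on the local computer.
// EvtExportLogChannelPath tells the function that the path argument is a channel name.
if ( !EvtExportLog(NULL,
    L"Application",
    L"*",
    L"c:\\temp\\MyExportedEvents.log",
    EvtExportLogChannelPath ))
    return GetLastError();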

Archiving Exported Events

Archiving an exported log file adds rendering information (the event messages) to the exported log file so that the file becomes self-contained.

The following C++ example shows how to call the EvtArchiveExportedLog function to add the rendering information for the en-US locale to the exported c:\temp\MyExportedEvents.log file.

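// Add en-US rendering information to the previously exported log file.
// The last argument (Flags) must be 0.
if ( !EvtArchiveExportedLog(NULL,
    L"c:\\temp\\MyExportedEvents.log",
    MAKELCID( MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US), SORT_DEFAULT ),
    0 ))
    return GetLastError();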
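
The three operations on this page chained into one preserve-then-clear routine, as an added PowerShell example that is not part of the original documentation. It uses the wevtutil commands epl, al and cl for export, archive and clear, and records a SHA-256 hash of the export before the source log is cleared. The parameter defaults, the file names, the Invoke-Wevtutil helper and the hash file are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. $Channel, $OutDir, $Locale and all file names are assumptions.
param(
    [string]$Channel = 'Application',
    [string]$OutDir  = 'C:\temp',
    [string]$Locale  = 'en-US'
)

$ErrorActionPreference = 'Stop'
$safe     = $Channel -replace '[\\/]', '_'       # channel names may contain "/"
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'   # unique names, so nothing is overwritten
$exported = Join-Path $OutDir "$safe-$stamp-export.evtx"
$cleared  = Join-Path $OutDir "$safe-$stamp-cleared.evtx"

# Hypothetical helper: run wevtutil and stop the whole routine on a non-zero exit code.
function Invoke-Wevtutil {
    param([string[]]$Arguments)
    & wevtutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Export: copy every event (query "*") from the channel into an external file.
Invoke-Wevtutil @('epl', $Channel, $exported, '/q:*')

# 2. Archive: add rendering information for the locale so the export is self-contained.
Invoke-Wevtutil @('al', $exported, "/l:$Locale")

# 3. Record a hash of the export before the source log is touched.
$hash = Get-FileHash -Path $exported -Algorithm SHA256
'{0}  {1}' -f $hash.Hash, $hash.Path | Add-Content (Join-Path $OutDir 'export-hashes.txt')

# 4. Clear: needs Read and Clear permission; the cleared events go to the backup file.
Invoke-Wevtutil @('cl', $Channel, "/bu:$cleared")

# 5. Confirm the backup written by the clear operation can be read back as a log file.
#    An empty log makes Get-WinEvent report an error, hence SilentlyContinue.
$count = (Get-WinEvent -Path $cleared -ErrorAction SilentlyContinue | Measure-Object).Count
"Cleared $Channel; $count events preserved in $cleared"
```

Because each step throws on failure, the clear in step 4 only runs after the export and archive have succeeded and the hash has been written.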

Build date: 5/7/2009