Admintech.jp のセミナー中に作ったコードをコマンドとして使えるように拡張しました

正規表現を使って、イベントログの中から
取り出したい内容を含むログだけを標準出力に書き出せるようにしました

使い方としては、コマンド引数として /s:{イベントログのソース} "正規表現" を渡すと
指定したソース (Application や System) から正規表現にログの内容がマッチしたものを
まとめてCSVで出力するようになっています

また /n オプションを使うと、正規表現にマッチしなかったログだけを出力できます

using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using System.Diagnostics;

namespace EnvironmentManagement
{
    class Program
    {
        static int Main(string[] args)
        {
            Regex cmdHelp =
               new Regex("^/h", 
                 RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture | RegexOptions.IgnoreCase);
            Regex cmdPositive = 
               new Regex("^/p", 
                 RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture | RegexOptions.IgnoreCase);
            Regex cmdNegative = 
               new Regex("^/n", 
                 RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture | RegexOptions.IgnoreCase);
            Regex cmdQuit = 
               new Regex("^/q", 
                 RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture | RegexOptions.IgnoreCase);
            Regex cmdSource = 
               new Regex("^/s:\"?(?<source>.*)\"?", 
                 RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture | RegexOptions.IgnoreCase);

            bool quitMode = false;
            bool positiveMatch = true;
            string expression = String.Empty;
            string source = String.Empty;

            foreach (string param in args)
            {
                if (cmdHelp.IsMatch(param))
                {
                    ShowHelp();

                    return 0;
                }

                if (cmdPositive.IsMatch(param))
                {
                    positiveMatch = true;
                }
                else if (cmdNegative.IsMatch(param))
                {
                    positiveMatch = false;
                }
                else if (cmdQuit.IsMatch(param))
                {
                    quitMode = true;
                }
                else if (cmdSource.IsMatch(param))
                {
                    Match match = cmdSource.Match(param);

                    source = match.Groups["source"].Value;
                }
                else
                {
                    expression = param;
                }
            }

            if (!quitMode)
            {
                Console.WriteLine("EventLog Exporter with Regular Expressions");
                Console.WriteLine();
            }

            if (expression == string.Empty)
            {
                if (!quitMode) Console.Error.WriteLine("Please input regular expressions.");

                return 1;
            }
            else if (source == string.Empty)
            {
                if (!quitMode) Console.Error.WriteLine("Please input eventlog source name.");

                return 1;
            }

            try
            {
                ReadEventLogs(source, expression, positiveMatch);
            }
            catch (Exception e)
            {
                if (!quitMode)
                {
                    Console.Error.Write(e.Source);
                    Console.Error.Write(", ");
                    Console.Error.WriteLine(e.Message);
                }

                return 1;
            }

            return 0;
        }

        private static void ReadEventLogs(string source, string expression, bool positiveMatch)
        {
            EventLog logs = new EventLog(source);
            Regex regex = new Regex(expression, 
                 RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture | RegexOptions.IgnoreCase);

            OutputHeader();

            foreach (EventLogEntry entry in logs.Entries)
            {
                if (positiveMatch && regex.IsMatch(entry.Message))
                {
                    OutputLog(entry, source);
                }
                else if (!positiveMatch && !regex.IsMatch(entry.Message))
                {
                    OutputLog(entry, source);
                }
            }
        }

        private static void OutputHeader()
        {
            Console.Write("\"");
            Console.Write("Source");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("InstanceId");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("EntryType");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("Category");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("ApplicationSource");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("TimeGenerated");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("TimeWritten");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("MachineName");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("Username");
            Console.Write("\",");

            Console.Write("\"");
            Console.Write("Message");
            Console.Write("\"");

            Console.WriteLine();
        }

        private static void OutputLog(EventLogEntry entry, string source)
        {
            Console.Write("\"");
            Console.Write(source);
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.InstanceId.ToString());
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.EntryType.ToString());
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.Category);
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.Source);
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.TimeGenerated.ToString("s"));
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.TimeWritten.ToString("s"));
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.MachineName);
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.UserName);
            Console.Write("\",");

            Console.Write("\"");
            Console.Write(entry.Message.Replace("\"", "'"));
            Console.Write("\"");

            Console.WriteLine();
        }

        private static void ShowHelp()
        {
            Console.WriteLine("EventLog with regular expressions:");

            Console.WriteLine();

            Console.WriteLine(String.Format("{0} {1}", 
               System.IO.Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]), 
               "/h /p /n /q /s:{EventLogSource} \"{RegularExpression}\""));

            Console.WriteLine();
            Console.WriteLine();
            Console.WriteLine();

            Console.WriteLine("\t/h\tShow help.");
            Console.WriteLine("\t/p\tIf regular expressoin is match, to EventLog export.");
            Console.WriteLine("\t/p\tIf regular expression is not match, to EventLog export.");
            Console.WriteLine("\t/q\tQuit mode.");
            Console.WriteLine("\t/s:{EventLogSource}\n\t\tExporting EventLog source name.");
            Console.WriteLine("\t\"{RegularExpression}\"\n\t\tSearch keyword");

            Console.WriteLine();
        }
    }
}
