Reliably get Latest Event Log Record with WQL

I have written an application which collects Windows logs from Linux, via the Zenoss wmi-client package.

It uses WQL to query the Event log and parses the return. My problem is trying to find the latest entry in the log.

I stumbled across this (http://blogs.technet.com/b/heyscriptingguy/archive/2005/01/04/how-can-i-return-only-the-last-record-written-to-an-event-log.aspxq) which tells me to use the NumberOfRecords column in a query such as this:

    Select NumberOfRecords from Win32_NTEventLogFile Where LogFileName = 'Application'

and use the return value from that as the highest log.

My question is: I have heard that the Windows Event log is a circular buffer, that is, it overwrites its oldest logs with new ones as the log gets full. Will this have an impact on NumberOfRecords? If that happens, the "RecordNumber" property of the events will continue to increase; however, the actual number of records in the event log wouldn't change (as for every entry written, one is dropped).

Can anyone shed some insight into how this actually works (whether NumberOfRecords is the highest RecordNumber, or the actual number of events in the log), and perhaps suggest a solution?

Update

So we know now that NumberOfRecords won't work on its own because the Event Log is a ring buffer. The MS solution is to get the oldest record and add it to NumberOfRecords to get the actual latest record.

This is possible through WinAPI, but I am calling remotely from Linux. Does anyone know how I might achieve this in my scenario?

Thanks
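The ring-buffer behaviour the question describes, as an added example that is not part of the original post or of the Zenoss wmi-client: a toy model of an "overwrite as needed" event log shows why NumberOfRecords plateaus while RecordNumber keeps growing, and applies the oldest-record formula from the update. It assumes record numbers stay contiguous within the retained window (so newest = oldest + count - 1); RingEventLog and its method names are constructed for the demonstration, not Win32 API calls.

```python
from collections import deque


class RingEventLog:
    """Toy model of a Windows event log with circular (overwrite-oldest) retention.

    RecordNumber is a sequence number that only ever increases; NumberOfRecords
    (what Win32_NTEventLogFile reports) is the count of entries currently kept,
    so it stops growing once the log has wrapped.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.next_record_number = 1  # Windows numbers records starting at 1
        self.records = deque()

    def write(self, message):
        if len(self.records) >= self.capacity:
            self.records.popleft()  # the oldest entry is overwritten
        self.records.append((self.next_record_number, message))
        self.next_record_number += 1

    def number_of_records(self):
        """Equivalent of the NumberOfRecords column queried in the post."""
        return len(self.records)

    def oldest_record_number(self):
        """Equivalent of the 'oldest record' the MS solution asks for."""
        return self.records[0][0]

    def true_latest_record_number(self):
        """Ground truth used only to check the formula below."""
        return self.records[-1][0]


def latest_record_number(oldest, number_of_records):
    """Newest RecordNumber from the two values obtainable remotely.

    Assumes the retained record numbers are contiguous, which is why the
    constant is -1 rather than the plain sum described in the update.
    """
    return oldest + number_of_records - 1


def demo(capacity=5, events_written=12):
    """Return (naive NumberOfRecords, computed latest, actual latest)."""
    log = RingEventLog(capacity)
    for i in range(1, events_written + 1):
        log.write("constructed event %d" % i)
    naive = log.number_of_records()  # what the post originally planned to use
    computed = latest_record_number(log.oldest_record_number(), naive)
    return naive, computed, log.true_latest_record_number()
```

With capacity 5 and 12 writes, demo() returns (5, 12, 12): the naive value is stuck at the log size after wraparound, while oldest + count - 1 recovers the real latest record number.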