query(log_name, query_text=None, records=20, latest=True, raw=False)

Query a log for a specific event_id. Return the top number of records specified. Use :py:func:`win_event.get_log_names <salt.modules.win_event.get_log_names>` to see a list of available logs on the system.
```python
def query(log_name, query_text=None, records=20, latest=True, raw=False):
    """
    Query a log for a specific event_id. Return the top number of records
    specified. Use the
    :py:func:`win_event.get_log_names <salt.modules.win_event.get_log_names>`
    to see a list of available logs on the system.

    .. Note::
        You can use the Windows Event Viewer to create the XPath query for the
        ``query_text`` parameter. Click on ``Filter Current Log``, configure the
        filter, then click on the XML tab. Copy the text between the two
        ``<Select>`` tags. This will be the contents of the ``query_text``
        parameter. You will have to convert some XML entities. For example,
        ``&gt;`` becomes ``>`` and ``&lt;`` becomes ``<``. Additionally, you'll
        need to put spaces around comparison operators. For example:
        ``this >= that``.

    Args:

        log_name (str): The name of the log to query

        query_text (:obj:`str`, optional):
            The XPath filter to apply to the log.
            Default is ``None``.

        records (:obj:`int`, optional):
            The number of records to return.
            Default is ``20``.

        latest (:obj:`bool`, optional):
            ``True`` will return the newest events. ``False`` will return the
            oldest events.
            Default is ``True``.

        raw (:obj:`bool`, optional):
            ``True`` will return the raw xml results. ``False`` will return the
            xml converted to a dictionary.
            Default is ``False``.

    Returns:
        list: A list of dict objects that contain information about the event

    CLI Example:

    .. code-block:: bash

        # Return the 20 most recent events from the Application log with an event ID of 22
        salt '*' win_event.query Application '*[System[(EventID=22)]]'

        # Return the 20 most recent events from the Application log with an event ID of 22, as raw XML
        salt '*' win_event.query Application '*[System[(EventID=22)]]' raw=True

        # Return the 20 oldest events from the Application log with an event ID of 22
        salt '*' win_event.query Application '*[System[(EventID=22)]]' latest=False

        # Return the 20 most recent Critical (1) events from the Application log in the last 12 hours
        salt '*' win_event.query Application '*[System[(Level=1) and TimeCreated[timediff(@SystemTime) <= 43200000]]]'
    """
```
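The Note above describes a manual conversion (decode the XML entities in the text copied from Event Viewer's XML tab, then space out the comparison operators) and the last CLI example shows a time-window filter expressed in milliseconds. The following is an added example, not code from `salt.modules.win_event`, that automates both steps: `select_text_to_query_text` and `build_query` are this example's own helper names, the sample inputs are constructed, and the Event Viewer level numbers (1 = Critical through 4 = Information) are an assumption about the Windows event schema rather than something the docstring states. It also handles two cases the Note does not mention: a whole `QueryList` document pasted instead of just the `<Select>` contents, and an operator character inside a quoted XPath literal, which must be left alone.

```python
"""Helpers for preparing the ``query_text`` argument of win_event.query.

Added example, not part of salt.modules.win_event. The function and
constant names here are the example's own.
"""
import re
from html import unescape
from xml.etree import ElementTree as ET

# Operators the docstring says must be surrounded by spaces. "=" is left
# alone on purpose: the module's own examples use "EventID=22" as-is.
_COMPARISON_RE = re.compile(r"\s*(<=|>=|!=|<|>)\s*")
# XPath string literals; an operator inside quotes is data, not syntax.
_QUOTED_RE = re.compile(r"""('[^']*'|"[^"]*")""")

# Constructed sample: what Event Viewer's XML tab shows between the two
# <Select> tags after filtering Application on Critical events of the
# last 12 hours. Note the XML entity in place of "<".
SAMPLE_SELECT_TEXT = (
    "*[System[(Level=1) and TimeCreated[timediff(@SystemTime) &lt;= 43200000]]]"
)
# The same filter as a complete QueryList document (also constructed).
SAMPLE_QUERY_LIST = (
    '<QueryList><Query Id="0" Path="Application">'
    f'<Select Path="Application">{SAMPLE_SELECT_TEXT}</Select>'
    "</Query></QueryList>"
)


def select_text_to_query_text(text: str) -> str:
    """Turn Event Viewer's <Select> contents into a valid ``query_text``.

    Accepts either the bare text between the <Select> tags or the whole
    pasted QueryList document. XML entities are decoded and comparison
    operators outside quoted literals get a space on each side.
    """
    text = text.strip()
    if "<Select" in text:
        # Whole element or document pasted: ElementTree decodes entities.
        root = ET.fromstring(text)
        select = root if root.tag == "Select" else root.find(".//Select")
        if select is None:
            raise ValueError("no <Select> element found")
        decoded = select.text or ""
    else:
        decoded = unescape(text)  # &lt; -> <, &gt; -> >, &amp; -> &
    parts = _QUOTED_RE.split(decoded)  # odd indexes are quoted literals
    for i in range(0, len(parts), 2):
        parts[i] = _COMPARISON_RE.sub(r" \1 ", parts[i])
    return "".join(parts).strip()


def build_query(event_ids=None, level=None, max_age_hours=None) -> str:
    """Build a System-section filter without hand-writing XPath.

    event_ids: iterable of event IDs, any of which may match.
    level: Event Viewer level, 1=Critical, 2=Error, 3=Warning, 4=Information
    (assumed Windows event schema values, not stated by the module).
    max_age_hours: keep only events newer than this many hours; converted
    to the millisecond value that timediff(@SystemTime) is compared with.
    """
    clauses = []
    if event_ids:
        ids = " or ".join(f"EventID={int(i)}" for i in event_ids)
        clauses.append(f"({ids})")
    if level is not None:
        clauses.append(f"(Level={int(level)})")
    if max_age_hours is not None:
        max_age_ms = int(max_age_hours * 60 * 60 * 1000)
        clauses.append(f"TimeCreated[timediff(@SystemTime) <= {max_age_ms}]")
    if not clauses:
        return "*"  # no filter at all: every event in the log
    return "*[System[" + " and ".join(clauses) + "]]"


if __name__ == "__main__":
    # Either path yields the filter from the module's last CLI example; the
    # result is what you pass as query_text, e.g.
    #   salt '*' win_event.query Application "<query_text>" records=20
    print(select_text_to_query_text(SAMPLE_SELECT_TEXT))
    print(select_text_to_query_text(SAMPLE_QUERY_LIST))
    print(build_query(level=1, max_age_hours=12))
    print(build_query(event_ids=[22]))
```

`build_query` deliberately joins several event IDs with `or` inside one parenthesised group and the remaining clauses with `and`, which is the shape the module's own examples use; `=` is never padded because `EventID=22` appears unpadded in those examples, while `<`, `>`, `<=` and `>=` always are.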