Problem description
I am getting the information from the event log in Windows with this:
using System;
using System.Diagnostics;
using System.Linq;

private void button1_Click(object sender, EventArgs e)
{
    EventLog eventLog;
    eventLog = new EventLog();
    eventLog.Log = "Security";
    eventLog.Source = "Security-Auditing";
    eventLog.MachineName = "SERVER";
    var count = 0;
    // Only failed logon events (Event ID 4625) are of interest
    foreach (EventLogEntry log in eventLog.Entries.Cast<EventLogEntry>().Where(log => log.InstanceId == 4625))
    {
        Console.Write("eventLogEntry.Index: {0}{1}", log.Index, Environment.NewLine);
        SaveRecord(log);
        count++;
    }
}
I am trying to capture all of the invalid logins to my server and then add an entry after x amount of invalid attempts.
I am looping through the event log and getting the information without issue, but how do I know what the last record I stopped reading at was? When the log gets more information, I need to restart reading again, but I need a starting point.
I was thinking I could use the Index on the EventLogEntry, but I cannot find any information on it. The ones I have on my machine are 6-digit numbers.
How reliable is that? Should I be going off something else? Should I clear that log after I read it instead?
Thanks for your input!
======= WHAT I DID ========
With Apokal's help, here is what I did:
/// <summary>
/// Returns all events in the Windows event log that match the passed-in criteria.
/// If nothing is passed in then it will return all events where a user attempted
/// to log into the machine and gave an invalid username or password.
/// </summary>
/// <param name="eventLogMachineName">The machine where the event log is at.</param>
/// <param name="cutoffdatetime">Date and time of the cut-off for the list.</param>
/// <param name="eventLogName">'Log Name' in the event log. This is the folder that the events reside in.</param>
/// <param name="eventLogSource">Event log 'Source'.</param>
/// <param name="instanceId">Filters to a specific 'Event Id' in the event log.</param>
/// <returns>The matching event log entries.</returns>
public static IEnumerable<EventLogEntry> GetEventLogs(string eventLogMachineName,
                                                     DateTime cutoffdatetime,
                                                     string eventLogName = "Security",
                                                     string eventLogSource = "Security-Auditing",
                                                     int instanceId = 4625)
{
    var eventLog = new EventLog { Log = eventLogName, Source = eventLogSource, MachineName = eventLogMachineName };
    return from EventLogEntry log in eventLog.Entries
           where log.InstanceId == instanceId &&
                 log.TimeGenerated > cutoffdatetime
           select log;
}
And I call it like this:
private void button1_Click(object sender, EventArgs e)
{
    var lastcheckdatetime = Properties.Settings.Default.LastCheckDate;
    // Never go back more than a month; fall back to the last week
    if (lastcheckdatetime < (DateTime.Now.AddDays(-30)))
    {
        lastcheckdatetime = DateTime.Now.AddDays(-7);
    }
    var log = EventLogClass.GetEventLogs("TGSERVER", lastcheckdatetime);
    Properties.Settings.Default.LastCheckDate = DateTime.Now;
    Properties.Settings.Default.Save();
    var count = 0;
    foreach (EventLogEntry l in log)
    {
        Console.WriteLine("---------------------");
        Console.Write("eventLogEntry.Index: {0}{1}", l.Index, Environment.NewLine);
        Console.Write("eventLogEntry.TimeGenerated: {0}{1}", l.TimeGenerated, Environment.NewLine);
        count++;
    }
}
Recommended answer
From my experience and a little research, the Index property shows the index of the event that was written, counting from the creation of the event log.
But you missed a couple of things.
First, you have to remember that event logs have limited size. For example, imagine the "Security" log can hold only 1000 entries (the actual size in MB is shown in the event log properties, if you look in eventvwr.msc). So when the event log is full there are 3 ways:
- Write new events over the old ones. In this case remembering the index of the last read event is bad, because the event that index points to can simply be overwritten.
- Archive. In this case the remembered index may now point to an event in an archive rather than to an event in the current .evtx file of the event log.
- Do not write new events; clear the event log manually. I don't think this is interesting, because you need an automated tool.
So, one could set the event log to be archived and remember the last index of the event. Then, when reading the event log again, first get the oldest record of the current event log file:
EventLog log = new System.Diagnostics.EventLog("Security");
// Entries[0] is the oldest entry still present in the current log file
int oldestIndex = log.Entries[0].Index;
Then compare oldestIndex with your lastReadedIndex, and if lastReadedIndex < oldestIndex you first have to read the archives, and only then read the current event log file.
All archives are stored by default in the same directory where the current event log file (.evtx) exists. Archives can be easily read by using the EventLogReader class. Try to look at EventRecord and its RecordId property; I think it's the same as the Index property of the EventLogEntry class (can't check at the moment).
Another approach is to remember the time when the event was written and use it as the starting point for searching new events, in case Index and RecordId wouldn't help.
Good luck!
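The answer's two suggestions (a time-based starting point and a RecordId checkpoint, with EventLogReader for the live log or an archived .evtx) put together, as an added example that is not code from the question or the answer. It assumes the caller persists the Checkpoint between runs (for instance in the user settings the question uses), and that property index 5 of a 4625 event is TargetUserName, as in the standard 4625 event template; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

// Added example (not code from the question or the answer): applies the answer's two
// suggestions, a time-based starting point plus a RecordId checkpoint, through EventLogReader.
public static class FailedLogonScanner
{
    public sealed class Checkpoint
    {
        public long LastRecordId;     // RecordId of the newest event read so far (0 = none)
        public DateTime LastTimeUtc;  // TimeCreated of that event, in UTC
    }

    // True when the checkpoint points below the oldest record still in the live log, i.e. the
    // log wrapped or was cleared since the last run and the archives have to be read first.
    public static bool CheckpointPredatesLog(string logName, long lastRecordId)
    {
        EventLogInformation info =
            EventLogSession.GlobalSession.GetLogInformation(logName, PathType.LogName);
        return info.OldestRecordNumber.HasValue && lastRecordId < info.OldestRecordNumber.Value;
    }

    // Counts 4625 events per target account that are newer than the checkpoint and advances it.
    // path is "Security" with PathType.LogName, or an archived .evtx with PathType.FilePath.
    public static Dictionary<string, int> CountFailures(string path, PathType pathType, Checkpoint cp)
    {
        var counts = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        long ms = (long)Math.Max(0, (DateTime.UtcNow - cp.LastTimeUtc).TotalMilliseconds);
        // XPath filter evaluated by the event log service: id 4625, created within the last ms milliseconds
        string xpath = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= " + ms + "]]]";
        using (var reader = new EventLogReader(new EventLogQuery(path, pathType, xpath)))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    long id = rec.RecordId ?? -1;
                    if (id <= cp.LastRecordId) continue; // already counted on a previous run
                    // Index 5 is TargetUserName in the 4625 event template (assumption made here)
                    string user = rec.Properties.Count > 5 ? Convert.ToString(rec.Properties[5].Value) : "?";
                    counts[user] = counts.TryGetValue(user, out int n) ? n + 1 : 1;
                    cp.LastRecordId = id;
                    cp.LastTimeUtc = rec.TimeCreated?.ToUniversalTime() ?? cp.LastTimeUtc;
                }
            }
        }
        return counts;
    }
}
```

When CheckpointPredatesLog returns true, run CountFailures over the archived .evtx files first and only then over the live log; if the log was cleared rather than archived, set LastRecordId back to 0 first, because record numbers restart after a clear.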