Parsing of Message field of Event Log entry c#

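How can I parse an Event Log message, or specific fields of its replacement strings, using C#? I.e., I need to parse "Workstation Name" from the Security event log entry with ID 4624. A sample log is given below.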

Subject:
Security ID:        S-1-0-0
Account Name:       -
Account Domain:     -
Logon ID:       0x0

Logon Type:         0

Impersonation Level:        -

New Logon:
    Security ID:        S-1-5-18
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3e7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x4
    Process Name:       

Network Information:
    Workstation Name:   - some data
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      -
    Authentication Package: -
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0 

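I think that for every event with the same event ID, the order and count of the replacement strings are the same, but their lengths differ. So how can I parse this string into a corresponding object, or extract a specific field?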

If you need to extract the value of the Workstation Name field, one of the simplest ways is to use a regular expression.

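// Requires: using System.Text.RegularExpressions;
// fileText holds the message text of the event.
string fieldName = "Workstation Name";
// [ \t]* (not \s*) keeps the match on the field's own line; \r?\n accepts both line endings.
var expression = new Regex(string.Format(@"\s*{0}:[ \t]*-[ \t]*(.+?)\r?\n", Regex.Escape(fieldName)));
Match match = expression.Match(fileText);

if (match.Success)
{
  // Groups[1] is a Group object; its Value is the captured text.
  string workstationName = match.Groups[1].Value;
  // ... use workstationName here
}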
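
An added example, not part of the original answer: it generalizes the single-field regex into a parser for the whole message, keyed by section, because a name such as "Security ID" appears under both "Subject" and "New Logon". The names `EventMessageParser` and `Parse`, the "Section/Field" key format, and the rule that a value-less line after a blank line opens a section are assumptions of this sketch.

```csharp
using System;
using System.Collections.Generic;

static class EventMessageParser
{
    // Returns "Section/Field" -> value; fields outside any section use the bare field name.
    public static Dictionary<string, string> Parse(string message)
    {
        var fields = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        string section = "";
        bool afterBlank = true;                       // start of text counts as a blank line
        foreach (string raw in message.Split('\n'))
        {
            string line = raw.Trim();                 // also drops the '\r' of "\r\n"
            if (line.Length == 0) { section = ""; afterBlank = true; continue; }
            int colon = line.IndexOf(':');            // first colon only: values may contain ':'
            if (colon < 0) { afterBlank = false; continue; }   // free text, not a field
            string name = line.Substring(0, colon).Trim();
            string value = line.Substring(colon + 1).Trim();
            if (value.Length == 0 && afterBlank)
                section = name;                       // e.g. "New Logon:" opens a section
            else                                      // a lone "-" is shown for an empty field
                fields[section.Length == 0 ? name : section + "/" + name] =
                    value == "-" ? "" : value;
            afterBlank = false;
        }
        return fields;
    }

    static void Main()
    {
        // Constructed sample, shortened from the message in the question.
        string sample =
            "Subject:\r\n    Security ID:        S-1-0-0\r\n\r\n" +
            "Logon Type:         0\r\n\r\n" +
            "New Logon:\r\n    Security ID:        S-1-5-18\r\n" +
            "    Account Name:       SYSTEM\r\n\r\n" +
            "Process Information:\r\n    Process ID:     0x4\r\n" +
            "    Process Name:       \r\n\r\n" +
            "Network Information:\r\n    Workstation Name:   - some data\r\n" +
            "    Source Network Address: -\r\n";
        var f = Parse(sample);
        Console.WriteLine(f["Network Information/Workstation Name"]);
        Console.WriteLine(f["New Logon/Security ID"]);
        Console.WriteLine(f["Logon Type"]);
    }
}
```

A top-level field with an empty value that directly follows a blank line would be read as a section header; that is the limit of the blank-line rule.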