VB / C# 通过查看 EventData 中的用户名从域控制器查询事件日志
VB / C# Query Event Logs from Domain Controller by looking at username in EventData
我正在尝试从域控制器(DC)的 Security 日志中获取某个用户名对应的安全审计失败事件。在 PowerShell 中,我可以用类似下面的命令轻松做到:
其中变量类似于:$DC = "MyDomainController" 和 $user = "jdoe"
# Pull the 4 most recent Security-log events on $DC that carry the audit-failure
# keyword and whose event data contains $user, then print the fields of interest.
# NOTE(review): with -FilterHashtable, 'Data' matches a value in any EventData field,
# not only TargetUserName, so an event where the name appears in another field
# (e.g. SubjectUserName) is presumably returned too — verify against your events.
$filter = @{
    Logname  = 'Security'
    Keywords = '4503599627370496'
    Data     = $user
}
Get-WinEvent -ComputerName $DC -FilterHashtable $filter -MaxEvents 4 |
    Format-List -Property ID, TimeCreated, MachineName, Message
这条命令会从我正在查看的 DC 上取出该用户名对应的 4 条安全审计失败事件。但我一直没能在 VB.NET 中找到或重现类似的做法:最近几天我查了很多页面和文章,能把 DC 上的全部日志拉下来,却没法按用户名过滤。任何帮助或指导都非常感谢,谢谢!
我通过研究自定义事件日志视图所使用的 XPath 查询找到了答案。下面是我在 C# 中的实现,同样的思路也适用于 VB.NET。注意:用户名会被直接拼接进 XPath 字符串,请务必先校验输入,不要把未经检查的文本拼进查询。
DomainController.Text = 要查询的域控制器主机名
Username.Text = 要查找的 AD 用户名(与事件 EventData 中的 TargetUserName 字段比较)
Statustextbox = 我把所有日志输出到一个文本框里以便阅读,你也可以改用 Console.WriteLine 之类的方式输出。
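/// <summary>
/// Button handler: reads the remote DC's Security log for audit-failure events whose
/// TargetUserName equals the user name typed into the form and dumps them into
/// <c>Statustextbox</c>.
/// </summary>
/// <param name="sender">Unused WinForms event source.</param>
/// <param name="e">Unused WinForms event args.</param>
private void LookupLogs_Click(object sender, EventArgs e)
{
    Statustextbox.Clear();

    string domainController = DomainController.Text.Trim();
    string user = Username.Text.Trim();

    // The user name is spliced into an XPath string literal further down. The event log
    // XPath dialect offers no escape sequence inside a quoted literal, so a value such as
    //     x' or 1=1 or 'a'='
    // would close the literal and widen the filter to every audit-failure event on the DC,
    // and '<' or '&' would make the surrounding <QueryList> XML unparseable. Refuse such
    // input outright instead of trying to escape it.
    if (domainController.Length == 0 || user.Length == 0)
    {
        MessageBox.Show("Enter both a domain controller and a user name.");
        return;
    }
    if (user.IndexOfAny(new[] { '\'', '"', '<', '>', '&' }) >= 0)
    {
        MessageBox.Show("The user name must not contain quotes or the characters < > &.");
        return;
    }

    // Keyword 4503599627370496 (0x10000000000000) is the same keyword the equivalent
    // PowerShell query uses to select audit-failure events. The second predicate compares
    // the Data element named TargetUserName directly with the user name; writing it as two
    // separate predicates (Data[@Name='TargetUserName'] and Data='x') would match any event
    // in which *some* Data field equals x (e.g. SubjectUserName), not just the target user.
    string query =
        "<QueryList>" +
        "  <Query Id=\"0\" Path=\"Security\">" +
        "    <Select Path=\"Security\">" +
        "      *[System[band(Keywords,4503599627370496)]]" +
        "      and *[EventData[Data[@Name='TargetUserName']='" + user + "']]" +
        "    </Select>" +
        "  </Query>" +
        "</QueryList>";

    try
    {
        // Both the session and the reader wrap native handles; dispose them when done.
        using (EventLogSession session = new EventLogSession(domainController))
        {
            EventLogQuery eventQuery = new EventLogQuery("Security", PathType.LogName, query);
            eventQuery.Session = session;

            using (EventLogReader logReader = new EventLogReader(eventQuery))
            {
                DisplayEventAndLogInformation(logReader);
            }
        }
    }
    catch (Exception ex)
    {
        // NOTE(review): reading a remote Security log typically needs Event Log Readers
        // membership or equivalent rights on the DC; access-denied and RPC failures both
        // surface here. Confirm the required rights in your environment.
        MessageBox.Show("An exception occured: " + ex.Message);
    }
}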
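/// <summary>
/// Drains <paramref name="logReader"/> and appends one text section per event
/// (id, time, computer, provider, formatted description, container log) to
/// <c>Statustextbox</c>.
/// </summary>
/// <param name="logReader">An open reader positioned at the first event to display.</param>
private void DisplayEventAndLogInformation(EventLogReader logReader)
{
    EventRecord eventInstance;
    while ((eventInstance = logReader.ReadEvent()) != null)
    {
        // Each EventRecord wraps a native handle; release it once its fields are copied out.
        using (eventInstance)
        {
            Statustextbox.AppendText(Environment.NewLine + Environment.NewLine);
            Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine);
            Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine);
            Statustextbox.AppendText("Time Created: " + eventInstance.TimeCreated + Environment.NewLine);
            Statustextbox.AppendText("Computer: " + eventInstance.MachineName + Environment.NewLine);
            Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine);
            try
            {
                // FormatDescription needs the provider's message resources; when they are
                // unavailable it throws EventLogException, which is reported in place of
                // the description rather than aborting the whole dump.
                Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine);
            }
            catch (EventLogException ex)
            {
                Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine);
            }

            // Records from an EventLogReader are expected to be EventLogRecord instances;
            // guard the cast so an unexpected subtype does not throw InvalidCastException.
            EventLogRecord logRecord = eventInstance as EventLogRecord;
            string containerLog = logRecord != null ? logRecord.ContainerLog : "(unknown)";
            Statustextbox.AppendText(Environment.NewLine);
            Statustextbox.AppendText("Container Event Log: " + containerLog + Environment.NewLine);
        }
    }
}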
我正在尝试从域控制器(DC)的 Security 日志中获取某个用户名对应的安全审计失败事件。在 PowerShell 中,我可以用类似下面的命令轻松做到:
其中变量类似于:$DC = "MyDomainController" 和 $user = "jdoe"
# Pull the 4 most recent Security-log events on $DC that carry the audit-failure
# keyword and whose event data contains $user, then print the fields of interest.
# NOTE(review): with -FilterHashtable, 'Data' matches a value in any EventData field,
# not only TargetUserName, so an event where the name appears in another field
# (e.g. SubjectUserName) is presumably returned too — verify against your events.
$filter = @{
    Logname  = 'Security'
    Keywords = '4503599627370496'
    Data     = $user
}
Get-WinEvent -ComputerName $DC -FilterHashtable $filter -MaxEvents 4 |
    Format-List -Property ID, TimeCreated, MachineName, Message
这条命令会从我正在查看的 DC 上取出该用户名对应的 4 条安全审计失败事件。但我一直没能在 VB.NET 中找到或重现类似的做法:最近几天我查了很多页面和文章,能把 DC 上的全部日志拉下来,却没法按用户名过滤。任何帮助或指导都非常感谢,谢谢!
我通过研究自定义事件日志视图所使用的 XPath 查询找到了答案。下面是我在 C# 中的实现,同样的思路也适用于 VB.NET。注意:用户名会被直接拼接进 XPath 字符串,请务必先校验输入,不要把未经检查的文本拼进查询。
DomainController.Text = 要查询的域控制器主机名
Username.Text = 要查找的 AD 用户名(与事件 EventData 中的 TargetUserName 字段比较)
Statustextbox = 我把所有日志输出到一个文本框里以便阅读,你也可以改用 Console.WriteLine 之类的方式输出。
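/// <summary>
/// Button handler: reads the remote DC's Security log for audit-failure events whose
/// TargetUserName equals the user name typed into the form and dumps them into
/// <c>Statustextbox</c>.
/// </summary>
/// <param name="sender">Unused WinForms event source.</param>
/// <param name="e">Unused WinForms event args.</param>
private void LookupLogs_Click(object sender, EventArgs e)
{
    Statustextbox.Clear();

    string domainController = DomainController.Text.Trim();
    string user = Username.Text.Trim();

    // The user name is spliced into an XPath string literal further down. The event log
    // XPath dialect offers no escape sequence inside a quoted literal, so a value such as
    //     x' or 1=1 or 'a'='
    // would close the literal and widen the filter to every audit-failure event on the DC,
    // and '<' or '&' would make the surrounding <QueryList> XML unparseable. Refuse such
    // input outright instead of trying to escape it.
    if (domainController.Length == 0 || user.Length == 0)
    {
        MessageBox.Show("Enter both a domain controller and a user name.");
        return;
    }
    if (user.IndexOfAny(new[] { '\'', '"', '<', '>', '&' }) >= 0)
    {
        MessageBox.Show("The user name must not contain quotes or the characters < > &.");
        return;
    }

    // Keyword 4503599627370496 (0x10000000000000) is the same keyword the equivalent
    // PowerShell query uses to select audit-failure events. The second predicate compares
    // the Data element named TargetUserName directly with the user name; writing it as two
    // separate predicates (Data[@Name='TargetUserName'] and Data='x') would match any event
    // in which *some* Data field equals x (e.g. SubjectUserName), not just the target user.
    string query =
        "<QueryList>" +
        "  <Query Id=\"0\" Path=\"Security\">" +
        "    <Select Path=\"Security\">" +
        "      *[System[band(Keywords,4503599627370496)]]" +
        "      and *[EventData[Data[@Name='TargetUserName']='" + user + "']]" +
        "    </Select>" +
        "  </Query>" +
        "</QueryList>";

    try
    {
        // Both the session and the reader wrap native handles; dispose them when done.
        using (EventLogSession session = new EventLogSession(domainController))
        {
            EventLogQuery eventQuery = new EventLogQuery("Security", PathType.LogName, query);
            eventQuery.Session = session;

            using (EventLogReader logReader = new EventLogReader(eventQuery))
            {
                DisplayEventAndLogInformation(logReader);
            }
        }
    }
    catch (Exception ex)
    {
        // NOTE(review): reading a remote Security log typically needs Event Log Readers
        // membership or equivalent rights on the DC; access-denied and RPC failures both
        // surface here. Confirm the required rights in your environment.
        MessageBox.Show("An exception occured: " + ex.Message);
    }
}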
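/// <summary>
/// Drains <paramref name="logReader"/> and appends one text section per event
/// (id, time, computer, provider, formatted description, container log) to
/// <c>Statustextbox</c>.
/// </summary>
/// <param name="logReader">An open reader positioned at the first event to display.</param>
private void DisplayEventAndLogInformation(EventLogReader logReader)
{
    EventRecord eventInstance;
    while ((eventInstance = logReader.ReadEvent()) != null)
    {
        // Each EventRecord wraps a native handle; release it once its fields are copied out.
        using (eventInstance)
        {
            Statustextbox.AppendText(Environment.NewLine + Environment.NewLine);
            Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine);
            Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine);
            Statustextbox.AppendText("Time Created: " + eventInstance.TimeCreated + Environment.NewLine);
            Statustextbox.AppendText("Computer: " + eventInstance.MachineName + Environment.NewLine);
            Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine);
            try
            {
                // FormatDescription needs the provider's message resources; when they are
                // unavailable it throws EventLogException, which is reported in place of
                // the description rather than aborting the whole dump.
                Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine);
            }
            catch (EventLogException ex)
            {
                Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine);
            }

            // Records from an EventLogReader are expected to be EventLogRecord instances;
            // guard the cast so an unexpected subtype does not throw InvalidCastException.
            EventLogRecord logRecord = eventInstance as EventLogRecord;
            string containerLog = logRecord != null ? logRecord.ContainerLog : "(unknown)";
            Statustextbox.AppendText(Environment.NewLine);
            Statustextbox.AppendText("Container Event Log: " + containerLog + Environment.NewLine);
        }
    }
}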