有没有一种方法可以跨不同语言标准化 Windows 事件日志查询?
is there a way of standardizing Windows event log queries across different languages?
我有一些 C# 代码似乎可以很好地监视 Windows 事件 4624,并计划在 Windows 服务中使用它以在用户成功登录系统时提供通知。然而,该代码可能会在非英语计算机上使用,我假设我的代码在它们上不会达到预期的结果。我进行了一些搜索,但在我看来似乎没有一种简单的方法可以用多种语言监视此事件。这里有一个例子,这里还有另一个,都是我找到的。
也许最简单的解决方案是针对不同的语言系统使用不同版本的程序,或者内置可以检测语言并采取相应行动的逻辑,但这两种选择对我来说似乎都很笨拙。
是否有一些标准化的方法来收集我缺少的这些信息?
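/// <summary>
/// Subscribes to Security-log event 4624 (successful logon) and keeps the
/// subscription alive until <paramref name="cancellationToken"/> is signalled.
/// Every matching record is delivered to <see cref="EventLogEventRead4624"/>.
/// </summary>
/// <param name="cancellationToken">
/// Requests shutdown of the subscription. With the default token the method never
/// completes, which matches the original "loop forever" behaviour.
/// </param>
/// <returns>A task that completes once the watcher has been stopped and disposed.</returns>
public static async Task subscribe4624(
    System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken))
{
    EventLogWatcher watcher4624 = null;
    try
    {
        // The filter matches on the numeric EventID, which is identical on every
        // Windows locale; nothing in this query depends on localized message text.
        EventLogQuery subscriptionQuery4624 = new EventLogQuery(
            "Security", PathType.LogName, "*[System/EventID=4624]");
        watcher4624 = new EventLogWatcher(subscriptionQuery4624);

        // Hand each written record to the callback.
        watcher4624.EventRecordWritten += EventLogEventRead4624;

        // Activate the subscription.
        watcher4624.Enabled = true;

        // Callbacks arrive on thread-pool threads, so there is nothing to poll:
        // wait without pinning a thread until shutdown is requested.
        await Task.Delay(System.Threading.Timeout.Infinite, cancellationToken)
            .ConfigureAwait(false);
    }
    catch (OperationCanceledException)
    {
        // Normal shutdown; fall through to the cleanup below.
    }
    catch (EventLogReadingException e)
    {
        // The original concatenated a "{0}" placeholder, which was printed literally.
        log.Info("Error reading the log: " + e.Message);
    }
    finally
    {
        // Null when the query or watcher constructor threw: the original set
        // Enabled before the null check and would have thrown NullReferenceException.
        if (watcher4624 != null)
        {
            // Stop listening before releasing the watcher.
            watcher4624.Enabled = false;
            watcher4624.Dispose();
        }
    }
}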
// Callback method that gets executed when an event is
// reported to the subscription.
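/// <summary>
/// Callback for <see cref="EventLogWatcher.EventRecordWritten"/>: pulls a handful of
/// fields out of a 4624 record and logs them when the logon was interactive.
/// </summary>
/// <param name="obj">The watcher that raised the event (unused).</param>
/// <param name="arg">Carries either the record or the exception that prevented reading it.</param>
public static void EventLogEventRead4624(object obj,
    EventRecordWrittenEventArgs arg)
{
    // A null record means the watcher could not read the event; the cause, if any,
    // is in EventException.
    if (arg.EventRecord == null)
    {
        log.Info("The event instance was null."
            + (arg.EventException != null ? " " + arg.EventException.Message : ""));
        return;
    }

    // The record wraps a native handle; release it when this callback is done.
    using (EventRecord record = arg.EventRecord)
    {
        // XPath selectors for the fields we want. The Data/@Name attributes are
        // schema identifiers and stay English on every locale; only some *values*
        // are localized (e.g. TargetDomainName "NT-AUTORITÄT" on a German system,
        // and the %%nnnn message-table references).
        String[] xPathRefs = new String[5];
        xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
        xPathRefs[1] = "Event/System/Computer";
        xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
        // Was "TargetDomain", which is not a field of 4624 (see the sample XML) and
        // therefore always selected null.
        xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
        xPathRefs[4] = "Event/EventData/Data[@Name=\"LogonType\"]";

        IList<object> logEventProps;
        try
        {
            using (EventLogPropertySelector logPropertyContext =
                new EventLogPropertySelector(xPathRefs))
            {
                logEventProps = ((EventLogRecord)record).GetPropertyValues(logPropertyContext);
            }
        }
        catch (Exception ex)
        {
            // The original logged here and then went on to use a null selector.
            log.Info(ex.Message);
            return;
        }

        // LogonType is a numeric code and thus locale-independent; compare on it,
        // never on localized strings such as the domain name or FormatDescription().
        // 2 = Interactive (console). Other successful logons (remote desktop, unlock,
        // service, ...) carry different codes and are deliberately not reported here.
        // Convert.ToString tolerates a null property where ToString() would throw.
        if (Convert.ToString(logEventProps[4]) != "2")
        {
            return;
        }

        string[] lines =
        {
            "Time: " + logEventProps[0],
            "Computer: " + logEventProps[1],
            "TargetUserName: " + logEventProps[2],
            "TargetDomainName: " + logEventProps[3],
            "LogonType: " + logEventProps[4],
            "---------------------------------------",
        };

        // Same text goes to the logger and to the console, exactly as before.
        foreach (string line in lines)
        {
            log.Info(line);
            Console.WriteLine(line);
        }
        // FormatDescription() yields the localized message text, so it is left out
        // of the machine-readable output:
        //log.Info("Description: "+ record.FormatDescription());
    }
}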
这是来自我的计算机(操作系统语言为德语)的消息 4621 的XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2022-02-14T12:10:32.8804196Z" />
<EventRecordID>706697</EventRecordID>
<Correlation ActivityID="{9d82cb76-0e04-0002-21cc-829d040ed801}" />
<Execution ProcessID="1180" ThreadID="58872" />
<Channel>Security</Channel>
<Computer>DESKTOP-Win10</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-WIN10$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT-AUTORITÄT</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x480</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
所以实体名称仍然是英文,但有些值不是。
我有一些 C# 代码似乎可以很好地监视 Windows 事件 4624,并计划在 Windows 服务中使用它以在用户成功登录系统时提供通知。然而,该代码可能会在非英语计算机上使用,我假设我的代码在它们上不会达到预期的结果。我进行了一些搜索,但在我看来似乎没有一种简单的方法可以用多种语言监视此事件。这里有一个例子,这里还有另一个,都是我找到的。
也许最简单的解决方案是针对不同的语言系统使用不同版本的程序,或者内置可以检测语言并采取相应行动的逻辑,但这两种选择对我来说似乎都很笨拙。
是否有一些标准化的方法来收集我缺少的这些信息?
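/// <summary>
/// Subscribes to Security-log event 4624 (successful logon) and keeps the
/// subscription alive until <paramref name="cancellationToken"/> is signalled.
/// Every matching record is delivered to <see cref="EventLogEventRead4624"/>.
/// </summary>
/// <param name="cancellationToken">
/// Requests shutdown of the subscription. With the default token the method never
/// completes, which matches the original "loop forever" behaviour.
/// </param>
/// <returns>A task that completes once the watcher has been stopped and disposed.</returns>
public static async Task subscribe4624(
    System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken))
{
    EventLogWatcher watcher4624 = null;
    try
    {
        // The filter matches on the numeric EventID, which is identical on every
        // Windows locale; nothing in this query depends on localized message text.
        EventLogQuery subscriptionQuery4624 = new EventLogQuery(
            "Security", PathType.LogName, "*[System/EventID=4624]");
        watcher4624 = new EventLogWatcher(subscriptionQuery4624);

        // Hand each written record to the callback.
        watcher4624.EventRecordWritten += EventLogEventRead4624;

        // Activate the subscription.
        watcher4624.Enabled = true;

        // Callbacks arrive on thread-pool threads, so there is nothing to poll:
        // wait without pinning a thread until shutdown is requested.
        await Task.Delay(System.Threading.Timeout.Infinite, cancellationToken)
            .ConfigureAwait(false);
    }
    catch (OperationCanceledException)
    {
        // Normal shutdown; fall through to the cleanup below.
    }
    catch (EventLogReadingException e)
    {
        // The original concatenated a "{0}" placeholder, which was printed literally.
        log.Info("Error reading the log: " + e.Message);
    }
    finally
    {
        // Null when the query or watcher constructor threw: the original set
        // Enabled before the null check and would have thrown NullReferenceException.
        if (watcher4624 != null)
        {
            // Stop listening before releasing the watcher.
            watcher4624.Enabled = false;
            watcher4624.Dispose();
        }
    }
}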
// Callback method that gets executed when an event is
// reported to the subscription.
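/// <summary>
/// Callback for <see cref="EventLogWatcher.EventRecordWritten"/>: pulls a handful of
/// fields out of a 4624 record and logs them when the logon was interactive.
/// </summary>
/// <param name="obj">The watcher that raised the event (unused).</param>
/// <param name="arg">Carries either the record or the exception that prevented reading it.</param>
public static void EventLogEventRead4624(object obj,
    EventRecordWrittenEventArgs arg)
{
    // A null record means the watcher could not read the event; the cause, if any,
    // is in EventException.
    if (arg.EventRecord == null)
    {
        log.Info("The event instance was null."
            + (arg.EventException != null ? " " + arg.EventException.Message : ""));
        return;
    }

    // The record wraps a native handle; release it when this callback is done.
    using (EventRecord record = arg.EventRecord)
    {
        // XPath selectors for the fields we want. The Data/@Name attributes are
        // schema identifiers and stay English on every locale; only some *values*
        // are localized (e.g. TargetDomainName "NT-AUTORITÄT" on a German system,
        // and the %%nnnn message-table references).
        String[] xPathRefs = new String[5];
        xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
        xPathRefs[1] = "Event/System/Computer";
        xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
        // Was "TargetDomain", which is not a field of 4624 (see the sample XML) and
        // therefore always selected null.
        xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
        xPathRefs[4] = "Event/EventData/Data[@Name=\"LogonType\"]";

        IList<object> logEventProps;
        try
        {
            using (EventLogPropertySelector logPropertyContext =
                new EventLogPropertySelector(xPathRefs))
            {
                logEventProps = ((EventLogRecord)record).GetPropertyValues(logPropertyContext);
            }
        }
        catch (Exception ex)
        {
            // The original logged here and then went on to use a null selector.
            log.Info(ex.Message);
            return;
        }

        // LogonType is a numeric code and thus locale-independent; compare on it,
        // never on localized strings such as the domain name or FormatDescription().
        // 2 = Interactive (console). Other successful logons (remote desktop, unlock,
        // service, ...) carry different codes and are deliberately not reported here.
        // Convert.ToString tolerates a null property where ToString() would throw.
        if (Convert.ToString(logEventProps[4]) != "2")
        {
            return;
        }

        string[] lines =
        {
            "Time: " + logEventProps[0],
            "Computer: " + logEventProps[1],
            "TargetUserName: " + logEventProps[2],
            "TargetDomainName: " + logEventProps[3],
            "LogonType: " + logEventProps[4],
            "---------------------------------------",
        };

        // Same text goes to the logger and to the console, exactly as before.
        foreach (string line in lines)
        {
            log.Info(line);
            Console.WriteLine(line);
        }
        // FormatDescription() yields the localized message text, so it is left out
        // of the machine-readable output:
        //log.Info("Description: "+ record.FormatDescription());
    }
}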
这是来自我的计算机(操作系统语言为德语)的消息 4621 的XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2022-02-14T12:10:32.8804196Z" />
<EventRecordID>706697</EventRecordID>
<Correlation ActivityID="{9d82cb76-0e04-0002-21cc-829d040ed801}" />
<Execution ProcessID="1180" ThreadID="58872" />
<Channel>Security</Channel>
<Computer>DESKTOP-Win10</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-WIN10$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-18</Data>
<Data Name="TargetUserName">SYSTEM</Data>
<Data Name="TargetDomainName">NT-AUTORITÄT</Data>
<Data Name="TargetLogonId">0x3e7</Data>
<Data Name="LogonType">5</Data>
<Data Name="LogonProcessName">Advapi</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x480</Data>
<Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
所以实体名称仍然是英文,但有些值不是。