如何连接到 C# 程序中的特定嵌套事件日志?

How to connect to a specific nested event log in a C# program?

提问人:TWB503 提问时间:10/14/2023 更新时间:10/14/2023 访问量:59

问:

我正在编写一个 C# 程序,该程序会查看 Windows 事件日志中的远程桌面登录尝试,然后使用时间、IP 地址、用户名和域的 csv 报告登录。我可以通过事件 4625 上的“安全”日志成功读取失败的登录尝试,但我希望它能够读取成功的登录尝试,这些尝试在“应用程序和服务日志 -> Microsoft -> Windows -> terminalservices-remoteconnectionmanager -> Operational”下记录为事件 1149。我尝试转到事件查看器以获取“Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational”的名称,但它说找不到日志。这是我用来检查的函数:

using System.Diagnostics.Eventing.Reader;
(...)

private void CheckEventLog()
{
    if (exportPath == null)
    {
        // Program exports result as a CSV file, this shows an error if an export path is not specified
        DialogResult errorBox = MessageBox.Show("Please input an export path.", "Export error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }
    if (compInput.Text == "")
    {
        // For connecting to another computers logs; commented out because not working
        // Normally this selects the executing computers name if nothing is inputted
        // comp = Convert.ToString(System.Environment.MachineName);
    }
    else
    {
        comp = Convert.ToString(System.Environment.MachineName); // Same as above, but moved here so it always runs while the net function is disabled
        // comp = compInput.ToString(); // This takes the computer name input from the box (if we were using that function)
        username = usrImp.ToString();
        password = pasImp.ToString();
        SecureString securePassword = new SecureString();
        // ^^ those 3 lines are also for if using net
        foreach (char c in password)
        {
            securePassword.AppendChar(c);
        }
        // Normally there would be a } here, but since net is disabled AND there's warning text in compInput, we need the whole function to operate in the else statement
        // Time to connect to the event log...
        EventLogSession session = new EventLogSession(
            comp, // On <- this computer (while net is disabled, on local computer)
            username, // With this username
            null, // On this domain (disabled)
            securePassword, // With this password
            SessionAuthentication.Default);
    }
    string FilePath = Convert.ToString(exportPath.Text);
    // Creating the header for the CSV output
    string csvHeader = "Date/Time,IP Address,Account Name,Account Domain";
    var csv = new StringBuilder();
    csv.AppendLine(csvHeader);
    // Check the event log, logChoice is the input of the log input TextBox (My two examples are 'Security' [working] and 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' [not working])
    EventLog eventLog = new EventLog(logChoice, comp);
    try
    {
        foreach (EventLogEntry entry in eventLog.Entries) // For each entry in the event log, check to see if the event number matches the one we're searching for 
        {
            if (entry.InstanceId.ToString() == eventChoice)
            {
                // Console lines commented out, ready for use when debugging
                // Console.WriteLine($"Event ID: {entry.InstanceId}");
                // Console.WriteLine($"Time: {entry.TimeGenerated}");
                DateTime Time = Convert.ToDateTime(entry.TimeGenerated);
                // Console.WriteLine(Time);
                // Console.WriteLine($"Message: {entry.Message}");
                string message = entry.Message;
                string ip = GetIP(message); // GetIP is a regex function to get extract an IP address from the event
                // Console.WriteLine(ip);
                string acc = GetAcc(message); // GetAcc is another regex function to get the account name attempting to log in 
                // Console.WriteLine(acc);
                string domain = GetDomain(message); // Same as other two but for domain
                // Console.WriteLine(domain);
                string csvOutput = Time + "," + ip + "," + acc + "," + domain; // Formats the time, ip, account, and domain into a CSV string
                Console.WriteLine(csvOutput);
                csv.AppendLine(csvOutput.ToString());
            }
        }
        eventLog.Close();
        File.WriteAllText(FilePath, csv.ToString()); // Write out the csv file
        csvOUT = csv.ToString();
    }
    // Error handling
    catch (IOException ex)
    {
        DialogResult result = MessageBox.Show($"Error: {ex.Message}", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
    catch (InvalidOperationException IO)
    {
        DialogResult result = MessageBox.Show($"Error: {IO.Message}", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
    return;
}

这恰恰是错误:A screenshot of my error

我尝试删除“/operational”,用斜杠替换破折号,反之亦然,添加“应用程序和服务”等。

提前致谢。:)

C# WinForms 事件日志 RDP

评论

0赞 Jimi 10/14/2023
该类仅对系统事件有用。您要求擅自闯入 ETW 领土:)它不能那样做。您需要 EventLogQuery 类(这是您在那里未使用的原因吗?另请参见如何:查询事件。这不是一件奇特的事情吗?-- 您可以直接使用 WMI(不完全是匹配的示例 - 不同的日志类 - 这里EventLogSession)
0赞 Jimi 10/14/2023
这里有一个非常相似的问题:使用 C# 访问应用程序和服务日志

答: 暂无答案

上一个:如何创建有效的 URL 以在 swift 中打开 RDP (Microsoft)

下一个:强制此过程在 Windows Server 2016 上运行