通过查看自定义日志查询所使用的 XPath,我找到了答案。下面是我在 C# 中的实现,同样的做法也可以用于 VB。其中:DomainController.Text = 要查询的域控制器;Username.Text = 要查找的 AD 用户名;Statustextbox = 我把所有日志都输出到这个文本框以便阅读,您也可以改用类似 Console.WriteLine 的方式输出。
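/// <summary>
/// Click handler: queries the Security log of the machine named in
/// <c>DomainController.Text</c> for events whose keyword mask matches
/// 4503599627370496 and whose <c>TargetUserName</c> equals <c>Username.Text</c>,
/// then writes every hit to <c>Statustextbox</c>.
/// </summary>
/// <param name="sender">Control that raised the click (unused).</param>
/// <param name="e">Event arguments (unused).</param>
private void LookupLogs_Click(object sender, EventArgs e)
{
    Statustextbox.Clear();

    // The user name ends up inside a single-quoted XPath literal that is itself
    // embedded in XML. A quote or an XML metacharacter in the input would change
    // the filter (or break the document), so such input is refused up front
    // instead of being concatenated into the query.
    string userName = (Username.Text ?? string.Empty).Trim();
    if (!IsSafeForXPathLiteral(userName))
    {
        MessageBox.Show("The user name is empty or contains characters that are not allowed (' \" < > &).");
        return;
    }

    // 4503599627370496 == 0x10000000000000, the standard "Audit Failure" keyword,
    // so only failed-audit records for the given account are selected.
    string query =
        "<QueryList>" +
        " <Query Id=\"0\" Path=\"Security\">" +
        " <Select Path=\"Security\">" +
        " *[System[band(Keywords,4503599627370496)]] and *[EventData[Data[@Name='TargetUserName'] and (Data='" + userName + "')]]" +
        " </Select>" +
        " </Query>" +
        "</QueryList>";

    try
    {
        // This constructor overload takes only the server name, so the remote
        // Security log is read with the credentials of the account running the tool.
        // Session and reader hold native handles and are released deterministically.
        using (EventLogSession session = new EventLogSession(DomainController.Text))
        {
            EventLogQuery evntquery = new EventLogQuery("Security", PathType.LogName, query);
            evntquery.Session = session;

            using (EventLogReader logreader = new EventLogReader(evntquery))
            {
                DisplayEventAndLogInformation(logreader);
            }
        }
    }
    catch (Exception ex)
    {
        // Best-effort UI tool: report the failure (unreachable host, access denied,
        // malformed query, ...) rather than letting it escape the event handler.
        MessageBox.Show("An exception occured: " + ex.Message);
    }
}

/// <summary>
/// Returns true when <paramref name="value"/> can be placed inside the
/// single-quoted XPath literal of the event query without altering it.
/// </summary>
/// <param name="value">Candidate user name, already trimmed.</param>
/// <returns>
/// False for null, empty or whitespace-only input and for input containing a
/// quote character or one of the XML metacharacters &lt;, &gt;, &amp;.
/// </returns>
private static bool IsSafeForXPathLiteral(string value)
{
    if (string.IsNullOrWhiteSpace(value))
    {
        return false;
    }

    // Rejected rather than escaped: an XML entity such as &apos; is decoded before
    // the XPath is evaluated, so entity-encoding a quote would not neutralise it.
    return value.IndexOfAny(new char[] { '\'', '"', '<', '>', '&' }) < 0;
}

/// <summary>
/// Reads every record from <paramref name="logReader"/> and appends its id,
/// provider name, formatted description and containing log to <c>Statustextbox</c>.
/// </summary>
/// <param name="logReader">Reader positioned at the start of the query results.</param>
private void DisplayEventAndLogInformation(EventLogReader logReader)
{
    EventRecord eventInstance;
    while ((eventInstance = logReader.ReadEvent()) != null)
    {
        // Each record wraps a native event handle; dispose it once it has been shown.
        using (eventInstance)
        {
            Statustextbox.AppendText(Environment.NewLine + Environment.NewLine);
            Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine);
            Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine);
            Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine);

            try
            {
                Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine);
            }
            catch (EventLogException ex)
            {
                // Formatting can fail independently of reading the record;
                // show the error text and continue with the remaining fields.
                Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine);
            }

            Statustextbox.AppendText(Environment.NewLine);

            // ContainerLog is declared on EventLogRecord, not on the EventRecord base type.
            EventLogRecord logRecord = eventInstance as EventLogRecord;
            if (logRecord != null)
            {
                Statustextbox.AppendText("Container Event Log: " + logRecord.ContainerLog + Environment.NewLine);
            }
        }
    }
}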