注册
登录
安全审计
VB / C#通过查看EventData中的用户名从域控制器查询事件日志
返回
VB / C#通过查看EventData中的用户名从域控制器查询事件日志
作者:
溪林
发布时间:
2024-06-12 04:04:29 (1月前)
转自:
<div class =“excerpt”> 我试图拥有包含用户名的特定事件日志 <span class =“result-highlight”> 安全 </跨度> <span class =“result-highlight”> 审计 </跨度> 来自DC的故障,在PowerShell中,我可以通过以下方式轻松完成此操作: 变量将在何处-List -Property ID,TimeCreated,MachineName,Message 这将拉出4个事件日志 <span class =“result-highlight”> 安全 </跨度> <span class =“result-highlight”> 审计 </跨度> 我正在看DC的人的用户名失败,但是我无法 </DIV>
收藏
举报
2 条回复
0#
回复此人
扬尘
|
2019-08-31 10-32
<div class =“post-text”itemprop =“text”> <P> 通过使用xpath查看自定义日志查询,我能够找到答案,我在C#中执行了以下操作,但同样可以在VB中应用, <BR/> Domaincontroller.text =您查找的域控制器: <BR/> Username.text =要查找的AD用户名 <BR/> Statustextbox =我将所有日志都转到文本框进行阅读,但您可以执行类似console.writeline的操作 </p> <pre> <code> private void LookupLogs_Click(object sender, EventArgs e) { Statustextbox.Clear(); string query = "<QueryList>" + " <Query Id=\"0\" Path=\"Security\">" + " <Select Path=\"Security\">" + " *[System[band(Keywords,4503599627370496)]] and *[EventData[Data[@Name='TargetUserName'] and (Data='" + Username.Text + "')]]" + " </Select>" + " </Query>" + "</QueryList>"; EventLogSession session = new EventLogSession(DomainController.Text); EventLogQuery evntquery = new EventLogQuery("Security", PathType.LogName, query); evntquery.Session = session; try { EventLogReader logreader = new EventLogReader(evntquery); DisplayEventAndLogInformation(logreader); } catch (Exception ex) { MessageBox.Show("An exception occured: " + ex.Message); } } private void DisplayEventAndLogInformation(EventLogReader logReader) { for (EventRecord eventInstance = logReader.ReadEvent(); null != eventInstance; eventInstance = logReader.ReadEvent()) { Statustextbox.AppendText(Environment.NewLine + Environment.NewLine); Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine); Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine); Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine); try { Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine); } catch (EventLogException ex) { Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine); } EventLogRecord logRecord = (EventLogRecord)eventInstance; Statustextbox.AppendText(Environment.NewLine); Statustextbox.AppendText("Container Event Log: " + logRecord.ContainerLog + Environment.NewLine); } } </code> </pre> </DIV>
编辑
登录
后才能参与评论
