Re: Is there a way to query Security Event Log with Filter in C#?




The odd thing is that it works when I change the logfile = 'Application'.
With Security it retrieves 0 entries. Why is that so? I did verify that I
have over 55k entries in the Security log in Event Viewer.


--
Thanks.


"Pucca" wrote:

Thanks Peter. I tried it in my code but it's just exiting when it reaches the
statement mos.get(). Can you see what's wrong here? Also, where can I look
up the syntax format and the property names for the Security log? Thanks.

// Needs a reference to System.Management.dll plus:
// using System.Management; using System.Windows.Forms;
private void GetLog()
{
    // WMI expects DMTF timestamps: yyyymmddHHMMSS.mmmmmm+UUU
    //string SomeDateTime = "20060101000000.000000+000";
    //string Query = String.Format("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND TimeGenerated > '{0}'", SomeDateTime);
    string Query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'";

    object o;
    try
    {
        ManagementObjectSearcher mos = new ManagementObjectSearcher(Query);
        // Enumerating mos.Get() runs the WQL query; each ManagementObject is one event record
        foreach (ManagementObject mo in mos.Get())
        {
            foreach (PropertyData pd in mo.Properties)
            {
                o = mo[pd.Name];
                if (o != null)
                {
                    //Console.WriteLine(String.Format("{0}: {1}", pd.Name, mo[pd.Name].ToString()));
                }
            }
        }
        mos.Dispose();
    }
    catch (Exception e)
    {
        MessageBox.Show(e.Message);
    }
}
--
Thanks.


"Petar Repac" wrote:

Hi !

You can try WMI query for this.
Example that filters event log by LogFile and TimeGenerated.

using System;
using System.Collections.Generic;
using System.Text;
using System.Management;   // reference System.Management.dll

namespace QueryEventLog {

    class Program {
        static void Main(string[] args) {
            // DMTF timestamp: 1 Jan 2007 00:00:00 UTC
            string SomeDateTime = "20070101000000.000000+000";
            // Filtering happens inside WMI, so only matching records are returned
            string Query = String.Format("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND TimeGenerated > '{0}'", SomeDateTime);
            ManagementObjectSearcher mos = new ManagementObjectSearcher(Query);
            object o;

            foreach (ManagementObject mo in mos.Get()) {

                Console.WriteLine("///////////////////////////////////////////////////////////////////////////");
                // Dump every non-null property of the event record
                foreach (PropertyData pd in mo.Properties) {
                    o = mo[pd.Name];
                    if (o != null) {
                        Console.WriteLine(String.Format("{0}: {1}", pd.Name, mo[pd.Name].ToString()));
                    }
                }
            }

            Console.ReadLine();
        }
    }
}

Hope it helps.

Petar Repac
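Added example (not code from either poster): the same WQL filter run against the Security log, with EnablePrivileges set on the WMI connection. Reading the Security log requires the "Manage auditing and security log" privilege (SeSecurityPrivilege), which WMI only enables for the connection when asked; without it the query returns no rows for Logfile = 'Security' even when the caller is an administrator. The ManagementDateTimeConverter call builds the DMTF timestamp the thread types by hand; the code assumes a reference to System.Management.dll.

```csharp
using System;
using System.Management;

// Added example, not from the thread: query the Security log through WMI
// with the caller's SeSecurityPrivilege enabled on the connection.
class SecurityLogQuery
{
    static void Main()
    {
        // Filter inside WMI rather than in C#: only events newer than 'since' come back.
        DateTime since = DateTime.Now.AddDays(-1);
        string dmtf = ManagementDateTimeConverter.ToDmtfDateTime(since);

        // EnablePrivileges asks WMI to enable privileges the caller already holds
        // (here "Manage auditing and security log") for this connection.
        // Without it the Security log query silently yields zero rows.
        ConnectionOptions options = new ConnectionOptions();
        options.EnablePrivileges = true;

        ManagementScope scope = new ManagementScope(@"\\.\root\cimv2", options);
        scope.Connect();

        string wql = String.Format(
            "SELECT RecordNumber, TimeGenerated, EventCode, SourceName, Message " +
            "FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND TimeGenerated > '{0}'",
            dmtf);

        using (ManagementObjectSearcher mos =
               new ManagementObjectSearcher(scope, new ObjectQuery(wql)))
        {
            int count = 0;
            foreach (ManagementObject mo in mos.Get())
            {
                count++;
                // TimeGenerated is a DMTF string; convert it back to a DateTime for display
                DateTime when = ManagementDateTimeConverter.ToDateTime(mo["TimeGenerated"].ToString());
                Console.WriteLine("{0} {1} {2} {3}",
                    mo["RecordNumber"], when, mo["EventCode"], mo["SourceName"]);
            }
            Console.WriteLine("{0} Security events since {1}", count, since);
        }
    }
}
```

If the count is still zero, check whether the account actually holds the privilege (Local Security Policy, User Rights Assignment) before looking at the query itself.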



Pucca wrote:
Thank you Jani. I'm already using the EventLog class and processing each log
entry and filtering them in my C# code (vs2005, .net2.0) and then placing the
filtered / qualified rows into a dataset table.

The problem is this is taking a long time. It's taking 45 seconds just to
read about 45k entries (I get the entry collection then use a log entry
variable to read each one). Is there any way to improve this?
