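/// <summary>
/// Runs an XPath event query against one log on the remote host described by
/// <paramref name="o"/> and returns the shared <c>data</c> DataSet that
/// <c>DisplayEventAndLogInformation</c> fills.
/// </summary>
/// <param name="querystring">XPath filter passed to <see cref="EventLogQuery"/>.</param>
/// <param name="o">Target host, credentials and the log name to read (<c>o.logname</c>).</param>
/// <returns>The <c>data</c> field owned by this class. When the query fails the
/// error is written to the console and <c>data</c> is returned unchanged, so callers
/// cannot tell success from failure by the return value alone.</returns>
/// <exception cref="ArgumentNullException"><paramref name="o"/> is null.</exception>
public DataSet QueryRemoteComputer(string querystring, Queryobj o)
{
    if (o == null)
    {
        throw new ArgumentNullException("o");
    }

    // The session carries the credentials to the remote host and, like the reader,
    // wraps a native handle: both are disposed deterministically instead of being
    // left to the finalizer as before.
    using (EventLogSession session = new EventLogSession(
        o.IP, o.domain, o.username, o.password, SessionAuthentication.Default))
    {
        EventLogQuery query = new EventLogQuery(o.logname, PathType.LogName, querystring);
        query.Session = session;

        try
        {
            using (EventLogReader logReader = new EventLogReader(query))
            {
                // Renders / collects the matching events into `data`.
                DisplayEventAndLogInformation(logReader);
            }
        }
        catch (EventLogException e)
        {
            Console.WriteLine("Could not query the remote computer! " + e.Message);
        }
        catch (UnauthorizedAccessException e)
        {
            // Insufficient rights on the remote log surface as this type rather than
            // as EventLogException; report it the same way instead of crashing the UI.
            Console.WriteLine("Could not query the remote computer! " + e.Message);
        }
    }

    return data;
}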
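/// <summary>
/// Clears the event log <paramref name="logname"/> on the remote host described by
/// <paramref name="o"/>, then drops the locally cached alert rows.
/// </summary>
/// <param name="logname">Name of the remote log to clear (e.g. the value used in <c>o.logname</c>).</param>
/// <param name="o">Target host and credentials.</param>
/// <param name="fname">Unused; kept so existing call sites keep compiling.</param>
/// <remarks>
/// Clearing a log is irreversible and destroys audit evidence on the target; the
/// target typically records the clear itself as an event. The local alerts table is
/// only cleared after the remote clear succeeded, so an exception leaves the cached
/// rows intact for inspection.
/// </remarks>
/// <exception cref="ArgumentNullException"><paramref name="o"/> is null.</exception>
public void ClearLog(string logname, Queryobj o, string fname = "")
{
    if (o == null)
    {
        throw new ArgumentNullException("o");
    }

    // The session wraps a native handle and is released as soon as the clear is done.
    using (EventLogSession session = new EventLogSession(
        o.IP, o.domain, o.username, o.password, SessionAuthentication.Default))
    {
        session.ClearLog(logname);
    }

    Alerts.alerts.Clear();
}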
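/// <summary>
/// Builds the dashboard form and makes sure the shared <c>Alerts.alerts</c> table has
/// the columns the event display code writes into.
/// </summary>
/// <param name="o">Connection details for the remote host, stored in <c>a</c> for later queries.</param>
/// <remarks>
/// <c>Alerts.alerts</c> is static and shared by every <c>Dash</c> instance, so each
/// column is only added when missing: <see cref="DataColumnCollection.Add(string)"/>
/// throws <see cref="DuplicateNameException"/> the second time a <c>Dash</c> is
/// constructed otherwise.
/// </remarks>
public Dash(Queryobj o)
{
    InitializeComponent();
    a = o;

    DataColumnCollection columns = Alerts.alerts.Columns;
    string[] names = { "EventID", "Level", "Time", "Task", "Operation", "XML", "Threat-Type" };
    foreach (string name in names)
    {
        if (columns.Contains(name))
        {
            continue;
        }

        DataColumn column = columns.Add(name);
        if (name == "Time")
        {
            // A second row with the same Time value is rejected by the table.
            column.Unique = true;
        }
    }
}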
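/// <summary>
/// Connect button: validates the login fields, checks that the host answers an ICMP
/// echo, then opens the dashboard with a <c>Queryobj</c> built from the fields.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
/// <remarks>
/// This form is only hidden once the dashboard is actually shown. Previously it was
/// hidden before the ping, so an unreachable host left the application with no
/// visible window.
/// </remarks>
private void button1_Click(object sender, EventArgs e)
{
    if (!DomBox.Enabled)
    {
        DomBox.Text = null;
    }

    if (string.IsNullOrWhiteSpace(UnameBox.Text)
        || string.IsNullOrWhiteSpace(PassBox.Text)
        || string.IsNullOrWhiteSpace(IPbox.Text))
    {
        MessageBox.Show("Please enter the required information");
        return;
    }

    Queryobj a = new Queryobj(UnameBox.Text, PassBox.Text, IPbox.Text, DomBox.Text);

    bool reachable;
    try
    {
        // Ping is IDisposable; release it as soon as the reply is in.
        using (Ping myPing = new Ping())
        {
            PingReply reply = myPing.Send(IPbox.Text, 1000);
            reachable = reply.Status == IPStatus.Success;
        }
    }
    catch (Exception ex)
    {
        // Ping.Send throws for an unresolvable name or a failed ICMP send; the
        // credentials are not used at this point, so the old "Invalid credentials"
        // message was misleading. This is the UI boundary, so keep the form alive.
        MessageBox.Show("Could not reach the remote machine: " + ex.Message);
        return;
    }

    if (!reachable)
    {
        MessageBox.Show("Remote Machine doesnt exist, or is not reachable. Please check, and try again");
        return;
    }

    this.Hide();
    try
    {
        new Dash(a).Show();
    }
    catch (Exception bee)
    {
        MessageBox.Show(bee.Message);
        // Bring this form back so the user is not left without a window.
        this.Show();
    }
}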
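/// <summary>
/// Collects the events this dashboard alerts on from three remote logs and returns
/// them merged into one <see cref="DataSet"/>.
/// </summary>
/// <param name="o">Target host and credentials. <c>o.logname</c> is swapped per query
/// and restored before returning, so the caller's object is left unchanged.</param>
/// <returns>The Sysmon result set with the Security and Terminal Services results
/// merged into it. A query that yields null is skipped rather than merged.</returns>
/// <exception cref="ArgumentNullException"><paramref name="o"/> is null.</exception>
/// <remarks>
/// Queried event IDs: Sysmon 11 (file create); Security 4656/4660/4663/4690 (object
/// handle requested / deleted / accessed / duplicated); TerminalServices-
/// LocalSessionManager 21/23/24/25 (session logon / logoff / disconnect / reconnect).
/// NOTE(review): QueryRemoteComputer appears to hand back the same DataSet on every
/// call; if so, the merges below merge that set with itself exactly as the original
/// code did — confirm against Log.data before relying on row counts.
/// </remarks>
public DataSet fullquery(Queryobj o)
{
    if (o == null)
    {
        throw new ArgumentNullException("o");
    }

    Log l = new Log();
    string originalLogname = o.logname;
    try
    {
        o.logname = "Microsoft-Windows-Sysmon/Operational";
        DataSet merged = l.QueryRemoteComputer("*[System[(EventID=11)]]", o) ?? new DataSet();

        o.logname = "Security";
        DataSet security = l.QueryRemoteComputer("*[System[(EventID=4663) or (EventID=4660) or (EventID=4656) or (EventID=4690)]]", o);
        if (security != null)
        {
            merged.Merge(security);
        }

        o.logname = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational";
        DataSet sessions = l.QueryRemoteComputer("*[System[(EventID=21) or (EventID=24) or (EventID=23) or (EventID=25)]]", o);
        if (sessions != null)
        {
            merged.Merge(sessions);
        }

        return merged;
    }
    finally
    {
        // Undo the per-query mutation even when a query throws.
        o.logname = originalLogname;
    }
}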