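/// <summary>
/// Exports the "Application" log of <paramref name="serverName"/> (events selected by
/// <paramref name="query"/>, with rendered message text) to <paramref name="fileName"/> inside
/// <paramref name="dirName"/>, replacing any existing file at that path.
/// </summary>
/// <param name="query">Structured XML / XPath query selecting the events to export.</param>
/// <param name="dirName">Directory that receives the export. The resolved output path must stay inside it:
/// a <paramref name="fileName"/> that escapes it (rooted, or containing "..") is rejected, because whatever
/// file sits at the output path is deleted before the export runs.</param>
/// <param name="fileName">Output file name, optionally with sub-directories relative to <paramref name="dirName"/>.</param>
/// <param name="serverName">Machine whose log is exported.</param>
/// <param name="domainName">Domain of the account used for the session.</param>
/// <param name="userName">Account used for the session.</param>
/// <param name="password">Password of that account. It is already a managed <see cref="string"/> when it
/// arrives here, so the <see cref="SecureString"/> built below only satisfies the session API; it does not
/// protect the plaintext copy the caller holds.</param>
/// <exception cref="RMSAppException">Wraps every failure: rejected path, delete error, session or export error.</exception>
public static void ExtractLog(string query, string dirName, string fileName, string serverName, string domainName, string userName, string password)
{
    try
    {
        if (password == null)
        {
            throw new ArgumentNullException(nameof(password));
        }

        // Path.Combine instead of dirName + "\" + fileName with Replace(@"\\", @"\"):
        // the old replace also collapsed the leading "\\" of a UNC directory.
        string baseDir = Path.GetFullPath(dirName)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string fileNameFullPath = Path.GetFullPath(Path.Combine(baseDir, fileName));

        // The output file is deleted below, so refuse anything that resolves outside dirName.
        // Case-insensitive: EventLogSession is Windows-only and Windows paths are case-insensitive.
        if (!fileNameFullPath.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("fileName must resolve inside dirName.", nameof(fileName));
        }

        if (File.Exists(fileNameFullPath))
        {
            File.Delete(fileNameFullPath);
        }

        using (var secureString = new SecureString())
        {
            foreach (char c in password)
            {
                secureString.AppendChar(c);
            }
            secureString.MakeReadOnly();

            // The using block disposes the session; the explicit Dispose() the original
            // called inside it was a redundant second dispose.
            using (var logSession = new EventLogSession(serverName, domainName, userName, secureString, SessionAuthentication.Default))
            {
                logSession.ExportLogAndMessages("Application", PathType.LogName, query, fileNameFullPath, true, CultureInfo.CurrentCulture);
            }
        }
    }
    catch (Exception ex)
    {
        throw new RMSAppException("ExtractLog failed. " + ex.Message, ex, false);
    }
}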
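/// <summary>
/// On a worker thread, reads account-lockout events (EventID 4740) from the ForwardedEvents log of the
/// collector "corp1042" for the last N days, N taken from <c>txtBoxDays</c>, and hands the reader to
/// <c>DisplayEventAndLogInformation</c>. <c>pBoxProgressSecH</c> is shown while the query runs and hidden
/// again on every exit path, including a failed query.
/// </summary>
/// <remarks>
/// Credentials come from <c>frmMain.domainAccountData</c> (domain, user, password) as plain strings; the
/// <see cref="SecureString"/> built here only satisfies the session API. The Days field is validated on the
/// UI thread before the worker starts; a non-positive value yields an empty window and therefore no events.
/// </remarks>
private void querySecHistoricLocalServerEvents()
{
    // Validate the Days field first so the worker is only started with a usable window.
    int nOFDaysInt;
    if (!int.TryParse(txtBoxDays.Text, out nOFDaysInt))
    {
        MessageBox.Show("Please enter only Numbers on field: Days", "Information!", MessageBoxButtons.OK, MessageBoxIcon.Information);
        return;
    }

    Thread thloadSecH = new Thread(() =>
    {
        Thread.CurrentThread.Name = "thloadSecH";

        // Window for timediff(), in milliseconds. The original always used one day and
        // ignored the parsed Days value; it is used here. Cast to long so the number is
        // emitted without a culture-specific decimal separator.
        TimeSpan span = TimeSpan.FromDays(nOFDaysInt);
        string queryString = "<QueryList>" +
            @"<Query Id = ""0"" Path = ""ForwardedEvents"">" +
            @"<Select Path = ""ForwardedEvents""> *[System[(EventID=4740) and TimeCreated[timediff(@SystemTime) <= " + (long)span.TotalMilliseconds + "]]]</Select>" +
            @"</Query>" +
            @"</QueryList>";

        try
        {
            // The password stays alive until the session is disposed; the original disposed it
            // right after constructing the session, which only works if the constructor copies it.
            using (SecureString pw = new SecureString())
            {
                foreach (char c in frmMain.domainAccountData[2])
                {
                    pw.AppendChar(c);
                }
                pw.MakeReadOnly();

                // Session and reader are disposed on every path; the original leaked the
                // session when the query threw.
                using (EventLogSession session = new EventLogSession("corp1042", frmMain.domainAccountData[0], frmMain.domainAccountData[1], pw, SessionAuthentication.Default))
                {
                    EventLogQuery query = new EventLogQuery("ForwardedEvents", PathType.LogName, queryString);
                    query.Session = session;
                    using (EventLogReader logReader = new EventLogReader(query))
                    {
                        DisplayEventAndLogInformation(logReader);
                    }
                }
            }
        }
        catch (EventLogException ex)
        {
            Console.WriteLine("Could not query the remote computer! " + ex.Message);
        }
        finally
        {
            HideProgress();
        }

        // Marshal the UI update back to the form thread. If the form went away while the
        // query ran there is nothing left to update; the original aborted the thread here.
        void HideProgress()
        {
            try
            {
                if (!IsDisposed)
                {
                    Invoke((MethodInvoker)delegate { pBoxProgressSecH.Visible = false; });
                }
            }
            catch (ObjectDisposedException)
            {
                // form closed during the query
            }
            catch (InvalidOperationException)
            {
                // window handle not available any more
            }
        }
    });

    // A UI worker must not keep the process alive after the form closes.
    thloadSecH.IsBackground = true;
    pBoxProgressSecH.Visible = true;
    thloadSecH.Start();
}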
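/// <summary>
/// Exports the local "Application" log (events selected by <paramref name="query"/>, with rendered
/// message text) to <paramref name="fileName"/> inside <paramref name="dirName"/>, replacing any
/// existing file at that path.
/// </summary>
/// <param name="query">Structured XML / XPath query selecting the events to export.</param>
/// <param name="dirName">Directory that receives the export. The resolved output path must stay inside it:
/// a <paramref name="fileName"/> that escapes it (rooted, or containing "..") is rejected, because whatever
/// file sits at the output path is deleted before the export runs.</param>
/// <param name="fileName">Output file name, optionally with sub-directories relative to <paramref name="dirName"/>.</param>
/// <exception cref="RMSAppException">Wraps every failure: rejected path, delete error, session or export error.</exception>
public static void ExtractLog(string query, string dirName, string fileName)
{
    try
    {
        // Path.Combine instead of dirName + "\" + fileName with Replace(@"\\", @"\"):
        // the old replace also collapsed the leading "\\" of a UNC directory.
        string baseDir = Path.GetFullPath(dirName)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string fileNameFullPath = Path.GetFullPath(Path.Combine(baseDir, fileName));

        // The output file is deleted below, so refuse anything that resolves outside dirName.
        // Case-insensitive: EventLogSession is Windows-only and Windows paths are case-insensitive.
        if (!fileNameFullPath.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("fileName must resolve inside dirName.", nameof(fileName));
        }

        if (File.Exists(fileNameFullPath))
        {
            File.Delete(fileNameFullPath);
        }

        // Parameterless session = local machine, current user. The using block disposes it;
        // the explicit Dispose() the original called inside it was a redundant second dispose.
        using (var logSession = new EventLogSession())
        {
            logSession.ExportLogAndMessages("Application", PathType.LogName, query, fileNameFullPath, true, CultureInfo.CurrentCulture);
        }
    }
    catch (Exception ex)
    {
        throw new RMSAppException("ExtractLog failed. " + ex.Message, ex, false);
    }
}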
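/// <summary>
/// Reads events from <paramref name="path"/> on <paramref name="machine"/>, converts each record with
/// <paramref name="onFactoryProcessFunc"/> and delivers the results to <paramref name="onPagedProcessFunc"/>
/// in pages of <paramref name="pageSize"/>. The final, possibly partial, page is delivered once the reader is
/// exhausted. Returning <c>true</c> from <paramref name="onPagedProcessFunc"/> stops reading.
/// </summary>
/// <typeparam name="TEventLogRecordWrapper">Type produced by <paramref name="onFactoryProcessFunc"/> for each record.</typeparam>
/// <param name="path">Log name or file path, interpreted according to <paramref name="pathType"/>.</param>
/// <param name="onFactoryProcessFunc">Converts each <see cref="EventLogRecord"/> into the wrapper type. It is
/// invoked for every record even when no page consumer is supplied.</param>
/// <param name="queryString">Optional event filter; when null/blank every record in <paramref name="path"/> is read.</param>
/// <param name="onPagedProcessFunc">Receives (page number starting at 1, page contents). The same list instance is
/// reused and cleared after each call, so a consumer must copy entries it wants to keep. May be null.</param>
/// <param name="pageSize">Records per page; must be positive.</param>
/// <param name="machine">Machine to read from; "." is the local machine.</param>
/// <param name="pathType">Whether <paramref name="path"/> names a log or a file.</param>
/// <param name="domain">Domain of the account used for the session.</param>
/// <param name="user">Account used for the session; null means the current user.</param>
/// <param name="password">Password of that account, as a plain managed string (it cannot be scrubbed here).</param>
/// <param name="logOnType">Authentication mechanism for the remote session.</param>
/// <exception cref="ArgumentNullException"><paramref name="onFactoryProcessFunc"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="pageSize"/> is not positive. The original code
/// reached a NullReferenceException or DivideByZeroException for these values instead.</exception>
/// <remarks>
/// If <c>TryGetEventLogSession</c> cannot establish a session nothing is read and the method returns silently,
/// as before. Event records are not disposed here because the wrapper returned by the factory may keep a
/// reference to them — confirm against the wrapper type before changing that.
/// </remarks>
public static void Query<TEventLogRecordWrapper>(
    string path,
    Func<EventLogRecord, TEventLogRecordWrapper> onFactoryProcessFunc,
    string queryString = null,
    Func<int, List<TEventLogRecordWrapper>, bool> onPagedProcessFunc = null,
    int pageSize = 100,
    string machine = ".",
    PathType pathType = PathType.LogName,
    string domain = ".",
    string user = null,
    string password = null,
    SessionAuthentication logOnType = SessionAuthentication.Default)
{
    if (onFactoryProcessFunc == null)
    {
        throw new ArgumentNullException(nameof(onFactoryProcessFunc));
    }
    if (pageSize <= 0)
    {
        throw new ArgumentOutOfRangeException(nameof(pageSize), pageSize, "pageSize must be positive.");
    }

    EventLogQuery query = IsNullOrEmptyOrWhiteSpace(queryString)
        ? new EventLogQuery(path, pathType)
        : new EventLogQuery(path, pathType, queryString);

    EventLogSession eventLogSession = null;
    try
    {
        if (!TryGetEventLogSession(machine, domain, user, password, out eventLogSession, logOnType))
        {
            return;
        }
        query.Session = eventLogSession;

        using (var reader = new EventLogReader(query))
        {
            var entries = new List<TEventLogRecordWrapper>(pageSize);
            int page = 1;
            EventRecord eventRecord;
            while ((eventRecord = reader.ReadEvent()) != null)
            {
                entries.Add(onFactoryProcessFunc((EventLogRecord)eventRecord));
                if (entries.Count < pageSize)
                {
                    continue;
                }

                if (onPagedProcessFunc == null)
                {
                    // No consumer: drop the page rather than accumulating every record
                    // until the reader is exhausted, which is what the original did.
                    entries.Clear();
                    continue;
                }

                bool stop = onPagedProcessFunc(page, entries);
                entries.Clear();
                if (stop)
                {
                    break;
                }
                page++;
            }

            // Partial last page. After an early stop the list is already empty, so nothing is re-delivered.
            if (entries.Count > 0 && onPagedProcessFunc != null)
            {
                onPagedProcessFunc(page, entries);
                entries.Clear();
            }
        }
    }
    finally
    {
        if (eventLogSession != null)
        {
            eventLogSession.Dispose();
        }
    }
}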