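/// <summary>
/// Reads the event log file located at the given path and returns its events as log entries.
/// </summary>
/// <param name="pathToLog">File path of the exported event log (.evtx) to read.</param>
/// <returns>The events found in the file, in the order the reader returned them.</returns>
/// <exception cref="FileNotFoundException">
/// Thrown when the file yields no events at all. The exception type is kept from the original
/// so existing callers that catch it keep working.
/// </exception>
private List<LogEvent> ReadLogFromFile(string pathToLog)
{
    var logEntries = new List<LogEvent>();
    using (var reader = new EventLogReader(pathToLog, PathType.FilePath))
    {
        EventRecord record;
        while ((record = reader.ReadEvent()) != null)
        {
            // Adding the record as a log entry is what loads the description etc.
            logEntries.Add(record);
        }
    }

    // The "no events" check used to live in a finally block inside the loop, where it could
    // never fire for an empty file (the loop body does not run) and would have masked any
    // exception thrown by Add(). Check once, after the whole file has been read.
    if (logEntries.Count == 0)
    {
        throw new FileNotFoundException("Unable to parse any events from the specified file.");
    }
    return logEntries;
}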
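/// <summary>
/// Counts down the pending entry count of <paramref name="name"/> in <c>log_names_</c> by reading
/// every event of that log (locally, or on <c>remote_machine_name_</c> when set), then marks the
/// log as fully read by negating the count (0 becomes <c>int.MinValue</c>).
/// </summary>
/// <param name="name">Name of the event log channel to read.</param>
private void check_log(string name)
{
    try
    {
        EventLogSession session = null;
        if (remote_machine_name_ != "")
        {
            // The SecureString only lives for the session constructor; it is disposed right after,
            // following the same pattern used elsewhere in this file.
            using (var pwd = new SecureString())
            {
                foreach (char c in remote_passw_)
                {
                    pwd.AppendChar(c);
                }
                session = new EventLogSession(remote_machine_name_, remote_domain_, remote_username_, pwd, SessionAuthentication.Default);
            }
        }

        // The session is disposed with the reader; previously it was created but never attached to
        // the query, so the read silently ran against the local machine instead of the remote one.
        using (session)
        {
            const string query_string = "*";
            var query = new EventLogQuery(name, PathType.LogName, query_string);
            if (session != null)
            {
                query.Session = session;
            }
            using (var reader = new EventLogReader(query))
            {
                for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                {
                    using (rec)
                    {
                        lock (this) // same lock target as the rest of this class
                        {
                            --log_names_[name];
                        }
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        logger.Error("error checking log " + name + " on " + remote_machine_name_ + " : " + e.Message);
    }

    // mark log as fully read
    lock (this)
    {
        log_names_[name] = -log_names_[name];
        if (log_names_[name] == 0)
        {
            // convention - 0 entries
            log_names_[name] = int.MinValue;
        }
    }
}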
/// <summary>
/// Lazily enumerates the records of an exported event log file.
/// </summary>
/// <param name="logFile">Path to the .evtx file.</param>
/// <param name="reduceReaderBatchSize">
/// When true the reader fetches one event per batch. The default batch of 64 events fails with
/// "Array bounds are invalid" once a single event exceeds the acceptable size; a batch of one is
/// slower but keeps such a log readable instead of treating it as corrupt.
/// </param>
/// <returns>The records in reader order; the reader stays open until enumeration completes.</returns>
private static IEnumerable<EventLogRecord> ReadFile(string logFile, bool reduceReaderBatchSize = false)
{
    long eventCount = 0; // for debugging
    using (var reader = new EventLogReader(logFile, PathType.FilePath))
    {
        if (reduceReaderBatchSize)
        {
            reader.BatchSize = 1;
        }

        while (true)
        {
            EventRecord next = reader.ReadEvent();
            if (next is EventLogRecord record)
            {
                eventCount++;
                yield return record;
                continue;
            }
            // null (end of file) or a record that is not an EventLogRecord ends the sequence.
            yield break;
        }
    }
}
/// <summary>
/// Wires up the event-log subscription and, when the SFTP log file and users file are both
/// configured and present, the file-based log tailing as well.
/// </summary>
private void SetupWatcher()
{
    // Event log side: one query for the configured filter, a reader with a batch size of 10 and
    // a watcher that raises EventRecordWritten for new records.
    string queryString = GetQueryString();
    query = new EventLogQuery(null, PathType.LogName, queryString);
    reader = new EventLogReader(query) { BatchSize = 10 };
    watcher = new EventLogWatcher(query);
    watcher.EventRecordWritten += EventRecordWritten;
    watcher.Enabled = true;

    // File side is optional: both the log file and the users file must exist.
    string logFileName = config.WindSFTPLogFileName;
    bool fileLoggingConfigured = !string.IsNullOrEmpty(logFileName)
        && File.Exists(logFileName)
        && File.Exists(config.WindSFTPUsersFileName);
    if (!fileLoggingConfigured)
    {
        return;
    }

    GetUsersFromFile();
    // ReadWrite share so the process writing the log can keep appending while it is tailed.
    file = new FileStream(logFileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
    streamReader = new StreamReader(file);
    lastSize = file.Length;
    ProcessCurrentLogFile();

    fileWatcher = new FileSystemWatcher
    {
        Path = Path.GetDirectoryName(logFileName),
        Filter = Path.GetFileName(logFileName),
        NotifyFilter = NotifyFilters.LastWrite | NotifyFilters.Size,
    };
    fileWatcher.Changed += FileWatcherOnChanged;
    fileWatcher.EnableRaisingEvents = true;
}
/// <summary>
/// Builds an <see cref="EventLogReader"/> for <paramref name="path"/> that returns the newest
/// events first. When <c>ComputerName</c> is set, the query is bound to a session on that machine
/// opened with the current user's credentials.
/// </summary>
/// <param name="path">Event log channel name (e.g. "Security").</param>
/// <param name="query">XPath / structured XML event query.</param>
/// <returns>An open reader; the caller owns it (and, through it, the remote session it holds).</returns>
public EventLogReader GetEventLogReader(string path, string query)
{
    // TODO: investigate https://docs.microsoft.com/en-us/previous-versions/windows/desktop/eventlogprov/win32-ntlogevent
    var eventsQuery = new EventLogQuery(path, PathType.LogName, query) { ReverseDirection = true };

    bool isRemote = !string.IsNullOrEmpty(ComputerName);
    if (isRemote)
    {
        // Only the machine name is passed, so the single-argument constructor is used and the
        // current user's credentials apply. Passing explicit domain/user/SecureString credentials
        // (the five-argument constructor) is still a TODO, see
        // https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.-ctor?view=dotnet-plat-ext-3.1#System_Diagnostics_Eventing_Reader_EventLogSession__ctor_System_String_System_String_System_String_System_Security_SecureString_System_Diagnostics_Eventing_Reader_SessionAuthentication_
        eventsQuery.Session = new EventLogSession(ComputerName);
    }

    return new EventLogReader(eventsQuery);
}
/// <summary>
/// Page entry point: requires an authenticated employee profile in session, then renders the
/// attendance table produced from the <see cref="EventLogReader"/> stored in session (if any).
/// </summary>
/// <param name="sender">Page raising the event.</param>
/// <param name="e">Event arguments (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Both values are placed in session by another page; either may be absent (null).
    EventLogReader logReader = (EventLogReader)Session["EventLogReader"];
    EmployeeProfile emp = (EmployeeProfile)Session["EmployeeProfile"];
    // The login control is hidden when an "autologin" marker is present in session.
    LoginStatus1.Visible = (null == Session["autologin"]);
    if (null == emp || !this.Page.User.Identity.IsAuthenticated || string.IsNullOrEmpty(emp.Name))
    {
        // No usable identity: redirect before touching any data.
        FormsAuthentication.RedirectToLoginPage();
    }
    else if (logReader != null)
    {
        try
        {
            Generator testClass = new Generator(logReader);
            List<TimeEntry> table = testClass.DisplayEventAndLogInformation(logReader);
            Attendance1.Text = String.Format("Query: {0}", Session["EventLogQuery"]);
            GridView1.DataSource = table;
            GridView1.DataBind();
            // Cleared after use — presumably so a page refresh does not re-run the query; confirm.
            Session["EventLogReader"] = null;
            TotalOT.Text = "Total Overtime: " + testClass.TotalOvertime;
            this.StartDate.Culture = System.Globalization.CultureInfo.GetCultureInfo("en-US");
            // NOTE(review): Session["DateTime"] is unboxed unconditionally; a missing value throws here,
            // and that exception is not an EventLogException, so it escapes the catch below.
            this.StartDate.SelectedDate = (DateTime)Session["DateTime"];
            //this.StartDate.SelectedDateChanged += new EventHandler(DatePicker1_DateChanged);
        }
        catch (EventLogException err)
        {
            // NOTE(review): Console output is not visible in a web host; the reader is also left
            // in session (and undisposed) on this path.
            Console.WriteLine("Could not query the remote computer! " + err.Message);
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
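/// <summary>
/// Queries the Security log of a domain controller for logon events (4624) over an authenticated
/// remote session and returns the formatted description of the last matching event.
/// </summary>
/// <param name="username">Not used by the query: the TargetUserName filter is the literal placeholder in the XPath below.</param>
/// <param name="domain">Domain of the account used to open the remote session.</param>
/// <param name="dc">Remote computer (domain controller) to query.</param>
/// <param name="dauser">User name of the account used to open the remote session.</param>
/// <param name="dapass">Password of that account; converted to a <see cref="SecureString"/> by <c>GetPassword</c>.</param>
/// <returns>The description of the last event returned, or an empty string when nothing matched.</returns>
public static string QueryRemoteComputer(string username, string domain, string dc, string dauser, string dapass)
{
    // XPATH Query. The TargetUserName value is a placeholder in this copy; the `username`
    // parameter is not substituted into the query.
    string queryString = "*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='******']]";

    string result = String.Empty;
    EventLogSession session;
    using (SecureString pw = GetPassword(dapass))
    {
        session = new EventLogSession(
            dc,     // Remote Computer
            domain, // Domain
            dauser, // Username
            pw,
            SessionAuthentication.Default);
    }

    // Session, reader and records wrap native handles; dispose all of them instead of leaking
    // them on every call (the original disposed none).
    using (session)
    {
        // Query the Security log on the remote computer.
        EventLogQuery query = new EventLogQuery("Security", PathType.LogName, queryString) { Session = session };
        using (EventLogReader reader = new EventLogReader(query))
        {
            EventRecord eventRecord;
            while ((eventRecord = reader.ReadEvent()) != null)
            {
                using (eventRecord)
                {
                    // Only the last description survives the loop (original behaviour).
                    result = eventRecord.FormatDescription();
                }
            }
        }
    }
    return result;
}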
/// <summary>
/// Creates the <see cref="EventLogReader"/> for the configured path and stores it in <c>_reader</c>.
/// The first failure is logged at error level and flagged on the buffer as
/// <c>ErrorFlags.SourceCannotBeAccessed</c>; repeated failures are logged at debug level only, so a
/// flapping source does not flood the log.
/// </summary>
/// <returns>True when the reader was created, false when creation threw.</returns>
private bool TryCreateEventLogReader()
{
    try
    {
        var query = new EventLogQuery(GetPath(), PathType.LogName, "*");
        // NOTE(review): a previously created _reader is overwritten without Dispose(); confirm the caller releases it first.
        _reader = new EventLogReader(query);
        _loggedException = false;
        return true;
    }
    catch (Exception e)
    {
        bool firstFailure = !_loggedException;
        if (firstFailure)
        {
            Log.ErrorFormat("Unable to create event log reader: {0}", e);
            _buffer.SetValue(LogFileProperties.EmptyReason, ErrorFlags.SourceCannotBeAccessed);
            _loggedException = true;
            return false;
        }

        Log.DebugFormat("Unable to create event log reader: {0}", e);
        return false;
    }
}
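/// <summary>
/// Checks the System log for BitLocker driver bad-block events (IDs 24588, 24593, 24594, 24595)
/// raised for <paramref name="mountPoint"/> within the last 31 days.
/// </summary>
/// <param name="mountPoint">Volume the events are filtered on (matched against the event's 'Volume' data field).</param>
/// <param name="ex">Exception raised while querying, as returned by <c>Util.HandleExceptions</c>, or null.</param>
/// <param name="eventXML">XML of the first matching event, or null when none was found.</param>
/// <returns>True when at least one matching event exists.</returns>
public static bool DoesMountPointHaveBadBlocks(string mountPoint, out Exception ex, out string eventXML)
{
    bool doesMountPointHaveBadBlocks = false;
    string evtXml = null;

    // Take the clock once so both ends of the window derive from the same instant (the original
    // called DateTime.UtcNow a second time for the window start). "o" round-trips Kind=Utc as "Z".
    DateTime utcNow = DateTime.UtcNow;
    DateTime windowStart = utcNow.AddDays(-31.0);

    // The mount point is interpolated into an XPath string literal; a value containing a quote
    // would break the query. Callers are expected to pass a volume path, not arbitrary input.
    string queryString = string.Format(
        "*[System[EventID=24588 or EventID=24593 or EventID=24594 or EventID=24595]][System[Provider[@Name='{0}']]][System[TimeCreated[@SystemTime >= '{2}']]][System[TimeCreated[@SystemTime <= '{3}']]][EventData[Data[@Name='Volume']='{1}']]",
        "Microsoft-Windows-Bitlocker-Driver",
        mountPoint,
        windowStart.ToString("o"),
        utcNow.ToString("o"));

    ex = Util.HandleExceptions(delegate
    {
        EventLogQuery eventQuery = new EventLogQuery("System", PathType.LogName, queryString);
        using (EventLogReader eventLogReader = new EventLogReader(eventQuery))
        using (EventRecord eventRecord = eventLogReader.ReadEvent())
        {
            // One hit answers the question; the record is disposed with the reader.
            if (eventRecord != null)
            {
                evtXml = eventRecord.ToXml();
                doesMountPointHaveBadBlocks = true;
            }
        }
    });

    eventXML = evtXml;
    return doesMountPointHaveBadBlocks;
}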
/// <summary>
/// Each display-name property of a record may throw EventLogNotFoundException at most once;
/// a second read must return the value the first (guarded) read produced.
/// </summary>
public void ExceptionOnce()
{
    // Skipped where the log contains null events (Windows 7) or on Windows 11 / Windows Server 2022,
    // tracked as ActiveIssue("https://github.com/dotnet/runtime/issues/58829").
    bool skip = PlatformDetection.IsWindows7
        || PlatformDetection.IsWindows10Version22000OrGreater
        || PlatformDetection.IsWindows10Version20348OrGreater;
    if (skip)
    {
        return;
    }

    var query = new EventLogQuery("Application", PathType.LogName, "*[System]") { ReverseDirection = true };
    using (var eventLog = new EventLogReader(query, Helpers.GetBookmark("Application", PathType.LogName)))
    using (var record = (EventLogRecord)eventLog.ReadEvent())
    {
        string levelDisplayName = null;
        string opcodeDisplayName = null;
        string taskDisplayName = null;
        ThrowsMaxOnce<EventLogNotFoundException>(() => levelDisplayName = record.LevelDisplayName);
        ThrowsMaxOnce<EventLogNotFoundException>(() => opcodeDisplayName = record.OpcodeDisplayName);
        ThrowsMaxOnce<EventLogNotFoundException>(() => taskDisplayName = record.TaskDisplayName);
        Assert.Equal(levelDisplayName, record.LevelDisplayName);
        Assert.Equal(opcodeDisplayName, record.OpcodeDisplayName);
        Assert.Equal(taskDisplayName, record.TaskDisplayName);
    }
}
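/// <summary>
/// This method will try to create the <see cref="EventLogReader"/>, however, if the reader can't be created for some reason,
/// e.g. Service not available or LogName none-existing, it will delay the creation and poll the dependency.
/// </summary>
/// <param name="bookmark">
/// NOTE(review): not used; the reader is positioned from the <c>_eventBookmark</c> field instead.
/// Kept in the signature for compatibility — confirm whether callers expect it to be honoured.
/// </param>
/// <param name="stopToken">Stops the retry loop.</param>
/// <returns>An open reader (batch size 128) positioned at <c>_eventBookmark</c>.</returns>
/// <exception cref="OperationCanceledException">When <paramref name="stopToken"/> is cancelled between attempts.</exception>
protected async ValueTask<EventLogReader> CreateEventLogReader(EventBookmark bookmark, CancellationToken stopToken)
{
    while (true)
    {
        try
        {
            var reader = new EventLogReader(new EventLogQuery(_logName, PathType.LogName, _query), _eventBookmark)
            {
                BatchSize = 128
            };
            return reader;
        }
        catch (EventLogException ele) when (ele is EventLogNotFoundException
            || ele.Message.Contains("The handle is invalid", StringComparison.OrdinalIgnoreCase))
        {
            _logger.LogWarning(ele, "Event log '{0}' cannot be read", _logName);
        }
        catch (Exception ex)
        {
            // Message template with arguments instead of string interpolation, so the log name and
            // query are captured as structured properties (as the warning above already does).
            _logger.LogError(ex, "Error reading event log '{0}' with query {1}", _logName, _query);
        }
        // Do not start another wait when shutdown has already been requested.
        stopToken.ThrowIfCancellationRequested();
        await EnsureDependencyAvailable(stopToken);
    }
}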
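/// <summary>
/// Runs <paramref name="queryString"/> against the Windows Defender operational log and parses
/// the last event the reader returns.
/// </summary>
/// <param name="queryString">XPath / structured XML query selecting the events of interest.</param>
/// <returns>The detail parsed from the last matching event; <c>ParseData</c> receives null when nothing matched.</returns>
WindowsDefenderDetail GetDetail(string queryString)
{
    var query = new EventLogQuery("Microsoft-Windows-Windows Defender/Operational", PathType.LogName, queryString);
    using (var reader = new EventLogReader(query))
    {
        EventRecord last = reader.ReadEvent();
        try
        {
            // Walk forward to the last record. Every record stepped past is disposed on the spot;
            // previously each superseded record was dropped without Dispose().
            while (last != null)
            {
                EventRecord next = reader.ReadEvent();
                if (next == null)
                {
                    break;
                }
                last.Dispose();
                last = next;
            }
            return ParseData(last);
        }
        finally
        {
            if (last != null)
            {
                last.Dispose();
            }
        }
    }
}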
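/// <summary>
/// Reads the test log once with all levels combined and once per level, and checks that the
/// per-level counts add up to the combined count.
/// </summary>
public void ReadLogs()
{
    EventLogReader reader = new EventLogReader("TestLogs", "xrouter");
    DateTime from = new DateTime(2011, 1, 1);
    DateTime to = new DateTime(2012, 1, 1);

    // The four GetEntries calls differ only in the level filter.
    Func<LogLevelFilters, int> countEntries = filters =>
        reader.GetEntries(from, to, filters, int.MaxValue, 1).Count();

    int total = countEntries(LogLevelFilters.Error | LogLevelFilters.Warning | LogLevelFilters.Info);
    Console.WriteLine("Total: " + total);

    // The per-level lines used to print `total` three times; each now prints its own count.
    int error = countEntries(LogLevelFilters.Error);
    Console.WriteLine("Error: " + error);

    int warning = countEntries(LogLevelFilters.Warning);
    Console.WriteLine("Warning: " + warning);

    int info = countEntries(LogLevelFilters.Info);
    Console.WriteLine("Info: " + info);

    Assert.Equal(total, error + warning + info);
}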
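/// <summary>
/// Test all entries in the event viewer that match config
/// </summary>
/// <remarks>
/// Reads with a 20 ms timeout per event; the loop ends at end-of-log or at the first read that
/// returns null because the timeout elapsed. Any exception is reported and the summary still printed.
/// </remarks>
public void TestAllEntries()
{
    int count = 0;
    try
    {
        TimeSpan timeout = TimeSpan.FromMilliseconds(20.0);
        string queryString = GetEventLogQueryString(null);
        // Session, reader and each record wrap native handles; dispose them instead of leaking per run.
        using (EventLogSession session = new EventLogSession("localhost"))
        {
            EventLogQuery query = new EventLogQuery(null, PathType.LogName, queryString) { Session = session };
            using (EventLogReader reader = new EventLogReader(query))
            {
                EventRecord record;
                while ((record = reader.ReadEvent(timeout)) != null)
                {
                    using (record)
                    {
                        if (++count % 100 == 0)
                        {
                            Console.Write("Count: {0} \r", count);
                        }
                        ProcessEventViewerXml(record.ToXml());
                    }
                }
            }
        }
        service.RunCycle();
    }
    catch (Exception ex)
    {
        // Best-effort test helper: report and fall through to the summary line.
        Console.WriteLine("Error: {0}", ex.Message);
    }
    Console.WriteLine("Tested {0} entries ", count);
}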
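/// <summary>
/// Gets the timestamp from the last reboot prior to encryption
/// of the first file from the Windows Event Log
/// </summary>
/// <param name="firstEncryptedFile">Timestamp of the earliest encrypted file; only reboots strictly before it count.</param>
/// <returns>The latest event 6005 time before <paramref name="firstEncryptedFile"/>, or <c>default(DateTime)</c> when none was found.</returns>
public static DateTime getLastReboot(DateTime firstEncryptedFile)
{
    string eventID = "6005"; // “The event log service was started.” This is synonymous to system startup.
    string LogSource = "System";
    string sQuery = $"*[System/EventID={eventID}]";
    var elQuery = new EventLogQuery(LogSource, PathType.LogName, sQuery);

    DateTime lastReboot = default(DateTime);
    // The reader and every record are native handles; the original leaked all of them and also
    // allocated a List<EventRecord> that was never used.
    using (var elReader = new EventLogReader(elQuery))
    {
        for (EventRecord eventInstance = elReader.ReadEvent(); null != eventInstance; eventInstance = elReader.ReadEvent())
        {
            using (eventInstance)
            {
                // TimeCreated is nullable; skip records without a timestamp instead of throwing.
                if (!eventInstance.TimeCreated.HasValue)
                {
                    continue;
                }
                DateTime thisReboot = eventInstance.TimeCreated.Value;
                //Make sure we get timestamp of the last reboot prior to the ransomware attack
                if (lastReboot < thisReboot && thisReboot < firstEncryptedFile)
                {
                    lastReboot = thisReboot;
                }
            }
        }
    }

    if (lastReboot == default(DateTime))
    {
        Console.Write("[-] Unable to retrieve last boot time from Windows Event Log. This will severely impact password crack time.");
    }
    return lastReboot;
}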
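/// <summary>
/// Registers a temporary event source backed by the test message DLL, writes one entry through
/// it and checks that the description read back from the Application log equals the message.
/// The source is deleted again in all cases.
/// </summary>
public void CanReadAndWriteMessages()
{
    string messageDllPath = Path.Combine(Path.GetDirectoryName(typeof(EventLog).Assembly.Location), "System.Diagnostics.EventLog.Messages.dll");
    EventSourceCreationData log = new EventSourceCreationData($"TestEventMessageSource {Guid.NewGuid()}", "Application")
    {
        MessageResourceFile = messageDllPath
    };
    try
    {
        if (EventLog.SourceExists(log.Source))
        {
            EventLog.DeleteEventSource(log.Source);
        }
        EventLog.CreateEventSource(log);

        string message = $"Hello {Guid.NewGuid()}";
        Helpers.Retry(() => EventLog.WriteEntry(log.Source, message));

        string providerQuery = $"*[System/Provider/@Name=\"{log.Source}\"]";
        using (EventLogReader reader = new EventLogReader(new EventLogQuery("Application", PathType.LogName, providerQuery)))
        using (EventRecord evt = reader.ReadEvent())
        {
            // A missing record used to surface as a NullReferenceException; fail with a clear assertion instead.
            Assert.NotNull(evt);
            string logMessage = evt.FormatDescription();
            Assert.Equal(message, logMessage);
        }
    }
    finally
    {
        EventLog.DeleteEventSource(log.Source);
    }
}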
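/// <summary>
/// Collects account-lockout events (Security log, event 4740) newer than <paramref name="LastScan"/>
/// from each domain controller into a table.
/// </summary>
/// <param name="DomainControllers">Hosts to query; each gets its own session and reader.</param>
/// <param name="LastScan">Only events created after this time are kept.</param>
/// <returns>A table with Date, User, Machine and DC columns, one row per lockout event.</returns>
public static DataTable SearchEventLogsForLockouts(string[] DomainControllers, DateTime LastScan)
{
    DataTable table = new DataTable(); //Build a table to house the results
    table.Columns.Add("Date", typeof(DateTime));
    table.Columns.Add("User");
    table.Columns.Add("Machine");
    table.Columns.Add("DC");

    foreach (string dc in DomainControllers)
    {
        try
        {
            // Session, reader and records are native handles; dispose them per DC instead of leaking.
            // Session creation is inside the try as well, so one bad host name no longer aborts the whole scan.
            using (EventLogSession session = new EventLogSession(dc)) //Create an eventlog session on the target machine
            {
                EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, "*[System/EventID=4740]") //Create an eventlog query to find 4740 events in the security log
                {
                    Session = session //Invoke the session
                };
                using (EventLogReader logReader = new EventLogReader(eventsQuery)) //start the eventlog reader
                {
                    for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent()) //foreach the results of the reader
                    {
                        using (eventdetail)
                        {
                            if (eventdetail.TimeCreated > LastScan) //find entries newer than the date specified
                            {
                                // Properties[0] / [1] are the first two EventData fields of 4740 — confirm against the event schema.
                                table.Rows.Add(eventdetail.TimeCreated, eventdetail.Properties[0].Value, eventdetail.Properties[1].Value, eventdetail.MachineName); //add the specific columns to the table
                            }
                        }
                    }
                }
            }
        }
        catch
        {
            // Best effort per DC: an unreachable or access-denied controller is skipped, as before.
            // Logging the exception here would make a silently missing DC visible.
        }
    }
    return table; //return the table
}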
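/// <summary>
/// Displays the event information and log information on the console for
/// all the events returned from a query.
/// </summary>
/// <param name="logReader">Reader to drain; it is read to the end but not disposed here (the caller owns it).</param>
private static void DisplayEventAndLogInformation(EventLogReader logReader)
{
    for (EventRecord eventInstance = logReader.ReadEvent(); null != eventInstance; eventInstance = logReader.ReadEvent())
    {
        // Each record owns a native handle; release it once printed (the original never did).
        using (eventInstance)
        {
            // The header is only printed for event 14151; description and container log for every event.
            if (eventInstance.Id == 14151)
            {
                Console.WriteLine("-----------------------------------------------------");
                Console.WriteLine("Event ID: {0}", eventInstance.Id);
                Console.WriteLine("Publisher: {0}", eventInstance.ProviderName);
            }
            try
            {
                Console.WriteLine("Description: {0}", eventInstance.FormatDescription());
            }
            catch (EventLogException e)
            {
                // The event description contains parameters, and no parameters were
                // passed to the FormatDescription method, so an exception is thrown.
                Console.WriteLine(e.Message);
            }
            // Cast the EventRecord object as an EventLogRecord object to
            // access the EventLogRecord class properties
            EventLogRecord logRecord = (EventLogRecord)eventInstance;
            Console.WriteLine("Container Event Log: {0}", logRecord.ContainerLog);
        }
    }
}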
/// <summary>
/// CancelReading on an open Application-log reader must not throw.
/// </summary>
public void CancelReading()
{
    EventLogReader applicationLog = new EventLogReader("Application");
    using (applicationLog)
    {
        applicationLog.CancelReading();
    }
}
/// <summary>
/// A reader created through the (path, PathType) constructor starts with the default batch size of 64.
/// </summary>
public void BatchSize_OtherCtor()
{
    const int defaultBatchSize = 64;
    EventLogReader applicationLog = new EventLogReader("Application", PathType.LogName);
    using (applicationLog)
    {
        Assert.Equal(defaultBatchSize, applicationLog.BatchSize);
    }
}
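/// <summary>
/// Probes whether <paramref name="log"/> exists and yields at least one event, locally or on
/// <paramref name="remote_machine_name"/> when one is given.
/// </summary>
/// <param name="log">Event log channel name.</param>
/// <param name="remote_machine_name">Remote host; blank or whitespace means the local machine.</param>
/// <param name="remote_domain_name">Domain of the remote credential.</param>
/// <param name="remote_user_name">User name of the remote credential.</param>
/// <param name="remote_password_name">Password of the remote credential (plaintext; copied into a SecureString only for the session constructor).</param>
/// <returns>True when a first event could be read within 500 ms; false on timeout, an empty log or any error.</returns>
private static bool remote_event_log_exists(string log, string remote_machine_name, string remote_domain_name, string remote_user_name, string remote_password_name)
{
    try
    {
        EventLogSession session = null;
        if (remote_machine_name.Trim() != "")
        {
            // The SecureString is disposed as soon as the session has been constructed.
            using (var pwd = new SecureString())
            {
                foreach (char c in remote_password_name)
                {
                    pwd.AppendChar(c);
                }
                session = new EventLogSession(remote_machine_name, remote_domain_name, remote_user_name, pwd, SessionAuthentication.Default);
            }
        }

        // Session, reader and the probed record hold native handles; the original disposed none of them.
        using (session)
        {
            EventLogQuery query = new EventLogQuery(log, PathType.LogName);
            if (session != null)
            {
                query.Session = session;
            }
            using (EventLogReader reader = new EventLogReader(query))
            using (EventRecord first = reader.ReadEvent(TimeSpan.FromMilliseconds(500)))
            {
                if (first != null)
                {
                    return true;
                }
            }
        }
    }
    catch (Exception e)
    {
        logger.Error("can't login " + e.Message);
    }
    return false;
}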
/// <summary>
/// Creates the <see cref="EventLogReader"/> for the configured path and stores it in <c>_reader</c>.
/// The first failure is logged at error level and records a (still undecided, see TODO) empty
/// reason on the buffer; later failures are logged at debug level only.
/// </summary>
/// <returns>True when the reader was created, false when creation threw.</returns>
private bool TryCreateEventLogReader()
{
    try
    {
        var query = new EventLogQuery(GetPath(), PathType.LogName, "*");
        // NOTE(review): a previously created _reader is overwritten without Dispose(); confirm the caller releases it first.
        _reader = new EventLogReader(query);
        _loggedException = false;
        return true;
    }
    catch (Exception e)
    {
        if (_loggedException)
        {
            Log.DebugFormat("Unable to create event log reader: {0}", e);
            return false;
        }

        Log.ErrorFormat("Unable to create event log reader: {0}", e);
        // TODO: Set error — a null reason is stored until the proper error value is decided.
        _buffer.SetValue(Core.Properties.EmptyReason, null);
        _loggedException = true;
        return false;
    }
}
/// <summary>
/// Entry point: reads every event from the log directory given as the first argument, with the
/// reader's progress callbacks attached, then waits for a key press before exiting.
/// </summary>
/// <param name="args">args[0] = path of the log data directory; with no arguments the program exits at once.</param>
static void Main(string[] args)
{
    if (args.Length == 0)
    {
        return;
    }

    string logDirectory = args[0];
    Console.WriteLine($"{DateTime.Now}: Инициализация чтения логов \"{logDirectory}\"...");

    using (EventLogReader reader = EventLogReader.CreateReader(logDirectory))
    {
        // Progress hooks; the handlers are defined elsewhere in this class.
        reader.AfterReadEvent += Reader_AfterReadEvent;
        reader.AfterReadFile += Reader_AfterReadFile;
        reader.BeforeReadEvent += Reader_BeforeReadEvent;
        reader.BeforeReadFile += Reader_BeforeReadFile;
        reader.OnErrorEvent += Reader_OnErrorEvent;

        Console.WriteLine($"{DateTime.Now}: Всего событий к обработке: ({reader.Count()})...");
        Console.WriteLine();
        Console.WriteLine();

        // reader.CurrentRow holds the data of the current event; only the count is tracked here.
        while (reader.Read())
        {
            _eventNumber += 1;
        }
    }

    Console.WriteLine($"{DateTime.Now}: Для выхода нажмите любую клавишу...");
    Console.ReadKey();
}
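/// <summary>
/// Executes the log command: reads the ImageServiceLog channel and returns the entries written
/// since (and including) the most recent "SERVICE_RUNNING" entry, newest first.
/// </summary>
/// <param name="args">Command arguments; not used by this command.</param>
/// <param name="result">Set to true once the log has been read.</param>
/// <returns>The selected entries concatenated, each formatted as "id,description*".</returns>
public string Execute(string[] args, out bool result)
{
    EventLogQuery query = new EventLogQuery("ImageServiceLog", PathType.LogName, "*");
    var logs = new List<string>();
    // Reader and records own native handles; dispose them. The original leaked both and also
    // fetched EventLog.GetEventLogs() without using the result.
    using (EventLogReader reader = new EventLogReader(query))
    {
        EventRecord eventRecord;
        while ((eventRecord = reader.ReadEvent()) != null)
        {
            using (eventRecord)
            {
                logs.Add(eventRecord.Id + "," + eventRecord.FormatDescription() + "*");
            }
        }
    }

    // Walk backwards from the newest entry and stop after the first SERVICE_RUNNING marker.
    // The loop now reaches index 0 as well; it used to stop at j > 0, so the very first entry
    // was never emitted even when it was the marker being searched for.
    var output = new System.Text.StringBuilder();
    for (int j = logs.Count - 1; j >= 0; j--)
    {
        output.Append(logs[j]);
        if (logs[j].Contains("SERVICE_RUNNING"))
        {
            break;
        }
    }
    result = true;
    return output.ToString();
}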
/// <summary>
/// Writes a test entry, reads it back through an EventLogReader and checks that the "RenderedXml"
/// output of <see cref="RawEventRecordEnvelope"/> carries a populated RenderingInfo element.
/// </summary>
public void TestRenderedXmlFormatRawRecordEnvelope()
{
    using (var eventReader = new EventLogReader("Application", PathType.LogName))
    {
        EventLog.WriteEntry(LogSource, "Test message", EventLogEntryType.Information, 0);

        // Poll (sleeping first, then reading) until the reader hands back a record.
        EventRecord eventRecord = null;
        while (eventRecord == null)
        {
            System.Threading.Thread.Sleep(100);
            eventRecord = eventReader.ReadEvent();
        }

        var envelope = new RawEventRecordEnvelope(eventRecord, true, 0);
        var xml = XElement.Parse(envelope.GetMessage("RenderedXml"));
        XNamespace ns = xml.Name.Namespace;

        var renderingInfo = xml.Element(ns + "RenderingInfo");
        Assert.NotNull(renderingInfo);
        foreach (string child in new[] { "Message", "Level", "Task", "Opcode", "Channel", "Provider", "Keywords" })
        {
            Assert.NotNull(renderingInfo.Element(ns + child));
        }
    }
}
/// <summary>
/// With the "json" format a <see cref="RawEventRecordEnvelope"/> falls back to the regular
/// EventRecordEnvelope output: the parsed object must expose the standard event properties.
/// </summary>
public void TestRawEventRecordEnvelope_GivenJsonFormat_FallsBackToEventRecordEnvelopeBehavior()
{
    using (var eventReader = new EventLogReader("Application", PathType.LogName))
    {
        EventLog.WriteEntry(LogSource, "Test message", EventLogEntryType.Information, 0);

        // Poll (sleeping first, then reading) until the reader hands back a record.
        EventRecord eventRecord = null;
        while (eventRecord == null)
        {
            System.Threading.Thread.Sleep(100);
            eventRecord = eventReader.ReadEvent();
        }

        var envelope = new RawEventRecordEnvelope(eventRecord, true, 0);
        var jsonObj = JObject.Parse(envelope.GetMessage("json"));
        Assert.NotNull(jsonObj);

        string[] expectedProperties =
        {
            "EventId", "LevelDisplayName", "LogName", "MachineName", "ProviderName",
            "TimeCreated", "Description", "Index", "UserName", "Keywords",
        };
        foreach (string property in expectedProperties)
        {
            Assert.NotNull(jsonObj[property]);
        }
    }
}
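/// <summary>
/// Scans the local Security log file for system-time changes (event 4616) that happened after
/// the current boot and moved the clock by more than five minutes.
/// </summary>
/// <returns>
/// A positive <c>CheckInfo</c> for the first such change (previous time, new time, when it was
/// logged, record id); otherwise <c>new CheckInfo(false)</c>.
/// </returns>
static CheckInfo checkTimeModification()
{
    // The live .evtx is opened directly (PathType.FilePath) rather than the "Security" channel,
    // so the process needs read access to that file — typically an elevated one.
    string logPath = @"C:\Windows\System32\winevt\Logs\Security.evtx";
    DateTime pcStartTime = startTime();

    // Reader and records hold native handles; dispose them rather than leaking one per record.
    using (EventLogReader logReader = new EventLogReader(logPath, PathType.FilePath))
    {
        EventRecord entry;
        while ((entry = logReader.ReadEvent()) != null)
        {
            using (entry)
            {
                if (entry.Id != 4616 || entry.TimeCreated <= pcStartTime)
                {
                    continue;
                }
                IList<EventProperty> properties = entry.Properties;
                // Convert.ToDateTime returns a DateTime value unchanged and parses a string with the
                // current culture, i.e. what the former ToString()/DateTime.Parse round-trip did,
                // minus the precision loss when the property already is a DateTime.
                DateTime previousTime = Convert.ToDateTime(properties[4].Value);
                DateTime newTime = Convert.ToDateTime(properties[5].Value);
                if (Math.Abs((previousTime - newTime).TotalMinutes) > 5)
                {
                    return new CheckInfo(true, previousTime, newTime, entry.TimeCreated, entry.RecordId);
                }
            }
        }
    }
    return new CheckInfo(false);
}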
/// <summary>
/// Starts a background thread that pulls account-lockout events (4740) of the last day from the
/// ForwardedEvents channel of a hard-coded collector and prints them, showing a progress box in
/// the UI meanwhile. The thread is only started when the Days text box holds an integer.
/// </summary>
private void querySecHistoricLocalServerEvents()
{
    Thread thloadSecH = new Thread(() =>
    {
        Thread.CurrentThread.Name = "thloadSecH";
        // Query window: exactly one day, independent of the value typed into txtBoxDays.
        // NOTE(review): nOFDaysInt below is validated but never used — confirm whether it should drive this window.
        TimeSpan span = DateTime.UtcNow.Subtract(DateTime.UtcNow.AddDays(-1));
        // Structured XML query: 4740 events created within `span` milliseconds of now.
        string queryString = "<QueryList>" + @"<Query Id = ""0"" Path = ""ForwardedEvents"">" + @"<Select Path = ""ForwardedEvents""> *[System[(EventID=4740) and TimeCreated[timediff(@SystemTime) <= " + span.TotalMilliseconds + "]]]</Select>" + @"</Query>" + @"</QueryList>";
        // Credentials come from frmMain.domainAccountData: [0] domain, [1] user, [2] password
        // (inferred from the constructor argument order below).
        SecureString pw = new SecureString();
        foreach (char c in frmMain.domainAccountData[2])
        {
            pw.AppendChar(c);
        }
        // Collector host name is hard-coded; the SecureString is released right after the session is built.
        EventLogSession session = new EventLogSession("corp1042", frmMain.domainAccountData[0], frmMain.domainAccountData[1], pw, SessionAuthentication.Default);
        pw.Dispose();
        // Query the ForwardedEvents log on the remote computer.
        EventLogQuery query = new EventLogQuery("ForwardedEvents", PathType.LogName, queryString);
        query.Session = session;
        try
        {
            // NOTE(review): the reader is never disposed, and the early return below skips session.Dispose().
            EventLogReader logReader = new EventLogReader(query);
            DisplayEventAndLogInformation(logReader);
        }
        catch (EventLogException ex)
        {
            Console.WriteLine("Could not query the remote computer! " + ex.Message);
            return;
        }
        session.Dispose();
        try
        {
            // Marshal back to the UI thread to hide the progress indicator.
            this.Invoke((MethodInvoker)delegate { pBoxProgressSecH.Visible = false; });
        }
        catch
        {
            // NOTE(review): Invoke fails e.g. once the form is disposed; aborting the thread is a heavy response.
            Thread.CurrentThread.Abort();
        }
    });

    string nOFDays;
    int nOFDaysInt;
    nOFDays = txtBoxDays.Text;
    if (int.TryParse(nOFDays, out nOFDaysInt))
    {
        pBoxProgressSecH.Visible = true;
        thloadSecH.Start();
    }
    else
    {
        MessageBox.Show("Please enter only Numbers on field: Days", "Information!", MessageBoxButtons.OK, MessageBoxIcon.Information);
    }
}
/// <summary>
/// Each display-name property of a record may throw EventLogNotFoundException at most once;
/// a second read must return the value the first (guarded) read produced.
/// </summary>
public void ExceptionOnce()
{
    if (PlatformDetection.IsWindows7) // Null events in PowerShell log
    {
        return;
    }

    var query = new EventLogQuery("Application", PathType.LogName, "*[System]") { ReverseDirection = true };
    using (var eventLog = new EventLogReader(query, Helpers.GetBookmark("Application", PathType.LogName)))
    using (var record = (EventLogRecord)eventLog.ReadEvent())
    {
        string levelDisplayName = null;
        string opcodeDisplayName = null;
        string taskDisplayName = null;
        ThrowsMaxOnce<EventLogNotFoundException>(() => levelDisplayName = record.LevelDisplayName);
        ThrowsMaxOnce<EventLogNotFoundException>(() => opcodeDisplayName = record.OpcodeDisplayName);
        ThrowsMaxOnce<EventLogNotFoundException>(() => taskDisplayName = record.TaskDisplayName);
        Assert.Equal(levelDisplayName, record.LevelDisplayName);
        Assert.Equal(opcodeDisplayName, record.OpcodeDisplayName);
        Assert.Equal(taskDisplayName, record.TaskDisplayName);
    }
}
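/// <summary>
/// Pulls out the PowerShell events from the event log
/// </summary>
/// <returns>PSEventEntry object with the latest event properties</returns>
/// <remarks>
/// Fills the <c>entry</c> field from every matching record in turn, so the user/time/process
/// values reflect the last record read while <c>runcount</c>, <c>malware</c> and
/// <c>opencommand</c> accumulate over all of them.
/// </remarks>
private PSEventEntry getPSEvent()
{
    // event id 40962 and 4104
    string logType = "Microsoft-Windows-PowerShell/Operational";
    string query = $"*[System[(EventID='4104' or EventID='40962') and TimeCreated[timediff(@SystemTime) <= {timespan}]]]";
    var elQuery = new EventLogQuery(logType, PathType.LogName, query);

    // Reader and records own native handles; dispose them instead of leaking one per event.
    using (var elReader = new EventLogReader(elQuery))
    {
        for (EventRecord eventInstance = elReader.ReadEvent(); eventInstance != null; eventInstance = elReader.ReadEvent())
        {
            using (eventInstance)
            {
                // add data to the object. UserId, TimeCreated and ProcessId are nullable; the
                // original dereferenced them unconditionally and threw on records lacking them,
                // so such records now simply leave the previous value in place.
                if (eventInstance.UserId != null)
                {
                    entry.username = eventInstance.UserId.Translate(typeof(NTAccount)).ToString();
                }
                if (eventInstance.TimeCreated.HasValue)
                {
                    entry.datetime = eventInstance.TimeCreated.Value;
                }
                if (eventInstance.ProcessId.HasValue)
                {
                    entry.processID = eventInstance.ProcessId.Value;
                }

                // Ordinal case-insensitive search replaces ToLower().Contains(), which depends on
                // the current culture (e.g. "I" does not lower-case to "i" under Turkish cultures).
                string task = eventInstance.TaskDisplayName ?? string.Empty;
                if (task.IndexOf("block", StringComparison.OrdinalIgnoreCase) >= 0
                    || task.IndexOf("suspicious", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    entry.malware = true;
                }
                if (task.IndexOf("execute", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    entry.runcount = entry.runcount + 1;
                }
                if (task.IndexOf("console startup", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    entry.opencommand = true;
                }
            }
        }
    }
    return entry;
}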
/// <summary>
/// Scans each exported log file for logon events (4624) whose sixth EventData field equals
/// <c>usernameToFind</c>, appends "time,user,&lt;Data[18]&gt;" lines to <c>outputFilename</c>,
/// and deletes the file once it has been processed.
/// </summary>
/// <param name="eventLogNames">Paths of the .evtx files to scan; each is removed after scanning.</param>
private void ParseLogs(List<string> eventLogNames)
{
    foreach (string eventLogName in eventLogNames)
    {
        using (StreamWriter outputFile = new StreamWriter(this.outputFilename, true))
        using (EventLogReader reader = new EventLogReader(eventLogName, PathType.FilePath))
        {
            for (EventRecord record = reader.ReadEvent(); record != null; record = reader.ReadEvent())
            {
                using (record)
                {
                    if (record.Id != 4624)
                    {
                        continue;
                    }
                    // Positional access into <Event><EventData>: Data[5] and Data[18]. This relies on
                    // the field order of the 4624 schema in use rather than matching by @Name.
                    XmlDocument xmlRecord = new XmlDocument();
                    xmlRecord.LoadXml(record.ToXml());
                    XmlNode eventData = xmlRecord.ChildNodes[0].ChildNodes[1];
                    string targetUserName = eventData.ChildNodes[5].InnerText;
                    if (targetUserName == usernameToFind)
                    {
                        outputFile.WriteLine("{0},{1},{2}", record.TimeCreated, targetUserName, eventData.ChildNodes[18].InnerText);
                    }
                }
            }
        }
        File.Delete(eventLogName);
    }
}
/// <summary>
/// Starts the reporter server in a new thread.
/// </summary>
public void Start()
{
    // init log readers — both read this service's logs from the storage's log directory
    string logsDirectory = this.storagesInfo.LogsDirectory;
    this.eventLogReader = new EventLogReader(logsDirectory, this.serviceName);
    this.traceLogReader = new TraceLogReader(logsDirectory, this.serviceName);

    // Run() is the worker body, defined elsewhere in this class.
    Thread runThread = new Thread(Run);
    this.worker = runThread;
    runThread.Start();
}
/// <summary>
/// Starts the console server in a new thread.
/// </summary>
/// <exception cref="Exception">Re-thrown when opening the WCF host on the host thread failed.</exception>
public void Start()
{
    // init DB storage
    this.storage = new PersistentStorage(this.storagesInfo.DbConnectionString);
    // init log readers
    this.eventLogReader = new EventLogReader(this.storagesInfo.LogsDirectory, this.serviceName);
    this.traceLogReader = new TraceLogReader(this.storagesInfo.LogsDirectory, this.serviceName);
    // Register the custom configuration item types before the plugin configuration is updated.
    ObjectConfigurator.Configurator.CustomItemTypes.Add(new TokenSelectionConfigurationItemType());
    ObjectConfigurator.Configurator.CustomItemTypes.Add(new XRouter.Common.Xrm.XrmUriConfigurationItemType());
    ObjectConfigurator.Configurator.CustomItemTypes.Add(new UriConfigurationItemType());
    UpdatePluginsInApplicationConfiguration();
    // create WCF service on a new thread
    // NOTE(review): the thread is started and immediately joined, so Start() still blocks until the
    // host is open; presumably the host is created on its own thread for apartment/context reasons —
    // confirm before simplifying.
    Exception exception = null;
    Thread wcfHostThread = new Thread(delegate(object data)
    {
        try
        {
            this.wcfHost = new ServiceHost(this, new Uri(this.uri));
            // set binding (WebService - SOAP/HTTP)
            WSHttpBinding binding = new WSHttpBinding();
            // Message size and reader quotas are lifted to int.MaxValue, so any client can push
            // arbitrarily large messages: this endpoint should stay on a trusted network.
            binding.MaxReceivedMessageSize = int.MaxValue;
            binding.ReaderQuotas = new XmlDictionaryReaderQuotas() { MaxBytesPerRead = int.MaxValue, MaxArrayLength = int.MaxValue, MaxStringContentLength = int.MaxValue };
            // set endpoint
            this.wcfHost.AddServiceEndpoint(typeof(IConsoleServer), binding, "ConsoleServer");
            // set metadata behavior
            ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
            smb.HttpGetEnabled = true;
            smb.HttpGetUrl = new Uri(this.metadataUri);
            this.wcfHost.Description.Behaviors.Add(smb);
            // IncludeExceptionDetailInFaults sends server-side exception details to clients —
            // convenient for debugging, an information disclosure in production.
            foreach (var b in this.wcfHost.Description.Behaviors)
            {
                if (b is System.ServiceModel.Description.ServiceDebugBehavior)
                {
                    var sdb = (System.ServiceModel.Description.ServiceDebugBehavior)b;
                    sdb.IncludeExceptionDetailInFaults = true;
                }
            }
            // open connection
            this.wcfHost.Open();
        }
        catch (Exception e)
        {
            // Captured here and re-thrown on the calling thread below.
            exception = e;
        }
    });
    wcfHostThread.Start();
    wcfHostThread.Join();
    if (exception != null)
    {
        // NOTE(review): `throw exception` resets the stack trace captured on the host thread.
        throw exception;
    }
}