Esempio n. 1
1
        private void check_log(string name) {
            try {
                SecureString pwd = new SecureString();
                foreach ( char c in remote_passw_)
                    pwd.AppendChar(c);
                EventLogSession session = remote_machine_name_ != "" ? new EventLogSession(remote_machine_name_, remote_domain_, remote_username_, pwd, SessionAuthentication.Default) : null;
                pwd.Dispose();
                string query_string = "*";
                EventLogQuery query = new EventLogQuery(name, PathType.LogName, query_string);

                using (EventLogReader reader = new EventLogReader(query))
                    for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                        lock (this) 
                            --log_names_[name];

            } catch (Exception e) {
                logger.Error("error checking log " + name + " on " + remote_machine_name_ + " : " + e.Message);
            }

            // mark log as fully read
            lock (this) {
                log_names_[name] = -log_names_[name];
                if (log_names_[name] == 0)
                    // convention - 0 entries
                    log_names_[name] = int.MinValue;
            }
        }
Esempio n. 2
0
    protected void DatePicker1_DateChanged(object sender, EventArgs e)
    {
        EmployeeProfile emp = (EmployeeProfile)Session["EmployeeProfile"];
        SecureString pw = (SecureString)Session["SecureString"];
        DatePicker dp = (DatePicker)sender;
        DateTime now = DateTime.Now;
        DateTime endDate = now;
        DateTime startDate = dp.SelectedDate;

        string queryString = String.Format(AppConfig.EventQuery,
            startDate.ToUniversalTime().ToString("o"),
            endDate.ToUniversalTime().ToString("o"));

        // Query the Application log on the remote computer.
        EventLogQuery query = new EventLogQuery("System", PathType.LogName, queryString);
        if (AppConfig.RemoteQuery) {
            string passwd = emp.Password;
            query.Session = new EventLogSession(
                emp.Machine, // Remote Computer
                emp.Domain, // Domain
                emp.Name,   // Username
                pw,
                SessionAuthentication.Default);
        }
        EventLogReader logReader = new EventLogReader(query);
        Session["EventLogQuery"] = queryString;

        Generator testClass = new Generator(logReader);
        List<TimeEntry> table = testClass.DisplayEventAndLogInformation(logReader);
        Attendance1.Text = String.Format("Query: {0}", Session["EventLogQuery"]);
        GridView1.DataSource = table;
        GridView1.DataBind();

        TotalOT.Text = "Total Overtime: " + testClass.TotalOvertime;
    }
Esempio n. 3
0
    public void AddWatcher(string source, string log, int id)
    {
        if (source == log && log == null)
            {
                throw new ArgumentNullException("Either source or log must be set!");
            }

            // if legeacy
            if (System.Environment.OSVersion.Version.Major < 6)
            {
                string queryString = "Select * from __InstanceCreationEvent Where TargetInstance ISA 'Win32_NTLogEvent'";
                if (source != null)
                    queryString += " AND TargetInstance.Sourcename = '" + source + "'";
                if (log != null)
                    queryString += " AND TargetInstance.LogFile = '" + log + "'";
                queryString += " AND (TargetInstance.EventCode = " + id + ")";
                ManagementEventWatcher managementWatcher = new ManagementEventWatcher(new EventQuery(queryString));
                managementWatcher.Start();
                managementWatcher.EventArrived += EventRecordWritten;
                managementWatchers.Add(managementWatcher);
            }
            else
            {
                string queryString = "<QueryList><Query Id='0' Path='" + log + "'><Select Path='" + log + "'>*[System[Provider[@Name='" + source + "']]] and *[System[EventID=" + id + "]]</Select></Query></QueryList>";

                EventLogQuery query = new EventLogQuery(log, PathType.LogName, queryString);
                EventLogWatcher eventWatcher = new EventLogWatcher(query);
                eventWatcher.EventRecordWritten += EventRecordWritten;
                eventWatcher.Enabled = true;
                eventWatchers.Add(eventWatcher);
            }
    }
Esempio n. 4
0
        public override IResult Execute(IResult previousResults)
        {
            try
            {

                var result ="unknown issue";
                var query = new EventLogQuery("Application", PathType.LogName, Query);
                using (var reader = new EventLogReader(query))
                {
                    var nextEvent = reader.ReadEvent();
                    while (nextEvent != null)
                    {
                        result = GetDescriptionFromEntry(nextEvent.FormatDescription());
                        nextEvent = reader.ReadEvent();
                    }
                }

                result = GetDescriptionFromEntry(result);
                SettingsManager.SetTemporarySettingString(SettingKey, result);
                return new NextResult();
            }
            catch (Exception e)
            {
                return new ExceptionOccurred(e);
            }
        }
Esempio n. 5
0
        /// <summary>
        /// Uploads new file to FTP
        /// </summary>
        public void FTPUpload()
        {
            try
            {
                //Setup ftp address setup
                FtpWebRequest request = (FtpWebRequest)WebRequest.Create(host);
                //FTP Login details
                request.Credentials = new NetworkCredential(username, password);
                //Use active connection
                request.UsePassive = false;
                //Set FTP method
                request.Method = WebRequestMethods.Ftp.UploadFile;

                //Get the log for windows backup
                EventLogQuery query = new EventLogQuery("Microsoft-Windows-Backup", PathType.LogName);
                //Newest first
                query.ReverseDirection = true;
                //Make reader from query
                EventLogReader reader = new EventLogReader(query);

                //Get FTP Stream and setup streamwriter for string
                Stream requestStream = request.GetRequestStream();
                StreamWriter streamWriter = new StreamWriter(requestStream, Encoding.ASCII);

                //Eventrecord holder
                EventRecord eventRecord;

                //Set culture info to en-us, error in eventrecord.formatdescription, that takes locale to format
                Thread.CurrentThread.CurrentCulture = tempCultureInfo;

                //Write root json
                streamWriter.WriteLine("<Logs>");
                //As long as there is events, write them out in xml format
                while ((eventRecord = reader.ReadEvent()) != null)
                {
                    streamWriter.Write("<LogEntry>");
                    streamWriter.Write("<Time>");
                    streamWriter.Write(eventRecord.TimeCreated);
                    streamWriter.Write("</Time>");
                    streamWriter.Write("<Message>");
                    streamWriter.Write(eventRecord.FormatDescription());
                    streamWriter.Write("</Message>");
                    streamWriter.WriteLine("</LogEntry>");
                }
                //End json root
                streamWriter.Write("</Logs>");

                //Reset locale back to normal
                Thread.CurrentThread.CurrentCulture = startCultureInfo;

                //Close streams and remove all used resources
                streamWriter.Close();
            }
            catch(Exception e)
            {
                //Most likely connection issue
                LogToFile("Exeption cought: " + e.Message);
                return;
            }
        }
Esempio n. 6
0
        public static IEnumerable<ApplicationError> GetByDateTimeDescending(int max = 0)
        {
            var query = @"<QueryList>
                              <Query Id=""0"" Path=""Application"">
                                <Select Path=""Application"">*[System[Provider[@Name='ASP.NET 2.0.50727.0' or @Name='ASP.NET 4.0.30319.0'] and (Level=2 or Level=3 or Level=4)]]</Select>
                              </Query>
                            </QueryList>";

            var elq = new EventLogQuery("Application", PathType.LogName, query) {ReverseDirection = true};
            using (var elr = new EventLogReader(elq))
            {
                var events = new List<EventRecord>();

                max = (max == 0) ? int.MaxValue : max;
                var i = 0;
                var entries = 0;

                for (var eventInstance = elr.ReadEvent(); null != eventInstance && entries < max; eventInstance = elr.ReadEvent(), i++)
                {
                    var parsedEvent = ParseEntry(eventInstance);
                    if (parsedEvent != null && parsedEvent.SiteIisId != 0)
                    {
                        entries++;
                        yield return parsedEvent;
                    }
                }
            }
        }
Esempio n. 7
0
 public object[] QueryActiveLog()
 {
     // TODO: Extend structured query to two different event logs.
     EventLogQuery eventsQuery = new EventLogQuery("Application", PathType.LogName, Query);
     EventLogReader logReader = new EventLogReader(eventsQuery);
     return DisplayEventAndLogInformation(logReader);
 }
Esempio n. 8
0
        public LogPublisher(EventLog eventLog, Topic topic)
        {
            this.topic = topic;

            // Creates an EventLog watcher and subscribes to EventRecordWritten event
            var query = new EventLogQuery(eventLog.Log, PathType.LogName);
            watcher = new EventLogWatcher(query);
            watcher.EventRecordWritten += WatcherEventRecordWritten;
            watcher.Enabled = true;
        }
Esempio n. 9
0
 private static IEnumerable<EventLogRecord> LogRecordCollection(string filename, string xpathquery = "*")
 {
     var eventLogQuery = new EventLogQuery(filename, PathType.FilePath, xpathquery);
     using (var eventLogReader = new EventLogReader(eventLogQuery))
     {
         EventLogRecord eventLogRecord;
         while ((eventLogRecord = (EventLogRecord) eventLogReader.ReadEvent()) != null)
             yield return eventLogRecord;
     }
 }
Esempio n. 10
0
        private void compute_time()
        {
            date_now.Text = DateTime.Now.Date.Date.ToString();
            string query = "*[System/EventID=12]";
            EventLogQuery event_query = new EventLogQuery("System", PathType.LogName, query);
            try
            {
                EventLogReader reader = new EventLogReader(event_query);
                for (EventRecord eventdetail = reader.ReadEvent();
                     eventdetail != null;
                     eventdetail = reader.ReadEvent())
                {
                    DateTime log_created = eventdetail.TimeCreated.Value;
                    if (log_created.Date.ToString() == DateTime.Now.Date.ToString())
                    {
                        double logout_hour = 0.0;
                        double login_hour = log_created.TimeOfDay.TotalHours;
                        if (login_hour < minimum_login_hour)
                        {
                            logout_hour = minimum_login_hour + working_hours;
                        }
                        else if (login_hour > maximum_login_hour)
                        {
                            logout_hour = maximum_login_hour + working_hours;
                        }
                        else
                        {
                            logout_hour = login_hour + working_hours;
                        }
                        TimeSpan span = TimeSpan.FromHours(logout_hour);
                        login_time = eventdetail.TimeCreated.Value;
                        logout_time = DateTime.Today.Add(span);
                        login.Text = login_time.ToString("hh:mm tt");
                        logout.Text = logout_time.ToString("hh:mm tt");

                        double time_now = DateTime.Now.TimeOfDay.TotalHours;
                        double countdown_hour = logout_hour - time_now;
                        if (countdown_hour < 0)
                        {
                            countdown_hour = 0;
                        }
                        TimeSpan t = TimeSpan.FromHours(countdown_hour);
                        hours = t.Hours;
                        minutes = t.Minutes;
                        seconds = t.Seconds;
                    }
                }
            }
            catch (EventLogNotFoundException e)
            {
                Console.WriteLine("Error while readig event logs");
            }
        }
Esempio n. 11
0
        /// <param name="startDate">yyyy-MM-dd</param>
        /// <param name="endDate">yyyy-MM-dd</param>
        public DataTable EventLogGet(string siteId, string startDate, string endDate, int pageNumber, int pageSize, out int recordAmount, out int pageAmount)
        {
            recordAmount = 0;
            pageAmount = 0;

            Regex regex = new Regex(@"<Data Name='SiteID'>(\d+)</Data>", RegexOptions.Compiled);

            string path = "System";
            string query = "*[System/Provider/@EventSourceName='W3SVC']";

            EventLogQuery eventLogQuery = new EventLogQuery(path, PathType.LogName, query);
            EventLogReader eventLogReader = new EventLogReader(eventLogQuery);

            List<string> listLog = new List<string>();

            EventRecord eventInstance;
            while ((eventInstance = eventLogReader.ReadEvent()) != null)
            {
                string createDate = eventInstance.TimeCreated.Value.ToString("yyyy-MM-dd");

                if (string.Compare(createDate, startDate) >= 0 && string.Compare(createDate, endDate) <= 0)
                {
                    Match match = regex.Match(eventInstance.ToXml());
                    if (siteId == match.Groups[1].ToString())
                    {
                        listLog.Add(eventInstance.FormatDescription());
                    }
                }
            }

            DataTable dtLogPage = new DataTable();
            dtLogPage.Columns.Add("LogContent", typeof(string));

            if (listLog.Count == 0)
            {
                return dtLogPage;
            }

            recordAmount = listLog.Count;
            pageAmount = (int)Math.Ceiling(recordAmount * 1.0 / pageSize);
            List<string> listLogPage = Tools.GetPage(listLog, pageNumber, pageSize, pageAmount);

            DataRow newRow;
            foreach (string log in listLogPage)
            {
                newRow = dtLogPage.NewRow();
                newRow["LogContent"] = log;
                dtLogPage.Rows.Add(newRow);
            }

            return dtLogPage;
        }
Esempio n. 12
0
        private DataTable GetStartupShutdownLogs(int NoofEventstoGet)
        {

            DataTable dtLogs = new DataTable("SystemLogs");
            dtLogs.Columns.Add("Message");
            dtLogs.Columns.Add("TimeGenerated");
            dtLogs.Columns.Add("ID");
            DataRow dr;
            try
            {
                string query = "*[System/EventID=6005 or System/EventID=6006]";
                EventLogQuery eventsQuery = new EventLogQuery("System", PathType.LogName, query);

                try
                {
                    EventLogReader logReader = new EventLogReader(eventsQuery);
                    int i = 1;
                    for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                    {
                        dr = dtLogs.NewRow();
                        dr["Message"] = eventdetail.Id == 6005 ? "System Startup" : "System Shutdown";
                        dr["TimeGenerated"] = eventdetail.TimeCreated.ToString();
                        dr["ID"] = i++;
                        dtLogs.Rows.Add(dr);

                    }
                    if (dtLogs.Rows.Count > NoofEventstoGet)
                    {

                        DataView dview = dtLogs.DefaultView;
                        dview.RowFilter = "ID <=" + i + " AND ID >=" + (i - NoofEventstoGet);
                        dview.Sort = "ID Desc";
                        dtLogs = dview.ToTable();

                    }

                }
                catch (EventLogNotFoundException ex)
                {
                    LogManager.WriteLog("Error while reading the event logs" + ex.Message, LogManager.enumLogLevel.Error);
                }


            }
            catch (Exception ex)
            {
                LogManager.WriteLog("GetSystemLogs:" + ex.Message, LogManager.enumLogLevel.Error);
            }
            return dtLogs;
        }
Esempio n. 13
0
        public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark) {

            if (eventQuery == null)
                throw new ArgumentNullException("eventQuery");

            string logfile = null;
            if (eventQuery.ThePathType == PathType.FilePath)
                logfile = eventQuery.Path;

            this.cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, logfile, 50 );

            //explicit data
            this.eventQuery = eventQuery;

            //implicit
            this.batchSize = 64;
            this.eventsBuffer = new IntPtr[batchSize];

            //
            // compute the flag.
            //
            int flag = 0;

            if (this.eventQuery.ThePathType == PathType.LogName)
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath;
            else
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;

            if (this.eventQuery.ReverseDirection)
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryReverseDirection;

            if (this.eventQuery.TolerateQueryErrors)
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryTolerateQueryErrors;

            EventLogPermissionHolder.GetEventLogPermission().Demand();

            handle = NativeWrapper.EvtQuery(this.eventQuery.Session.Handle,
                this.eventQuery.Path, this.eventQuery.Query,
                flag);

            EventLogHandle bookmarkHandle = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);

            if (!bookmarkHandle.IsInvalid) {
                using (bookmarkHandle) {
                    NativeWrapper.EvtSeek(handle, 1, bookmarkHandle, 0, UnsafeNativeMethods.EvtSeekFlags.EvtSeekRelativeToBookmark);
                }
            }
        }
Esempio n. 14
0
        public static ApplicationError GetById(int eventLogId)
        {
            var query = string.Format(@"<QueryList>
                                            <Query Id=""0"" Path=""Application"">
                                            <Select Path=""Application"">*[System[(EventRecordID={0})]]</Select>
                                            </Query>
                                        </QueryList>", eventLogId);

            var elq = new EventLogQuery("Application", PathType.LogName, query);
            using (var elr = new EventLogReader(elq))
            {
                var eventInstance = elr.ReadEvent();
                return eventInstance == null
                    ? null
                    : ParseEntry(eventInstance);
            }
        }
Esempio n. 15
0
        public List<IEvent> ReadEventLogData()
        {
            List<IEvent> coll = new List<IEvent>();
            string queryString =
                "<QueryList>" +
                "  <Query Id='0' Path='Microsoft-Windows-Diagnostics-Performance/Operational'>" +
                "    <Select Path='Microsoft-Windows-Diagnostics-Performance/Operational'>*[System[(EventID=100)]]</Select>" +
                "  </Query>" +
                "</QueryList>";
            try
            {
                EventLogQuery eventsQuery = new EventLogQuery("System", PathType.LogName, queryString);
                EventLogReader logReader = new EventLogReader(eventsQuery);

                //create an array of strings for xpath enum.
                String[] xPathRefs = new String[4];
                xPathRefs[0] = "Event/EventData/Data[@Name='BootEndTime']";
                xPathRefs[1] = "Event/EventData/Data[@Name='BootTime']";
                xPathRefs[2] = "Event/EventData/Data[@Name='MainPathBootTime']";
                xPathRefs[3] = "Event/EventData/Data[@Name='BootPostBootTime']";
                IEnumerable<String> xPathEnum = xPathRefs;
                EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);

                for (EventRecord eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
                {
                    IList<object> logEventProps;
                    // Cast the EventRecord into an EventLogRecord to retrieve property values.
                    // This will fetch the event properties we requested through the
                    // context created by the EventLogPropertySelector
                    logEventProps = ((EventLogRecord)eventDetail).GetPropertyValues(logPropertyContext);
                    if (eventDetail.Id == 100)
                    {
                        int boot = Convert.ToInt32(logEventProps[1]);
                        int mainPath = Convert.ToInt32(logEventProps[2]);
                        int postBoot = Convert.ToInt32(logEventProps[3]);
                        DateTime date = (DateTime)logEventProps[0];
                        coll.Add(new StartupEvent(date, boot, mainPath, postBoot, (int)eventDetail.Level));
                    }
                }
            }
            catch (EventLogNotFoundException e)
            {
                Console.WriteLine("Error while reading the event logs");
            }
            return coll;
        }
Esempio n. 16
0
        public EventLogWatcher(EventLogQuery eventQuery, EventBookmark bookmark, bool readExistingEvents) {

            if (eventQuery == null)
                throw new ArgumentNullException("eventQuery");

            if (bookmark != null)
                readExistingEvents = false;

            //explicit data
            this.eventQuery = eventQuery;
            this.readExistingEvents = readExistingEvents;

            if (this.eventQuery.ReverseDirection)
                throw new InvalidOperationException();

            this.eventsBuffer = new IntPtr[64];
            this.cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, null, 50);
            this.bookmark = bookmark;
        }
Esempio n. 17
0
 public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
 {
     if (eventQuery == null)
     {
         throw new ArgumentNullException("eventQuery");
     }
     string logfile = null;
     if (eventQuery.ThePathType == PathType.FilePath)
     {
         logfile = eventQuery.Path;
     }
     this.cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, logfile, 50);
     this.eventQuery = eventQuery;
     this.batchSize = 0x40;
     this.eventsBuffer = new IntPtr[this.batchSize];
     int flags = 0;
     if (this.eventQuery.ThePathType == PathType.LogName)
     {
         flags |= 1;
     }
     else
     {
         flags |= 2;
     }
     if (this.eventQuery.ReverseDirection)
     {
         flags |= 0x200;
     }
     if (this.eventQuery.TolerateQueryErrors)
     {
         flags |= 0x1000;
     }
     EventLogPermissionHolder.GetEventLogPermission().Demand();
     this.handle = NativeWrapper.EvtQuery(this.eventQuery.Session.Handle, this.eventQuery.Path, this.eventQuery.Query, flags);
     EventLogHandle bookmarkHandleFromBookmark = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);
     if (!bookmarkHandleFromBookmark.IsInvalid)
     {
         using (bookmarkHandleFromBookmark)
         {
             NativeWrapper.EvtSeek(this.handle, 1L, bookmarkHandleFromBookmark, 0, Microsoft.Win32.UnsafeNativeMethods.EvtSeekFlags.EvtSeekRelativeToBookmark);
         }
     }
 }
Esempio n. 18
0
        public static int Main(string[] argv)
        {
            EventLogQuery evtQuery;
            EventLogReader evtReader;

            if (argv.Length < 1)
            {
                Console.Error.WriteLine("Event2Text version " + VERSION_MAJOR + "." + VERSION_MINOR);
                Console.Error.WriteLine("USAGE: evt2txt.exe infile");

                return ERROR_ARGUMENTS;
            }

            if (!File.Exists(argv[0]))
            {
                Console.Error.WriteLine("Input file not found: " + argv[0]);

                return ERROR_FILE_NOT_FOUND;
            }

            try
            {
                evtQuery = new EventLogQuery(argv[0], PathType.FilePath);
                evtReader = new EventLogReader(evtQuery);
            }
            catch (Exception e)
            {
                Console.Error.WriteLine("Input file specified is not a valid log file!");
                Console.Error.WriteLine(e);

                return ERROR_BAD_EVENT_FILE;
            }

            for (EventRecord record = evtReader.ReadEvent();
                null != record;
                record = evtReader.ReadEvent())
            {
                Console.WriteLine(record.ToXml());
            }

            return 0;
        }
Esempio n. 19
0
 public void ReadEvents(string query = "*[System/EventID=903]")
 {
     var eventsQuery = new EventLogQuery("Application", PathType.LogName, query);
     try
     {
         var logReader = new EventLogReader(eventsQuery);
         // This is a crazy f*****g for loop.  Took me a while to realize what was going on.
         for (EventRecord eventdetail = logReader.ReadEvent();
             eventdetail != null;
             eventdetail = logReader.ReadEvent())
         {
             // Read Event details
             eventdetail.ToXml();
         }
     }
     catch (EventLogNotFoundException e)
     {
         Console.WriteLine(Resources.EventViewerReader_Thing_Error_while_reading_the_event_logs);
     }
 }
Esempio n. 20
0
        public static IObservable<EventRecord> FromLog(string name)
        {
            var q = new EventLogQuery(name, PathType.LogName);
            var watcher = new EventLogWatcher(q);

            return Observable.Create<EventRecord>(o =>
                {
                    watcher.EventRecordWritten +=
                        (sender, args) =>
                            {
                                if (args.EventException != null)
                                    o.OnError(args.EventException);
                                else
                                    o.OnNext(args.EventRecord);
                            };

                    watcher.Enabled = true;

                    return watcher;
                });
        }
Esempio n. 21
0
        public void QueryActiveLog()
        {
            string eventQueryFileName = @"D:\Alex\Github\ConsoleAppTests\q.txt";
            Console.WriteLine(File.Exists(eventQueryFileName) ? "File exists." : "File does not exist.");

            string queryString = File.ReadAllText(eventQueryFileName);
            Console.WriteLine(queryString);

         

            // Query two different event logs using a structured query.
            //string queryString =
            //    "<QueryList>" +
            //    "  <Query Id=\"0\" Path=\"Application\">" +
            //    "    <Select Path=\"Application\">" +
            //    "        *[System[(Level &lt;= 3) and" +
            //    "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" +
            //    "    </Select>" +
            //    "    <Suppress Path=\"Application\">" +
            //    "        *[System[(Level = 2)]]" +
            //    "    </Suppress>" +
            //    "    <Select Path=\"System\">" +
            //    "        *[System[(Level=1  or Level=2 or Level=3) and" +
            //    "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" +
            //    "    </Select>" +
            //    "  </Query>" +
            //    "</QueryList>";


            
          


            EventLogQuery eventsQuery = new EventLogQuery("Application", PathType.LogName, queryString);
            EventLogReader logReader = new EventLogReader(eventsQuery);

            // Display event info
            DisplayEventAndLogInformation(logReader);

        }
Esempio n. 22
0
        public void QueryActiveLog(string[] args)
        {
            try
            {
                // Query a specific event log using an XML structured query.
                // Note: You can create your own sample XML Structured queries by simply opening up Windows Event Viewer on a Windows Host running Windows Vista or Later and
                //       using the 'Create a Custom View...' option. When you use the 'Filter Custom View' option, the raw XML of your filtered choices will be available
                //       which you can then use in the 'queryString' variable below. Additional inforamtion can be found on Ned Pyle's blogpost below:
                //       http://blogs.technet.com/b/askds/archive/2011/09/27/3455548.aspx

                //string queryString = "*[System[Provider[@Name='VSS']] and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]";
                //string queryString = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing']] and System/EventID=4672]";
                //string queryString = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4672) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]";

                string queryString = (
                " <QueryList>" +
                "  <Query Id='0' Path='" + args[0] + "'>" +
                "    <Select Path='" + args[0] + "'>*[System[Provider[@Name='" + args[1] + "'] and (EventID=" + args[2] + ") and TimeCreated[timediff(@SystemTime) &lt;=" + args[3] + "]]]</Select>" +
                "  </Query>" +
                " </QueryList>");

                EventLogQuery eventsQuery = new EventLogQuery(args[0], PathType.LogName, queryString);
                EventLogReader logReader  = new EventLogReader(eventsQuery);

                // Display event info
                DisplayEventLogInformation(logReader);

            }
            catch (Exception Error)
            {
                if (Error is IndexOutOfRangeException)
                {
                    Console.WriteLine("The [Log_Name], [Event_ID] and [Provider_Name] Variables must ALL be present!");
                    Environment.Exit(3);
                }
            }
        }
Esempio n. 23
0
        static void Main(string[] args)
        {
            if (args.Length != 2)
            {
                Console.WriteLine("Usage: GetEventLog activityId machines");
                Console.WriteLine("Example: GetEventLog \"0724A8D0-D873-4CB3-8762-C9A70084DD98\" \"server1.company.com,server2.company.com\"");
                return;
            }

            string activityId = args[0];
            string machineNames = args[1];
            
            string adfsAdminLogName = "AD FS 2.0/Admin";

            string[] machineNamesArray = machineNames.Split(new char[1] { ',' });
            foreach (string machineName in machineNamesArray)
            {
                Console.WriteLine();
                Console.WriteLine("--------------------------------------------------------------------------------");
                Console.WriteLine("Getting AD FS event logs with correlation activity ID " + activityId + " from " + machineName);

                string query = "*[System/Correlation/@ActivityID=\"{" + activityId + "}\"]";
                EventLogQuery eventLogQuery = new EventLogQuery(adfsAdminLogName, PathType.LogName, query);
                eventLogQuery.Session = new EventLogSession(machineName);
                EventLogReader eventLogReader = new EventLogReader(eventLogQuery);

                for (EventRecord eventRecord = eventLogReader.ReadEvent(); eventRecord != null; eventRecord = eventLogReader.ReadEvent())
                {
                    //Console.WriteLine("eventRecord.ActivityId=" + eventRecord.ActivityId);
                    Console.WriteLine();
                    Console.WriteLine("--------------------------------------------------------------------------------");
                    Console.WriteLine("Event ID: " + eventRecord.Id);
                    Console.WriteLine("Logged: " + eventRecord.TimeCreated);
                    Console.WriteLine(eventRecord.FormatDescription());
                }
            }
        }
Esempio n. 24
0
 public EventLogReader(EventLogQuery eventQuery)
 {
     throw new NotImplementedException();
 }
Esempio n. 25
0
 public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
 {
     throw new NotImplementedException();
 }
Esempio n. 26
0
 public EventLogReader(EventLogQuery eventQuery)
     : this(eventQuery, null)
 {
 }
Esempio n. 27
0
        public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
        {
            if (eventQuery == null)
            {
                throw new ArgumentNullException("eventQuery");
            }

            string logfile = null;

            if (eventQuery.ThePathType == PathType.FilePath)
            {
                logfile = eventQuery.Path;
            }

            _cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, logfile, 50);

            // explicit data
            _eventQuery = eventQuery;

            // implicit
            _batchSize    = 64;
            _eventsBuffer = new IntPtr[_batchSize];

            //
            // compute the flag.
            //
            int flag = 0;

            if (_eventQuery.ThePathType == PathType.LogName)
            {
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath;
            }
            else
            {
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
            }

            if (_eventQuery.ReverseDirection)
            {
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryReverseDirection;
            }

            if (_eventQuery.TolerateQueryErrors)
            {
                flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryTolerateQueryErrors;
            }

            _handle = NativeWrapper.EvtQuery(_eventQuery.Session.Handle,
                                             _eventQuery.Path, _eventQuery.Query,
                                             flag);

            EventLogHandle bookmarkHandle = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);

            if (!bookmarkHandle.IsInvalid)
            {
                using (bookmarkHandle)
                {
                    NativeWrapper.EvtSeek(_handle, 1, bookmarkHandle, 0, UnsafeNativeMethods.EvtSeekFlags.EvtSeekRelativeToBookmark);
                }
            }
        }
Esempio n. 28
0
 public EventLogWatcher(EventLogQuery eventQuery, EventBookmark bookmark)
     : this(eventQuery, bookmark, false)
 {
 }
Esempio n. 29
0
 public EventLogWatcher(EventLogQuery eventQuery)
     : this(eventQuery, null, false)
 {
 }
Esempio n. 30
0
        public static IEnumerable<ApplicationError> GetBySite(int siteIisId, StatsRange range)
        {
            Int64 msLookback = 0;

            switch (range)
            {
                case StatsRange.LastMonth:
                    msLookback = 2592000000;
                    break;
                case StatsRange.LastWeek:
                    msLookback = 604800000;
                    break;
                case StatsRange.Last24Hours:
                    msLookback = 86400000;
                    break;
            }

            var query = string.Format(@"<QueryList>
                              <Query Id=""0"" Path=""Application"">
                                <Select Path=""Application"">*[System[Provider[@Name='ASP.NET 2.0.50727.0' or @Name='ASP.NET 4.0.30319.0'] and (Level=2 or Level=3){0}]]</Select>
                              </Query>
                            </QueryList>", (msLookback == 0) ? null : "and TimeCreated[timediff(@SystemTime) &lt;= " + msLookback + "]");

            var elq = new EventLogQuery("Application", PathType.LogName, query) { ReverseDirection = true};

            using (var elr = new EventLogReader(elq))
            {
                var events = new List<EventRecord>();
                for (var eventInstance = elr.ReadEvent(); null != eventInstance; eventInstance = elr.ReadEvent())
                {
                    if (eventInstance.Properties.Count() > 9 && eventInstance.Properties[8].Value.ToString().StartsWith("/LM/W3SVC/" + siteIisId + "/"))
                        events.Add(eventInstance);
                }
                return events.Select(ParseEntry);
            }
        }
Esempio n. 31
0
        private static bool remote_event_log_exists(string log, string remote_machine_name, string remote_domain_name, string remote_user_name, string remote_password_name) {
            try {
                SecureString pwd = new SecureString();
                foreach (char c in remote_password_name)
                    pwd.AppendChar(c);
                EventLogSession session = remote_machine_name.Trim() != ""
                    ? new EventLogSession(remote_machine_name, remote_domain_name, remote_user_name, pwd, SessionAuthentication.Default)
                    : null;
                pwd.Dispose();
                EventLogQuery query = new EventLogQuery(log, PathType.LogName);
                if (session != null)
                    query.Session = session;

                EventLogReader reader = new EventLogReader(query);
                if (reader.ReadEvent(TimeSpan.FromMilliseconds(500)) != null)
                    return true;
            } catch(Exception e) {
                logger.Error("can't login " + e.Message);
            }
            return false;
        }
Esempio n. 32
0
 private static IEnumerable<EventRecord> GetEventRecords(string logName)
 {
     var query = new EventLogQuery(logName, PathType.LogName) { ReverseDirection = true };
     using (var reader = new EventLogReader(query))
         for (var eventInstance = reader.ReadEvent(); eventInstance != null; eventInstance = reader.ReadEvent())
             yield return eventInstance;
 }
Esempio n. 33
0
 public EventLogWatcher(EventLogQuery eventQuery, EventBookmark bookmark, bool readExistingEvents)
 {
     throw new NotImplementedException();
 }
Esempio n. 34
0
        private List<EventSummary> GetEvents(string query)
        {
            int numberOfEvents = 0;
            List<EventSummary> eventSummaries = new List<EventSummary>(100);
            EventSummary eventSummary;
            
            EventLogQuery logQuery = new EventLogQuery(eventFilters.log.ToString(), PathType.LogName, query);
            logQuery.Session = new EventLogSession(eventFilters.MachineName);
            EventLogReader logReader = new EventLogReader(logQuery);

            if (eventFilters.maxRecords < 100)
            {
                eventFilters.maxRecords = 100;
            }
            // For each event returned from the query
            for (EventRecord eventInstance = logReader.ReadEvent();
                    eventInstance != null;
                    eventInstance = logReader.ReadEvent())
            {

                try
                {
                    // Cast the EventRecord into an EventLogRecord to retrieve property values.

                    eventSummary = new EventSummary();
                    eventSummary.EventID = eventInstance.Id;
                    eventSummary.EventRecordID = eventInstance.RecordId;
                    eventSummary.Description = eventInstance.FormatDescription();
                    eventSummary.LevelDisplayName = ((LogLevel)eventInstance.Level).ToString();
                    eventSummary.LogLevel = eventInstance.Level;
                    eventSummary.ProviderName = eventInstance.ProviderName;
                    eventSummary.TimeCreated = eventInstance.TimeCreated;

                    eventSummaries.Add(eventSummary);
                    if (++numberOfEvents == eventFilters.maxRecords)
                    {
                        break;
                    }

                }
                catch (Exception e)
                {
                    Debug.Print("Couldn't render event!");
                    Debug.Print(string.Format("Exception: Event {0} may not have an XML representation \n\n", ++numberOfEvents));
                    Debug.Print(e.Message);
                }


            }
            return eventSummaries;
        }
Esempio n. 35
0
 public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
 {
     Contract.Requires(eventQuery.Session != null);
 }
Esempio n. 36
0
 public EventLogReader(EventLogQuery eventQuery)
 {
     Contract.Requires(eventQuery.Session != null);
 }
Esempio n. 37
0
 public EventLogWatcher(EventLogQuery eventQuery, EventBookmark bookmark)
     : this(eventQuery, bookmark, false) {
 }
Esempio n. 38
0
 public EventLogWatcher(EventLogQuery eventQuery)
     : this(eventQuery, null, false) {
 }
Esempio n. 39
0
 public EventLogWatcher(EventLogQuery eventQuery !!, EventBookmark bookmark, bool readExistingEvents)
Esempio n. 40
-1
        public void QueryExternalFile()
        {
            string queryString = "*[System/Level=2]"; // XPATH Query
            string eventLogLocation = @"C:\MyEvents.evtx";

            EventLogQuery eventsQuery = new EventLogQuery(eventLogLocation, PathType.FilePath, queryString);

            try
            {
                EventLogReader logReader = new EventLogReader(eventsQuery);

                // Display event info
                DisplayEventAndLogInformation(logReader);
            }
            catch (EventLogNotFoundException e)
            {
                Console.WriteLine("Could not find the external log to query! " + e.Message);
                return;
            }
        }