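/// <summary>
/// Runs <paramref name="queryString"/> against the
/// "Microsoft-Windows-Windows Defender/Operational" log and returns the parsed detail of the
/// last record the reader yields.
/// </summary>
/// <param name="queryString">XPath filter applied to the Defender operational log.</param>
/// <returns>
/// The result of <c>ParseData</c> for the last record read; <c>ParseData</c> receives
/// <c>null</c> when the query matched nothing.
/// </returns>
/// <exception cref="EventLogException">Propagated from the reader when the log cannot be opened or read.</exception>
WindowsDefenderDetail GetDetail(string queryString)
{
    var query = new EventLogQuery("Microsoft-Windows-Windows Defender/Operational", PathType.LogName, queryString);
    using (var reader = new EventLogReader(query))
    {
        EventRecord last = null;
        try
        {
            // Walk to the final record. Each record that is superseded is disposed right away;
            // the previous version kept only the last one and leaked every intermediate handle.
            EventRecord next;
            while ((next = reader.ReadEvent()) != null)
            {
                if (last != null)
                {
                    last.Dispose();
                }
                last = next;
            }
            return ParseData(last);
        }
        finally
        {
            if (last != null)
            {
                last.Dispose();
            }
        }
    }
}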
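/// <summary>
/// When the second tab is selected and the grid is still empty, fills <c>dataGridView1</c>
/// with the Raccine events from the Application log created within the last day.
/// </summary>
/// <param name="sender">The tab control raising the event (unused).</param>
/// <param name="e">Selection details (unused; the selected index is read from the control).</param>
private void tabControl1_Selected(object sender, TabControlEventArgs e)
{
    if (tabControl1.SelectedIndex != 1 || dataGridView1.Rows.Count != 0)
    {
        return;
    }

    Cursor.Current = Cursors.WaitCursor;
    try
    {
        EventLogQuery elQuery = new EventLogQuery("Application", PathType.LogName, "*[System/Provider/@Name=\"Raccine\"]");
        elQuery.ReverseDirection = true; // newest first, so the first record outside the window ends the scan

        List<EventRecord> eventList = new List<EventRecord>();
        try
        {
            using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
            {
                // Every record the reader returns is examined, including the first one
                // (the previous version overwrote it before looking at it).
                EventRecord eventInstance;
                while ((eventInstance = elReader.ReadEvent()) != null)
                {
                    if (eventInstance.TimeCreated == null)
                    {
                        // No timestamp: skip the record without ending the scan.
                        eventInstance.Dispose();
                        continue;
                    }

                    // Age is "now minus created"; the reversed subtraction is negative for
                    // every past event and never exceeded the one-day window.
                    TimeSpan age = DateTime.Now - (DateTime)eventInstance.TimeCreated;
                    if (age.TotalDays >= 1)
                    {
                        eventInstance.Dispose();
                        break;
                    }
                    eventList.Add(eventInstance);
                }

                dataGridView1.Columns.Add("TimeCreated", "TimeCreated");
                dataGridView1.Columns.Add("EventData", "EventData");
                foreach (EventRecord evt in eventList)
                {
                    int rowId = dataGridView1.Rows.Add();
                    DataGridViewRow row = dataGridView1.Rows[rowId];
                    row.Cells["TimeCreated"].Value = evt.TimeCreated;
                    row.Cells["EventData"].Value = evt.FormatDescription();
                }
            }
        }
        finally
        {
            // The grid holds copies of the values; the native record handles are released here.
            foreach (EventRecord evt in eventList)
            {
                evt.Dispose();
            }
        }
    }
    finally
    {
        // Restore the cursor even when reading the log throws.
        Cursor.Current = Cursors.Default;
    }
}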
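/// <summary>
/// Diagnostic helper: prints up to <c>MaxEvents</c> records from the Application log, newest
/// first, optionally filtered by a literal or regular-expression search over the formatted message.
/// All parameters are hard-coded locals, so the method takes no arguments.
/// </summary>
private static void TestEventRead()
{
    string LogName = "Application", SearchString = null, XPathQuery = null;
    int MaxEvents = 100;
    bool SearchUseRegExp = false;

    using (EventLogSession eventLogSession = new EventLogSession())
    {
        EventLogQuery eventLogQuery = string.IsNullOrWhiteSpace(XPathQuery)
            ? new EventLogQuery(LogName, PathType.LogName) { Session = eventLogSession, TolerateQueryErrors = true, ReverseDirection = true }
            : new EventLogQuery(LogName, PathType.LogName, XPathQuery) { Session = eventLogSession, TolerateQueryErrors = true, ReverseDirection = true };

        // Build the filter once instead of re-escaping per record; a literal search is escaped
        // so it is never interpreted as a pattern.
        string pattern = string.IsNullOrWhiteSpace(SearchString)
            ? null
            : (SearchUseRegExp ? SearchString : Regex.Escape(SearchString));

        int eventReadCounter = MaxEvents;
        using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
        {
            // With ReverseDirection set, Begin is the newest record.
            eventLogReader.Seek(System.IO.SeekOrigin.Begin, 0);
            while (eventReadCounter > 0)
            {
                EventRecord eventData = eventLogReader.ReadEvent();
                if (eventData == null)
                {
                    break;
                }

                // Dispose in finally so a failing FormatDescription() cannot leak the record.
                using (eventData)
                {
                    // FormatDescription() returns null when the provider's message resources are
                    // unavailable; Regex.IsMatch would throw on a null input.
                    string description = eventData.FormatDescription() ?? "";
                    if (pattern == null)
                    {
                        Console.WriteLine($"{eventData.TimeCreated}: {description}, {eventData.KeywordsDisplayNames}");
                        eventReadCounter--;
                    }
                    else if (Regex.IsMatch(description, pattern, RegexOptions.IgnoreCase))
                    {
                        Console.WriteLine($"{eventData.TimeCreated}: {description}");
                        eventReadCounter--;
                    }
                }
            }
        }
    }
}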
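/// <summary>
/// Searches the Security log of every domain controller in the current domain for logon
/// events (4624) matching a user name, domain name or source IP address given on the command line.
/// </summary>
/// <param name="args">
/// <c>args[0]</c> is an <c>Options</c> member name (username, domain, ip) selecting the filter;
/// <c>args[1]</c> is the value substituted into that filter. Usage is printed when either is missing or invalid.
/// </param>
static void Main(string[] args)
{
    string[] queryString = new string[]
    {
        "*[System[(EventID=4624)] and EventData[Data[@Name=\"TargetUserName\"]=\"{0}\"]]",
        "*[System[(EventID=4624)] and EventData[Data[@Name=\"TargetDomainName\"]=\"{0}\"]]",
        "*[EventData[Data[@Name=\"IpAddress\"] and(Data=\"{0}\")]]"
    };

    // Check the argument count before indexing: the previous version read args[1] first and
    // failed with IndexOutOfRangeException instead of printing usage.
    if (args == null || args.Length < 2 || !Enum.IsDefined(typeof(Options), args[0]))
    {
        Console.WriteLine("Invalid Option: username, domain, ip");
        return;
    }

    string search = args[1];
    // The value is spliced into an XPath string literal delimited by double quotes, and XPath 1.0
    // has no escape sequence inside such a literal; a quote would change the query's structure.
    if (search.IndexOf('"') >= 0)
    {
        Console.WriteLine("Invalid search value: double quotes are not allowed");
        return;
    }

    Console.WriteLine("Searching for '{0}'", search);
    int index = (int)Enum.Parse(typeof(Options), args[0]);
    string query = String.Format(queryString[index], search);
    Console.WriteLine("Querying: {0}", query);

    foreach (DomainController target in Domain.GetCurrentDomain().DomainControllers)
    {
        try
        {
            Console.WriteLine("Parsing {0} ({1}) logs", target.IPAddress, target.Name);
            // Session and reader each hold a handle to the remote log; release them per controller
            // (the previous version never disposed either).
            using (EventLogSession els = new EventLogSession(target.Name))
            {
                EventLogQuery logQuery = new EventLogQuery("Security", PathType.LogName, query);
                logQuery.Session = els;
                using (EventLogReader elr = new EventLogReader(logQuery))
                {
                    EventRecord er;
                    while ((er = elr.ReadEvent()) != null)
                    {
                        using (er)
                        {
                            Console.WriteLine(er.FormatDescription() + "\r\n-----------------------------------\r\n");
                        }
                    }
                }
            }
        }
        catch (Exception e)
        {
            // One unreachable or unreadable controller must not stop the scan of the others.
            Console.WriteLine("Error: {0}", e.Message);
        }
    }
}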
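/// <summary>
/// Reads the newest Raccine event from the Application log and, when it is recent and newer than
/// the last event already alerted on, shows it in a modal <c>frmAlert</c> dialog.
/// </summary>
public static void DoWork()
{
    EventLogQuery elQuery = new EventLogQuery("Application", PathType.LogName, "*[System/Provider/@Name=\"Raccine\"]");
    elQuery.ReverseDirection = true; // newest record first

    using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
    {
        EventRecord eventInstance = null;
        try
        {
            eventInstance = elReader.ReadEvent();
            if (eventInstance == null || eventInstance.TimeCreated == null)
            {
                return;
            }

            DateTime created = (DateTime)eventInstance.TimeCreated;
            // Age must be "now minus created"; the reversed subtraction is negative for every past
            // event, so the two-day recency check never excluded anything.
            if ((DateTime.Now - created).TotalDays >= 2)
            {
                return;
            }

            // Alert only on an event newer than the last one shown, which is what the original
            // comment ("don't show it again, wait for a new one") describes; the earlier comparison
            // was the other way round. NOTE(review): the update of lastEventTimeGenerated below is
            // still commented out, so until it is set the alert repeats on every poll — confirm.
            var lastSeen = WatcherThread.lastEventTimeGenerated;
            bool alreadyShown = lastSeen != null && created <= (DateTime)lastSeen;
            if (!alreadyShown)
            {
                frmAlert frmAlertInstance = new frmAlert(eventInstance);
                //WatcherThread.lastEventTimeGenerated = eventInstance.TimeCreated;
                frmAlertInstance.ShowDialog();
            }
        }
        finally
        {
            // ShowDialog is modal, so the record is still alive while the dialog reads it.
            if (eventInstance != null)
            {
                eventInstance.Dispose();
            }
        }
    }
}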
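/// <summary>
/// Exports every event log file found under <c>virtualPath</c> to <c>Events.xml</c> in the working
/// directory: one <c>&lt;EventLog&gt;</c> element per file, each record as the raw event XML.
/// An access-denied error aborts the export of further files; a per-file
/// <see cref="EventLogException"/> is reported and the next file is tried.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    var dirInfo = new DirectoryInfo(virtualPath);
    var fileList = dirInfo.GetFiles();

    // Disposing the writer flushes it and closes the stream; the previous version only
    // closed the stream and relied on explicit Flush() calls.
    using (FileStream outputStream = new FileStream("Events.xml", FileMode.Create, FileAccess.ReadWrite))
    using (StreamWriter outputWriter = new StreamWriter(outputStream))
    {
        outputWriter.WriteLine("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
        outputWriter.WriteLine("<Logs>");

        foreach (var logFile in fileList)
        {
            // Created before the try so the finally below cannot dereference null when the
            // query or reader constructor throws (the previous version did exactly that).
            List<string> xmlRecords = new List<string>();
            try
            {
                EventLogQuery logQuery = new EventLogQuery(string.Format("{0}{1}", actualPath, logFile.Name), PathType.FilePath, queryString);
                using (EventLogReader logReader = new EventLogReader(logQuery))
                {
                    EventRecord logRecord;
                    while ((logRecord = logReader.ReadEvent()) != null)
                    {
                        // Release every record, not just the one the loop happened to end on.
                        using (logRecord)
                        {
                            xmlRecords.Add(logRecord.ToXml());
                        }
                    }
                }
            }
            catch (UnauthorizedAccessException ex)
            {
                WriteErrorHeader(ex);
                Console.WriteLine();
                Console.ForegroundColor = ConsoleColor.White;
                Console.WriteLine("This program requires administrative rights in order to function.");
                Console.WriteLine("Please right click on the executable and select Run as Administrator.");
                Console.ForegroundColor = ConsoleColor.Gray;
                // No other file will open without rights either; the finally still writes what was read.
                break;
            }
            catch (EventLogException ex)
            {
                WriteErrorHeader(ex);
                Console.ForegroundColor = ConsoleColor.Gray;
            }
            finally
            {
                if (xmlRecords.Count > 0)
                {
                    // "%4" is the on-disk encoding of "/" in channel names.
                    string logName = logFile.Name.Replace(logFile.Extension, string.Empty).Replace("%4", "/");
                    // Escape the attribute value so a file name containing & or " cannot break the document.
                    outputWriter.WriteLine("\t<EventLog LogName=\"{0}\">", System.Security.SecurityElement.Escape(logName));
                    foreach (string record in xmlRecords)
                    {
                        outputWriter.WriteLine("\t\t{0}", record);
                    }
                    outputWriter.WriteLine("\t</EventLog>");
                    outputWriter.Flush();
                }
            }
        }

        outputWriter.WriteLine("</Logs>");
    }

    Console.ForegroundColor = ConsoleColor.Yellow;
    Console.WriteLine("This program has created a file called Events.xml, located within the same folder you ran this program from.");
    Console.WriteLine("You'll need to send me the xml file.");
    Console.WriteLine();
    Console.ForegroundColor = ConsoleColor.Gray;
    Console.Write("Press any key to exit.");
    Console.Read();
}

/// <summary>
/// Prints the exception type in dark red followed by ": message" in red; the caller resets the colour.
/// </summary>
/// <param name="ex">The exception to report.</param>
private static void WriteErrorHeader(Exception ex)
{
    Console.ForegroundColor = ConsoleColor.DarkRed;
    Console.Write(ex.GetType());
    Console.ForegroundColor = ConsoleColor.Red;
    Console.WriteLine(": {0}", ex.Message);
}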
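/// <summary>
/// Reads up to <c>MaxEvents</c> matching records from the local <c>LogName</c> log, newest first,
/// examining at most <c>MaxSearchEvents</c> records, and wraps them in one <see cref="EventListDataItem"/>.
/// Any failure is reported through <c>ModuleErrorSignalReceiver</c> and returned as an empty list
/// carrying the exception's HResult rather than thrown.
/// </summary>
/// <param name="inputDataItems">Unused; the query is driven entirely by the module's properties.</param>
/// <returns>A one-element array holding the event list (possibly empty) and its error status.</returns>
protected override EventListDataItem[] GetOutputData(DataItemBase[] inputDataItems)
{
    try
    {
        using (EventLogSession eventLogSession = new EventLogSession())
        {
            EventLogQuery eventLogQuery = string.IsNullOrWhiteSpace(XPathQuery)
                ? new EventLogQuery(LogName, PathType.LogName) { Session = eventLogSession, TolerateQueryErrors = true, ReverseDirection = true }
                : new EventLogQuery(LogName, PathType.LogName, XPathQuery) { Session = eventLogSession, TolerateQueryErrors = true, ReverseDirection = true };

            // Build the message filter once rather than re-escaping per record. A literal search is
            // escaped so it is never interpreted as a pattern; a configured regex is used as-is and
            // runs without a match timeout.
            string pattern = string.IsNullOrWhiteSpace(SearchString)
                ? null
                : (SearchUseRegExp ? SearchString : Regex.Escape(SearchString));

            int returnedEventsCounter = MaxEvents;
            int searchedEventsCounter = MaxSearchEvents;
            List<EventInfo> eventList = new List<EventInfo>(MaxEvents);

            using (EventLogReader eventLogReader = new EventLogReader(eventLogQuery))
            {
                // ReverseDirection swaps Begin and End for Seek, so Begin is the newest record.
                eventLogReader.Seek(System.IO.SeekOrigin.Begin, 0);
                while (returnedEventsCounter > 0 && searchedEventsCounter > 0)
                {
                    EventRecord eventData = eventLogReader.ReadEvent();
                    searchedEventsCounter--;
                    if (eventData == null)
                    {
                        break;
                    }

                    // Dispose in finally so a failing FormatDescription() or CreateEventInfo()
                    // cannot leak the record (the previous version disposed only on the happy path).
                    using (eventData)
                    {
                        // FormatDescription() returns null when the provider's message table is unavailable.
                        if (pattern == null || Regex.IsMatch(eventData.FormatDescription() ?? "", pattern, RegexOptions.IgnoreCase))
                        {
                            eventList.Add(CreateEventInfo(eventData));
                            returnedEventsCounter--;
                        }
                    }
                }
            }

            return new EventListDataItem[] { new EventListDataItem(new EventList { Events = eventList, ErrorCode = 0, ErrorMessage = "" }) };
        }
    }
    catch (Exception e)
    {
        // Same text for the signal and the returned item; a null LogName renders as "NULL" in both.
        string message = $"Failed to query local {LogName ?? "NULL"} event log using {XPathQuery ?? "NULL"} XPath query: {e.Message}";
        ModuleErrorSignalReceiver(ModuleErrorSeverity.DataLoss, ModuleErrorCriticality.Continue, e, message);
        return new EventListDataItem[]
        {
            new EventListDataItem(new EventList { Events = new List<EventInfo>(), ErrorCode = e.HResult, ErrorMessage = message })
        };
    }
}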