event-log

c# Read real time from windows event log

旧时模样 submitted on 2020-01-30 09:08:05
Question: I can successfully read events from event log. But polling all events has very bad performance. I wonder if there is an event or something that I can subscribe to catch log entries "as they happen"? Is this possible? EventLog log = new EventLog("Security"); var entries = log.Entries.Cast<EventLogEntry>().Where(x => x.InstanceId == 4624).Select(x => new { x.MachineName, x.Site, x.Source, x.UserName, x.Message }).ToList(); Console.WriteLine(entries[0].UserName); Answer 1: You can use EventLogWatcher

Checking Event Log writing Permissions without writing an entry

老子叫甜甜 submitted on 2020-01-25 02:51:09
Question: I need to check if a user has write permissions for the event log. My solution right now is to write a test message in the log and delete it afterwards (so that the log does not get messed up, as the check for permissions is called often (every 3-5 Mins.) by some 'Healthcheck'-service: const string log = "MyApplicationLog"; const string source = "PermissionCheck"; EventLog evLog; try { if (!EventLog.SourceExists(source)) { EventLog.CreateEventSource(source, log); } evLog = new EventLog();

C# Events at same time ignored

放肆的年华 submitted on 2020-01-16 18:31:42
Question: I am currently running into a problem with an eventlog monitor I created a while ago. My application subscribes to the EntryWritten events of the EventLog. I noticed that if multiple events occur at the same time (within the same second), only one of them raises the event which triggers my eventhandler. _eventLog = new System.Diagnostics.EventLog(_logName); _eventLog.EntryWritten += new EntryWrittenEventHandler(eventlog_EntryWritten); _eventLog.EnableRaisingEvents = true; Is it possible to

Powershell Scheduled Tasks conflicts?

两盒软妹~` submitted on 2020-01-15 05:43:45
Question: I have scheduled two PowerShell scripts as tasks to run at 00:00. This morning I checked the event log and found that one of the scripts failed with the following exception: Failure. The error was: 'Failed to create log entry in: ‘C:\Users\SPSETU~1\AppData\Local\Temp\PowerShellLog.txt’. The error was: ‘The process cannot access the file 'C:\Users\SPsetupAdmin\AppData\Local\Temp\PowerShellLog.txt' because it is being used by another process.’.'. Can the problem be related to logs? Both the

EvtArchiveExportedLog fails with ERROR_DIRECTORY

拜拜、爱过 submitted on 2020-01-14 11:17:26
Question: I need to export some events from Windows Event Log to XML on Windows Server 2008 R2. To achieve it I export these events to a file using EvtExportLog and then try to use EvtArchiveExportedLog to get localized descriptions for events. Here's the sample: EvtExportLog( 0, 0, query, logFileName, EvtExportLogChannelPath ); EvtArchiveExportedLog( 0, logFileName, 0, 0 ); EvtExportLog function succeeds and creates .evtx file but EvtArchiveExportedLog constantly fails with ERROR_DIRECTORY error code.

PowerShell event log xml xpath select not working

安稳与你 submitted on 2020-01-13 19:35:30
Question: Would anyone be able to tell me why the selects below don't work? I don't get errors. They just return nothing. The xml below is the actual event log item converted to xml. I only changed a few values to ensure no private info would be in this post. $Str represents output from a single event log item, i.e. $event.ToXml(). $str = @" <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994

EventLogReader and EventRecord: Where's the Message?

青春壹個敷衍的年華 submitted on 2020-01-12 14:01:28
Question: I want to query the Application Event Log on a remote machine and I resorted to using the EventLogReader rather than the EventLog because it takes way too long to find the events I need with the EventLog. However, even though it finds the events much faster with the EventLogReader, I can't figure out where the heck the info I need is on this object... especially the message. public static void Load() { string query = "*[System/Provider/@Name=\"SQLSERVERAGENT\"]"; EventLogQuery elq = new

EventLog Auditing AD Get User IP

纵饮孤独 submitted on 2020-01-07 02:50:25
Question: Which auditing settings should be enabled in order to see AD logged in user's IP address? Answer 1: On any Domain Server, in the event log, you can find the information you ask for. Here is the extraction of a user login Event "4624" and logout Event "4634"; you can make a relation between the events by the data named TargetLogonId. The IP address is in data named IpAddress. <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security