I am getting the information from the event log in windows with this:
private void button1_Click(object sender, EventArgs e)
{
EventLog eventLog;
eventLog = new EventLog();
eventLog.Log = "Security";;
eventLog.Source = "Security-Auditing";
eventLog.MachineName = "SERVER";
var count = 0;
foreach (EventLogEntry log in eventLog.Entries.Cast<EventLogEntry>().Where(log => log.InstanceId == 4625))
{
Console.Write("eventLogEntry.Index: {0}{1}", log.Index, Environment.NewLine);
SaveRecord(log);
count++;
}
}
I am trying to capture all of the invalid logins to my server and then add an entry after x amount of times of invalid attempts.
I am looping through the event log and getting the information without issue but how do I know what the last record that I stopped reading at? When the log gets more information, I need to restart reading again but I need a starting point.
I was thinking I could use the Index on the EventLogEntry but I cannot find any information on it. The ones I have on my machine as 6 digit numbers.
How reliable is that? Should I be going off something else? Should I clear that log after I read it instead?
Thanks for your input!
======= WHAT I DID ========
With Apokal's help, here is what I did:
/// <summary>
/// Returns all events in the windows event log that match the passed in criteria.
/// If nothing is passed in then it will return all events where the a user attemtped
/// to log into the the machine and gave an invalid username or password.
/// </summary>
/// <param name="eventLogMachineName">The machine where the event log is at.</param>
/// <param name="cutoffdatetime">Date and time of the cut off for the list.</param>
/// <param name="eventLogName">'Log Name' in the event log. This is the folder that the events reside in.</param>
/// <param name="eventLogSource">Event log 'Source'.</param>
/// <param name="instanceId">Filters to a specific 'Event Id' in the event log.</param>
/// <returns></returns>
public static IEnumerable<EventLogEntry> GetEventLogs(string eventLogMachineName,
DateTime cutoffdatetime,
string eventLogName = "Security",
string eventLogSource = "Security-Auditing",
int instanceId = 4625)
{
var eventLog = new EventLog {Log = eventLogName, Source = eventLogSource, MachineName = eventLogMachineName};
return from EventLogEntry log in eventLog.Entries
where log.InstanceId == instanceId &&
log.TimeGenerated > cutoffdatetime
select log;
}
And I call it like this:
private void button1_Click(object sender, EventArgs e)
{
var lastcheckdatetime = Properties.Settings.Default.LastCheckDate;
if (lastcheckdatetime < (DateTime.Now.AddDays(-30)))
{
lastcheckdatetime = DateTime.Now.AddDays(-7);
}
var log = EventLogClass.GetEventLogs("TGSERVER", lastcheckdatetime);
Properties.Settings.Default.LastCheckDate = DateTime.Now;
Properties.Settings.Default.Save();
var count = 0;
foreach (EventLogEntry l in log)
{
Console.WriteLine("---------------------");
Console.Write("eventLogEntry.Index: {0}{1}", l.Index, Environment.NewLine);
Console.Write("eventLogEntry.TimeGenerated: {0}{1}", l.TimeGenerated, Environment.NewLine);
count++;
}
}
From me experience and little research
Index
property shows the index of event that was written beginning from the creation of event log.But there are several things that you missed.
First, you have to remember that event logs have limited size. For example, imagine "Security" log can hold only 1000 entries (the actual size in mb shown in eventlog properties, if you look in eventvwr.msc). So when, event log is full there are 3 ways:
So, one could set eventlog to be archived and remember the last index of event. Then when reading again eventlog, first get the oldest recored of current event log file:
Then compare
oldestIndex
with yourslastReadedIndex
and iflastReadedIndex < oldestIndex
you first have to read archives, and only than read the current event log file.All archives are stored by default in the same directory where the current event log file exists (.evtx). Archives can be easily readed by using EventLogReader class. Try to look at EventRecord and it's
RecordId
property, I think it's the same asIndex
property of theEventLogEntry
class (can't check at the moment).Another approach is to remember the time, when event was written, and use it as starting point for searching new events, in case
Index
andRecordId
wouldn't help.Good luck!