
我想用 C# 以下面的程式碼，查詢事件日誌中屬於一大組 EventId 的事件：

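// Event IDs of interest: account-management and directory-service-access audit events.
List<string> eventIds = new List<string>() { 

      "4741", "4742", "4743", "4739", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4754", "4755", 
      "4756", "4757", "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4740", "4765", "4766", "4767", "4780", "4781", 

      "4934", "5136", "5137", "5138", "5139", "5141" 
     };    

     // Incremental read: only records newer than the last processed EventRecordID.
     // NOTE(review): maxEventRecordId is spliced into the XPath text verbatim; it must be a
     // numeric watermark owned by this code, never a string taken from outside the process.
     // The event-log XPath subset also limits how many clauses one query may contain, so a
     // list this long may be rejected by the provider; if so, split eventIds into a few
     // smaller OR-groups and run one query per group.
     var queryString = string.Format(@"*[System[EventRecordID > {0}]] and *[System[({1})]] ", 
      maxEventRecordId, 
      string.Join(" or ", eventIds.Select(x => string.Format("EventID={0}", x)))); 

    var elQuery = new EventLogQuery(LogSource, PathType.LogName, queryString); 

    List<EventRecord> eventList = new List<EventRecord>(); 
    // EventLogReader wraps a native handle; release it once every record has been read.
    // The EventRecord objects stay alive in eventList (they also wrap native handles), so
    // whoever consumes eventList is responsible for disposing them.
    using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery)) 
    { 
     for (EventRecord eventInstance = elReader.ReadEvent(); 
      eventInstance != null; eventInstance = elReader.ReadEvent()) 
     { 
      //Access event properties here: 
      //eventInstance.LogName; 
      //eventInstance.ProviderName; 
      eventList.Add(eventInstance); 
     } 
    } 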

當我限制查詢字串中 EventId 的數量時，查詢 Windows 事件日誌可以正常得到結果；但用這一大組 EventId 查詢時，就會收到查詢錯誤的例外。有沒有其他方法可以把一大組事件 ID 傳給事件日誌查詢？請幫助。

回答


我找到了替代方案：不在查詢中列出大量事件 ID，而是在查詢中排除不需要的事件 ID 並取回其餘所有資料，然後在 .NET 中迭代結果，只收集需要的資訊。

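// Event IDs that are noise for this collector and are filtered out server-side.
List<string> excludeEventIds = new List<string>() { 
        /*Skip - Audit Logon Events*/ 
        "4634", "4647", "4624", "4625", "4648", "4675", "4649", "4778", "4779", "4800", "4801", "4802", "4803", "5378", "5632", "5633", 
        /*Skip few - Audit direcory service access*/ 
        "4935","4936","4932","4933" 
       }; 


       // The exclusion clauses must be joined with "and": "EventID !=A or EventID !=B" is true
       // for every record (no event has two IDs), so joining with "or" excludes nothing and
       // the query returns the whole log after the watermark.
       // NOTE(review): maxEventRecordId is spliced into the XPath text verbatim; keep it a
       // numeric watermark owned by this code, not a string taken from outside the process.
       var queryString = string.Format(@"*[System[EventRecordID > {0}]] and *[System[({1})]] ", 
        maxEventRecordId, 
        string.Join(" and ", excludeEventIds.Select(x => string.Format("EventID !={0}", x)))); 

    EventLogQuery query = new EventLogQuery("Security", PathType.LogName, queryString); 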

在讀取資料時，我們只挑出需要的事件 ID 並加以處理。

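// Event IDs to keep; everything else returned by the query is skipped client-side.
List<string> eventIds = new List<string>() { 
       /*Audit account management*/ 
       "4741", "4742", "4743", "4739", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4754", "4755", 
       "4756", "4757", "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4740", "4765", "4766", "4767", "4780", "4781", 
       /*Audit directory service access*/ 
       "4934", "5136", "5137", "5138", "5139", "5141" 
      }; 

// Build the lookup once: the original re-materialised the list with ToArray() and did a
// linear Contains on every record, which is wasted work on a busy Security log.
var wantedIds = new HashSet<string>(eventIds, StringComparer.Ordinal); 

for (EventRecord eventInstance = logReader.ReadEvent(); 
       eventInstance != null; eventInstance = logReader.ReadEvent()) 
      { 
       // Each EventRecord wraps a native handle; release it as soon as this iteration is done.
       // If the processing below keeps the record beyond the loop, drop this using and
       // dispose the retained records where they are finally consumed.
       using (eventInstance) 
       { 
        if (!wantedIds.Contains(eventInstance.Id.ToString())) continue; 
        //Process our actual data here 
       } 
} 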

希望這會幫助別人。