如何從Java訪問Windows事件查看器日誌數據

Question

有什麼方法可以從java類訪問Windows事件日誌。有沒有人爲此編寫過任何API，並且有沒有辦法從遠程機器訪問數據？

的情況是：

我在遠程機器上運行的過程，從控制Java進程。 這個遠程進程記錄東西到事件日誌，我想在控制過程中看到。

在此先感謝。

Answer 1

在Java方面，您需要一個允許您進行本地調用的庫。 Sun提供JNI，但聽起來有點痛苦。還認爲：

• https://github.com/twall/jna/
• http://johannburkard.de/software/nativecall/
• http://www.jinvoke.com/

在Windows端，功能你就是OpenEventLog後。這應該允許您訪問遠程事件日誌。另見Querying for Event Information。

如果沒有健全的權利，我也發現了這個直接解析日誌文件（沒有辦法，我建議，但有趣的仍然）：

• http://msdn.microsoft.com/en-us/library/bb309026.aspx
• http://objectmix.com/java/75154-regarding-windows-event-log-file-parser-java.html

Answer 2

如果您想要從遠程計算機訪問真正的事件日誌，您必須找到一個實現EventLog Remoting Protocol Specification的庫。不幸的是，我還沒有在Java中找到任何這樣的庫。然而，JCIFS和JARAPAC項目已經奠定了實施該協議的大部分基礎。協議本身（如果我沒有弄錯的話）運行在DCE/RPC協議之上（由JARAPAC實現），它本身在SMB協議之上運行（由JCIFS實現）。

我已經使用JCIFS和JARAPAC來實現一些EventLog的表親協議，例如遠程註冊表訪問。我可能是盲目的，但是關於JARAPAC文檔似乎有點缺乏。如果你有興趣實施這個，我可以與你分享我在空閒時間學到的知識！

後來！

Answer 3

http://www.j-interop.org/是實現DCOM協議規範，而無需使用任何本地代碼一個開放源代碼的Java庫。 （即，您可以使用它從非Windows客戶端上運行的Java代碼訪問遠程Windows主機上的DCOM對象）。

Microsoft通過Windows Management Instrumentation（WMI）公開了大量的系統信息。 WMI可以通過DCOM遠程訪問，並且微軟網站上還有相關的主題文檔。碰巧，您可以通過這個可遠程訪問的界面訪問Windows Event Logs。

通過使用j-interop，您可以遠程創建WbemScripting.SWbemLocator WMI對象的實例，然後連接到遠程Windows主機上的Windows Management Instrumentation（WMI）服務。從那裏你可以提交一個query，每當寫入新的事件日誌條目時都會通知你。

請注意，這確實需要您在遠程Windows主機上正確啓用和配置DCOM，並且已在任何防火牆中設置了適當的例外。有關這方面的詳細信息可以在線搜索，也可以從上面的j-interop網站中查閱。

以下示例使用其NT域，主機名，用戶名和密碼連接到遠程主機，並且位於一個循環中，並在每個事件日誌條目按照由Windows記錄的方式進行轉儲時進行轉儲。用戶必須已被授予適當的遠程DCOM訪問權限，但不必是管理員。

import java.io.IOException; 
import java.util.logging.Level; 

import org.jinterop.dcom.common.JIException; 
import org.jinterop.dcom.common.JISystem; 
import org.jinterop.dcom.core.JIComServer; 
import org.jinterop.dcom.core.JIProgId; 
import org.jinterop.dcom.core.JISession; 
import org.jinterop.dcom.core.JIString; 
import org.jinterop.dcom.core.JIVariant; 
import org.jinterop.dcom.impls.JIObjectFactory; 
import org.jinterop.dcom.impls.automation.IJIDispatch; 

public class EventLogListener 
{ 

    private static final String WMI_DEFAULT_NAMESPACE = "ROOT\\CIMV2"; 


    private static JISession configAndConnectDCom(String domain, String user, String pass) throws Exception 
    { 
     JISystem.getLogger().setLevel(Level.OFF); 

     try 
     { 
      JISystem.setInBuiltLogHandler(false); 
     } 
     catch (IOException ignored) 
     { 
      ; 
     } 

     JISystem.setAutoRegisteration(true); 

     JISession dcomSession = JISession.createSession(domain, user, pass); 
     dcomSession.useSessionSecurity(true); 
     return dcomSession; 
    } 


    private static IJIDispatch getWmiLocator(String host, JISession dcomSession) throws Exception 
    { 
     JIComServer wbemLocatorComObj = new JIComServer(JIProgId.valueOf("WbemScripting.SWbemLocator"), host, dcomSession); 
     return (IJIDispatch) JIObjectFactory.narrowObject(wbemLocatorComObj.createInstance().queryInterface(IJIDispatch.IID)); 
    } 


    private static IJIDispatch toIDispatch(JIVariant comObjectAsVariant) throws JIException 
    { 
     return (IJIDispatch) JIObjectFactory.narrowObject(comObjectAsVariant.getObjectAsComObject()); 
    } 


    public static void main(String[] args) 
    { 

     if (args.length != 4) 
     { 
      System.out.println("Usage: " + EventLogListener.class.getSimpleName() + " domain host username password"); 
      return; 
     } 

     String domain = args[ 0 ]; 
     String host = args[ 1 ]; 
     String user = args[ 2 ]; 
     String pass = args[ 3 ]; 

     JISession dcomSession = null; 

     try 
     { 
      // Connect to DCOM on the remote system, and create an instance of the WbemScripting.SWbemLocator object to talk to WMI. 
      dcomSession = configAndConnectDCom(domain, user, pass); 
      IJIDispatch wbemLocator = getWmiLocator(host, dcomSession); 

      // Invoke the "ConnectServer" method on the SWbemLocator object via it's IDispatch COM pointer. We will connect to 
      // the default ROOT\CIMV2 namespace. This will result in us having a reference to a "SWbemServices" object. 
      JIVariant results[] = 
        wbemLocator.callMethodA("ConnectServer", new Object[] { new JIString(host), new JIString(WMI_DEFAULT_NAMESPACE), 
          JIVariant.OPTIONAL_PARAM(), JIVariant.OPTIONAL_PARAM(), JIVariant.OPTIONAL_PARAM(), JIVariant.OPTIONAL_PARAM(), new Integer(0), 
          JIVariant.OPTIONAL_PARAM() }); 

      IJIDispatch wbemServices = toIDispatch(results[ 0 ]); 

      // Now that we have a SWbemServices DCOM object reference, we prepare a WMI Query Language (WQL) request to be informed whenever a 
      // new instance of the "Win32_NTLogEvent" WMI class is created on the remote host. This is submitted to the remote host via the 
      // "ExecNotificationQuery" method on SWbemServices. This gives us all events as they come in. Refer to WQL documentation to 
      // learn how to restrict the query if you want a narrower focus. 
      final String QUERY_FOR_ALL_LOG_EVENTS = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent'"; 
      final int RETURN_IMMEDIATE = 16; 
      final int FORWARD_ONLY = 32; 

      JIVariant[] eventSourceSet = 
        wbemServices.callMethodA("ExecNotificationQuery", new Object[] { new JIString(QUERY_FOR_ALL_LOG_EVENTS), new JIString("WQL"), 
          new JIVariant(new Integer(RETURN_IMMEDIATE + FORWARD_ONLY)) }); 
      IJIDispatch wbemEventSource = (IJIDispatch) JIObjectFactory.narrowObject((eventSourceSet[ 0 ]).getObjectAsComObject()); 

      // The result of the query is a SWbemEventSource object. This object exposes a method that we can call in a loop to retrieve the 
      // next Windows Event Log entry whenever it is created. This "NextEvent" operation will block until we are given an event. 
      // Note that you can specify timeouts, see the Microsoft documentation for more details. 
      while (true) 
      { 
       // this blocks until an event log entry appears. 
       JIVariant eventAsVariant = (JIVariant) (wbemEventSource.callMethodA("NextEvent", new Object[] { JIVariant.OPTIONAL_PARAM() }))[ 0 ]; 
       IJIDispatch wbemEvent = toIDispatch(eventAsVariant); 

       // WMI gives us events as SWbemObject instances (a base class of any WMI object). We know in our case we asked for a specific object 
       // type, so we will go ahead and invoke methods supported by that Win32_NTLogEvent class via the wbemEvent IDispatch pointer. 
       // In this case, we simply call the "GetObjectText_" method that returns us the entire object as a CIM formatted string. We could, 
       // however, ask the object for its property values via wbemEvent.get("PropertyName"). See the j-interop documentation and examples 
       // for how to query COM properties. 
       JIVariant objTextAsVariant = (JIVariant) (wbemEvent.callMethodA("GetObjectText_", new Object[] { new Integer(1) }))[ 0 ]; 
       String asText = objTextAsVariant.getObjectAsString().getString(); 
       System.out.println(asText); 
      } 
     } 
     catch (Exception e) 
     { 
      e.printStackTrace(); 
     } 
     finally 
     { 
      if (null != dcomSession) 
      { 
       try 
       { 
        JISession.destroySession(dcomSession); 
       } 
       catch (Exception ex) 
       { 
        ex.printStackTrace(); 
       } 
      } 
     } 
    } 

} 

〜

Answer 4

有100萬（及一個）選擇這裏;）

你可以看看SIGAR

http://cpansearch.perl.org/src/DOUGM/hyperic-sigar-1.6.3-src/docs/javadoc/org/hyperic/sigar/win32/EventLog.html

記住，雖然發牌....

或者你可以快速和骯髒，只是periodi卡利執行（並捕獲輸出） d：>的Cscript.exe C：\窗口\ system32 \ eventquery.vbs/v的

然後使用事件過濾PARAMS細化結果等... http://technet.microsoft.com/en-us/library/cc772995(WS.10).aspx

Answer 5

閱讀this article。

JNA 3.2.8具有從Windows事件日誌讀取和寫入的兩種方法。

您可以在log4jna中看到寫入示例。

這裏讀的例子：

EventLogIterator iter = new EventLogIterator("Application");   
while(iter.hasNext()) { 
    EventLogRecord record = iter.next(); 
    System.out.println(record.getRecordNumber() 
      + ": Event ID: " + record.getEventId() 
      + ", Event Type: " + record.getType() 
      + ", Event Source: " + record.getSource()); 
}