CODEWITHSUNDEEP
c#eventlog-source
Rahul
Rahul

Reputation: 21

How to read events from a Application and Services windows event source using C#?

I am trying to read windows event logs for: "Microsoft-Windows-Sysmon/Operational" I tried:

string eventLogName = "Microsoft-Windows-Sysmon/Operational";

            EventLog eventLog = new EventLog();
            eventLog.Log = eventLogName;

            foreach (EventLogEntry log in eventLog.Entries)
            {
                Console.WriteLine("{0}\n", log.Message);
            }

However, I get:

System.InvalidOperationException: 'The event log 'Microsoft-Windows-Sysmon/Operational' on computer '.' does not exist.'*

I found a solution here It is using System.Diagnostics.Eventing.Reader namespace. However, I cannot seem to get this anywhere in my system or in the package manager.

Also, since many are claiming that the name of the log may be incorrect. Following is the screenshot of it: enter image description here

Upvotes: 0

Views: 1888

Answers (1)

Ross Bush
Ross Bush

Reputation: 15155

Are you sure you are using the correct naming semantics. This is the error you get if a log source has been created with that name on that machine. As alternative you can use System.Management and query directly.

Below is a function I have used in the past...NOTE : ServerLogEntry is an object from my application domain.

public List<ServerLogEntry> GetLastestServerLogEntries(int number)
{
    string logSource = this.GetEventLogSourceName();
    string Query = String.Format("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND SourceName='{0}'", logSource);

    List<ServerLogEntry> logs = new List<ServerLogEntry>();

    ManagementObjectSearcher mos = new ManagementObjectSearcher(Query);

    foreach (ManagementObject mo in mos.Get().Take(number).ToList())
    {
        ServerLogEntry log = new ServerLogEntry();
        log.Category = Convert.ToInt32(mo["Category"]);
        log.CategoryString = SafeString(mo["CategoryString"]);
        log.ComputerName = SafeString(mo["ComputerName"]);
        log.EventCode = Convert.ToInt32(mo["EventCode"]);
        log.EventIdentifier = Convert.ToInt32(mo["EventIdentifier"]);
        log.EventType = Convert.ToInt32(mo["EventType"]);
        log.EventTypeName = this.ConvertLogEventType(log.EventType);
        log.LogFile = SafeString(mo["LogFile"]);
        log.Message = SafeString(mo["Message"]);
        log.RecordNumber = Convert.ToInt32(mo["RecordNumber"]);
        log.SourceName = SafeString(mo["SourceName"]);
        log.TimeGenerated = this.ConvertLogDateTime(SafeString(mo["TimeGenerated"]));
        log.TimeWritten = this.ConvertLogDateTime(SafeString(mo["TimeWritten"]));
        log.Type = SafeString(mo["Type"]);
        log.User = SafeString(mo["User"]);
        logs.Add(log);
    }
    return logs.OrderByDescending(p => p.TimeGenerated).ToList();
}

private string SafeString(object propertyValue)
{
    return (propertyValue != null) ? propertyValue.ToString() : "";
}

private string ConvertLogEventType(int eventType)
{
    switch (eventType)
    {
        case 1: return "Error";
        case 2: return "Warning";
        case 3: return "Information";    
        case 4: return "Security Audit Success";
        case 5: return "Security Audit Failure";
        default: return "Unknown";
    }        
}

private DateTime ConvertLogDateTime(string entryTimeGeneratedString)
{
    //TimeGenerated, for example: 20071107135007.000000-300
    //
    //                            yyyy mm dd hh mm ss.milisec 
    //                            0123 45 67 89 01 23
    // convert to new DateTime(yyyy,month,day,hour,minute,seconds)

    return new DateTime(Convert.ToInt32(entryTimeGeneratedString.Substring(0, 4)),
                        Convert.ToInt32(entryTimeGeneratedString.Substring(4, 2)),
                        Convert.ToInt32(entryTimeGeneratedString.Substring(6, 2)),
                        Convert.ToInt32(entryTimeGeneratedString.Substring(8, 2)),
                        Convert.ToInt32(entryTimeGeneratedString.Substring(10, 2)),
                        Convert.ToInt32(entryTimeGeneratedString.Substring(12, 2)));
}

Here is the native structure returned -->

/*class Win32_NTLogEvent
{
    uint16   Category;
    string   CategoryString;
    string   ComputerName;
    uint8    Data[];
    uint16   EventCode;
    uint32   EventIdentifier;
    uint8    EventType;
    string   InsertionStrings[];
    string   Logfile;
    string   Message;
    uint32   RecordNumber;
    string   SourceName;
    datetime TimeGenerated;
    datetime TimeWritten;
    string   Type;
    string   User;
};*/

Upvotes: 1

Related Questions