
Is the event log index unique?

Question:

I am getting the information from the event log in windows with this:

    using System;
    using System.Diagnostics;
    using System.Linq;

    private void button1_Click(object sender, EventArgs e)
    {
        EventLog eventLog = new EventLog();
        eventLog.Log = "Security";
        eventLog.Source = "Security-Auditing";
        eventLog.MachineName = "SERVER";
        var count = 0;
        // 4625 = "An account failed to log on"
        foreach (EventLogEntry log in eventLog.Entries.Cast<EventLogEntry>().Where(entry => entry.InstanceId == 4625))
        {
            Console.Write("eventLogEntry.Index: {0}{1}", log.Index, Environment.NewLine);
            SaveRecord(log);
            count++;
        }
    }

I am trying to capture all of the invalid logins to my server and then add an entry after x amount of invalid attempts.

I am looping through the event log and getting the information without issue, but how do I know what the last record I stopped reading at was? When the log gets more information, I need to start reading again, but I need a starting point.

I was thinking I could use the Index on the EventLogEntry, but I cannot find any information on it. The ones I have on my machine are 6 digit numbers.

How reliable is that? Should I be going off something else? Should I clear that log after I read it instead?

Thanks for your input!

======= WHAT I DID ========

With Apokal's help, here is what I did:

    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.Linq;

    /// <summary>
    /// Returns all events in the Windows event log that match the passed-in criteria.
    /// If nothing is passed in then it will return all events where a user attempted
    /// to log into the machine and gave an invalid username or password.
    /// </summary>
    /// <param name="eventLogMachineName">The machine where the event log is at.</param>
    /// <param name="cutoffdatetime">Date and time of the cut off for the list.</param>
    /// <param name="eventLogName">'Log Name' in the event log. This is the folder that the events reside in.</param>
    /// <param name="eventLogSource">Event log 'Source'.</param>
    /// <param name="instanceId">Filters to a specific 'Event Id' in the event log.</param>
    /// <returns>The matching entries, oldest first.</returns>
    public static IEnumerable<EventLogEntry> GetEventLogs(string eventLogMachineName, DateTime cutoffdatetime, string eventLogName = "Security", string eventLogSource = "Security-Auditing", int instanceId = 4625)
    {
        var eventLog = new EventLog { Log = eventLogName, Source = eventLogSource, MachineName = eventLogMachineName };
        return from EventLogEntry log in eventLog.Entries
               where log.InstanceId == instanceId && log.TimeGenerated > cutoffdatetime
               select log;
    }

And I call it like this:

    private void button1_Click(object sender, EventArgs e)
    {
        var lastcheckdatetime = Properties.Settings.Default.LastCheckDate;
        // A stale (or never set) checkpoint is reset to one week back
        if (lastcheckdatetime < DateTime.Now.AddDays(-30))
        {
            lastcheckdatetime = DateTime.Now.AddDays(-7);
        }
        var log = EventLogClass.GetEventLogs("TGSERVER", lastcheckdatetime);
        Properties.Settings.Default.LastCheckDate = DateTime.Now;
        Properties.Settings.Default.Save();
        var count = 0;
        foreach (EventLogEntry l in log)
        {
            Console.WriteLine("---------------------");
            Console.Write("eventLogEntry.Index: {0}{1}", l.Index, Environment.NewLine);
            Console.Write("eventLogEntry.TimeGenerated: {0}{1}", l.TimeGenerated, Environment.NewLine);
            count++;
        }
    }

Answer1:

From my experience and a little research, the Index property shows the index of the event that was written, counting from the creation of the event log.

But there are several things that you missed.

First, you have to remember that event logs have a limited size. For example, imagine the "Security" log can hold only 1000 entries (the actual size in MB is shown in the event log properties, if you look in eventvwr.msc). So when the event log is full there are 3 ways:

1. Write new events over old ones. In this case, remembering the last read event index is not good, because the event pointed to by that index could be simply overwritten.
2. Make an archive. In this case, the remembered index can now point to an event that is in the archive, not in the current .evtx file of the event log.
3. Do not write new events; manually clear the event log. I don't think this is interesting, because you want an automated tool.

So, one could set the event log to be archived and remember the last index of the event. Then when reading the event log again, first get the oldest record of the current event log file:

    using System.Diagnostics;
    using System.Diagnostics.Eventing.Reader;

    EventLog log = new EventLog("Security");
    // Entries is zero-based and ordered oldest-first, so the oldest surviving record is Entries[0];
    // its Index is the record number, not a position in the collection
    int oldestIndex = log.Entries[0].Index;
    // The newer reader API exposes the same number directly as OldestRecordNumber
    EventLogInformation eli = EventLogSession.GlobalSession.GetLogInformation("Security", PathType.LogName);
    long oldestRecordNumber = eli.OldestRecordNumber ?? 0;

Then compare oldestIndex with your lastReadIndex, and if lastReadIndex < oldestIndex you first have to read the archives, and only then read the current event log file.

All archives are stored by default in the same directory where the current event log file (.evtx) exists. Archives can be easily read by using the EventLogReader class (http://msdn.microsoft.com/en-us/library/system.diagnostics.eventing.reader.eventlogreader.aspx). Try to look at EventRecord (http://msdn.microsoft.com/en-us/library/system.diagnostics.eventing.reader.eventrecord.aspx) and its RecordId property; I think it's the same as the Index property of the EventLogEntry class (can't check at the moment).

Another approach is to remember the time when the event was written, and use it as the starting point for searching new events, in case Index and RecordId wouldn't help.

Good luck!
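The following puts the answer's approach together end to end: keep a checkpoint on the record number, compare it with the oldest record still in the live log, and when the checkpoint has already been overwritten or archived, read the archive files first and the live log last. It also keeps the per-user count of failed logons that the question is after. This is an added example, not code from the question or the answer, and it uses the System.Diagnostics.Eventing.Reader API the answer links to. The checkpoint file name, the archive directory (the default winevt\Logs folder) and the "Archive-Security-*.evtx" file-name pattern are assumptions; the page only says that archives sit next to the live .evtx file.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Xml.Linq;

// Incremental reader for failed-logon events (4625) keyed on the record number (EventRecordID).
// Assumptions (not from the original post): the checkpoint lives in checkpoint.txt next to the
// executable, archives are in the default Windows log directory, and archive files keep their
// default "Archive-Security-<timestamp>.evtx" names, which sort chronologically.
public static class FailedLogonCollector
{
    const string LogName = "Security";
    const int FailedLogonId = 4625;
    const string CheckpointFile = "checkpoint.txt";                                           // assumed
    static readonly string ArchiveDir = Path.Combine(Environment.SystemDirectory, @"winevt\Logs"); // assumed default
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    public static void Main()
    {
        long lastRecordId = File.Exists(CheckpointFile) ? long.Parse(File.ReadAllText(CheckpointFile)) : 0;

        // Oldest record still in the live log. If our checkpoint is older than that, the log has
        // either wrapped (events lost) or been archived (events moved to an archive file).
        EventLogInformation info = EventLogSession.GlobalSession.GetLogInformation(LogName, PathType.LogName);
        long oldestLive = info.OldestRecordNumber ?? 0;

        // XPath filter: only event 4625 with a record id above the checkpoint
        string xpath = string.Format("*[System[(EventID={0}) and (EventRecordID>{1})]]", FailedLogonId, lastRecordId);

        var queries = new List<EventLogQuery>();
        if (lastRecordId < oldestLive && Directory.Exists(ArchiveDir))
        {
            // Archives first, oldest file first, so records come out in record-number order
            string[] archives = Directory.GetFiles(ArchiveDir, "Archive-" + LogName + "-*.evtx");
            Array.Sort(archives, StringComparer.OrdinalIgnoreCase);
            foreach (string archive in archives)
                queries.Add(new EventLogQuery(archive, PathType.FilePath, xpath));
        }
        queries.Add(new EventLogQuery(LogName, PathType.LogName, xpath));

        var failuresPerUser = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        long newest = lastRecordId;
        foreach (EventLogQuery query in queries)
        {
            using (var reader = new EventLogReader(query))
            {
                EventRecord rec;
                while ((rec = reader.ReadEvent()) != null)
                {
                    using (rec)
                    {
                        string user = TargetUser(rec);
                        int n;
                        failuresPerUser.TryGetValue(user, out n);
                        failuresPerUser[user] = n + 1;
                        if (rec.RecordId.HasValue && rec.RecordId.Value > newest)
                            newest = rec.RecordId.Value;
                    }
                }
            }
        }

        // Persist the checkpoint only after every source has been read, so a crash mid-way
        // re-reads rather than skips events
        File.WriteAllText(CheckpointFile, newest.ToString());

        foreach (KeyValuePair<string, int> kv in failuresPerUser)
            Console.WriteLine("{0}: {1} failed logon(s) since record {2}", kv.Key, kv.Value, lastRecordId);
    }

    // Pull TargetUserName out of the event XML (EventData/Data[@Name='TargetUserName'])
    static string TargetUser(EventRecord rec)
    {
        XDocument doc = XDocument.Parse(rec.ToXml());
        foreach (XElement d in doc.Descendants(Ns + "Data"))
            if ((string)d.Attribute("Name") == "TargetUserName")
                return d.Value;
        return "(unknown)";
    }
}
```

Two points worth noting. Reading the Security log needs administrative rights (or membership in the Event Log Readers group), so run the collector under an account that has them rather than under the interactive user. And the record number is the thing to checkpoint, not the time: if the log wraps before the collector runs again, the gap shows up as lastRecordId < OldestRecordNumber, which this code can detect and report, whereas a time-based cutoff silently misses whatever was overwritten.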
