How can I parse a specific field out of an event log message, or out of its replacement strings, using C#? That is, I need to parse the "Workstation Name" from a Security event log entry with ID 4624. A sample log is given below:
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 0
Impersonation Level: -
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: - some data
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I think the order and count of the replacement strings are the same for every event with the same event ID, but their lengths are not. So how can I parse this string into a corresponding object, or extract one specific field?
Answer 0 (score: 3)
If you need to extract the value of the "Workstation Name" field, one of the simplest ways is to use a regular expression:
using System.Text.RegularExpressions;

string fieldName = "Workstation Name";
// fileText holds the full message text of the 4624 event.
// Regex.Escape keeps a name such as "Package Name (NTLM only)" from being read as regex syntax;
// the "-\s*" after the colon matches the sample above ("Workstation Name: - some data");
// RegexOptions.Multiline lets "\r?$" end the match on both "\r\n" and "\n" line endings.
var expression = new Regex(string.Format(@"\s*{0}:\s*-\s*(.+?)\r?$", Regex.Escape(fieldName)),
                           RegexOptions.Multiline);
Match match = expression.Match(fileText);
if (match.Success)
{
    // Groups[1] is a Group object; .Value gives the captured string
    string workstationName = match.Groups[1].Value.Trim();
    ...
}
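The regex above returns the first line that carries the field name, which is fine for "Workstation Name" but ambiguous for "Account Name" or "Security ID", both of which occur once under "Subject:" and once under "New Logon:" in the sample. The following is an added example, not code from the question or the answer: it parses the whole 4624 message into section -> field -> value so that the caller names the section it wants. It assumes the message keeps the layout Windows renders, where section headers such as "Subject:" start at column 0 and fields are indented with a tab; the sample text is constructed from the log in the question with that indentation restored.

```csharp
using System;
using System.Collections.Generic;

// Added example: parse a rendered 4624 message into sections and fields.
// Assumption: section headers ("Subject:") are unindented with nothing after the
// colon, fields are tab-indented, and unindented "Name:<tab>value" lines such as
// "Logon Type:" are top-level fields that belong to no section.
class EventMessageParser
{
    public static Dictionary<string, Dictionary<string, string>> Parse(string message)
    {
        var sections = new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
        var top = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        sections[""] = top;          // top-level fields (e.g. "Logon Type") live under the empty key
        var current = top;

        foreach (string raw in message.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None))
        {
            string line = raw.TrimEnd();
            if (line.Length == 0) continue;

            int colon = line.IndexOf(':');
            if (colon < 0) continue;                 // e.g. "An account was successfully logged on."

            bool indented = line[0] == '\t' || line[0] == ' ';
            string name = line.Substring(0, colon).Trim();
            string value = line.Substring(colon + 1).Trim();

            if (!indented)
            {
                if (value.Length == 0)
                {
                    // "Subject:" / "New Logon:" / "Network Information:" open a new section
                    current = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
                    sections[name] = current;
                }
                else
                {
                    top[name] = value;               // "Logon Type:\t0"
                }
            }
            else
            {
                // An indented "Process Name:" with an empty value is an empty field, not a section
                current[name] = value;
            }
        }
        return sections;
    }

    // Looks up a field inside a section; returns null when either is missing.
    public static string Get(Dictionary<string, Dictionary<string, string>> parsed, string section, string field)
    {
        return parsed.TryGetValue(section, out var fields) && fields.TryGetValue(field, out var value)
            ? value
            : null;
    }

    static void Main()
    {
        // Constructed sample: the log from the question, with the tab indentation Windows uses.
        string message = string.Join("\r\n", new[]
        {
            "An account was successfully logged on.",
            "",
            "Subject:",
            "\tSecurity ID:\t\tS-1-0-0",
            "\tAccount Name:\t\t-",
            "\tAccount Domain:\t\t-",
            "\tLogon ID:\t\t0x0",
            "",
            "Logon Type:\t\t\t0",
            "",
            "New Logon:",
            "\tSecurity ID:\t\tS-1-5-18",
            "\tAccount Name:\t\tSYSTEM",
            "\tAccount Domain:\t\tNT AUTHORITY",
            "\tLogon ID:\t\t0x3e7",
            "\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}",
            "",
            "Process Information:",
            "\tProcess ID:\t\t0x4",
            "\tProcess Name:\t\t",
            "",
            "Network Information:",
            "\tWorkstation Name:\t- some data",
            "\tSource Network Address:\t-",
            "\tSource Port:\t\t-",
        });

        var parsed = Parse(message);
        Console.WriteLine(Get(parsed, "Network Information", "Workstation Name")); // "- some data"
        Console.WriteLine(Get(parsed, "New Logon", "Account Name"));               // "SYSTEM", not "-"
        Console.WriteLine(Get(parsed, "", "Logon Type"));                          // "0"
    }
}
```

Two caveats when this runs against real data: the rendered message is localized and its layout is not part of any contract, so when you read the event through System.Diagnostics.Eventing.Reader the EventRecord.Properties collection (the replacement strings the question mentions) is the more stable source, and the text parser is for cases where only the rendered message survives, such as a forwarded or exported log. And values like Workstation Name and Source Network Address in a 4624 for a network logon are supplied by the remote client, so treat them as untrusted input rather than as ground truth.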