我可以成功地从事件日志中读取事件，但轮询全部事件的性能非常糟糕。我想知道是否有某个事件或可订阅的机制，能在日志条目被写入时"实时"捕获它们，而不必反复轮询整个日志？
这可能吗?
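// Polling approach from the question: load the entire Security log and
// filter for InstanceId 4624 (the Windows successful-logon audit event).
// This materialises every entry on each call, which is the performance
// problem the question describes; EventLogWatcher below avoids it.
// NOTE(review): reading the Security log normally needs administrative
// rights or membership in the "Event Log Readers" group — confirm for the
// account this runs under.
using (EventLog log = new EventLog("Security"))   // EventLog is IDisposable; the original never released it
{
    var entries = log.Entries.Cast<EventLogEntry>()
        .Where(x => x.InstanceId == 4624)
        .Select(x => new
        {
            x.MachineName,
            x.Site,
            x.Source,
            x.UserName,
            x.Message
        })
        .ToList();

    // entries[0] on an empty result throws ArgumentOutOfRangeException;
    // guard it so a log with no 4624 entries is not a crash.
    if (entries.Count > 0)
    {
        Console.WriteLine(entries[0].UserName);
    }
}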
答案 0 :(得分:1)
您可以使用 EventLogWatcher 来实现此目的：用 XPath 过滤器订阅所需的日志，并实现一个处理程序函数，在每条匹配事件写入时被回调执行。注意：订阅 Security 日志通常需要管理员权限或 "Event Log Readers" 组成员资格，且事件 4688 仅在启用了进程创建审核策略时才会产生。
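/// <summary>
/// Subscribes to Security log event 4688 (process creation) restricted to
/// launches of explorer.exe and forwards each match to
/// <see cref="handlerExplorerLaunch"/>. Blocks until a key is pressed, then
/// tears the subscription down.
/// </summary>
/// <remarks>
/// Fixes relative to the original listing: the XPath string lacked the
/// space before "and", carried an unmatched ")" and had no statement
/// terminator; the method's braces were unbalanced (a stray "}" before
/// the catch); the watcher was never disposed; Dispose() was called
/// inside a using block.
/// NOTE(review): subscribing to the Security log and writing under a new
/// event source both need elevated rights, and 4688 is only emitted when
/// process-creation auditing is enabled — confirm on the target host.
/// </remarks>
public static void eventLogSubscription()
{
    string path = Path.GetTempPath();

    // Announce start in the Application log. The source must already be
    // registered (EventLog.CreateEventSource, elevated); otherwise
    // WriteEvent attempts to create it and fails for a non-admin caller.
    using (EventLog eventLog = new EventLog("Application"))
    {
        eventLog.Source = "Event Log Reader Application";
        eventLog.WriteEvent(
            new EventInstance(1003, 0, EventLogEntryType.Information),
            new object[] { "The event log watcher has started", path });
    }

    // Both predicates must hold. The path literal is compared verbatim by
    // XPath, so a different system drive or casing will not match.
    const string eventQueryString =
        "*[System/EventID=4688]" +
        " and " +
        "*[EventData[Data[@Name = 'NewProcessName'] = 'C:\\Windows\\explorer.exe']]";

    EventLogWatcher watcher = null;
    try
    {
        EventLogQuery eventQuery = new EventLogQuery(
            "Security", PathType.LogName, eventQueryString);
        watcher = new EventLogWatcher(eventQuery);
        watcher.EventRecordWritten += handlerExplorerLaunch;
        watcher.Enabled = true;
    }
    catch (EventLogReadingException e)
    {
        Console.WriteLine("Error reading the log: {0}", e.Message);
    }

    // Keep the subscription alive until the user presses a key, as the
    // original did; then release the native subscription handle.
    Console.ReadKey();
    if (watcher != null)
    {
        watcher.Enabled = false;
        watcher.Dispose();
    }
}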
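/// <summary>
/// EventRecordWritten callback: writes the matched record's formatted
/// description to the Application log under event id 1001.
/// </summary>
/// <param name="obj">The watcher raising the event (unused).</param>
/// <param name="arg">
/// Event arguments. EventRecord is null when the watcher reports an error
/// instead of a record (presumably with EventException set — verify).
/// </param>
public static void handlerExplorerLaunch(object obj,
    EventRecordWrittenEventArgs arg)
{
    // Guard first so the happy path is not nested; same message as before.
    if (arg.EventRecord == null)
    {
        Console.WriteLine("The event instance was null.");
        return;
    }

    // EventRecord implements IDisposable; release it once consumed. The
    // redundant explicit Dispose() inside the using block is gone.
    using (EventRecord record = arg.EventRecord)
    using (EventLog eventLog = new EventLog("Application"))
    {
        eventLog.Source = "Event Log Reader Application";
        // The description carries the launched process's details, i.e.
        // data any local user can influence by starting a process —
        // treat it as untrusted if anything parses the Application log.
        // NOTE(review): FormatDescription() can return null when the
        // provider's message resources are unavailable — confirm that is
        // acceptable or fall back to record.ToXml().
        eventLog.WriteEvent(
            new EventInstance(1001, 0, EventLogEntryType.Information),
            new object[] { record.FormatDescription() });
    }
}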
答案 1 :(得分:0)
我发现这更可靠。
using System;
using System.Diagnostics.Eventing.Reader;
/// <summary>
/// Entry point: sets up the Security-log watcher and then waits for a key
/// so the process (and its subscription) stays alive.
/// </summary>
/// <param name="args">Command-line arguments; unused, but must not be null.</param>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="args"/> is null.</exception>
static void Main(string[] args)
{
    if (args == null)
    {
        throw new ArgumentNullException(nameof(args));
    }

    LoadEventLogs();
    Console.ReadKey();
}
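/// <summary>
/// Creates an EventLogWatcher subscription on the Security log for event
/// id 4688 and routes each delivered record to
/// <see cref="LogWatcher_EventRecordWritten"/>.
/// </summary>
/// <remarks>
/// If the subscription cannot be enabled (typically insufficient rights
/// on the Security log) the error is printed and the watcher and session
/// are released instead of being left dangling as in the original.
/// NOTE(review): the watcher is a local; once this method returns its
/// lifetime presumably rests on the wait the subscription registers with
/// the thread pool — root it in a static field if delivery stops after a
/// garbage collection.
/// </remarks>
private static void LoadEventLogs()
{
    EventLogSession session = new EventLogSession();
    // TolerateQueryErrors lets the query proceed past per-log errors.
    // Convenient, but it can also mask an access-denied on the Security
    // log as "no events" rather than an exception.
    EventLogQuery query = new EventLogQuery("Security", PathType.LogName, "*[System/EventID=4688]")
    {
        TolerateQueryErrors = true,
        Session = session
    };
    EventLogWatcher logWatcher = new EventLogWatcher(query);
    logWatcher.EventRecordWritten += LogWatcher_EventRecordWritten;
    try
    {
        logWatcher.Enabled = true;
    }
    catch (EventLogException ex)
    {
        Console.WriteLine(ex.Message);
        // Nothing will be delivered; free the native handles now.
        logWatcher.Dispose();
        session.Dispose();
        Console.ReadLine();
    }
}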
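/// <summary>
/// EventRecordWritten callback: prints a one-line summary (time, id, log,
/// level, task, opcode, machine) of each delivered record.
/// </summary>
/// <param name="sender">The watcher raising the event (unused).</param>
/// <param name="e">
/// Event arguments. EventRecord is null when the watcher reports an error
/// instead of a record; the original dereferenced it unconditionally and
/// would throw NullReferenceException in that case.
/// </param>
private static void LogWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
    if (e.EventRecord == null)
    {
        Console.WriteLine($"Watcher error: {e.EventException?.Message}");
        return;
    }

    // EventRecord implements IDisposable; release it after use.
    using (EventRecord record = e.EventRecord)
    {
        var time = record.TimeCreated;
        var id = record.Id;
        var logname = record.LogName;
        var level = record.Level;
        // Display-name lookups depend on the provider's message resources
        // and may come back null; interpolation renders that as empty.
        var task = record.TaskDisplayName;
        var opCode = record.OpcodeDisplayName;
        var mname = record.MachineName;
        Console.WriteLine($@"{time}, {id}, {logname}, {level}, {task}, {opCode}, {mname}");
    }
}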