
C# 如何使用c查询包含大量事件ID的Windows事件日志


我正试图用一大组EventID查询事件日志,代码如下

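// Event IDs of interest (account-management and directory-service-access audit
// events). Kept as List<string> so code that already consumes eventIds still works.
List<string> eventIds = new List<string>()
{
    "4741", "4742", "4743", "4739", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4754", "4755",
    "4756", "4757", "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4740", "4765", "4766", "4767", "4780", "4781",
    "4934", "5136", "5137", "5138", "5139", "5141",
};

// Membership set built once: an int lookup per record, no per-record allocation.
var wantedEventIds = new HashSet<int>(eventIds.Select(int.Parse));

// Only the record-id predicate goes into the XPath query. Joining dozens of
// "EventID=..." clauses with "or" is what the event log rejects (its XPath subset
// appears to cap the number of expressions per query — exact limit not shown here),
// so the event-id filter is applied client-side below instead.
// maxEventRecordId is assumed to be numeric — TODO confirm; never interpolate
// untrusted text into this query string.
var queryString = string.Format(@"*[System[EventRecordID > {0}]]", maxEventRecordId);

var elQuery = new EventLogQuery(LogSource, PathType.LogName, queryString);

// Records that match are retained; the caller owns their disposal.
List<EventRecord> eventList = new List<EventRecord>();
using (var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery))
{
    for (EventRecord eventInstance = elReader.ReadEvent();
        null != eventInstance; eventInstance = elReader.ReadEvent())
    {
        if (!wantedEventIds.Contains(eventInstance.Id))
        {
            // Not wanted: release the native handle now rather than via the finalizer.
            eventInstance.Dispose();
            continue;
        }

        // Access event properties here:
        // eventInstance.LogName;
        // eventInstance.ProviderName;
        eventList.Add(eventInstance);
    }
}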

当我限制queryString中EventID的数量时,我得到了结果。但是对于这个大型查询,我得到了一个查询错误异常。是否有其他方法将大型事件id集传递给事件查看器?请帮忙

我找到了一个替代方案。我没有查询大量事件,而是排除了不需要的事件ID,查询所有数据,然后从.NET迭代结果,只收集所需信息

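    // Event IDs to drop server-side (noisy logon and directory-service-access
    // events) so that far fewer records cross the native boundary.
    List<string> excludeEventIds = new List<string>()
    {
        /* Skip - Audit Logon Events */
        "4634", "4647", "4624", "4625", "4648", "4675", "4649", "4778", "4779", "4800", "4801", "4802", "4803", "5378", "5632", "5633",
        /* Skip a few - Audit directory service access */
        "4935", "4936", "4932", "4933",
    };

    // The exclusion clauses must be joined with "and": "EventID!=a or EventID!=b"
    // is true for every record (any id differs from at least one of them), so the
    // original "or" excluded nothing and the whole log came back. With "and" the
    // query keeps exactly the records whose id is none of the excluded ones.
    // maxEventRecordId is assumed numeric — TODO confirm; only the literals above
    // and that number are ever interpolated into the XPath text.
    var queryString = string.Format(@"*[System[EventRecordID > {0}]] and *[System[({1})]] ",
        maxEventRecordId,
        string.Join(" and ", excludeEventIds.Select(x => string.Format("EventID !={0}", x))));

    EventLogQuery query = new EventLogQuery("Security", PathType.LogName, queryString);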
在读取数据时,我们只保留事件ID在列表中的事件并进行处理

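// Event IDs we actually keep (account-management and directory-service-access
// audit events). Kept as List<string> so existing consumers of eventIds still work.
List<string> eventIds = new List<string>()
{
    /* Audit account management */
    "4741", "4742", "4743", "4739", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4754", "4755",
    "4756", "4757", "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4740", "4765", "4766", "4767", "4780", "4781",
    /* Audit directory service access */
    "4934", "5136", "5137", "5138", "5139", "5141",
};

// Build the membership set once. The original eventIds.ToArray().Contains(...)
// copied the list and compared strings on every record — an allocation plus an
// O(n) scan per event on what is usually a very large log.
var wantedEventIds = new HashSet<int>(eventIds.Select(int.Parse));

// logReader is created outside this snippet — assumed to be an EventLogReader over
// the query built above; TODO confirm.
for (EventRecord eventInstance = logReader.ReadEvent();
    null != eventInstance; eventInstance = logReader.ReadEvent())
{
    if (!wantedEventIds.Contains(eventInstance.Id))
    {
        // Unwanted record: release its native handle now instead of via the finalizer.
        eventInstance.Dispose();
        continue;
    }

    // Process our actual data here
    // (dispose eventInstance when finished with it, or hand it to whoever keeps it).
}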
希望这能帮助别人