
C# 匹配事件日志和SearchResultEntry


我想获取所有 AD 变更，包括全部属性、是谁做的变更以及在哪台机器上。没有单个 API 能同时满足这两个条件，因此我组合使用了 EventLogWatcher 和 SearchRequest。

要获取“who”和“where”,我注册了一个
EventLogWatcher

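        // Subscribe to every record written to the Security log. The selector below pulls
        // "who" (Subject*), "what" (Target*/Attribute*) and "where" (Computer) out of each
        // record in one call; XPaths that a given event type does not carry are expected to
        // come back as null rather than as values, so check before use.
        var query = new EventLogQuery("Security", PathType.LogName, "*");
        var propertySelector = new EventLogPropertySelector(new[]
        {
           "Event/EventData/Data[@Name='TargetUserName']",
           "Event/EventData/Data[@Name='TargetDomainName']",
           "Event/EventData/Data[@Name='TargetSid']",
           "Event/EventData/Data[@Name='SubjectUserName']",
           "Event/EventData/Data[@Name='SubjectDomainName']",
           "Event/EventData/Data[@Name='SubjectUserSid']",
           "/Event/EventData/Data[@Name='AttributeLDAPDisplayName']",
           "/Event/EventData/Data[@Name='AttributeValue']",
           "/Event/EventData/Data[@Name='OperationType']",
           "/Event/System/Computer"
        });

        using (var watcher = new EventLogWatcher(query))
        {
            watcher.EventRecordWritten +=
                (object eventLogWatcher, EventRecordWrittenEventArgs eventArgs) =>
                    {
                        // When the watcher itself fails, EventRecord is null and the
                        // failure is reported through EventException; the original
                        // dereferenced EventRecord unconditionally and would crash here.
                        if (eventArgs.EventException != null)
                        {
                            // TODO: log eventArgs.EventException and decide whether to re-subscribe
                            return;
                        }

                        // Each EventRecord owns a native handle; dispose it once read.
                        using (var eventLogRecord = eventArgs.EventRecord as EventLogRecord)
                        {
                            if (eventLogRecord == null)
                            {
                                return;
                            }

                            // Values are returned in selector order.
                            var props = eventLogRecord.GetPropertyValues(propertySelector);
                            // process entry
                        }
                    };
            watcher.Enabled = true;
            // block the thread like await Task.Delay(-1);
        }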
但这并不包括所有更改,请记住,属性将根据事件类型而变化。要在发生更改时获取新对象的完整副本,可以使用
SearchRequest
注册回调:

// Persistent LDAP notification search: with the notification control attached, the
// server keeps the request open and returns a SearchResultEntry for each object
// under dn that changes, so the callback is expected to fire repeatedly.
SearchRequest request = new SearchRequest(dn, filter, scope, attributes);
request.Controls.Add(new DirectoryNotificationControl());

// Invoked for every batch of partial results the server delivers.
AsyncCallback onPartialResults = asyncResult =>
{
    var partialResults = _connection.GetPartialResults(asyncResult);
    foreach (SearchResultEntry entry in partialResults)
    {
        // process entry
    }
};

IAsyncResult result = _connection.BeginSendRequest(
    request,
    TimeSpan.FromDays(1),
    PartialResultProcessing.ReturnPartialResultsAndNotifyCallback,
    onPartialResults,
    request);

但是我如何匹配这两个事件呢？SearchResultEntry 只包含带有属性的新对象和许多信息，但其中没有任何字段能与事件日志记录精确匹配。假设这两个工具在同一个域控制器上运行。仅靠时间来匹配属性是不够的。

您可以使用 pull 方法处理数百万条数据。您不需要从 AD 获取所有事件，事件 5136 本身就包含 AD 中的所有更改。您可以从
EventLogRecord
API获取所有信息。下面是我的代码

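    /// <summary>
    /// Subscribes to Directory Service Changes audit events (ID 5136) in the Security log
    /// and prints a few fields of each record. Reading the Security log typically requires
    /// the process to run with read access to it (e.g. Event Log Readers membership).
    /// </summary>
    public class EventLogMgmt
    {
        // Held in a field so the subscription is not collected while Main is waiting;
        // the original assigned to an undeclared 'watcher'.
        private static EventLogWatcher watcher;

        // Built once instead of per event. Only the XPaths that are actually read are
        // listed; the original allocated nine slots and left six null.
        private static readonly EventLogPropertySelector LogPropertyContext =
            new EventLogPropertySelector(new string[]
            {
                "Event/System/TimeCreated/@SystemTime",
                "Event/System/Computer",
                "Event/EventData/Data[@Name=\"TargetUserName\"]"
            });

        /// <summary>Entry point: starts the subscription and keeps it alive until Enter is pressed.</summary>
        public static void Main(string[] args)
        {
            string logName = "Security";
            // Structured XML query restricted to event 5136. Inner quotes must be doubled
            // inside a verbatim string; the original used bare quotes and did not compile.
            string queryString = @"<QueryList>  <Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID = 5136)]]</Select></Query></QueryList>";
            EventLogQuery subscriptionQuery = new EventLogQuery(logName, PathType.LogName, queryString);

            // EventLogEventRead is an instance method, so an instance is needed to subscribe it.
            EventLogMgmt mgmt = new EventLogMgmt();
            watcher = new EventLogWatcher(subscriptionQuery, null, true); //EventLog watcher
            watcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(mgmt.EventLogEventRead);
            watcher.Enabled = true;

            // The original returned here, ending the process before any event could arrive.
            Console.WriteLine("Listening for event 5136; press Enter to stop.");
            Console.ReadLine();
            watcher.Enabled = false;
            watcher.Dispose();
        }

        /// <summary>Handles one delivered record (or a watcher error) and logs selected fields.</summary>
        /// <param name="obj">The raising <see cref="EventLogWatcher"/>.</param>
        /// <param name="arg">Carries either the record or, on failure, the exception.</param>
        public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
        {
            // EventRecord is null when the watcher hit an error; EventException carries it.
            if (arg.EventRecord == null)
            {
                if (arg.EventException != null)
                {
                    Log("Watcher error: ", arg.EventException.Message);
                }
                return;
            }

            //String eventMessage = eventInstance.FormatDescription(); // You can get event information from FormatDescription API itself.
            //String eventMessageXMLFmt = eventInstance.ToXml(); // Getting event information in xml format

            // GetPropertyValues lives on EventLogRecord; dispose the record's handle when done.
            using (EventLogRecord eventInstance = arg.EventRecord as EventLogRecord)
            {
                if (eventInstance == null)
                {
                    return;
                }

                // Values come back in selector order.
                IList<object> logEventProps = eventInstance.GetPropertyValues(LogPropertyContext);
                Log("Time: ", logEventProps[0]);
                Log("Computer: ", logEventProps[1]);
                Log("TargetUserName: ", logEventProps[2]);
            }
        }

        // Minimal sink for the fields above; the original called Log without defining it.
        private static void Log(string label, object value)
        {
            Console.WriteLine(label + (value ?? "<null>"));
        }
    }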
公共类事件日志管理{
公共静态void Main(字符串[]args)
{
Stirng logName=“安全”;
字符串queryString=“*[System[(EventID=5136)]”;
EventLogQuery subscriptionQuery=新的EventLogQuery(logName,PathType.logName,queryString);
watcher=neweventlogwatcher(subscriptionQuery,null,true);//EventLogWatcher
watcher.eventrecordwrited+=新的事件处理程序(EventLogEventRead);
watcher.Enabled=true;
}
public void EventLogEventRead(对象obj、eventRecordWrittenEventTargets arg)
{
if(arg.EventRecord!=null)
{
EventRecord eventInstance=arg.EventRecord;
//String eventMessage=eventInstance.FormatDescription();//您可以从FormatDescription API本身获取事件信息。
//字符串eventMessageXMLFmt=eventInstance.ToXml();//获取xml格式的事件信息
字符串[]xPathRefs=新字符串[9];
xPathRefs[0]=“事件/System/TimeCreated/@SystemTime”;
xPathRefs[1]=“事件/系统/计算机”;
xPathRefs[2]=“事件/事件数据/数据[@Name=\”目标用户名\“]”;
IEnumerable xPathEnum=xPathRefs;
EventLogPropertySelector logPropertyContext=新的EventLogPropertySelector(xPathEnum);
IList logEventProps=((EventLogRecord)arg.EventRecord).GetPropertyValue(logPropertyContext);
日志(“时间:,logEventProps[0]);
日志(“计算机:”,logEventProps[1]);
}
}
}

上述 API 提供了所有信息，如目标用户、调用方用户名、被修改的属性等。

您可以使用 pull 方法处理数百万条数据。您不需要从 AD 获取所有事件，事件 5136 本身就包含 AD 中的所有更改。您可以从
EventLogRecord
API获取所有信息。下面是我的代码

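    /// <summary>
    /// Subscribes to Directory Service Changes audit events (ID 5136) in the Security log
    /// and prints a few fields of each record. Reading the Security log typically requires
    /// the process to run with read access to it (e.g. Event Log Readers membership).
    /// </summary>
    public class EventLogMgmt
    {
        // Held in a field so the subscription is not collected while Main is waiting;
        // the original assigned to an undeclared 'watcher'.
        private static EventLogWatcher watcher;

        // Built once instead of per event. Only the XPaths that are actually read are
        // listed; the original allocated nine slots and left six null.
        private static readonly EventLogPropertySelector LogPropertyContext =
            new EventLogPropertySelector(new string[]
            {
                "Event/System/TimeCreated/@SystemTime",
                "Event/System/Computer",
                "Event/EventData/Data[@Name=\"TargetUserName\"]"
            });

        /// <summary>Entry point: starts the subscription and keeps it alive until Enter is pressed.</summary>
        public static void Main(string[] args)
        {
            string logName = "Security";
            // Structured XML query restricted to event 5136. Inner quotes must be doubled
            // inside a verbatim string; the original used bare quotes and did not compile.
            string queryString = @"<QueryList>  <Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID = 5136)]]</Select></Query></QueryList>";
            EventLogQuery subscriptionQuery = new EventLogQuery(logName, PathType.LogName, queryString);

            // EventLogEventRead is an instance method, so an instance is needed to subscribe it.
            EventLogMgmt mgmt = new EventLogMgmt();
            watcher = new EventLogWatcher(subscriptionQuery, null, true); //EventLog watcher
            watcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(mgmt.EventLogEventRead);
            watcher.Enabled = true;

            // The original returned here, ending the process before any event could arrive.
            Console.WriteLine("Listening for event 5136; press Enter to stop.");
            Console.ReadLine();
            watcher.Enabled = false;
            watcher.Dispose();
        }

        /// <summary>Handles one delivered record (or a watcher error) and logs selected fields.</summary>
        /// <param name="obj">The raising <see cref="EventLogWatcher"/>.</param>
        /// <param name="arg">Carries either the record or, on failure, the exception.</param>
        public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
        {
            // EventRecord is null when the watcher hit an error; EventException carries it.
            if (arg.EventRecord == null)
            {
                if (arg.EventException != null)
                {
                    Log("Watcher error: ", arg.EventException.Message);
                }
                return;
            }

            //String eventMessage = eventInstance.FormatDescription(); // You can get event information from FormatDescription API itself.
            //String eventMessageXMLFmt = eventInstance.ToXml(); // Getting event information in xml format

            // GetPropertyValues lives on EventLogRecord; dispose the record's handle when done.
            using (EventLogRecord eventInstance = arg.EventRecord as EventLogRecord)
            {
                if (eventInstance == null)
                {
                    return;
                }

                // Values come back in selector order.
                IList<object> logEventProps = eventInstance.GetPropertyValues(LogPropertyContext);
                Log("Time: ", logEventProps[0]);
                Log("Computer: ", logEventProps[1]);
                Log("TargetUserName: ", logEventProps[2]);
            }
        }

        // Minimal sink for the fields above; the original called Log without defining it.
        private static void Log(string label, object value)
        {
            Console.WriteLine(label + (value ?? "<null>"));
        }
    }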
公共类事件日志管理{
公共静态void Main(字符串[]args)
{
Stirng logName=“安全”;
字符串queryString=“*[System[(EventID=5136)]”;
EventLogQuery subscriptionQuery=新的EventLogQuery(logName,PathType.logName,queryString);
watcher=neweventlogwatcher(subscriptionQuery,null,true);//EventLogWatcher
watcher.eventrecordwrited+=新的事件处理程序(EventLogEventRead);
watcher.Enabled=true;
}
public void EventLogEventRead(对象obj、eventRecordWrittenEventTargets arg)
{
if(arg.EventRecord!=null)
{
EventRecord eventInstance=arg.EventRecord;
//String eventMessage=eventInstance.FormatDescription();//您可以从FormatDescription API本身获取事件信息。
//字符串eventMessageXMLFmt=eventInstance.ToXml();//获取xml格式的事件信息
字符串[]xPathRefs=新字符串[9];
xPathRefs[0]=“事件/System/TimeCreated/@SystemTime”;
xPathRefs[1]=“事件/系统/计算机”;
xPathRefs[2]=“事件/事件数据/数据[@Name=\”目标用户名\“]”;
IEnumerable xPathEnum=xPathRefs;
EventLogPropertySelector logPropertyContext=新的EventLogPropertySelector(xPathEnum);
IList logEventProps=((EventLogRecord)arg.EventRecord).GetPropertyValue(logPropertyContext);
日志(“时间:,logEventProps[0]);
日志(“计算机:”,logEventProps[1]);
}
}
}

上述 API 提供了所有信息，如目标用户、调用方用户名、被修改的属性等。

ad sux，很抱歉，作为一名开发此类产品的人员，我可以说这是一个非常复杂的解决方案。必须进行大量的研究和开发才能使其正常工作，并且您将面临许多困难，例如站点复制、删除对象等。此外，目录通知只有在您只做一次更改时才能完美工作；试着用一个脚本创建 10000 个用户，看看会收到什么样的通知。实现这一点的最简单方法不是将更改与事件匹配，而是从事件生成更改。从 Windows Server 2008 开始，有一个称为“目录服务更改”的专门审核类别。请参阅相关文档，启用它并从域中的所有 DC 收集事件。—— 非常感谢您。我应该使用 EventLogWatcher 拉取还是接收推送消息？—— 我使用以下规则：处理大量数据时拉取，否则推送。在您的情况下，可能会有数百万个事件，所以应该使用 pull 方法。—— ad sux，很抱歉，作为一名开发产品的人员，我可以告诉您，这是一个非常复杂的解决方案。为了实现这一目标，必须进行大量的研究和开发