C# 订阅Windows事件日志?
我正在从事一个项目,该项目需要经常检查Windows事件日志中的某些事件。我想知道-有没有办法为某些事件创建Windows事件日志订阅 那么,当事件发生时(例如,event id=00001),我可以在代码中得到通知吗 如果不能做到这一点,那么我将不得不继续搜索事件日志,这是没有效率的。当您使用C#时,我认为您应该使用Windows API订阅某些Windows事件。您可以通过使用EventLogWatcher或EventLog类来完成。您可以找到使用EventLog on创建Windows事件日志订阅的示例 如果您更喜欢EventLogWatcher,请参阅其有限的。下面是我的例子:C# 订阅Windows事件日志?,c#,event-log,event-viewer,C#,Event Log,Event Viewer,我正在从事一个项目,该项目需要经常检查Windows事件日志中的某些事件。我想知道-有没有办法为某些事件创建Windows事件日志订阅 那么,当事件发生时(例如,event id=00001),我可以在代码中得到通知吗 如果不能做到这一点,那么我将不得不继续搜索事件日志,这是没有效率的。当您使用C#时,我认为您应该使用Windows API订阅某些Windows事件。您可以通过使用EventLogWatcher或EventLog类来完成。您可以找到使用EventLog on创建Windows事件
public static void subscribe()
{
EventLogWatcher watcher = null;
try
{
EventLogQuery subscriptionQuery = new EventLogQuery(
"Security", PathType.LogName, "*[System/EventID=4624]");
watcher = new EventLogWatcher(subscriptionQuery);
// Make the watcher listen to the EventRecordWritten
// events. When this event happens, the callback method
// (EventLogEventRead) is called.
watcher.EventRecordWritten +=
new EventHandler<EventRecordWrittenEventArgs>(
EventLogEventRead);
// Activate the subscription
watcher.Enabled = true;
for (int i = 0; i < 5; i++)
{
// Wait for events to occur.
System.Threading.Thread.Sleep(10000);
}
}
catch (EventLogReadingException e)
{
Log("Error reading the log: {0}", e.Message);
}
finally
{
// Stop listening to events
watcher.Enabled = false;
if (watcher != null)
{
watcher.Dispose();
}
}
Console.ReadKey();
}
// Callback method that gets executed when an event is
// reported to the subscription.
public static void EventLogEventRead(object obj,
EventRecordWrittenEventArgs arg)
{
// Make sure there was no error reading the event.
if (arg.EventRecord != null)
{
//////
// This section creates a list of XPath reference strings to select
// the properties that we want to display
// In this example, we will extract the User, TimeCreated, EventID and EventRecordID
//////
// Array of strings containing XPath references
String[] xPathRefs = new String[9];
xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[1] = "Event/System/Computer";
xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
// Place those strings in an IEnumberable object
IEnumerable<String> xPathEnum = xPathRefs;
// Create the property selection context using the XPath reference
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
IList<object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
Log("Time: ", logEventProps[0]);
Log("Computer: ", logEventProps[1]);
Log("TargetUserName: ", logEventProps[2]);
Log("TargetDomainName: ", logEventProps[3]);
Log("---------------------------------------");
Log("Description: ", arg.EventRecord.FormatDescription());
}
else
{
Log("The event instance was null.");
}
}
publicstaticvoidsubscribe()
{
EventLogWatcher-watcher=null;
尝试
{
EventLogQuery subscriptionQuery=新建EventLogQuery(
“安全性”,PathType.LogName,“*[System/EventID=4624]”;
watcher=新的EventLogWatcher(subscriptionQuery);
//让观察者听事件记录
//当此事件发生时,回调方法
//(EventLogEventRead)被调用。
watcher.eventrecordwrited+=
新事件处理程序(
EventLogEventRead);
//激活订阅
watcher.Enabled=true;
对于(int i=0;i<5;i++)
{
//等待事件发生。
系统线程线程睡眠(10000);
}
}
捕获(EventLogReadingException e)
{
日志(“读取日志时出错:{0}”,e.Message);
}
最后
{
//停止收听事件
watcher.Enabled=false;
如果(观察者!=null)
{
watcher.Dispose();
}
}
Console.ReadKey();
}
//调用事件时执行的回调方法
//向订阅报告。
公共静态void EventLogEventRead(对象obj,
EventRecordWrittenEventTargets参数)
{
//确保读取事件时没有错误。
if(arg.EventRecord!=null)
{
//////
//本节创建要选择的XPath引用字符串列表
//要显示的属性
//在本例中,我们将提取用户、TimeCreated、EventID和EventRecordID
//////
//包含XPath引用的字符串数组
字符串[]xPathRefs=新字符串[9];
xPathRefs[0]=“事件/System/TimeCreated/@SystemTime”;
xPathRefs[1]=“事件/系统/计算机”;
xPathRefs[2]=“事件/事件数据/数据[@Name=\”目标用户名\“]”;
xPathRefs[3]=“事件/事件数据/数据[@Name=\“TargetDomainName\”]”;
//将这些字符串放在IEnumberable对象中
IEnumerable xPathEnum=xPathRefs;
//使用XPath引用创建属性选择上下文
EventLogPropertySelector logPropertyContext=新的EventLogPropertySelector(xPathEnum);
IList logEventProps=((EventLogRecord)arg.EventRecord).GetPropertyValue(logPropertyContext);
日志(“时间:,logEventProps[0]);
日志(“计算机:”,logEventProps[1]);
日志(“TargetUserName:”,logEventProps[2]);
日志(“TargetDomainName:”,logEventProps[3]);
日志(“-----------------------------------------”;
日志(“Description:,arg.EventRecord.FormatDescription());
}
其他的
{
日志(“事件实例为null”);
}
}
var query = $"*[System[(EventID=1942) and TimeCreated[timediff(@SystemTime) <= 604800000]]]";
var decoded = System.Web.HttpUtility.HtmlDecode(query);
var eventLogQuery = new EventLogQuery("Application", PathType.LogName, decoded);
var watcher = new EventLogWatcher(eventLogQuery, null, true);
var count = 0;
watcher.EventRecordWritten += (object sender, EventRecordWrittenEventArgs e) =>
{
count += 1;
Console.WriteLine($"Found {count} items for query");
};
watcher.Enabled = true;
for (var i = 0; i < 5; i++)
{
System.Threading.Thread.Sleep(10000);
}
var query=$”*[System[(EventID=1942)和TimeCreated[timediff(@SystemTime)=604800000]]”;
var decoded=System.Web.HttpUtility.HtmlDecode(查询);
var eventLogQuery=new eventLogQuery(“应用程序”,PathType.LogName,已解码);
var-watcher=neweventlogwatcher(eventLogQuery,null,true);
var计数=0;
watcher.eventRecordWrited+=(对象发送方,eventRecordWrittenEventTargets e)=>
{
计数+=1;
WriteLine($“为查询找到{count}项”);
};
watcher.Enabled=true;
对于(变量i=0;i<5;i++)
{
系统线程线程睡眠(10000);
}
WMI