
How do I read the IP address from a failed logon event in the event viewer using C#?

I'm trying to read the data from an Audit Failure event generated by a failed logon attempt. I can get the events I need, but I can't figure out how to actually get the IP address from the event.

To clarify, I want to see the event generated by a failed Windows logon attempt from a user. It looks like this in the XML view in the event log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
        <EventID>4625</EventID> 
        ... 
    </System>
    <EventData>
        ...
        <Data Name="IpAddress">xxx.xxx.171.130</Data> 
        <Data Name="IpPort">50717</Data> 
    </EventData>
</Event>

In ASP.NET, use:

Request.ServerVariables["REMOTE_ADDR"];

If you hid the actual IP address when posting by replacing the first two octets, then just use XML or regex to read it in, but if it's exactly as you posted:

<Data Name="IpAddress">xxx.xxx.171.130</Data>

Then no, you can't from the event log, though if you're lucky and are in a small network with only one segment then you could figure it out.

For example, if you're in a small network and you know there's only one segment, you can incorporate that into your program's logic. As in your example ...171.130: if you know your network has an address in the range 192.168.171.1-192.168.171.254, then you can be 100% certain that it came from 192.168.17.130. On the other hand, if you know there is some other network in the range of 172.21.171.1-172.21.171.254, then you won't know, unless you know for sure that the other segments cannot talk to your computer; you can usually ask your network people to find this out.

See this for a reference for IP and subnet calculations: http://www.subnet-calculator.com/subnet.php?net_class=C

As ordag posted in the above question comment thread, the information I wanted was in the ReplacementStrings array.

Quote:

If you have the EventLogEntrys, the address should be a member of the ReplacementStrings array property.
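
An added example, not code from the question or either answer: it reads the same `IpAddress` field by its `Name` attribute from the event XML shown in the question (via `System.Diagnostics.Eventing.Reader`) instead of by position in `ReplacementStrings`, and tallies failed logons per source address. The class name and the per-address tally are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Net;
using System.Xml.Linq;

static class FailedLogonSources   // hypothetical name, for illustration only
{
    // Namespace declared on the <Event> element in the question's XML.
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Returns the value of <Data Name="..."> from an event's XML, or null if absent.
    static string GetData(XDocument evt, string name) =>
        evt.Descendants(Ns + "Data")
           .FirstOrDefault(d => (string)d.Attribute("Name") == name)?.Value;

    static void Main()
    {
        // Reading the Security log requires an elevated (administrator) process.
        var query = new EventLogQuery("Security", PathType.LogName,
                                      "*[System[(EventID=4625)]]");
        var failuresByIp = new Dictionary<string, int>();

        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    XDocument xml = XDocument.Parse(rec.ToXml());
                    string ip = GetData(xml, "IpAddress");
                    string user = GetData(xml, "TargetUserName");

                    // Events with no network source carry "-" here; skip them.
                    if (ip == null || !IPAddress.TryParse(ip, out IPAddress addr))
                        continue;

                    string key = addr.ToString();
                    failuresByIp[key] = failuresByIp.TryGetValue(key, out int n) ? n + 1 : 1;
                    Console.WriteLine($"{rec.TimeCreated:u}  {key}  user={user}");
                }
            }
        }

        // Noisiest sources first, which is what a lockout or brute-force review needs.
        foreach (var kv in failuresByIp.OrderByDescending(kv => kv.Value))
            Console.WriteLine($"{kv.Key}: {kv.Value} failed logon(s)");
    }
}
```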
