[英]How to query Windows Eventlog with a large set of EventIds using c#
我正在尝试使用以下代码查询带有大量EventId的事件日志
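// Security-audit event IDs of interest (account management and directory service access).
// NOTE(review): the Windows event XPath engine limits how many expressions one query may
// contain — presumably why a filter with this many "EventID=" terms fails; confirm against
// the Event Log documentation before relying on a single long query.
List<string> eventIds = new List<string>() {
"4741", "4742", "4743", "4739", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4754", "4755",
"4756", "4757", "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4740", "4765", "4766", "4767", "4780", "4781",
"4934", "5136", "5137", "5138", "5139", "5141"
};
// maxEventRecordId and LogSource are defined outside this snippet.
// The filter values are constants here; if event IDs ever come from user input, validate
// them as integers before placing them in the XPath text.
var queryString = string.Format(System.Globalization.CultureInfo.InvariantCulture,
@"*[System[EventRecordID > {0}]] and *[System[({1})]] ",
maxEventRecordId,
string.Join(" or ", eventIds.Select(x => string.Format(System.Globalization.CultureInfo.InvariantCulture, "EventID={0}", x))));
var elQuery = new EventLogQuery(LogSource, PathType.LogName, queryString);
var elReader = new System.Diagnostics.Eventing.Reader.EventLogReader(elQuery);
List<EventRecord> eventList = new List<EventRecord>();
// EventLogReader holds a native handle; dispose it once all records have been read.
// Each EventRecord is IDisposable as well — whoever consumes eventList owns those.
using (elReader)
{
    for (EventRecord eventInstance = elReader.ReadEvent();
    eventInstance != null; eventInstance = elReader.ReadEvent())
    {
        //Access event properties here:
        //eventInstance.LogName;
        //eventInstance.ProviderName;
        eventList.Add(eventInstance);
    }
}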
当我限制queryString中EventId的数量时,可以得到结果。 但对于这个大查询,会抛出查询错误异常。 还有其他方法可以将大型事件ID集传递给事件查看器吗? 请帮忙
我为此找到了替代方案。 我没有在查询中列出大量事件ID,而是只排除不需要的事件ID,查询其余所有数据,然后在.NET中迭代结果,仅收集所需的信息。
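// Event IDs dropped at the query level (high-volume logon noise) so less data crosses the
// Event Log API; the real selection happens in managed code after reading.
List<string> excludeEventIds = new List<string>() {
/*Skip - Audit Logon Events*/
"4634", "4647", "4624", "4625", "4648", "4675", "4649", "4778", "4779", "4800", "4801", "4802", "4803", "5378", "5632", "5633",
/*Skip few - Audit directory service access*/
"4935","4936","4932","4933"
};
// maxEventRecordId is defined outside this snippet.
// Exclusions must be joined with "and": "EventID!=a or EventID!=b" is true for every event
// (any ID differs from at least one of them), so joining with "or" excluded nothing.
var queryString = string.Format(System.Globalization.CultureInfo.InvariantCulture,
@"*[System[EventRecordID > {0}]] and *[System[({1})]] ",
maxEventRecordId,
string.Join(" and ", excludeEventIds.Select(x => string.Format(System.Globalization.CultureInfo.InvariantCulture, "EventID !={0}", x))));
EventLogQuery query = new EventLogQuery("Security", PathType.LogName, queryString);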
在读取数据时,我们只挑出事件ID列表中的事件并加以处理。
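// Event IDs we actually want; checked in managed code against eventInstance.Id because the
// XPath query cannot carry a filter this long.
List<string> eventIds = new List<string>() {
/*Audit account management*/
"4741", "4742", "4743", "4739", "4727", "4728", "4729", "4730", "4731", "4732", "4733", "4734", "4735", "4737", "4754", "4755",
"4756", "4757", "4758", "4720", "4722", "4723", "4724", "4725", "4726", "4738", "4740", "4765", "4766", "4767", "4780", "4781",
/*Audit directory service access*/
"4934", "5136", "5137", "5138", "5139", "5141"
};
// Build the lookup once, as integers: eventInstance.Id is an int, and the previous
// eventIds.ToArray().Contains(...) copied the whole list and scanned it for every record.
var wantedEventIds = new HashSet<int>(
    eventIds.Select(x => int.Parse(x, System.Globalization.CultureInfo.InvariantCulture)));
// logReader is defined outside this snippet.
for (EventRecord eventInstance = logReader.ReadEvent();
eventInstance != null; eventInstance = logReader.ReadEvent())
{
    // Each EventRecord wraps a native handle; release it whether or not the record is
    // processed. If a record must outlive this loop, do not dispose it here.
    using (eventInstance)
    {
        if (!wantedEventIds.Contains(eventInstance.Id)) continue;
        //Process our actual data here
    }
}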
希望这会帮助到别人。