Match EventLog and SearchResultEntry

I want to get all AD changes, including every attribute, who made the change and from which machine. No single API gives both, so I combine SearchResultEntry and EventLogRecord.

To get the "who" and "where", I register an EventLogWatcher:
```csharp
// Subscribe to the whole Security log; the selector pulls the caller (Subject*),
// the affected object (Target*), the changed attribute and the logging machine
// out of each record without formatting the message text.
var query = new EventLogQuery("Security", PathType.LogName, "*");
var propertySelector = new EventLogPropertySelector(new[]
{
    "Event/EventData/Data[@Name='TargetUserName']",
    "Event/EventData/Data[@Name='TargetDomainName']",
    "Event/EventData/Data[@Name='TargetSid']",
    "Event/EventData/Data[@Name='SubjectUserName']",
    "Event/EventData/Data[@Name='SubjectDomainName']",
    "Event/EventData/Data[@Name='SubjectUserSid']",
    "Event/EventData/Data[@Name='AttributeLDAPDisplayName']",
    "Event/EventData/Data[@Name='AttributeValue']",
    "Event/EventData/Data[@Name='OperationType']",
    "Event/System/Computer"
});
using (var watcher = new EventLogWatcher(query))
{
    watcher.EventRecordWritten +=
        (object eventLogWatcher, EventRecordWrittenEventArgs eventArgs) =>
        {
            // EventRecord is null when the subscription reports an error instead of a record
            var eventLogRecord = eventArgs.EventRecord as EventLogRecord;
            if (eventLogRecord == null) return;
            var props = eventLogRecord.GetPropertyValues(propertySelector);
            // process entry
        };
    watcher.Enabled = true;
    // block the thread, e.g. await Task.Delay(-1);
}
```
But this does not cover all changes, and keep in mind that the properties vary with the event type. To get a complete copy of the new object when a change happens, you can register a callback on a SearchRequest:
```csharp
// _connection is an open LdapConnection; dn, filter, scope and attributes come from the caller.
SearchRequest request = new SearchRequest(dn, filter, scope, attributes);
// The notification control keeps the search open and returns a full copy of each changed object.
request.Controls.Add(new DirectoryNotificationControl());
IAsyncResult result = _connection.BeginSendRequest(
    request,
    TimeSpan.FromDays(1),
    PartialResultProcessing.ReturnPartialResultsAndNotifyCallback,
    (res) =>
    {
        var r = _connection.GetPartialResults(res);
        foreach (SearchResultEntry entry in r)
        {
            // process entry
        }
    },
    request);
```
But how do I match these two events? The SearchResultEntry contains only the new object with its attributes, and the EventLogRecord contains a lot of information, but nothing that matches them exactly. Assume both tools run on the same domain controller. Time alone is not enough as a match attribute.
You can use a pull/push method to process millions of records. You do not need to fetch all events from AD, only 5136. The event itself carries all the changes made in AD. You can get all the information from the EventLogRecord API. Below is my code:
```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

public class EventLogMgmt
{
    static EventLogWatcher watcher;

    public static void Main(string[] args)
    {
        String logName = "Security";
        // Subscribe only to 5136 ("A directory service object was modified").
        String queryString = "<QueryList><Query Id=\"0\" Path=\"Security\"><Select Path=\"Security\">*[System[(EventID = 5136)]]</Select></Query></QueryList>";
        EventLogQuery subscriptionQuery = new EventLogQuery(logName, PathType.LogName, queryString);
        watcher = new EventLogWatcher(subscriptionQuery, null, true); // EventLog watcher
        watcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(EventLogEventRead);
        watcher.Enabled = true;
        Console.ReadLine(); // keep the process alive while events arrive
        watcher.Dispose();
    }

    public static void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
    {
        if (arg.EventRecord != null)
        {
            EventRecord eventInstance = arg.EventRecord;
            //String eventMessage = eventInstance.FormatDescription(); // You can get the event information from the FormatDescription API itself.
            //String eventMessageXMLFmt = eventInstance.ToXml(); // Getting the event information in XML format
            // 5136 names the caller in SubjectUserName; the changed attribute and value sit in EventData too.
            String[] xPathRefs = new String[5];
            xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
            xPathRefs[1] = "Event/System/Computer";
            xPathRefs[2] = "Event/EventData/Data[@Name=\"SubjectUserName\"]";
            xPathRefs[3] = "Event/EventData/Data[@Name=\"AttributeLDAPDisplayName\"]";
            xPathRefs[4] = "Event/EventData/Data[@Name=\"AttributeValue\"]";
            IEnumerable<String> xPathEnum = xPathRefs;
            EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
            IList<object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
            Log("Time: ", logEventProps[0]);
            Log("Computer: ", logEventProps[1]);
            Log("Changed by: ", logEventProps[2]);
            Log("Attribute: ", logEventProps[3]);
            Log("Value: ", logEventProps[4]);
        }
    }

    static void Log(string label, object value)
    {
        Console.WriteLine(label + value);
    }
}
```
All the information, such as the target user, the caller's user name and the modified attribute, is available through the API above.
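As an added example (not code from the question or the answer), the Python below shows the matching the question asks about, using only what a 5136 record carries: it parses a constructed stream of 5136 events in the XML shape `EventRecord.ToXml()` returns, folds the one-event-per-value records into one change per object and attribute, and joins each change to a directory snapshot standing in for the re-read SearchResultEntry objects. The join key is `ObjectGUID` with `ObjectDN` as fallback, since a rename changes the DN but not the GUID. All DNs, GUIDs, correlation ids and snapshot contents are constructed sample values; the field names are the ones Windows logs in 5136.

```python
"""Fold Security event 5136 records into per-object changes and join them to
a directory snapshot. Added example; every DN, GUID and snapshot value below is
constructed, while the element and Data[@Name] layout mirrors a real 5136 record."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
# 5136 stores OperationType as a message-resource id; these are the two values it uses.
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def make_event(record_id, time, subject, computer, dn, guid, attr, value, op, corr):
    """Build a constructed 5136 event in the XML shape EventRecord.ToXml() returns."""
    return (
        f'<Event xmlns="{EVENT_NS}"><System><EventID>5136</EventID>'
        f'<TimeCreated SystemTime="{time}"/><EventRecordID>{record_id}</EventRecordID>'
        f'<Computer>{computer}</Computer></System><EventData>'
        f'<Data Name="SubjectUserName">{subject}</Data><Data Name="SubjectDomainName">EXAMPLE</Data>'
        f'<Data Name="ObjectDN">{dn}</Data><Data Name="ObjectGUID">{guid}</Data>'
        f'<Data Name="AttributeLDAPDisplayName">{attr}</Data><Data Name="AttributeValue">{value}</Data>'
        f'<Data Name="OperationType">{op}</Data><Data Name="OpCorrelationID">{corr}</Data>'
        "</EventData></Event>"
    )


ALICE = "CN=Alice,OU=Users,DC=example,DC=local"
ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=local"
BOB = "CN=Bob,OU=Users,DC=example,DC=local"
# Constructed stream: a description replace (delete + add under one correlation id),
# a group membership add, and a change to an object that is gone from the snapshot.
SAMPLE_EVENTS = [
    make_event(101, "2024-01-15T10:00:00Z", "jdoe", "DC01.example.local", ALICE, "{guid-a}", "description", "Old text", "%%14675", "{corr-1}"),
    make_event(102, "2024-01-15T10:00:00Z", "jdoe", "DC01.example.local", ALICE, "{guid-a}", "description", "New text", "%%14674", "{corr-1}"),
    make_event(103, "2024-01-15T10:00:05Z", "svc-admin", "DC01.example.local", ADMINS, "{guid-g}", "member", ALICE, "%%14674", "{corr-2}"),
    make_event(104, "2024-01-15T10:00:09Z", "jdoe", "DC01.example.local", BOB, "{guid-b}", "title", "Engineer", "%%14674", "{corr-3}"),
]
# Constructed stand-in for the SearchResultEntry objects re-read after the changes.
DIRECTORY_SNAPSHOT = {
    ALICE: {"objectguid": "{guid-a}", "samaccountname": "alice", "description": ["New text"]},
    ADMINS: {"objectguid": "{guid-g}", "member": [ALICE, "CN=Administrator,CN=Users,DC=example,DC=local"]},
}


def parse_5136(xml_text):
    """Pull the who / where / what fields out of one 5136 record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "record_id": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "subject": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
        "dn": data["ObjectDN"],
        "guid": data["ObjectGUID"],
        "attribute": data["AttributeLDAPDisplayName"],
        "value": data["AttributeValue"],
        "operation": OPERATION_TYPES.get(data["OperationType"], data["OperationType"]),
        "correlation": data["OpCorrelationID"],
    }


def group_changes(events):
    """5136 logs one event per value; fold them into one record per (correlation id, object, attribute)."""
    changes = {}
    for ev in sorted(events, key=lambda e: e["record_id"]):
        key = (ev["correlation"], ev["guid"], ev["attribute"])
        change = changes.setdefault(key, {
            "dn": ev["dn"], "guid": ev["guid"], "attribute": ev["attribute"], "added": [], "deleted": [],
            "by": ev["subject"], "on": ev["computer"], "time": ev["time"],
        })
        if ev["operation"] == "Value Added":
            change["added"].append(ev["value"])
        elif ev["operation"] == "Value Deleted":
            change["deleted"].append(ev["value"])
    return list(changes.values())


def join_with_directory(changes, snapshot):
    """Attach the full object to each change: ObjectGUID first (stable across renames), DN as fallback.
    Objects missing from the snapshot are reported, not silently dropped."""
    by_guid = {attrs["objectguid"]: attrs for attrs in snapshot.values()}
    matched, unmatched = [], []
    for change in changes:
        obj = by_guid.get(change["guid"]) or snapshot.get(change["dn"])
        if obj is None:
            unmatched.append(change)
            continue
        current = obj.get(change["attribute"], [])
        # The re-read object should hold every added value and none of the deleted ones.
        consistent = all(v in current for v in change["added"]) and not any(v in current for v in change["deleted"])
        matched.append({**change, "object": obj, "consistent": consistent})
    return matched, unmatched


def run_sample():
    events = [parse_5136(x) for x in SAMPLE_EVENTS]
    return join_with_directory(group_changes(events), DIRECTORY_SNAPSHOT)


if __name__ == "__main__":
    matched, unmatched = run_sample()
    for c in matched:
        print(f'{c["time"]} {c["by"]}@{c["on"]} {c["attribute"]} on {c["dn"]}: -{c["deleted"]} +{c["added"]} consistent={c["consistent"]}')
    for c in unmatched:
        print(f'{c["dn"]} is not in the snapshot (deleted or moved before the re-read)')
```

Grouping on `OpCorrelationID` is what turns a replace (logged as one Value Deleted and one Value Added event) back into a single change, and the `consistent` flag is the check that the object the directory returns actually reflects what the log says happened; a mismatch there points at a change the notification search missed or an object that was modified again before it was read.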