訂閱 Windows 事件日志？

Question

我正在處理一個需要經常檢查某些事件的 Windows 事件日志的項目。 我想知道 - 有沒有辦法為某些事件創建對 Windows 事件日志的訂閱？

那么，當事件發生時（例如事件 id = 00001），我可以在代碼中收到通知嗎？

如果這不能完成，那么我將不得不繼續搜索事件日志，這效率不高。

Answer 1

當您使用 C# 時，我認為您應該使用 Windows API 來訂閱某些 Windows 事件。 您可以使用 EventLogWatcher 或 EventLog 類來實現。 您可以在MSDN上找到使用 EventLog 創建 Windows 事件日志訂閱的示例。

如果您更喜歡 EventLogWatcher，請參閱其有限文檔。 這是我的例子：

public static void subscribe()
{
    EventLogWatcher watcher = null;
    try
    {
        EventLogQuery subscriptionQuery = new EventLogQuery(
            "Security", PathType.LogName, "*[System/EventID=4624]");

        watcher = new EventLogWatcher(subscriptionQuery);

        // Make the watcher listen to the EventRecordWritten
        // events.  When this event happens, the callback method
        // (EventLogEventRead) is called.
        watcher.EventRecordWritten +=
            new EventHandler<EventRecordWrittenEventArgs>(
                EventLogEventRead);

        // Activate the subscription
        watcher.Enabled = true;

        for (int i = 0; i < 5; i++)
        {
            // Wait for events to occur. 
            System.Threading.Thread.Sleep(10000);
        }
    }
    catch (EventLogReadingException e)
    {
        Log("Error reading the log: {0}", e.Message);
    }
    finally
    {
        // Stop listening to events
        watcher.Enabled = false;

        if (watcher != null)
        {
            watcher.Dispose();
        }
    }
    Console.ReadKey();
}

// Callback method that gets executed when an event is
// reported to the subscription.
public static void EventLogEventRead(object obj,
    EventRecordWrittenEventArgs arg)
{
    // Make sure there was no error reading the event.
    if (arg.EventRecord != null)
    {
        //////
        // This section creates a list of XPath reference strings to select
        // the properties that we want to display
        // In this example, we will extract the User, TimeCreated, EventID and EventRecordID
        //////
        // Array of strings containing XPath references
        String[] xPathRefs = new String[9];
        xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
        xPathRefs[1] = "Event/System/Computer";
        xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
        xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
        // Place those strings in an IEnumberable object
        IEnumerable<String> xPathEnum = xPathRefs;
        // Create the property selection context using the XPath reference
        EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);

        IList<object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
        Log("Time: ", logEventProps[0]);
        Log("Computer: ", logEventProps[1]);
        Log("TargetUserName: ", logEventProps[2]);
        Log("TargetDomainName: ", logEventProps[3]);
        Log("---------------------------------------");

        Log("Description: ", arg.EventRecord.FormatDescription());
    }
    else
    {
        Log("The event instance was null.");
    }
}

Answer 2

這是一個簡化的示例，它使用在 Windows 事件查看器的篩選器視圖上的XML選項卡中生成的查詢。 它加載查詢返回的初始記錄，然后監視任何未來的項目。

        var query = $"*[System[(EventID=1942) and TimeCreated[timediff(@SystemTime) <= 604800000]]]";
        var decoded = System.Web.HttpUtility.HtmlDecode(query);
        var eventLogQuery = new EventLogQuery("Application", PathType.LogName, decoded);
        var watcher = new EventLogWatcher(eventLogQuery, null, true);
        var count = 0;

        watcher.EventRecordWritten += (object sender, EventRecordWrittenEventArgs e) =>
        {
            count += 1;

            Console.WriteLine($"Found {count} items for query");
        };

        watcher.Enabled = true;

        for (var i = 0; i < 5; i++)
        { 
            System.Threading.Thread.Sleep(10000);
        }