0

我正在尝试使用包含来自 DC 的安全审核失败的用户名的特定事件日志,在 powershell 中,我可以通过以下方式轻松执行此操作:

变量类似于: $DC = "MyDomainController" 和 $user = "jdoe"

Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='4503599627370496';Data=$user} -MaxEvents 4 | Format-List -Property ID, TimeCreated, MachineName, Message

这将从我正在查看的 DC 中提取 4 个事件日志,这些事件日志是该人的用户名的安全审计失败,但是我无法在 vb.net 中找到或重现此行为,我一直在搜索最后的页面几天后,想出了很多写作,并在 DC 上提取了所有日志,但没有过滤,任何帮助或指导都会很棒,谢谢!

4

1 回答 1

0

我可以通过使用 xpath 查看自定义日志查询来找到答案,我在 C# 中执行了以下操作,但同样可以在 VB 中应用,
Domaincontroller.text = 您查找的域控制器:
Username.text = The用于查找
Statustextbox 的 AD 用户名 = 我将所有日志都转到文本框进行阅读,但您可以执行类似 console.writeline 的操作

private void LookupLogs_Click(object sender, EventArgs e)
    {
        Statustextbox.Clear();
        string query = "<QueryList>" +
                       "  <Query Id=\"0\" Path=\"Security\">" +
                       "    <Select Path=\"Security\">" +
                       "        *[System[band(Keywords,4503599627370496)]] and *[EventData[Data[@Name='TargetUserName'] and (Data='" + Username.Text + "')]]" +
                       "    </Select>" +
                       "  </Query>" +
                       "</QueryList>";
        EventLogSession session = new EventLogSession(DomainController.Text);
        EventLogQuery evntquery = new EventLogQuery("Security", PathType.LogName, query);
        evntquery.Session = session;
        try
        {
            EventLogReader logreader = new EventLogReader(evntquery);
            DisplayEventAndLogInformation(logreader);
        }
        catch (Exception ex)
        {
            MessageBox.Show("An exception occured: " + ex.Message);
        }
    }

private void DisplayEventAndLogInformation(EventLogReader logReader)
    {
        for (EventRecord eventInstance = logReader.ReadEvent();
            null != eventInstance; eventInstance = logReader.ReadEvent())
        {
            Statustextbox.AppendText(Environment.NewLine + Environment.NewLine);
            Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine);
            Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine);
            Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine);

            try
            {
                Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine);
            }
            catch (EventLogException ex)
            {
                Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine);
            }
            EventLogRecord logRecord = (EventLogRecord)eventInstance;
            Statustextbox.AppendText(Environment.NewLine);
            Statustextbox.AppendText("Container Event Log: " + logRecord.ContainerLog + Environment.NewLine);
        }
    }
于 2016-05-11T13:27:28.920 回答