我正在尝试读取 Windows 事件日志“Microsoft-Windows-Sysmon/Operational”,我试过:
// Attempt from the question: open the Sysmon channel through the classic
// System.Diagnostics.EventLog API and print the message of every entry.
// NOTE(review): the EventLog class is understood to cover only the classic logs
// (Application, System, Security and custom classic logs). Channels listed under
// "Applications and Services Logs", such as this one, are normally read with
// System.Diagnostics.Eventing.Reader (EventLogQuery / EventLogReader) - presumably
// the cause of the exception quoted below; confirm on the target machine.
// NOTE(review): reading this channel may also require an elevated process or
// membership in the Event Log Readers group, depending on the channel's ACL.
const string eventLogName = "Microsoft-Windows-Sysmon/Operational";
var eventLog = new EventLog { Log = eventLogName };

// Entries is enumerated lazily; the lookup of the named log happens here.
foreach (EventLogEntry entry in eventLog.Entries)
{
    Console.WriteLine("{0}\n", entry.Message);
}
然而,我得到:
System.InvalidOperationException:计算机“.”上的事件日志“Microsoft-Windows-Sysmon/Operational”不存在。
我在这里(here)找到了一个解决方案,它使用 System.Diagnostics.Eventing.Reader 命名空间。但是,我在自己的系统和包管理器中似乎都找不到它。
此外,由于很多人认为日志的名称可能不正确,下面附上它的截图:

发布于 2019-09-19 20:22:01
您确定使用了正确的命名语义吗?如果该机器上没有创建具有该名称的日志源,就会出现此错误。作为替代,您可以直接使用 System.Management 进行查询。
下面是我过去使用过的函数……注意:ServerLogEntry 是来自我的应用程序域的对象。
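/// <summary>
/// Reads up to <paramref name="number"/> Win32_NTLogEvent rows for this application's event
/// source from the Application log and maps each one to a ServerLogEntry.
/// </summary>
/// <remarks>
/// The WQL filter is hard-coded to Logfile = 'Application', so this method never returns
/// entries from any other log. NOTE(review): Win32_NTLogEvent is understood to expose only
/// the classic event logs; a channel such as Microsoft-Windows-Sysmon/Operational would have
/// to be read through System.Diagnostics.Eventing.Reader instead - confirm before reusing.
/// Message, User and the other string fields are copied verbatim from the log; treat them as
/// untrusted text and encode them before rendering them in a UI or forwarding them.
/// </remarks>
/// <param name="number">Maximum number of rows to take from the WMI result set.</param>
/// <returns>The mapped entries ordered by TimeGenerated, newest first.</returns>
public List<ServerLogEntry> GetLastestServerLogEntries(int number)
{
    // WQL string literals use backslash escapes. Escape '\' first and then the quote so a
    // source name containing either character cannot end the literal or change the query.
    string sourceName = this.GetEventLogSourceName() ?? "";
    string escapedSource = sourceName.Replace("\\", "\\\\").Replace("'", "\\'");
    string query = String.Format("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND SourceName='{0}'", escapedSource);

    List<ServerLogEntry> logs = new List<ServerLogEntry>();

    // Searcher, result collection and each row wrap COM/WMI resources, so dispose them.
    using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
    using (ManagementObjectCollection results = searcher.Get())
    {
        // ManagementObjectCollection is a non-generic collection; Cast<> is needed before
        // LINQ operators such as Take can be applied.
        // NOTE(review): Take runs before the sort below, so the rows kept are the first
        // `number` rows in whatever order WMI returns them - verify that this is newest-first
        // on the target system if "latest" must be exact.
        foreach (ManagementObject mo in results.Cast<ManagementObject>().Take(number))
        {
            using (mo)
            {
                ServerLogEntry log = new ServerLogEntry();
                log.Category = Convert.ToInt32(mo["Category"]);
                log.CategoryString = SafeString(mo["CategoryString"]);
                log.ComputerName = SafeString(mo["ComputerName"]);
                log.EventCode = Convert.ToInt32(mo["EventCode"]);
                // EventIdentifier is a uint32 in Win32_NTLogEvent; values above int.MaxValue
                // made Convert.ToInt32 throw OverflowException. Keep the same 32 bits instead.
                log.EventIdentifier = unchecked((int)Convert.ToUInt32(mo["EventIdentifier"]));
                log.EventType = Convert.ToInt32(mo["EventType"]);
                log.EventTypeName = this.ConvertLogEventType(log.EventType);
                log.LogFile = SafeString(mo["LogFile"]);
                log.Message = SafeString(mo["Message"]);
                log.RecordNumber = Convert.ToInt32(mo["RecordNumber"]);
                log.SourceName = SafeString(mo["SourceName"]);
                log.TimeGenerated = this.ConvertLogDateTime(SafeString(mo["TimeGenerated"]));
                log.TimeWritten = this.ConvertLogDateTime(SafeString(mo["TimeWritten"]));
                log.Type = SafeString(mo["Type"]);
                log.User = SafeString(mo["User"]);
                logs.Add(log);
            }
        }
    }

    return logs.OrderByDescending(p => p.TimeGenerated).ToList();
}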
/// <summary>
/// Converts a WMI property value to text, mapping a null value to an empty string.
/// </summary>
/// <param name="propertyValue">The raw property value; may be null.</param>
/// <returns>The value's ToString() result, or "" when the value is null.</returns>
private string SafeString(object propertyValue)
{
    if (propertyValue == null)
    {
        return "";
    }

    return propertyValue.ToString();
}
/// <summary>
/// Maps a numeric event type code (1 to 5) to its display name.
/// </summary>
/// <param name="eventType">The numeric event type.</param>
/// <returns>The display name, or "Unknown" for any code outside 1 to 5.</returns>
private string ConvertLogEventType(int eventType)
{
    // Index 0 corresponds to code 1, index 4 to code 5.
    string[] typeNames =
    {
        "Error",
        "Warning",
        "Information",
        "Security Audit Success",
        "Security Audit Failure"
    };

    if (eventType < 1 || eventType > typeNames.Length)
    {
        return "Unknown";
    }

    return typeNames[eventType - 1];
}
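/// <summary>
/// Parses the date and time digits of a WMI datetime string into a DateTime.
/// </summary>
/// <remarks>
/// Only the first 14 characters (yyyyMMddHHmmss) are read. The fractional seconds and the
/// trailing UTC offset are ignored, so the result carries no time-zone information.
/// NOTE(review): System.Management.ManagementDateTimeConverter.ToDateTime parses the full
/// format including the offset; consider it if entries must be correlated across hosts.
/// </remarks>
/// <param name="entryTimeGeneratedString">
/// The datetime text, for example 20071107135007.000000-300. May be null or empty.
/// </param>
/// <returns>
/// The parsed value, or DateTime.MinValue when the input is null or shorter than 14 characters.
/// </returns>
/// <exception cref="FormatException">A date or time field is not numeric.</exception>
private DateTime ConvertLogDateTime(string entryTimeGeneratedString)
{
    // Field layout of the leading characters:
    //   yyyy MM dd HH mm ss
    //   0123 45 67 89 01 23
    const int dateTimeDigits = 14;

    // SafeString turns a missing WMI property into "", which previously made Substring throw
    // and aborted the whole listing; return a sentinel for missing or truncated values instead.
    if (entryTimeGeneratedString == null || entryTimeGeneratedString.Length < dateTimeDigits)
    {
        return DateTime.MinValue;
    }

    // The fields are machine-generated digits, so parse them culture-independently.
    IFormatProvider invariant = System.Globalization.CultureInfo.InvariantCulture;

    int year = Convert.ToInt32(entryTimeGeneratedString.Substring(0, 4), invariant);
    int month = Convert.ToInt32(entryTimeGeneratedString.Substring(4, 2), invariant);
    int day = Convert.ToInt32(entryTimeGeneratedString.Substring(6, 2), invariant);
    int hour = Convert.ToInt32(entryTimeGeneratedString.Substring(8, 2), invariant);
    int minute = Convert.ToInt32(entryTimeGeneratedString.Substring(10, 2), invariant);
    int second = Convert.ToInt32(entryTimeGeneratedString.Substring(12, 2), invariant);

    return new DateTime(year, month, day, hour, minute, second);
}
这里是返回的本机结构->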
/*class Win32_NTLogEvent
{
uint16 Category;
string CategoryString;
string ComputerName;
uint8 Data[];
uint16 EventCode;
uint32 EventIdentifier;
uint8 EventType;
string InsertionStrings[];
string Logfile;
string Message;
uint32 RecordNumber;
string SourceName;
datetime TimeGenerated;
datetime TimeWritten;
string Type;
string User;
};*/https://stackoverflow.com/questions/58018180