public void initMonitorEventLog()
{EventLogSession session = new EventLogSession();EventLogQuery query = new EventLogQuery("Security", PathType.LogName, "*[System/EventID=4663]") {TolerateQueryErrors = true,Session = session};EventLogWatcher logWatcher = new EventLogWatcher(query);logWatcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(LogWatcher_EventRecordWritten);try{logWatcher.Enabled = true;}catch (EventLogException ex){Console.WriteLine(ex.Message);Console.ReadLine();}
}private void LogWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{EventRecord eventRecord = e.EventRecord;var time = e.EventRecord.TimeCreated;var id = e.EventRecord.Id;var logname = e.EventRecord.LogName;var level = e.EventRecord.Level;var task = e.EventRecord.TaskDisplayName;var opCode = e.EventRecord.OpcodeDisplayName;var machineName = e.EventRecord.MachineName;string providerName = eventRecord.ProviderName;eventRecord.ToXml();Console.WriteLine(eventRecord.FormatDescription());//Console.WriteLine($@"{time}, {id}, {logname}, {level}, {task}, {opCode}, {machineName},{providerName}");
}其中,EventLogQuery构造函数的第三个参数是Windows日志的查询筛选条件。我在网上查想要筛选监视多个EventID的情况,按照XPath的语法写,一直都没办法写对。后面受到外国博主的启发,在下图的Windows日志里面设置筛选条件,然后切换XML的视图,能看到自动生成的查询条件,复制到代码里就行了。
*[System[(EventID=4663 or EventID=5142 or EventID=5144)]]就是这个条件,复制到代码里就搞定了。
_web前端开发设计_荆州百度推广_百度一下首页手机版)
