Is there a way to query Security Event Log with Filter in C#?

Hi Pucca,

I currently prcoess each Security Log
entry one by one to extract those that fit the selection criteria. Is
there
a function that I can use to query the entries with option of filtering
for
certain event id and/or time period in C#?

I'm afraid no such function/feature exists in .NET 2.0, but it shouldn't be
too difficult to write your own filtering when you loop through the entries
in the log using the Entries property. Here's a basic "how to" article on
different things you can do with event logs:

http://support.microsoft.com/kb/815314

Also, you might wish to enable notifications when new entries are written to
the event log, and then filter the events there (if applicable to your
solution). See the Receive Event Notifications section in the above article.

Thanks!

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/

Thank you Jani. I'm already using the eventLog class and processing each log
entry and filtering them in my C# code (vs2005, .net2.0) and then place the
filtered / qualified rows in to a dataset table.

The problem is this is taking a long time. It's taking 45 secornds just to
read about 45k of entries(I get the entrycollection then use a logentry
varible to read each one). Are there anyway to improve this?
--
Thanks.
"Jani Järvinen [MVP]" wrote:

Hi Pucca,

I currently prcoess each Security Log
entry one by one to extract those that fit the selection criteria. Is
there
a function that I can use to query the entries with option of filtering
for
certain event id and/or time period in C#?

I'm afraid no such function/feature exists in .NET 2.0, but it shouldn't be
too difficult to write your own filtering when you loop through the entries
in the log using the Entries property. Here's a basic "how to" article on
different things you can do with event logs:

http://support.microsoft.com/kb/815314

Also, you might wish to enable notifications when new entries are written to
the event log, and then filter the events there (if applicable to your
solution). See the Receive Event Notifications section in the above article.

Thanks!

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/

Hi !

You can try WMI query for this.
Example that filters event log by LogFile and TimeGenerated.

using System;
using System.Collections.Generic;
using System.Text;
using System.Management;

namespace QueryEventLog {

class Program {
static void Main(string[] args) {
string SomeDateTime = "20070101000000.000000+000";
string Query = String.Format("SELECT * FROM Win32_NTLogEvent
WHERE Logfile = 'Application' AND TimeGenerated '{0}'", SomeDateTime);
ManagementObjectSearcher mos = new ManagementObjectSearcher(Query);
object o;

foreach (ManagementObject mo in mos.Get()) {

Console.WriteLine("///////////////////////////////////////////////////////////////////////////");
foreach (PropertyData pd in mo.Properties) {
o = mo[pd.Name];
if (o != null) {
Console.WriteLine(String.Format("{0}: {1}", pd.Name,
mo[pd.Name].ToString()));
}
}
}

Console.ReadLine();
}
}
}

Hope it helps.

Petar Repac

Pucca wrote:

Thank you Jani. I'm already using the eventLog class and processing each log
entry and filtering them in my C# code (vs2005, .net2.0) and then place the
filtered / qualified rows in to a dataset table.

The problem is this is taking a long time. It's taking 45 secornds just to
read about 45k of entries(I get the entrycollection then use a logentry
varible to read each one). Are there anyway to improve this?

"Pucca" <Pu***@discussions.microsoft.comwrote in message
news:78**********************************@microsof t.com...

The odd thing is that it works when I change the logfile = 'Application'.
Wieht Security it retrievs 0 entry. Why is that so? I did verify that I
have over 55k of entries in Security log in Event Viewer.
--
Thanks.
"Pucca" wrote:

>Thanks Peter. I tried it in my code but it's just exiting when it eaches the
statement mos.get(). Can you see what's wrong here? Also, where can I look
up syntax format and the properties names for the Security log? Thanks.

private void GetLog()
{
//string SomeDateTime = "20060101000000.000000+000";
//string Query = String.Format("SELECT * FROM Win32_NTLogEvent WHERE
Logfile = 'Security' AND TimeGenerated '{0}'", SomeDateTime);
string Query = String.Format("SELECT * FROM Win32_NTLogEvent WHERE
Logfile = 'Security'");

object o;
string name;
try
{
ManagementObjectSearcher mos = new ManagementObjectSearcher(Query);
foreach (ManagementObject mo in mos.Get())
{
foreach (PropertyData pd in mo.Properties)
{
o = mo[pd.Name];
if (o != null)
{

//Console.WriteLine(String.Format("{0}: {1}", pd.Name,
mo[pd.Name].ToString()));
}
}
}
mos.Dispose();
}
catch (Exception e)
{
MessageBox.Show(e.Message);
}
}
--
Thanks.
"Petar Repac" wrote:

Hi !

You can try WMI query for this.
Example that filters event log by LogFile and TimeGenerated.

using System;
using System.Collections.Generic;
using System.Text;
using System.Management;

namespace QueryEventLog {

class Program {
static void Main(string[] args) {
string SomeDateTime = "20070101000000.000000+000";
string Query = String.Format("SELECT * FROM Win32_NTLogEvent
WHERE Logfile = 'Application' AND TimeGenerated '{0}'", SomeDateTime);
ManagementObjectSearcher mos = new ManagementObjectSearcher(Query);
object o;

foreach (ManagementObject mo in mos.Get()) {

Console.WriteLine("///////////////////////////////////////////////////////////////////////////");
foreach (PropertyData pd in mo.Properties) {
o = mo[pd.Name];
if (o != null) {
Console.WriteLine(String.Format("{0}: {1}", pd.Name,
mo[pd.Name].ToString()));
}
}
}

Console.ReadLine();
}
}
}

Hope it helps.

Petar Repac

Pucca wrote:
Thank you Jani. I'm already using the eventLog class and processing each log
entry and filtering them in my C# code (vs2005, .net2.0) and then place the
filtered / qualified rows in to a dataset table.

The problem is this is taking a long time. It's taking 45 secornds just to
read about 45k of entries(I get the entrycollection then use a logentry
varible to read each one). Are there anyway to improve this?

Only administrators can read the security log!

Willy.

"Pucca" <Pu***@discussions.microsoft.comwrote in message
news:9D**********************************@microsof t.com...

Thanks Willy. I am login as an administrator on my Win2k server. Is there
any other setting that I need to configure for an administrator? Thanks.
--

Should work, please post your code.

Willy.

Thanks Willy. I alredy posted the code in my previous posting. Please have
a look and let me know what you think. Thanks.

p.s. The same query I ran in the WMI CIM Studio, and it says "No instances
found".
--
Thanks.
"Willy Denoyette [MVP]" wrote:

"Pucca" <Pu***@discussions.microsoft.comwrote in message
news:9D**********************************@microsof t.com...

Thanks Willy. I am login as an administrator on my Win2k server. Is there
any other setting that I need to configure for an administrator? Thanks.
--

Should work, please post your code.

Willy.