I'm trying to get a list of events where people have attempted to log in to our server, and immediately block the IP after x unsuccessful attempts.
Here is what I have so far:
    using System;
    using System.Diagnostics;
    using System.Windows.Forms;

    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            // Open the Security log on the remote server.
            EventLog eventLog;
            eventLog = new EventLog();
            eventLog.Log = "Security";
            eventLog.Source = "Security-Auditing";
            eventLog.MachineName = "TGSERVER";
            var count = 0;
            foreach (EventLogEntry log in eventLog.Entries)
            {
                // Stop once more than 200 entries have been read.
                if (count > 200)
                {
                    return;
                }
                Console.Write("eventLog.Log: {0}", eventLog.Log);
                count++;
            }
        }
    }
Not much to it but it's a start.
My problem is, I can't seem to isolate those particular events since I can't filter by eventid or keyword, or at least I don't see a way to.
My goal is to get the ip of those bad attempts.
Anyone have any suggestions?
EventLogEntry contains an EventID property. But be careful, because EventID is now obsolete. Please read the remarks section in the EventID description. As far as I understand, EventID is shown in Windows Event Viewer (eventvwr.msc), but in the event log file (.evtx) events are stored with InstanceId.
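One way to isolate the failed logons and their source addresses, as an added example that is not part of the original question or answer: it filters on the server side with an XPath query through `System.Diagnostics.Eventing.Reader` instead of walking `eventLog.Entries`. Assumptions: event ID 4625 ("An account failed to log on", Windows Vista / Server 2008 and later), a one-hour window and a threshold of 3; the class and method names are hypothetical, and the sample events are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

static class FailedLogons // hypothetical name, not from the page
{
    // Assumption: 4625 = failed logon; only events from the last hour (3600000 ms).
    const string Query = "*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 3600000]]]";
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Extract the IpAddress field from one event's XML; null when missing or "-" (local logon).
    public static string SourceIp(string eventXml)
    {
        var ip = XElement.Parse(eventXml).Descendants(Ns + "Data")
            .FirstOrDefault(d => (string)d.Attribute("Name") == "IpAddress")?.Value;
        return string.IsNullOrWhiteSpace(ip) || ip == "-" ? null : ip;
    }

    // Count failures per source IP and keep those at or above the threshold.
    public static Dictionary<string, int> Offenders(IEnumerable<string> eventsXml, int threshold) =>
        eventsXml.Select(SourceIp).Where(ip => ip != null)
                 .GroupBy(ip => ip)
                 .Where(g => g.Count() >= threshold)
                 .ToDictionary(g => g.Key, g => g.Count());

    // Stream only the matching events from the Security log of the given machine.
    public static IEnumerable<string> ReadSecurityLog(string machine)
    {
        var query = new EventLogQuery("Security", PathType.LogName, Query)
        { Session = new EventLogSession(machine) };
        using (var reader = new EventLogReader(query))
            for (EventRecord r = reader.ReadEvent(); r != null; r = reader.ReadEvent())
                using (r) yield return r.ToXml();
    }

    // Constructed sample event (documentation-range addresses), so the code runs offline.
    static string Sample(string ip) => "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID></System><EventData><Data Name='TargetUserName'>admin</Data><Data Name='IpAddress'>" + ip + "</Data></EventData></Event>";

    static void Main(string[] args)
    {
        // Pass a machine name (e.g. TGSERVER) to read the live log; otherwise use the sample.
        var events = args.Length > 0 ? ReadSecurityLog(args[0])
            : new[] { "203.0.113.7", "203.0.113.7", "203.0.113.7", "198.51.100.9", "-" }.Select(Sample);
        foreach (var kv in Offenders(events, threshold: 3))
            Console.WriteLine($"{kv.Key}: {kv.Value} failed logons");
    }
}
```

Reading the Security log requires an account with rights to it on the target machine, such as an administrator or a member of Event Log Readers.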