I'm trying to determine a machine's most frequent user by looking at the Security event logs. I'm looking at using the 4624 Event ID, but I can't seem to work out how to add anything from the EventData in the query. I can get the standard data from a 4624 event, but what I'm trying to query is events that also have the LogonType of 7 and then be able to read the TargetUserName details.
using System;
using System.Diagnostics.Eventing.Reader;

// XPath filter: every event in the Security log with EventID 4624 (successful logon).
string query = @"*[System/EventID=4624]";
EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, query);
try
{
    using (EventLogReader logReader = new EventLogReader(eventsQuery))
    {
        for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
        {
            // Only the System-section fields are reachable this way; EventData is not.
            Console.WriteLine(eventdetail.ProcessId);
        }
    }
}
catch (EventLogNotFoundException)
{
    Console.WriteLine("Error while reading the event logs");
    return;
}
Try this:
using System;
using System.Diagnostics.Eventing.Reader;

// Filter on a named EventData field (LogonType = 7, workstation unlock) together with the EventID.
// The verbatim string must be written as @"..." with no break between @ and the quote.
string query = @"*[EventData[Data[@Name='LogonType']='7'] and System[(EventID='4624')]]";
EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, query);
try {
    using (EventLogReader logReader = new EventLogReader(eventsQuery)) {
        for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent()) {
            string description = eventdetail.FormatDescription();
            // A 4624 description lists "Account Name:" twice: first under "Subject:", then under
            // "New Logon:". The account that logged on is the second one, so search from "New Logon:".
            int start = description.IndexOf("New Logon:");
            if (start < 0) continue;
            string usernametemp = description.Substring(description.IndexOf("Account Name:", start) + ("Account Name:").Length + 2);
            string username = usernametemp.Substring(0, usernametemp.IndexOf("\r"));
            Console.WriteLine(username);
        }
    }
} catch (EventLogNotFoundException) {
    Console.WriteLine("Error while reading the event logs");
    return;
}
Sorted out your query, and used the description to find the "Account Name" field. Hope this answers your question. You can apply that split/substring method to really find anything in that description variable. It's just a giant string - the text you see in the event log window when you select a log.
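As an added example (not code from the question or the answer above), here is a stand-alone program that uses the same XPath filter but reads TargetUserName and TargetDomainName from the record's XML via ToXml() instead of scraping the rendered description, and tallies which account unlocks the workstation most often. It assumes the process is allowed to read the Security log (administrator or Event Log Readers membership) and that the event schema namespace is whatever the record's root element declares.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

class LogonTally
{
    // Same filter as the answer: successful logons (4624) whose LogonType field is 7.
    const string Query = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='7']]";

    // Pull a named EventData field (for example TargetUserName) out of the record's XML.
    static string DataField(XDocument doc, string name)
    {
        XNamespace ns = doc.Root.Name.Namespace;   // taken from the record itself, not hard-coded
        return doc.Descendants(ns + "Data")
                  .Where(d => (string)d.Attribute("Name") == name)
                  .Select(d => d.Value)
                  .FirstOrDefault();
    }

    static void Main()
    {
        var counts = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        var eventsQuery = new EventLogQuery("Security", PathType.LogName, Query);
        try
        {
            using (var reader = new EventLogReader(eventsQuery))
            {
                for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                {
                    using (rec)
                    {
                        XDocument doc = XDocument.Parse(rec.ToXml());
                        string user = DataField(doc, "TargetUserName");
                        string domain = DataField(doc, "TargetDomainName");
                        // Skip computer accounts (names ending in '$') and records without a user.
                        if (string.IsNullOrEmpty(user) || user.EndsWith("$")) continue;
                        string key = domain + "\\" + user;
                        counts[key] = counts.TryGetValue(key, out int n) ? n + 1 : 1;
                    }
                }
            }
        }
        catch (EventLogNotFoundException) { Console.WriteLine("Security log not found"); return; }
        catch (UnauthorizedAccessException) { Console.WriteLine("Reading the Security log needs admin or Event Log Readers membership"); return; }
        foreach (var kv in counts.OrderByDescending(kv => kv.Value).Take(5))
            Console.WriteLine($"{kv.Key}: {kv.Value} unlock logons");
    }
}
```

Reading the named Data elements avoids the description-scraping pitfalls (two "Account Name:" fields, locale-dependent labels, tab counts), and the same DataField helper works for any other EventData field such as IpAddress or LogonProcessName.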