0

I'm trying to get a list of events where people have attempted to log in to our server and immediately block the IP after x unsuccessful attempts.

Here is what I have so far:

```csharp
using System;
using System.Diagnostics;
using System.Windows.Forms;

public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void button1_Click(object sender, EventArgs e)
    {
        // Open the Security log on the remote server.
        EventLog eventLog = new EventLog();
        eventLog.Log = "Security";
        eventLog.Source = "Security-Auditing";
        eventLog.MachineName = "TGSERVER";

        // Walk the first entries only; nothing is filtered by event ID yet.
        var count = 0;
        foreach (EventLogEntry log in eventLog.Entries)
        {
            if (count > 200)
            {
                return;
            }
            Console.Write("eventLog.Log: {0}", eventLog.Log);
            count++;
        }
    }
}
```

Not much to it but it's a start.

My problem is, I can't seem to isolate those particular events since I can't filter by event ID or keyword, or at least I don't see a way to.

My goal is to get the IP of those bad attempts.

Anyone have any suggestions?

ErocM

1 Answer

2

EventLogEntry contains an EventID property. But be careful, because EventID is now obsolete. Please read the Remarks section in the EventID description. As far as I understand, EventID is shown in the Windows Event Viewer (eventvwr.msc), but in the event log file (.evtx) events are stored with InstanceId.

westwood
  • According to the InstanceId documentation, "The EventID property equals the InstanceId with the top two bits masked off." Since that is the case, you can test InstanceId for an Event ID as follows: `bool isDesiredEvent = (eventLogEntry.InstanceId & 0x3FFFFFFF) == desiredEventID;` – JamieSee Feb 17 '16 at 17:49
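Putting the answer and the comment together, as an added example that is not part of the original posts: a console sketch that applies the `InstanceId` mask to pick out failed logons and counts them per source IP. It assumes event ID 4625 ("An account failed to log on"), that the source address is the 20th event-data field (index 19), and a constructed threshold of 5 attempts within the last hour; verify the index against an actual event on your server.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Net;

static class FailedLogonScan
{
    const long FailedLogonEventId = 4625; // "An account failed to log on"
    const int IpAddressIndex = 19;        // assumed position of IpAddress in the 4625 event data
    const int Threshold = 5;              // constructed value for "x unsuccessful attempts"

    // Apply the mask from the comment above, then pull the source address out of the event data.
    static bool TryGetSourceIp(EventLogEntry entry, out IPAddress ip)
    {
        ip = null;
        if ((entry.InstanceId & 0x3FFFFFFF) != FailedLogonEventId) return false;
        string[] data = entry.ReplacementStrings;
        // Local logons record "-" here; skip unparsable values and loopback.
        return data.Length > IpAddressIndex
            && IPAddress.TryParse(data[IpAddressIndex], out ip)
            && !IPAddress.IsLoopback(ip);
    }

    static void Main()
    {
        // Reading the Security log requires elevated rights on the target machine.
        using (var log = new EventLog("Security", "TGSERVER"))
        {
            var since = DateTime.Now.AddHours(-1);
            var counts = new Dictionary<IPAddress, int>();
            EventLogEntryCollection entries = log.Entries;
            // Walk newest-first and stop at the window edge instead of reading the whole log.
            for (int i = entries.Count - 1; i >= 0; i--)
            {
                EventLogEntry entry = entries[i];
                if (entry.TimeGenerated < since) break;
                if (TryGetSourceIp(entry, out IPAddress ip))
                    counts[ip] = counts.TryGetValue(ip, out int n) ? n + 1 : 1;
            }
            foreach (var pair in counts.Where(p => p.Value >= Threshold))
                Console.WriteLine("{0}: {1} failed logons in the last hour", pair.Key, pair.Value);
        }
    }
}
```

The output is a list of candidate addresses only; review it against known-good sources (VPN gateways, monitoring hosts) before feeding it to a block list.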