How do I watch the event log for a specific entry in realtime, also getting the XML data?

Question

I'm building an application which should watch file for access, reading, writing, deleting.

I'm using the built in auditing system on a Windows 7 Pro. You turn it on in gpedit.msc, and then set the audit flags for the files you want to watch, and then you get entries in the security log.

What I want to do is watching the security log in real time, which I do like this:

static EventLog securityLog = new EventLog("Security", System.Environment.MachineName);

securityLog.EntryWritten += new EntryWrittenEventHandler(OnEntryWritten);
securityLog.EnableRaisingEvents = true;

This works and calls my OnEntryWritten-Function.

public static void OnEntryWritten(object source, EntryWrittenEventArgs entry)

entry.Entry is the EntryWrittenEventArgs.Entry Property, which doesn't seem to give me any access to the XML-properties of the entry, which I need, beecause it contains additional information.

What I'm trying to do afterwards is to query the event log via another EventLogReader, because I can get entry.Entry.Index which should be the eventInstance.RecordId of an event that I get from the EventLogReader.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">">*[System[(EventRecordID=181616)]]</Select>
  </Query>
</QueryList>

works as XPath query directly in the event log, it gives back just one entry.

string query = "*[System[(EventRecordID=" + entry.Entry.Index + ")]]";

// Create Event Log Query and Reader
EventLogQuery eventsQuery = new EventLogQuery("Security",
                                              PathType.LogName,
                                              query);

EventLogReader logReader = new EventLogReader(eventsQuery);

// For each event returned from the query
for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())
            {
                if (eventInstance.RecordId == entry.Entry.Index)  //RecordId and Index are the same thing: the identifier of the record/entry. 
                {
                    XDocument xml;
                    try
                    {
                        xml = XDocument.Parse(logReader.ReadEvent().ToXml());
                    }

                    catch (Exception e)
                    {
                        //logger.Write(e.Message.ToString());
                        break;      //We seem to have a newline character in the logReader.ReadEvent() sometimes, but nothing else, so we can safely break here or completely ignore it.
                    }

This fails when I try to get the xml, why is that?

I get an "Object reference not set to an instance of an object." which is an System.NullReferenceException. I'm not sure how this error actually can happen.

If I query the log like this

EventLogQuery eventsQuery = new EventLogQuery("Security",
                                              PathType.LogName,
                                              "*[EventData[Data[@Name='ObjectType'] and (Data='File')]] ");

it works without a problem.

What's the best way to do this, anyway?

score 1 · Answer 1 · answered Oct 07 '14 at 11:48

1

The InstanceId does not return the same value as the index value.

Try the following snippet to get the correct ID

UInt16 eventid = (UInt16)(entry.Entry.InstanceId)

answered Oct 07 '14 at 11:48

Leslie Jordaan

11
1

score 0 · Answer 2 · answered Sep 04 '13 at 08:01

0

Have you checked the output of XDocument.Parse(logReader.ReadEvent().ToXml()) ? Does ToXml() generate a proper XDocument (with header, root element...)? That might be the problem.

However if you don't stick to this solution, you could try to use FileSystemWatcher or the official file monitoring tool from Microsoft: Filemon

answered Sep 04 '13 at 08:01

dave

223
2
9

thanks for your answer, I edited my question with some more detail. I don't get an xml in the first place, but a boring `System.NullReferenceException`, but it does work when I change my query. I have to use the event log, FileSystemWatcher and others are out of the question. – HansM Sep 04 '13 at 08:10

score 0 · Answer 3 · answered Jul 21 '15 at 01:35

Every time you call ReadEvent() you are retrieving the next event. Your query only returns one event. The line

xml = XDocument.Parse(logReader.ReadEvent().ToXml());

is the culprit.

Your code should look more like this:

string query = "*[System[(EventRecordID=" + entry.Entry.Index + ")]]";
// Create Event Log Query and Reader
EventLogQuery eventsQuery = new EventLogQuery("Security",
                                          PathType.LogName,
                                          query);
EventLogReader logReader = new EventLogReader(eventsQuery);

EventRecord eventInstance = logReader.ReadEvent();
if (eventInstance != null)
{
    XDocument xml;
    try
    {
        xml = XDocument.Parse(eventInstance.ToXml());
    }
    catch (Exception e)
    {
        //This probably won't happen now.
        break;      //We seem to have a newline character in the 
    }
}

How do I watch the event log for a specific entry in realtime, also getting the XML data?

3 Answers3