
I am trying to read the Windows event log "Microsoft-Windows-Sysmon/Operational" from C#. I tried:

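string eventLogName = "Microsoft-Windows-Sysmon/Operational";

// System.Diagnostics.EventLog only enumerates the classic logs (Application, System,
// Security and the logs registered alongside them). "Microsoft-Windows-Sysmon/Operational"
// is a modern ETW channel, so reading Entries here throws
// InvalidOperationException ("The event log ... does not exist") even though the
// channel is visible in Event Viewer. Modern channels are read with
// EventLogQuery/EventLogReader from System.Diagnostics.Eventing.Reader (System.Core.dll
// on .NET Framework). Reading the Sysmon channel typically also requires running
// elevated or as a member of the Event Log Readers group — confirm on the target host.
//
// EventLog is IDisposable; the using block releases its handle even when the
// enumeration throws.
using (EventLog eventLog = new EventLog(eventLogName))
{
    foreach (EventLogEntry log in eventLog.Entries)
    {
        Console.WriteLine("{0}\n", log.Message);
    }
}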

However, I get:

System.InvalidOperationException: 'The event log 'Microsoft-Windows-Sysmon/Operational' on computer '.' does not exist.'

I found a solution here. It uses the System.Diagnostics.Eventing.Reader namespace (EventLogQuery/EventLogReader). However, I cannot find that namespace anywhere on my system or in the package manager.

Also, since several people claim that the log name may be incorrect, here is a screenshot of the log's properties: [screenshot]

  • Are you sure you are using the correct naming semantics. This is the error you get if a log source has been created with that name on that machine. – Ross Bush Sep 19 '19 at 20:07
    Possible duplicate of [this](https://stackoverflow.com/a/33680763/6311045) –  Sep 19 '19 at 20:11
  • Yes, I took the name from the event properties – Rahul Sep 19 '19 at 20:12
  • Possible duplicate of [How to retrieve event log other than Application category?](https://stackoverflow.com/questions/33680388/how-to-retrieve-event-log-other-than-application-category) – Christian Gollhardt Sep 19 '19 at 20:43

1 Answer


Are you sure you are using the correct naming semantics? This is the error you get when no log with that name is registered on that machine. As an alternative you can use System.Management and query WMI directly. (Caveat: the System.Diagnostics.EventLog class and WMI's Win32_NTLogEvent class both expose only the classic event logs — Application, System, Security and logs registered alongside them. A modern ETW channel such as Microsoft-Windows-Sysmon/Operational is not reachable through either, so the WMI query below will most likely not see Sysmon events; EventLogQuery/EventLogReader in System.Diagnostics.Eventing.Reader is the supported API for those channels.)

Below is a function I have used in the past...NOTE : ServerLogEntry is an object from my application domain.

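/// <summary>
/// Reads up to <paramref name="number"/> events written by this application's event
/// source (<c>GetEventLogSourceName()</c>) from a classic event log through WMI's
/// Win32_NTLogEvent class, and returns them newest-first by TimeGenerated.
/// </summary>
/// <param name="number">Maximum number of events to return; zero or negative yields an empty list.</param>
/// <param name="logFile">Classic log to query (the Logfile property of Win32_NTLogEvent). Defaults to "Application".</param>
/// <returns>The matching events, ordered by TimeGenerated descending.</returns>
/// <exception cref="ArgumentNullException"><paramref name="logFile"/> is null.</exception>
/// <remarks>
/// Win32_NTLogEvent exposes the classic logs only; modern ETW channels such as
/// Microsoft-Windows-Sysmon/Operational are read with System.Diagnostics.Eventing.Reader
/// instead. Querying the Security log requires the appropriate privileges.
/// </remarks>
public List<ServerLogEntry> GetLastestServerLogEntries(int number, string logFile = "Application")
{
    if (logFile == null)
    {
        throw new ArgumentNullException("logFile");
    }

    List<ServerLogEntry> logs = new List<ServerLogEntry>();
    if (number <= 0)
    {
        return logs;
    }

    string logSource = this.GetEventLogSourceName() ?? "";

    // Both values are embedded in WQL string literals. WQL's escape character is the
    // backslash, so escape backslashes first and then single quotes; otherwise a quote
    // in either value breaks the query or lets the WHERE clause be rewritten (WQL injection).
    string escapedLogFile = logFile.Replace("\\", "\\\\").Replace("'", "\\'");
    string escapedSource = logSource.Replace("\\", "\\\\").Replace("'", "\\'");
    string query = String.Format(
        "SELECT * FROM Win32_NTLogEvent WHERE Logfile = '{0}' AND SourceName = '{1}'",
        escapedLogFile,
        escapedSource);

    // The searcher, the result collection and every ManagementObject wrap WMI/COM
    // handles; all of them are disposed explicitly instead of waiting for finalizers.
    using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
    using (ManagementObjectCollection results = searcher.Get())
    {
        // ManagementObjectCollection is a non-generic IEnumerable, so Cast<> is needed
        // before Take. Only the first `number` objects in WMI enumeration order are
        // read — verify that order is newest-first if "latest" must be strict.
        foreach (ManagementObject mo in results.Cast<ManagementObject>().Take(number))
        {
            using (mo)
            {
                ServerLogEntry log = new ServerLogEntry();
                log.Category = Convert.ToInt32(mo["Category"]);
                log.CategoryString = SafeString(mo["CategoryString"]);
                log.ComputerName = SafeString(mo["ComputerName"]);
                log.EventCode = Convert.ToInt32(mo["EventCode"]);
                // EventIdentifier and RecordNumber are uint32 in WMI; Convert.ToInt32
                // throws OverflowException above int.MaxValue.
                log.EventIdentifier = Convert.ToInt32(mo["EventIdentifier"]);
                log.EventType = Convert.ToInt32(mo["EventType"]);
                log.EventTypeName = this.ConvertLogEventType(log.EventType);
                log.LogFile = SafeString(mo["LogFile"]);
                log.Message = SafeString(mo["Message"]);
                log.RecordNumber = Convert.ToInt32(mo["RecordNumber"]);
                log.SourceName = SafeString(mo["SourceName"]);
                // DMTF datetime strings (yyyyMMddHHmmss.ffffff±UUU); see ConvertLogDateTime.
                log.TimeGenerated = this.ConvertLogDateTime(SafeString(mo["TimeGenerated"]));
                log.TimeWritten = this.ConvertLogDateTime(SafeString(mo["TimeWritten"]));
                log.Type = SafeString(mo["Type"]);
                log.User = SafeString(mo["User"]);
                logs.Add(log);
            }
        }
    }

    return logs.OrderByDescending(p => p.TimeGenerated).ToList();
}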

/// <summary>
/// Returns <paramref name="propertyValue"/>.ToString(), or the empty string when the
/// value is null. Used for WMI property values, which may be absent.
/// </summary>
/// <param name="propertyValue">Any object, possibly null.</param>
/// <returns>The object's string form, or "" for null.</returns>
private string SafeString(object propertyValue)
{
    if (propertyValue == null)
    {
        return "";
    }

    return propertyValue.ToString();
}

/// <summary>
/// Maps a Win32_NTLogEvent.EventType code to a display name.
/// </summary>
/// <param name="eventType">The numeric EventType read from WMI.</param>
/// <returns>"Error", "Warning", "Information", "Security Audit Success" or
/// "Security Audit Failure" for codes 1–5; "Unknown" for any other value.</returns>
private string ConvertLogEventType(int eventType)
{
    // Index = code - 1; anything outside 1..5 is reported as "Unknown".
    string[] names =
    {
        "Error",
        "Warning",
        "Information",
        "Security Audit Success",
        "Security Audit Failure"
    };

    if (eventType < 1 || eventType > names.Length)
    {
        return "Unknown";
    }

    return names[eventType - 1];
}

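/// <summary>
/// Converts a Win32_NTLogEvent TimeGenerated/TimeWritten value (a DMTF datetime
/// string such as "20071107135007.000000-300") to a DateTime.
/// </summary>
/// <param name="entryTimeGeneratedString">DMTF datetime string; at least the first
/// 14 characters (yyyyMMddHHmmss) must be present.</param>
/// <returns>The date and time encoded in the first 14 characters, with
/// DateTimeKind.Unspecified.</returns>
/// <exception cref="ArgumentOutOfRangeException">The string is null or shorter than 14 characters.</exception>
/// <exception cref="FormatException">The first 14 characters are not a valid yyyyMMddHHmmss value.</exception>
/// <remarks>
/// The fractional seconds and the trailing UTC offset in minutes ("-300" = UTC-05:00)
/// are discarded, so the result is the wall-clock time of the machine that wrote the
/// event, not UTC. Do not correlate it directly with timestamps from other time zones;
/// keep the offset (or use ManagementDateTimeConverter.ToDateTime) when that matters.
/// </remarks>
private DateTime ConvertLogDateTime(string entryTimeGeneratedString)
{
    const int DateTimePrefixLength = 14; // yyyyMMddHHmmss

    if (entryTimeGeneratedString == null || entryTimeGeneratedString.Length < DateTimePrefixLength)
    {
        throw new ArgumentOutOfRangeException(
            "entryTimeGeneratedString",
            "Expected a DMTF datetime such as 20071107135007.000000-300.");
    }

    // InvariantCulture: the value is machine-generated and never localized.
    return DateTime.ParseExact(
        entryTimeGeneratedString.Substring(0, DateTimePrefixLength),
        "yyyyMMddHHmmss",
        System.Globalization.CultureInfo.InvariantCulture);
}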

Here is the native structure returned -->

/*class Win32_NTLogEvent
{
    uint16   Category;
    string   CategoryString;
    string   ComputerName;
    uint8    Data[];
    uint16   EventCode;
    uint32   EventIdentifier;
    uint8    EventType;
    string   InsertionStrings[];
    string   Logfile;
    string   Message;
    uint32   RecordNumber;
    string   SourceName;
    datetime TimeGenerated;
    datetime TimeWritten;
    string   Type;
    string   User;
};*/
  • It seems it will work. However, am not sure how to read the data from ManagementObject mo. Sorry, but am an amateur c# Also, the name I had copied from the log source properties. – Rahul Sep 19 '19 at 20:29
  • Added my translation source. – Ross Bush Sep 19 '19 at 20:36
  • Then I would bet that "Microsoft-Windows-Sysmon/Operational" is not the correct log source. What does the LogName of an event from this source look like and are the events are coming from the machine you are on? – Ross Bush Sep 20 '19 at 12:16