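/// <summary>
/// Subscribes to the Windows Security log for event 4663 and routes each delivered
/// record to <see cref="LogWatcher_EventRecordWritten"/>.
/// </summary>
/// <remarks>
/// Reading the Security channel normally requires elevated rights (Administrators or
/// the Event Log Readers group); the reader API surfaces access-denied as
/// <see cref="UnauthorizedAccessException"/>, not <see cref="EventLogException"/>, so
/// both are handled below. Event 4663 (object access attempted) is only written when
/// object-access auditing is enabled and the object carries a SACL — confirm the audit
/// policy on the monitored host before relying on this feed. The watcher is a local and
/// is never stored, so the subscription cannot be stopped or disposed later; keep a
/// field reference if the host needs a clean shutdown.
/// </remarks>
public void initMonitorEventLog()
{
    EventLogSession session = new EventLogSession();
    // Third argument is the XPath filter evaluated by the event log service for the
    // "Security" channel.
    EventLogQuery query = new EventLogQuery("Security", PathType.LogName, "*[System/EventID=4663]")
    {
        // Keep the subscription alive past per-query errors instead of failing it outright;
        // such errors are then reported to the handler rather than thrown here.
        TolerateQueryErrors = true,
        Session = session
    };
    EventLogWatcher logWatcher = new EventLogWatcher(query);
    logWatcher.EventRecordWritten += LogWatcher_EventRecordWritten;
    try
    {
        logWatcher.Enabled = true;
    }
    catch (Exception ex) when (ex is EventLogException || ex is UnauthorizedAccessException)
    {
        // The subscription never started: release the native handles before reporting,
        // otherwise both objects leak until finalization.
        logWatcher.Dispose();
        session.Dispose();
        Console.WriteLine(ex.Message);
        Console.ReadLine();
    }
}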
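/// <summary>
/// Handles one record delivered by the <see cref="EventLogWatcher"/> subscription and
/// prints its rendered description to the console.
/// </summary>
/// <param name="sender">The watcher raising the event.</param>
/// <param name="e">
/// Carries either the <see cref="EventRecord"/>, or a null record together with
/// <see cref="EventRecordWrittenEventArgs.EventException"/> when the subscription hit an error.
/// </param>
/// <remarks>
/// Invoked on a thread-pool callback thread; an exception escaping this handler is likely
/// to terminate the process rather than just the watcher, so the record is checked first.
/// </remarks>
private void LogWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
    // The watcher reports subscription errors as a null record; dereferencing it
    // unconditionally throws on the callback thread.
    if (e.EventRecord == null)
    {
        Console.WriteLine(e.EventException != null ? e.EventException.Message : "Event record was null.");
        return;
    }

    // EventRecord wraps a native event handle; dispose it once it has been consumed.
    using (EventRecord eventRecord = e.EventRecord)
    {
        // FormatDescription() renders the provider's message template. The individual
        // fields (TimeCreated, Id, LogName, Level, TaskDisplayName, OpcodeDisplayName,
        // MachineName, ProviderName) are available on eventRecord if a compact
        // one-line format is preferred instead.
        Console.WriteLine(eventRecord.FormatDescription());
    }
}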
其中，EventLogQuery 构造函数的第三个参数是 Windows 事件日志的查询筛选条件。我在网上查过想要同时筛选、监视多个 EventID 的情况，按 XPath 语法手写一直没能写对。后来受一位外国博主的启发：在下图所示的 Windows 事件查看器中先设置筛选条件，再切换到 XML 视图，就能看到自动生成的查询条件，把它复制到代码里即可。


*[System[(EventID=4663 or EventID=5142 or EventID=5144)]]
就是这个条件，复制到代码里就搞定了。