
VB / C# Query Event Logs from Domain Controller by looking at username in EventData

I am trying to pull specific Security audit-failure event log entries that contain a given username from a domain controller (DC). In PowerShell I can easily do this with something like the following:

Where the variables would be something like `$DC = "MyDomainController"` and `$user = "jdoe"`:

# Keywords 4503599627370496 (0x10000000000000) is the Audit Failure keyword bit; Data=$user matches the username
# against the event's data values (presumably any EventData field, not only TargetUserName — verify if precision matters).
# -MaxEvents 4 returns only the 4 newest matches; the remote Security log is read as the current user.
Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='4503599627370496';Data=$user} -MaxEvents 4 | Format-List -Property ID, TimeCreated, MachineName, Message

This pulls the 4 newest Security audit-failure events containing that username from the DC I am looking at. However, I have been unable to find or reproduce this behaviour in C# or VB. I have been searching for the last few days and only find articles about writing event log entries or pulling all logs from DCs without filtering them down. Any help or guidance would be great, thank you!


I was able to find the answer by looking at custom log queries using XPath. I did the following in C#, but the same can be applied in VB. Note that the username is concatenated straight into the XPath query string, so it must be escaped (or rejected) if it can contain quote characters, otherwise the query breaks or matches more than intended.
DomainController.Text = the domain controller you're looking up
Username.Text = the AD username to look up
Statustextbox = I have all the log output go to a textbox to read, but you could do something like Console.WriteLine instead

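private void LookupLogs_Click(object sender, EventArgs e)
{
    // Build an XPath query for Audit Failure events (keyword bit 0x10000000000000 = 4503599627370496)
    // whose TargetUserName EventData field equals the requested account.
    // Username.Text is user-supplied and lands inside an XPath string literal, so it is wrapped
    // with XPathLiteral() instead of being concatenated raw: a value containing a quote would
    // otherwise break the query or widen it (e.g. ' or 1=1 or ' would match every event).
    // The predicate compares the TargetUserName element itself; the looser form
    // Data[@Name='TargetUserName'] and (Data='x') would match when ANY data field equals x.
    string query = "<QueryList>" +
                   "  <Query Id=\"0\" Path=\"Security\">" +
                   "    <Select Path=\"Security\">" +
                   "        *[System[band(Keywords,4503599627370496)]] and " +
                   "        *[EventData[Data[@Name='TargetUserName']=" + XPathLiteral(Username.Text) + "]]" +
                   "    </Select>" +
                   "  </Query>" +
                   "</QueryList>";

    try
    {
        // Remote session to the DC named in the textbox, authenticated as the current user;
        // reading a remote Security log requires rights that account holds there
        // (e.g. Event Log Readers membership) — NOTE(review): confirm for your environment.
        // Session and reader are both IDisposable; dispose them so the RPC handle is released.
        using (EventLogSession session = new EventLogSession(DomainController.Text))
        {
            EventLogQuery evntquery = new EventLogQuery("Security", PathType.LogName, query);
            evntquery.Session = session;

            using (EventLogReader logreader = new EventLogReader(evntquery))
            {
                DisplayEventAndLogInformation(logreader);
            }
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show("An exception occured: " + ex.Message);
    }
}

// Returns value as a safe XPath 1.0 string literal. XPath has no escape sequence inside a
// quoted literal, so a value holding both quote kinds is assembled with concat() instead.
private static string XPathLiteral(string value)
{
    if (value.IndexOf('\'') < 0)
    {
        return "'" + value + "'";
    }

    if (value.IndexOf('"') < 0)
    {
        return "\"" + value + "\"";
    }

    // Mixed quotes: split on the single quotes and rejoin the pieces with a "'" literal between them.
    string[] parts = value.Split('\'');
    return "concat('" + string.Join("', \"'\", '", parts) + "')";
}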

private void DisplayEventAndLogInformation(EventLogReader logReader)
        for (EventRecord eventInstance = logReader.ReadEvent();
            null != eventInstance; eventInstance = logReader.ReadEvent())
            Statustextbox.AppendText(Environment.NewLine + Environment.NewLine);
            Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine);
            Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine);
            Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine);

                Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine);
            catch (EventLogException ex)
                Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine);
            EventLogRecord logRecord = (EventLogRecord)eventInstance;
            Statustextbox.AppendText("Container Event Log: " + logRecord.ContainerLog + Environment.NewLine);