Coding-Enthusiast Coding-Enthusiast - 6 months ago 193
Vb.net Question

VB / C# Query Event Logs from Domain Controller by looking at username in EventData

I am attempting to have specific event logs that contain a username that are Security Audit Failures from a DC, in powershell I can easily do this with something like this:

Where the variables would be something like: $DC = "MyDomainController" and $user = "jdoe"

Get-WinEvent -ComputerName $DC -FilterHashtable @{Logname='Security';Keywords='4503599627370496';Data=$user} -MaxEvents 4 | Format-List -Property ID, TimeCreated, MachineName, Message


This would pull 4 event logs that are security audit failures with the person's username from a DC I am looking at, however I have been unable to find or reproduce this behavior to something similar in vb.net, I have been searching pages for the last few days and coming up with a lot of writing and pulling all logs on DC's but not filtering down, any help or guidance would be great, thank you!

Answer

I was able to find the answer to this by looking at custom log query's by using xpath, I did the following in C# but the same can be applied in VB,
Domaincontroller.text = The domain controller your looking up:
Username.text = The AD username to lookup
Statustextbox = I have all the logs go to a textbox to read but you could do something like console.writeline

private void LookupLogs_Click(object sender, EventArgs e)
    {
        Statustextbox.Clear();
        string query = "<QueryList>" +
                       "  <Query Id=\"0\" Path=\"Security\">" +
                       "    <Select Path=\"Security\">" +
                       "        *[System[band(Keywords,4503599627370496)]] and *[EventData[Data[@Name='TargetUserName'] and (Data='" + Username.Text + "')]]" +
                       "    </Select>" +
                       "  </Query>" +
                       "</QueryList>";
        EventLogSession session = new EventLogSession(DomainController.Text);
        EventLogQuery evntquery = new EventLogQuery("Security", PathType.LogName, query);
        evntquery.Session = session;
        try
        {
            EventLogReader logreader = new EventLogReader(evntquery);
            DisplayEventAndLogInformation(logreader);
        }
        catch (Exception ex)
        {
            MessageBox.Show("An exception occured: " + ex.Message);
        }
    }

private void DisplayEventAndLogInformation(EventLogReader logReader)
    {
        for (EventRecord eventInstance = logReader.ReadEvent();
            null != eventInstance; eventInstance = logReader.ReadEvent())
        {
            Statustextbox.AppendText(Environment.NewLine + Environment.NewLine);
            Statustextbox.AppendText("---------------------------------------------------------------------------------------------------------------------------------------------------------------" + Environment.NewLine);
            Statustextbox.AppendText("Event ID: " + eventInstance.Id + Environment.NewLine);
            Statustextbox.AppendText("Publisher: " + eventInstance.ProviderName + Environment.NewLine);

            try
            {
                Statustextbox.AppendText("Description: " + eventInstance.FormatDescription() + Environment.NewLine);
            }
            catch (EventLogException ex)
            {
                Statustextbox.AppendText("An exception was thrown: " + ex.Message + Environment.NewLine);
            }
            EventLogRecord logRecord = (EventLogRecord)eventInstance;
            Statustextbox.AppendText(Environment.NewLine);
            Statustextbox.AppendText("Container Event Log: " + logRecord.ContainerLog + Environment.NewLine);
        }
    }