StrokesPlus.net
randomConstant
#1 Posted : Wednesday, April 6, 2022 3:30:04 PM(UTC)
Rank: Advanced Member
Groups: Translators, Approved
Joined: 7/17/2021(UTC)
Posts: 135
Thanks: 35 times
Was thanked: 18 time(s) in 15 post(s)
Hi all

I have an event viewer query in the form of an .xml file which loads when S+ starts. Basically it's a filter which displays a few relevant things in event viewer.

In my case the filter shows Windows sleep, shutdown and boot-up events. This is how I keep track of who logged in to Windows, and when.

Is there a way to fetch the data directly from the event viewer into S+ so it can be displayed *neatly* or stored elsewhere?

Searching online gives ways to do something similar(?) in PowerShell, such as here: Use PowerShell to Query All Event Logs for Recent Events

This is not a high priority thing but any pointers are much appreciated.
Thanks
Rob
#2 Posted : Thursday, April 7, 2022 12:39:59 AM(UTC)
Rank: Administration
Groups: Translators, Members, Administrators
Joined: 1/11/2018(UTC)
Posts: 1,349
United States
Location: Tampa, FL
Thanks: 28 times
Was thanked: 416 time(s) in 354 post(s)
I'm pretty sure I have System.Diagnostics included in the script engine, so you should be able to get this to work with some refactoring.

https://docs.microsoft.c...view=dotnet-plat-ext-6.0
randomConstant
#3 Posted : Wednesday, April 13, 2022 10:15:34 AM(UTC)
Thanks for the pointer Rob

I have tried this so far:
Code:
// GetEventLogs() already returns an array of EventLog objects (one per log on
// this machine), so there is no need to construct an EventLog first.
var myLog = System.Diagnostics.EventLog.GetEventLogs();

var n = 2;
StrokesPlus.Console.Log(myLog[n].Log);            // log name
StrokesPlus.Console.Log(myLog[n].LogDisplayName); // read-friendly log name
StrokesPlus.Console.Log(myLog[n].Entries.Count);  // count of entries in the log


The MS documentation gives examples, but I am unable to convert them for S+ properly, such as How to: Query for Events, sample:
Code:
' Query two different event logs using a structured query.
Dim queryString As String = _
        "<QueryList>" & _
        "  <Query Id=""0"" Path=""Application"">" & _
        "    <Select Path=""Application"">" & _
        "        *[System[(Level &lt;= 3) and" & _
        "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" & _
        "    </Select>" & _
        "    <Suppress Path=""Application"">" & _
        "        *[System[(Level = 2)]]" & _
        "    </Suppress>" & _
        "    <Select Path=""System"">" & _
        "        *[System[(Level=1  or Level=2 or Level=3) and" & _
        "        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" & _
        "    </Select>" & _
        "  </Query>" & _
        "</QueryList>"

Dim eventsQuery As New EventLogQuery("Application", PathType.LogName, queryString)
Dim logReader As New EventLogReader(eventsQuery)

' Display query results.
' (DisplayEventAndLogInformation is defined further down in the same MS sample.)
DisplayEventAndLogInformation(logReader)



On a similar note, I found a PowerShell query to fetch the required logs, such as
Code:
Get-EventLog -LogName System -InstanceId 1 -Newest 1   # can be customized according to event ID, source, message text and so on


Is there a way to get PowerShell output (as input) in S+ in the form of a string or something, so it can be displayed neatly?
Rob
#4 Posted : Wednesday, April 13, 2022 3:40:40 PM(UTC)
You can probably get the output from a PowerShell command by redirecting the standard output. See this post and search for "redirect":

https://forum.strokesplus.net/posts/t8434-Searching-text-file-contents-in-background

However, this script sample should help you along working within S+:
Code:
var allEventLogs = System.Diagnostics.EventLog.GetEventLogs();
var systemEventLog = -1;

// Find the System event log
for(var i = 0; i < allEventLogs.Count(); i++) {
    //StrokesPlus.Console.Log(allEventLogs[i].Log);
    if (allEventLogs[i].Log == "System") {
        systemEventLog = i;
        break;
    }
}

if (systemEventLog == -1) {
    StrokesPlus.Console.Log("System event log not found (or not readable by this account)");
} else {
    // Start at the end of the event log and work backward (most recent first).
    // Index 0 is the oldest entry, so the loop has to include it (i >= 0).
    for(var i = allEventLogs[systemEventLog].Entries.Count - 1; i >= 0; i--) {

        // EventLogEntry Properties:
        //https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlogentry?view=dotnet-plat-ext-6.0
        let entry = allEventLogs[systemEventLog].Entries.Item(i);

        // Looks like these types will show logoff/shutdown/etc (but see link in next section for better details)
        if(entry.EntryType.ToString() == "Information" 
           && entry.Source == "User32") {
            StrokesPlus.Console.Log(`${entry.TimeGenerated.ToString("yyyy-MM-dd hh:mm:ss tt")} - ${entry.EntryType.ToString()} - ${entry.Source} - ${entry.Message}`)
        }

        // Below are just 2 events I found to map here, the post below seems to cover a variety of event sources and IDs
        // https://serverfault.com/questions/885601/windows-event-codes-for-startup-shutdown-lock-unlock
        if(entry.EntryType.ToString() == "Information" 
           && entry.Source == "Microsoft-Windows-Kernel-General") 
        {
            switch(entry.EventID) {
                case 12:
                    StrokesPlus.Console.Log(`${entry.TimeGenerated.ToString("yyyy-MM-dd hh:mm:ss tt")} - ${entry.EntryType.ToString()} - ${entry.Source} - System Started`)        
                    break;
                case 13:
                    StrokesPlus.Console.Log(`${entry.TimeGenerated.ToString("yyyy-MM-dd hh:mm:ss tt")} - ${entry.EntryType.ToString()} - ${entry.Source} - System Shutdown`)        
                    break;
            }
        }
    }
}
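A worked version of the filtering in Rob's script, as an added example that is not part of his post or of S+ itself: it keeps the Source/EventID approach but drives it from a lookup table, pulls the requesting account out of User32 1074 messages (the "who" the original question asked for), and pairs boots with shutdowns so a session that was never shut down cleanly stands out. The records are constructed sample data; their field names mirror System.Diagnostics.EventLogEntry, and feeding the functions from the S+ loop (passing entry.TimeGenerated.ToString("o") as the timestamp) is an assumption on my part, not something the thread shows. As written it runs stand-alone under Node.

```javascript
// Added example, not code from the StrokesPlus.net thread or from S+ itself.
// Field names (TimeGenerated, Source, EventID, Message) mirror
// System.Diagnostics.EventLogEntry. Assumption: in S+ you would build these
// objects inside Rob's loop, passing entry.TimeGenerated.ToString("o") so the
// timestamp parses with new Date(); here constructed sample records are used.

// (Source, EventID) -> meaning. The IDs are the standard System-log IDs these
// providers write; which ones to track is this example's own choice.
const EVENT_TABLE = {
  "Microsoft-Windows-Kernel-General": { 12: "boot", 13: "shutdown" },
  "Microsoft-Windows-Kernel-Power": { 41: "unclean restart", 42: "sleep" },
  "Microsoft-Windows-Power-Troubleshooter": { 1: "resume" },
  "User32": { 1074: "shutdown requested" },
};

// Constructed sample (not real log data). The second boot is followed by a
// third with no shutdown between them, and Kernel-Power 41 confirms it.
const KG = "Microsoft-Windows-Kernel-General";
const KP = "Microsoft-Windows-Kernel-Power";
const SAMPLE_ENTRIES = [
  { TimeGenerated: "2022-04-10T08:00:00Z", Source: KG, EventID: 12, Message: "The operating system started." },
  { TimeGenerated: "2022-04-10T12:30:00Z", Source: KP, EventID: 42, Message: "The system is entering sleep." },
  { TimeGenerated: "2022-04-10T13:00:00Z", Source: "Microsoft-Windows-Power-Troubleshooter", EventID: 1, Message: "The system has returned from a low power state." },
  { TimeGenerated: "2022-04-10T17:59:58Z", Source: "Service Control Manager", EventID: 7036, Message: "A service entered the stopped state." },
  { TimeGenerated: "2022-04-10T18:00:00Z", Source: "User32", EventID: 1074, Message: "The process winlogon.exe (LABPC) has initiated the power off of computer LABPC on behalf of user LAB\\alice for the following reason: Other (Unplanned)" },
  { TimeGenerated: "2022-04-10T18:00:05Z", Source: KG, EventID: 13, Message: "The operating system is shutting down." },
  { TimeGenerated: "2022-04-11T07:55:00Z", Source: KG, EventID: 12, Message: "The operating system started." },
  { TimeGenerated: "2022-04-12T09:00:00Z", Source: KG, EventID: 12, Message: "The operating system started." },
  { TimeGenerated: "2022-04-12T09:00:20Z", Source: KP, EventID: 41, Message: "The system has rebooted without cleanly shutting down first." },
];

// Meaning of one entry, or null if it is not a (Source, EventID) we track.
// Filtering on the pair is the point: EntryType == "Information" alone
// matches thousands of unrelated records.
function classify(entry) {
  const ids = EVENT_TABLE[entry.Source];
  return ids ? (ids[entry.EventID] || null) : null;
}

// User32 1074 is the only one of these that names an account.
function requestingUser(entry) {
  const m = /on behalf of user (\S+)/.exec(entry.Message || "");
  return m ? m[1] : null;
}

// Tracked events, most recent first (like Rob's backward loop).
function sessionEvents(entries) {
  return entries
    .map(e => ({ time: new Date(e.TimeGenerated), kind: classify(e),
                 source: e.Source, id: e.EventID, user: requestingUser(e) }))
    .filter(e => e.kind !== null)
    .sort((a, b) => b.time - a.time);
}

function formatLine(ev) {
  const who = ev.user ? ` by ${ev.user}` : "";
  return `${ev.time.toISOString()} - ${ev.source} - ${ev.id} - ${ev.kind}${who}`;
}

// Pair boots with shutdowns in time order. A boot that arrives while a
// session is still open, or a Kernel-Power 41, marks the previous session
// as not cleanly shut down (crash, power loss, or hard reset).
function pairSessions(entries) {
  const sessions = [];
  let open = null;
  for (const ev of sessionEvents(entries).reverse()) {  // oldest first
    if (ev.kind === "boot") {
      if (open) { open.clean = false; sessions.push(open); }
      open = { start: ev.time, end: null, clean: true, shutdownBy: null };
    } else if (ev.kind === "shutdown requested" && open) {
      open.shutdownBy = ev.user;
    } else if (ev.kind === "shutdown" && open) {
      open.end = ev.time;
      sessions.push(open);
      open = null;
    } else if (ev.kind === "unclean restart" && sessions.length) {
      // 41 is written during the *next* boot, so it refers to the session
      // that was open before this boot (already pushed by the boot branch).
      sessions[sessions.length - 1].clean = false;
    }
  }
  if (open) sessions.push(open);  // still running, or no shutdown logged yet
  return sessions;
}

// Neat text report: event lines followed by one line per session.
function report(entries) {
  const lines = sessionEvents(entries).map(formatLine);
  for (const s of pairSessions(entries)) {
    const end = s.end ? s.end.toISOString() : "(no shutdown logged)";
    const by = s.shutdownBy ? ` shutdown by ${s.shutdownBy}` : "";
    lines.push(`session ${s.start.toISOString()} -> ${end}${s.clean ? "" : " ** UNCLEAN **"}${by}`);
  }
  return lines;
}

console.log(report(SAMPLE_ENTRIES).join("\n"));
```

Filtering on (Source, EventID) rather than on EntryType is what keeps the output short on a real System log, and the session pairing is where the value is for the original question: the User32 1074 line tells you who asked for the shutdown, and a boot with no 13 before it (or a 41 after it) tells you the machine went down without anyone asking.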
randomConstant
#5 Posted : Thursday, April 14, 2022 5:36:42 AM(UTC)
Amazing!!

Thank you Rob

Both of the methods work great.