Rank: Advanced Member
Groups: Translators, Approved Joined: 7/17/2021(UTC) Posts: 130
Thanks: 35 times Was thanked: 18 time(s) in 15 post(s)
Hi all,

I have an event viewer query in the form of an .xml file which loads when S+ starts. Basically it's a filter which displays a few relevant things in Event Viewer. In my case the filter filters and shows Windows sleep, shutdown and boot-up events. This is how I keep track of who logged in to Windows, and when. Is there a way to fetch the data directly from the event viewer into S+ so it can be displayed *neatly* or stored elsewhere? Searching online gives ways to do something similar(?) in PowerShell, such as here: Use PowerShell to Query All Event Logs for Recent Events

This is not a high priority thing but any pointers are much appreciated. Thanks
Rank: Administration
Groups: Translators, Members, Administrators Joined: 1/11/2018(UTC) Posts: 1,308  Location: Tampa, FL Thanks: 28 times Was thanked: 410 time(s) in 351 post(s)
Rank: Advanced Member
Groups: Translators, Approved Joined: 7/17/2021(UTC) Posts: 130
Thanks: 35 times Was thanked: 18 time(s) in 15 post(s)
Thanks for the pointer Rob

I have tried this so far,

Code:
// GetEventLogs() returns an array of EventLog objects, one per log on the machine
var myLog = System.Diagnostics.EventLog.GetEventLogs();
var n = 2;
StrokesPlus.Console.Log(myLog[n].Log);            // log name
StrokesPlus.Console.Log(myLog[n].LogDisplayName); // read-friendly log name
StrokesPlus.Console.Log(myLog[n].Entries.Count);  // number of entries in the log

MS Documentation gives examples but I am unable to convert them for S+ properly, such as How to: Query for Events, sample:

Code:
Imports System.Diagnostics.Eventing.Reader

' Query two different event logs using a structured query.
Dim queryString As String = _
"<QueryList>" & _
" <Query Id=""0"" Path=""Application"">" & _
" <Select Path=""Application"">" & _
" *[System[(Level <= 3) and" & _
" TimeCreated[timediff(@SystemTime) <= 86400000]]]" & _
" </Select>" & _
" <Suppress Path=""Application"">" & _
" *[System[(Level = 2)]]" & _
" </Suppress>" & _
" <Select Path=""System"">" & _
" *[System[(Level=1 or Level=2 or Level=3) and" & _
" TimeCreated[timediff(@SystemTime) <= 86400000]]]" & _
" </Select>" & _
" </Query>" & _
"</QueryList>"
Dim eventsQuery As New EventLogQuery("Application", PathType.LogName, queryString)
Dim logReader As New EventLogReader(eventsQuery)
' Display query results (helper defined elsewhere in the MS sample).
DisplayEventAndLogInformation(logReader)

On a similar note, I found a PowerShell query to fetch required logs, such as

Code:
Get-EventLog -LogName System -InstanceId 1 -Newest 1  # can be customized according to event ID, source, message text and so on

Is there a way to get PowerShell output (as input) into S+ in the form of a string or something, so it can be displayed neatly?
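The two things asked for above (a query that pulls the boot/shutdown/sleep/logon events the Event Viewer filter shows, and getting the result out of PowerShell as one string that another process can read) can be done in one script. The following is an added example, not code from this thread or from the StrokesPlus project; it uses Get-WinEvent with filter hashtables and emits a single JSON string on standard output. The -Days window and -OutFile path are assumptions made for the example; the event IDs are the documented Windows ones, and reading event 4624 from the Security log needs an elevated PowerShell.

```powershell
# Added example, not from this thread: collect boot/shutdown/sleep/resume and
# interactive logon events and print them as one JSON string, so a caller
# (for instance an S+ script reading the redirected standard output) receives
# structured text rather than console formatting.
# Assumptions: -Days and -OutFile are made up for this example; the Security
# log (event 4624) is only readable from an elevated PowerShell.
param(
    [int]$Days = 7,
    [string]$OutFile = ''
)

$since = (Get-Date).AddDays(-$Days)

# Windows event IDs used (documented by Microsoft):
#   System   Microsoft-Windows-Kernel-General        12 = OS started, 13 = OS shutting down
#   System   Microsoft-Windows-Kernel-Power          42 = entering sleep
#   System   Microsoft-Windows-Power-Troubleshooter   1 = resumed from sleep
#   System   User32                                1074 = user/process initiated shutdown or restart
#   Security Microsoft-Windows-Security-Auditing   4624 = successful logon
$filters = @(
    @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Kernel-General';       Id = 12, 13; StartTime = $since }
    @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Kernel-Power';         Id = 42;     StartTime = $since }
    @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Power-Troubleshooter'; Id = 1;      StartTime = $since }
    @{ LogName = 'System';   ProviderName = 'User32';                                Id = 1074;   StartTime = $since }
    @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing';   Id = 4624;   StartTime = $since }
)

# Human-readable label per provider/ID pair (keyed on both, since IDs repeat across providers)
$labels = @{
    'Microsoft-Windows-Kernel-General:12'      = 'Boot'
    'Microsoft-Windows-Kernel-General:13'      = 'Shutdown'
    'Microsoft-Windows-Kernel-Power:42'        = 'Sleep'
    'Microsoft-Windows-Power-Troubleshooter:1' = 'Resume'
    'User32:1074'                              = 'User shutdown/restart'
    'Microsoft-Windows-Security-Auditing:4624' = 'Logon'
}

# Reads one named <Data> field from the event's XML payload (EventData section)
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return [string]$node.'#text' }
}

$records = foreach ($f in $filters) {
    # Get-WinEvent throws "No events were found" when a filter matches nothing,
    # and access denied on the Security log without elevation; both are skipped here
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$rows = foreach ($r in $records) {
    $user = $null
    if ($r.Id -eq 4624) {
        # Keep interactive logons only: 2 = console, 7 = unlock, 10 = RDP, 11 = cached credentials.
        # Types 3 (network) and 5 (service) fire constantly and say nothing about who sat at the machine.
        $logonType = Get-EventField $r 'LogonType'
        if ($logonType -notin @('2', '7', '10', '11')) { continue }
        $user = '{0}\{1}' -f (Get-EventField $r 'TargetDomainName'), (Get-EventField $r 'TargetUserName')
    }
    [pscustomobject]@{
        Time   = $r.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Event  = $labels["$($r.ProviderName):$($r.Id)"]
        Id     = $r.Id
        Source = $r.ProviderName
        User   = $user
    }
}

# Sort oldest to newest; -InputObject keeps a single row as a one-element JSON array
$json = ConvertTo-Json -InputObject @($rows | Sort-Object Time) -Compress
if ($OutFile) { Set-Content -Path $OutFile -Value $json -Encoding UTF8 } else { $json }
```

Run it as `powershell -NoProfile -File Get-SessionEvents.ps1 -Days 3` (the script name is made up) from whatever launches the process, and the only thing written to standard output is the JSON array, which is what makes it usable as "input" on the other side: the caller parses one string instead of scraping formatted table output. Passing `-OutFile` instead writes the same string to a file if reading it back from disk is easier than redirecting the process output.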
Rank: Administration
Groups: Translators, Members, Administrators Joined: 1/11/2018(UTC) Posts: 1,308  Location: Tampa, FL Thanks: 28 times Was thanked: 410 time(s) in 351 post(s)
You can probably get the output from a PowerShell command by redirecting the standard output. See this post, search for "redirect": https://forum.strokesplus.net/posts/t8434-Searching-text-file-contents-in-background

However, this script sample should help you along working within S+:

Code:
var allEventLogs = System.Diagnostics.EventLog.GetEventLogs();
var systemEventLog = -1;
// Find the System event log
for (var i = 0; i < allEventLogs.Count(); i++) {
    //StrokesPlus.Console.Log(allEventLogs[i].Log);
    if (allEventLogs[i].Log == "System") {
        systemEventLog = i;
    }
}
if (systemEventLog == -1) {
    StrokesPlus.Console.Log("System event log not found");
} else {
    // Start at the end of the event log and work backward (most recent first); index 0 is the oldest entry
    for (var i = allEventLogs[systemEventLog].Entries.Count - 1; i >= 0; i--) {
        // EventLogEntry Properties:
        //https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlogentry?view=dotnet-plat-ext-6.0
        let entry = allEventLogs[systemEventLog].Entries.Item(i);
        // Looks like these types will show logoff/shutdown/etc (but see link in next section for better details)
        if (entry.EntryType.ToString() == "Information"
            && entry.Source == "User32") {
            StrokesPlus.Console.Log(`${entry.TimeGenerated.ToString("yyyy-MM-dd hh:mm:ss tt")} - ${entry.EntryType.ToString()} - ${entry.Source} - ${entry.Message}`)
        }
        // Below are just 2 events I found to map here, the post below seems to cover a variety of event sources and IDs
        // https://serverfault.com/questions/885601/windows-event-codes-for-startup-shutdown-lock-unlock
        if (entry.EntryType.ToString() == "Information"
            && entry.Source == "Microsoft-Windows-Kernel-General")
        {
            switch (entry.EventID) {
                case 12:
                    StrokesPlus.Console.Log(`${entry.TimeGenerated.ToString("yyyy-MM-dd hh:mm:ss tt")} - ${entry.EntryType.ToString()} - ${entry.Source} - System Started`)
                    break;
                case 13:
                    StrokesPlus.Console.Log(`${entry.TimeGenerated.ToString("yyyy-MM-dd hh:mm:ss tt")} - ${entry.EntryType.ToString()} - ${entry.Source} - System Shutdown`)
                    break;
            }
        }
    }
}
 1 user thanked Rob for this useful post.
Rank: Advanced Member
Groups: Translators, Approved Joined: 7/17/2021(UTC) Posts: 130
Thanks: 35 times Was thanked: 18 time(s) in 15 post(s)
Amazing!! Thank you Rob. Both of the methods work great.