C# - Read Nested Event Log From Custom Application

我们两清 submitted on 2019-12-10 13:33:41

Question


I am using sysmon to capture a bunch of event information (network connections, DLL loads, etc). I want to pull that information and use it for various purposes, but it doesn't seem like there is any way to retrieve the nested logs. They reside at

Event Viewer/Applications and Services/Microsoft/Windows/Sysmon/Operational

All of the code I've tried only pulls the "standard" Event Logs. For example:

EventLog[] eventLogs = EventLog.GetEventLogs();

has "Application", "Hardware Events", "Internet Explorer", etc.

I know how to create and retrieve custom event logs, but that doesn't seem to apply here, as these logs are not in the standard locations. Any help you can provide would be very much appreciated!


Answer 1:


Take a look at the System.Diagnostics.Eventing.Reader namespace. In particular, you can get a complete list of log names from:

EventLogSession.GlobalSession.GetLogNames()

This has a much more complete list than EventLog.GetEventLogs(). Other useful classes in this namespace are EventLogReader and EventLogWatcher.
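The following is an added example, not code from the original question or answer, showing the three pieces the answer names used together: GetLogNames() to confirm the nested channel exists, EventLogReader with an EventLogQuery to pull the events already in Microsoft-Windows-Sysmon/Operational, and EventLogWatcher to receive new ones. The channel name and the XPath filter (Sysmon Event ID 3 is a network connection, Event ID 7 an image/DLL load) are assumptions about a default Sysmon install; the 20-event cap is arbitrary. It targets Windows only; on .NET Framework the namespace is built in, on .NET Core/5+ it comes from the System.Diagnostics.EventLog package.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Added example (not from the original post): read Sysmon's nested
// Operational channel with System.Diagnostics.Eventing.Reader.
class SysmonReader
{
    // Channel name as it appears in GetLogNames(); Event Viewer shows the
    // same channel under Applications and Services/Microsoft/Windows/Sysmon.
    const string Channel = "Microsoft-Windows-Sysmon/Operational";

    static void Main()
    {
        // 1. Confirm the channel exists. GetLogNames() returns every channel,
        //    not just the classic logs EventLog.GetEventLogs() lists.
        bool found = false;
        foreach (string name in EventLogSession.GlobalSession.GetLogNames())
        {
            if (string.Equals(name, Channel, StringComparison.OrdinalIgnoreCase))
                found = true;
        }
        if (!found)
        {
            Console.WriteLine("Sysmon channel not present; is Sysmon installed?");
            return;
        }

        // 2. Filter for network connections (ID 3) and image loads (ID 7).
        //    This XPath is the same syntax Event Viewer's "Filter Current Log"
        //    dialog generates on its XML tab, so filters can be prototyped there.
        var query = new EventLogQuery(Channel, PathType.LogName,
            "*[System[(EventID=3 or EventID=7)]]");
        query.ReverseDirection = true;   // newest events first

        try
        {
            using (var reader = new EventLogReader(query))
            {
                EventRecord rec;
                int shown = 0;
                while (shown < 20 && (rec = reader.ReadEvent()) != null)
                {
                    using (rec)
                    {
                        // FormatDescription() renders the provider's message
                        // template; ToXml() gives the raw <EventData> fields
                        // (Image, DestinationIp, ImageLoaded, ...) for parsing.
                        Console.WriteLine($"{rec.TimeCreated:u} EventID={rec.Id}");
                        Console.WriteLine(rec.FormatDescription());
                        shown++;
                    }
                }
            }

            // 3. Subscribe to new matching events as Sysmon writes them.
            using (var watcher = new EventLogWatcher(query))
            {
                watcher.EventRecordWritten += (sender, e) =>
                {
                    if (e.EventException != null)
                    {
                        Console.WriteLine("watcher error: " + e.EventException.Message);
                        return;
                    }
                    using (var r = e.EventRecord)
                        Console.WriteLine($"NEW {r.TimeCreated:u} EventID={r.Id}\n{r.ToXml()}");
                };
                watcher.Enabled = true;
                Console.WriteLine("Watching; press Enter to stop.");
                Console.ReadLine();
            }
        }
        catch (EventLogException ex)
        {
            // Typical cause: the channel's ACL does not grant this account read
            // access. Run elevated or grant the account read rights on the channel.
            Console.WriteLine("Cannot open channel: " + ex.Message);
        }
    }
}
```

The query filter is worth getting right before parsing anything: pulling the whole channel and filtering in C# is far slower than letting the Event Log service apply the XPath. Note that EventRecord.ProcessId is the PID of the process that wrote the event (the Sysmon service), not the process the event describes; that value lives in the event's own data fields, which is why the example prints FormatDescription() and ToXml() rather than the record's metadata.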



Source: https://stackoverflow.com/questions/29725103/c-sharp-read-nested-event-log-from-custom-application
