How can I query the Eventdata using a EventLogQuery?

Question

Im trying to determine a machines most frequent user by looking at the security event logs. im looking at using the 4624 Event ID but I cant seem to work out how to add anything from the EventData in the query. I can get the standard data from a 4624 event but what im trying to query is events that also have the logontype of 7 and then be able to read the targetusername details.

thanks!

            string query = @"*[System/EventID=4624]";

            EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, query);

            try
            {
                EventLogReader logReader = new EventLogReader(eventsQuery);

                for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                {
                    Console.WriteLine(eventdetail.ProcessId);
                }
            }
            catch (EventLogNotFoundException)
            {
                Console.WriteLine("Error while reading the event logs");
                return;
            }

score 2 · Accepted Answer · answered Jul 20 '15 at 03:32

Try this:

string query = @
"*[EventData[Data[@Name='LogonType']='7'] and System[(EventID='4624')]]";

EventLogQuery eventsQuery = new EventLogQuery("Security", PathType.LogName, query);

try {
    EventLogReader logReader = new EventLogReader(eventsQuery);

    for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent()) {
        string description = eventdetail.FormatDescription();
        string usernametemp = description.Substring(description.IndexOf("Account Name:") + ("Account Name:").Length + 2);
        string username = usernametemp.Substring(0, usernametemp.IndexOf("\r"));
    }
} catch (EventLogNotFoundException) {
    Console.WriteLine("Error while reading the event logs");
    return;
}

Sorted out your query, and used the description to find the "Account Name" field. Hope this answers your question. You can apply that split/substring method to really find anything in that description variable. It's just a giant string - the text you see in the event log window when you select a log.

so very close, I added a != null check before username temp because it was failing with "object reference not set to an instance of an object" but I checked what the formatdescription was returning and its null on every one. Could it be something to do with CHar/string difference? — Will Smith, Jul 20 '15 at 03:57
Checkout this answer: http://stackoverflow.com/questions/7531557/why-does-eventrecord-formatdescription-return-null - that may explain it. — , Jul 20 '15 at 04:24
haha thank you I just read the same thing, i tweaked the substrings a bit as well to get the username rather than the computername string newsub1 = description.Substring(description.IndexOf("New Logon:")); string newsub2 = newsub1.Substring(description.IndexOf("Account Name:") + ("Account Name:").Length - 1); string username = newsub2.Substring(0, newsub2.IndexOf("\r")); — Will Smith, Jul 20 '15 at 04:45

How can I query the Eventdata using a EventLogQuery?

1 Answers1