tags:

views:

33

answers:

1
Q: 

How to get new logs in an EventLogEntyCollection?

I need to monitor security event logs on very busy domain controllers, which generate hundreds of them each minute.

I know how to use EventLog, EventLogEntry and EvenLogEntryCollection to open and read a server's event log, but an EvenLogEntryCollection can contain ~300.000 events, and it wraps around continuously (and very fast), so I can't rely on its index to find new entries.

So far, the only thing I was able to come up with is saving the timestamp of the last processed log entry and then iterate above the EventLogEntryCollection until I find an EventLogEntry which TimeGenerated properties is greater than the timestamp I saved; but it's terribly slow to iterate on ~300.000 entries to find the new ones.

How can I quickly find the new entries in an big event log?

Edit:

I forgot to mention: I need to do this remotely, not on the DC itself...

+1  A: 

You may consider using Windows Management Instrumentation. WMI Query Language (WQL) allows you to specify your constraints. ManagementEventWatcher allows you to respond to WMI events.

Look here for an example of the type of WQL query you need.

Here is how you code this:

WqlEventQuery wqlQuery = new WqlEventQuery(...);
ManagementEventWatcher watcher = new ManagementEventWatcher(wqlQuery);
watcher.EventArrived += new EventArrivedEventHandler(_Your_Event_Handler_);
watcher.Start();

// Do stuff.

watcher.Stop();
Seventh Element  2010-04-22 14:22:45
Nice! Makes me wonder why there aren't event handlers in the EventLog and/or EventLogEntryCollection class...
Massimo  2010-04-22 15:02:13
My fault: there actually **is** an "EventWritten" event in the EventLog class which can be used for this purpose. But it only works on the local computer :-(
Massimo  2010-04-22 16:27:11
...which takes me directly to the next question: does this WMI method work with remote systems, too?
Massimo  2010-04-22 16:27:43
I'm pretty sure WMI can be used to query information about a remote computer, but I'm not sure if this will work with events. Take a look at the constructor for ManagementScope. It takes a string of the form "\\computer_name\root\cimv2"
Seventh Element  2010-04-22 16:55:51

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?