ReadEventLog 日志读取

前言:域控拿到了之后每次都需要查询用户登录日志,这边的话简单做个笔记,学习下通过ReadEventLog读取日志作为ReadEventLog相关API的学习。

C代码实现

在C代码实现的过程中，我自己没能通过ReadEventLog完成完整的日志读取。

#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <cstdio>
#include <time.h>
#include <TCHAR.h>
#include <sddl.h>

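/* Low 16 bits of EVENTLOGRECORD::EventID for the "account successfully logged on" event,
 * and the initial size of the ReadEventLog buffer (grown on demand, see DisplayEntries). */
enum { LOGON_EVENT_ID = 4624, INITIAL_READ_BUFFER = 4096 };

/*
 * Returns the NUL-terminated TCHAR string that starts at *cursor, provided its
 * terminator lies before `end`, and advances *cursor past the terminator.
 * Returns NULL and leaves *cursor unchanged when no terminator is inside the
 * bound, so a truncated or malformed record is never read past its Length.
 */
static const TCHAR *NextBoundedString(const TCHAR **cursor, const BYTE *end)
{
	const TCHAR *p = *cursor;
	for (;;) {
		if ((const BYTE *)(p + 1) > end) {
			return NULL;          /* no terminator within the record */
		}
		if (*p == 0) {
			break;
		}
		p++;
	}
	const TCHAR *start = *cursor;
	*cursor = p + 1;
	return start;
}

/*
 * Prints the fields of one logon record: id/type/source, computer name, the
 * resolved account (domain\user), the generation time and the insert strings.
 * `rec` must already be bounds-checked by the caller (Length >= header size
 * and Length bytes readable); every offset inside the record is re-checked
 * here against rec->Length before it is dereferenced.
 */
static void PrintLogonRecord(const EVENTLOGRECORD *rec)
{
	const BYTE *end = (const BYTE *)rec + rec->Length;

	/* SourceName and Computername follow the fixed header back to back. */
	const TCHAR *cursor = (const TCHAR *)((const BYTE *)rec + sizeof(EVENTLOGRECORD));
	const TCHAR *sourceName = NextBoundedString(&cursor, end);
	const TCHAR *computerName = sourceName ? NextBoundedString(&cursor, end) : NULL;

	_tprintf(_T("Event ID: %08d EventType: %d Source: %s\n"),
		(int)(rec->EventID & 0xFFFF),
		(int)rec->EventType,
		sourceName ? sourceName : _T("<truncated>"));
	_tprintf(_T("\t MACHINENAME: %s$\n"), computerName ? computerName : _T("<truncated>"));

	/* Account SID: resolved in place; LookupAccountSid only reads it, so no copy is needed. */
	if (rec->UserSidLength > 0 &&
	    rec->UserSidOffset <= rec->Length &&
	    rec->UserSidLength <= rec->Length - rec->UserSidOffset)
	{
		PSID sid = (PSID)((const BYTE *)rec + rec->UserSidOffset);
		TCHAR name[256];
		TCHAR domain[256];
		/* Sizes are taken from the buffers themselves so LookupAccountSid can never overrun them. */
		DWORD cchName = sizeof name / sizeof name[0];
		DWORD cchDomain = sizeof domain / sizeof domain[0];
		SID_NAME_USE use = SidTypeUnknown;

		if (IsValidSid(sid) && GetLengthSid(sid) <= rec->UserSidLength &&
		    LookupAccountSid(NULL, sid, name, &cchName, domain, &cchDomain, &use))
		{
			_tprintf(_T("\t domainName: %s\n"), domain);
			_tprintf(_T("\t userName: %s\n"), name);
		}
		else
		{
			_tprintf(_T("\t account lookup failed (error %lu)\n"), GetLastError());
		}
	}

	/* TimeGenerated is seconds since 1970-01-01 UTC; shown in local time. */
	time_t generated = (time_t)rec->TimeGenerated;
	struct tm *local = localtime(&generated);
	TCHAR stamp[32];
	if (local != NULL &&
	    _tcsftime(stamp, sizeof stamp / sizeof stamp[0], _T("%Y-%m-%d %H:%M:%S"), local) > 0)
	{
		_tprintf(_T("\t login Time: %s\n"), stamp);
	}

	/* NumStrings insert strings start at StringOffset (the message parameters
	 * Event Viewer substitutes into the event text). Printed raw; the walk
	 * stops at the first string that is not terminated inside the record. */
	if (rec->StringOffset <= rec->Length) {
		cursor = (const TCHAR *)((const BYTE *)rec + rec->StringOffset);
		for (WORD i = 0; i < rec->NumStrings; i++) {
			const TCHAR *s = NextBoundedString(&cursor, end);
			if (s == NULL) {
				break;
			}
			_tprintf(_T("\t string[%u]: %s\n"), (unsigned)i, s);
		}
	}
}

/*
 * Walks every record in one ReadEventLog buffer and prints the logon ones.
 * Stops at the first record whose Length is smaller than the header or runs
 * past the bytes actually read, so a zero Length can no longer spin forever
 * and a bad Length can no longer walk off the end of the buffer.
 */
static void PrintLogonRecords(const BYTE *buffer, DWORD bytesRead)
{
	DWORD offset = 0;
	while (bytesRead - offset >= sizeof(EVENTLOGRECORD)) {
		const EVENTLOGRECORD *rec = (const EVENTLOGRECORD *)(buffer + offset);
		if (rec->Length < sizeof(EVENTLOGRECORD) || rec->Length > bytesRead - offset) {
			_tprintf(_T("Malformed record at offset %lu; stopping.\n"), offset);
			return;
		}
		if ((rec->EventID & 0xFFFF) == LOGON_EVENT_ID) {
			PrintLogonRecord(rec);
		}
		offset += rec->Length;
	}
}

/*
 * Opens the local Security log, reads it forward sequentially and prints
 * every logon (4624) record to stdout. Errors are reported to stdout and the
 * function returns; there is no return value.
 *
 * The read buffer starts at INITIAL_READ_BUFFER bytes and is reallocated to
 * the size ReadEventLog reports (ERROR_INSUFFICIENT_BUFFER) whenever the
 * next record does not fit, so large records no longer end the loop early.
 */
void DisplayEntries()
{
	/* Windows logs:
	 *   Application  -> OpenEventLog(NULL, "Application")
	 *   Security     -> OpenEventLog(NULL, "Security")
	 *   Setup
	 *   System       -> OpenEventLog(NULL, "System")
	 * Opening Security typically fails when the caller lacks read access to it. */
	HANDLE hLog = OpenEventLog(NULL, _T("Security"));
	if (hLog == NULL)
	{
		_tprintf(_T("Could not open the Security event log (error %lu).\n"), GetLastError());
		return;
	}

	DWORD bufferSize = INITIAL_READ_BUFFER;
	BYTE *buffer = (BYTE *)HeapAlloc(GetProcessHeap(), 0, bufferSize);
	if (buffer == NULL)
	{
		_tprintf(_T("Out of memory.\n"));
		CloseEventLog(hLog);
		return;
	}

	for (;;)
	{
		DWORD bytesRead = 0;
		DWORD bytesNeeded = 0;
		if (!ReadEventLog(hLog,
				EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
				0,              /* ignored for sequential reads */
				buffer,
				bufferSize,
				&bytesRead,
				&bytesNeeded))  /* size of the next record when the buffer is too small */
		{
			DWORD err = GetLastError();
			if (err == ERROR_INSUFFICIENT_BUFFER)
			{
				/* Nothing was read, so the old contents are not needed: allocate fresh and retry. */
				BYTE *bigger = (BYTE *)HeapAlloc(GetProcessHeap(), 0, bytesNeeded);
				if (bigger == NULL)
				{
					_tprintf(_T("Out of memory growing read buffer to %lu bytes.\n"), bytesNeeded);
					break;
				}
				HeapFree(GetProcessHeap(), 0, buffer);
				buffer = bigger;
				bufferSize = bytesNeeded;
				continue;
			}
			if (err != ERROR_HANDLE_EOF)
			{
				_tprintf(_T("ReadEventLog failed (error %lu).\n"), err);
			}
			break;  /* EOF is the normal end of the log */
		}

		PrintLogonRecords(buffer, bytesRead);
	}

	HeapFree(GetProcessHeap(), 0, buffer);
	CloseEventLog(hLog);
}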

/* Entry point: dumps the logon records of the Security log and exits with 0. */
int main(void)
{
	DisplayEntries();
	return 0;
}
