Pull any computer-specific information from Windows audit logs?
This is a follow up to this question.
I followed the accepted answer and thought I was satisfied with the results but ran into a roadblock.
The Setup
I'm running my C# program from the server that monitors a directory. Any time a file is modified, FileSystemWatcher triggers an event that causes the program to check the security audit logs (which have been turned on, see previous question's solution).
The Problem
My problem is that when I check the security logs after a remote user has modified a file, they are logged as an anonymous user. Specifically "NT AUTHORITY\SYSTEM". Is there any way to pull unique information from these security logs that will help me differentiate the users modifying the files?
The Deets
I'm using EventLog to read the security logs like this:
```csharp
EventLog log = new EventLog("security");
EventLogEntryCollection col = log.Entries;
//...
string username = entry.UserName;
```
Comments (1)
This may help
```csharp
string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
```
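
An added example, not code from the question or the answer above: it reads the acting account from the event data of a file access audit record and matches that record's logon ID to a logon event to recover the source workstation and address. It assumes Windows Vista/Server 2008 or later, where file access audits are event 4663 and logons are event 4624; the two XML records, the account, the path and the addresses are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class AuditEventFields
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Constructed samples (not real log data), trimmed to the fields used below.
    // On a live system the XML comes from EventRecord.ToXml(), reading the Security
    // log with System.Diagnostics.Eventing.Reader.EventLogReader.
    const string FileAccess4663 = @"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4663</EventID></System>
 <EventData>
  <Data Name='SubjectUserName'>alice</Data>
  <Data Name='SubjectDomainName'>EXAMPLE</Data>
  <Data Name='SubjectLogonId'>0x3e7a1</Data>
  <Data Name='ObjectName'>D:\Share\report.docx</Data>
 </EventData></Event>";

    const string Logon4624 = @"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
 <System><EventID>4624</EventID></System>
 <EventData>
  <Data Name='TargetUserName'>alice</Data>
  <Data Name='TargetLogonId'>0x3e7a1</Data>
  <Data Name='LogonType'>3</Data>
  <Data Name='WorkstationName'>WS-042</Data>
  <Data Name='IpAddress'>192.0.2.15</Data>
 </EventData></Event>";

    // Flatten <EventData><Data Name="..."> elements into name/value pairs.
    static Dictionary<string, string> Fields(string xml) =>
        XDocument.Parse(xml).Descendants(Ns + "Data")
            .Where(d => d.Attribute("Name") != null)
            .ToDictionary(d => (string)d.Attribute("Name"), d => d.Value);

    static void Main()
    {
        var access = Fields(FileAccess4663);
        var logon = Fields(Logon4624);
        Console.WriteLine("{0} accessed by {1}\\{2}", access["ObjectName"],
            access["SubjectDomainName"], access["SubjectUserName"]);
        // The logon ID ties the file access to the session that performed it.
        if (logon["TargetLogonId"] == access["SubjectLogonId"])
            Console.WriteLine("Session: logon type {0} from {1} ({2})",
                logon["LogonType"], logon["IpAddress"], logon["WorkstationName"]);
    }
}
```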