Pull any machine specific information from Windows audit log?


Problem description

This is a follow-up to this question.

I followed the accepted answer and thought I was satisfied with the results but ran into a roadblock.

Setup

I'm running my C# program from the server that monitors a directory. Any time a file is modified, FileSystemWatcher triggers an event that causes the program to check the security audit logs (which have been turned on, see previous question's solution).

Problem

My problem is that when I check the security logs after a remote user has modified a file, they are logged as an anonymous user. Specifically "NT AUTHORITY\SYSTEM". Is there any way to pull unique information from these security logs that will help me differentiate the users modifying the files?

The Deets

I'm using EventLog to read the security logs like this:

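using System.Diagnostics;
EventLog log = new EventLog("security");
EventLogEntryCollection col = log.Entries;
foreach (EventLogEntry entry in col) // walk every record in the Security log
{
    //...
    string username = entry.UserName;
}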

Recommended answer

This may help:

string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
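
As an added example (not part of the original question or answer), the sketch below reads the account name from the event's own data fields instead of `EventLogEntry.UserName`. It assumes the audit policy produces object-access events with ID 4663 whose data includes `SubjectUserName`, `SubjectDomainName` and `ObjectName`; the sample XML, host, account and path are constructed, and `AuditSubject`, `WhoTouched` and `Field` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class AuditSubject
{
    static readonly XNamespace Ns =
        "http://schemas.microsoft.com/win/2004/08/events/event";

    // Constructed sample in the shape EventRecord.ToXml() returns for an
    // object-access event (ID 4663); host, account and path are made up.
    const string SampleXml = @"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4663</EventID><Computer>FILESRV01</Computer></System>
  <EventData>
    <Data Name='SubjectUserName'>alice</Data>
    <Data Name='SubjectDomainName'>CONTOSO</Data>
    <Data Name='SubjectLogonId'>0x3e7a1</Data>
    <Data Name='ObjectName'>C:\Watched\report.docx</Data>
  </EventData>
</Event>";

    // Returns DOMAIN\user for a 4663 event on watchedPath, otherwise null.
    public static string WhoTouched(string eventXml, string watchedPath)
    {
        XElement ev = XElement.Parse(eventXml);
        // Look up one named <Data> field; null when the field is absent.
        string Field(string name) => (string)ev.Element(Ns + "EventData")
            ?.Elements(Ns + "Data")
            .FirstOrDefault(d => (string)d.Attribute("Name") == name);

        string id = (string)ev.Element(Ns + "System")?.Element(Ns + "EventID");
        if (id != "4663") return null;              // not an object-access event
        if (!string.Equals(Field("ObjectName"), watchedPath,
                StringComparison.OrdinalIgnoreCase)) return null;

        string user = Field("SubjectUserName");
        return user == null ? null : Field("SubjectDomainName") + "\\" + user;
    }

    static void Main()
    {
        // On the server, the XML would come from EventLogReader over the
        // Security log (System.Diagnostics.Eventing.Reader), via ToXml().
        Console.WriteLine(WhoTouched(SampleXml, @"C:\Watched\report.docx"));
    }
}
```

The `SubjectLogonId` field in the same event can be matched against logon events to tie the access to a session.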
