Audit User Account Changes by Automatically Reading Event Viewer

26 Jan 2010, CPOL

Introduction

Since there's a group of people responsible for maintaining the user accounts in Active Directory, I needed an application to log the changes made to those accounts. I developed a small C# class that interacts with the Windows Event Viewer to look for changes made in Active Directory, including user accounts created, deleted and changed. The application is scheduled to run every 8 hours (Windows Scheduled Task) and saves a different file for each day.

Using the Code

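I declared the following attributes to manage the time, the date and a file to save exceptions:

    // Namespaces used by the class: System, System.IO, System.Diagnostics
    private int hour = DateTime.Now.Hour;                                // hour of the current run
    private string today = DateTime.Now.ToString("dd");                  // day of month, e.g. "26"
    private string yesterday = DateTime.Now.AddDays(-1).ToString("dd");
    private string month = DateTime.Now.ToString("MMM");                 // abbreviated month name
    private string year = DateTime.Now.ToString("yyyy");
    // exceptions raised while reading the log are appended to this file
    private StreamWriter errors = File.AppendText("c:/Audit/erros.txt");
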
I've written two methods. The first creates an EventLog object, selects the "Security" log and reads all entries from the last 8 hours, looking for three different types of events.
			
    public void ReadEvent()
    {
        // Hour-aligned window covering the previous 8 hours. Full DateTime values are
        // compared, so entries written on earlier days in the same hours are not matched.
        DateTime now = DateTime.Now;
        DateTime windowEnd = new DateTime(now.Year, now.Month, now.Day, now.Hour, 0, 0);
        DateTime windowStart = windowEnd.AddHours(-8);

        // The 0H run covers the period 16H - 0H and goes into yesterday's report;
        // the periods 0H - 8H and 8H - 16H go into today's. Formatting a full
        // DateTime keeps month and year correct on the first day of a month.
        DateTime reportDay = (hour == 0) ? now.AddDays(-1) : now;
        string reportPath = "c:/Audit/Report_" + reportDay.ToString("ddMMMyyyy") + ".txt";

        using (EventLog elog = new EventLog("Security")) //Event Viewer object type
        using (StreamWriter sw = File.AppendText(reportPath))
        {
            //total number of entries saved in Event Log
            int size = elog.Entries.Count;

            for (int i = 0; i < size; i++)
            {
                try
                {
                    EventLogEntry entry = elog.Entries[i];

                    //check the entries in the last 8 hours
                    if (entry.TimeWritten < windowStart || entry.TimeWritten >= windowEnd)
                        continue;

                    // These are the Windows Server 2003 event ids; Windows Server 2008
                    // and later log the same actions as 4720, 4726 and 4738.
                    string title;
                    switch (entry.InstanceId)
                    {
                        case 624: title = "User Account Created"; break; //624 is the event id for creating user accounts
                        case 630: title = "User Account Deleted"; break; //630 is the event id for deleting user accounts
                        case 642: title = "User Account Changed"; break; //642 is the event id for changing user accounts
                        default: continue;
                    }

                    sw.WriteLine(title);
                    sw.WriteLine(entry.TimeWritten);
                    sw.WriteLine("Log: " + entry.Source + "\n" +
                                    "Message: " + entry.Message + "\n" +
                                        "=============================" + "\n\n");
                }
                catch (Exception ex)
                {
                    errors.WriteLine("Date: " + DateTime.Now + "\n" + "Error: " + ex.Message + "\n");
                }
            }
        }
        // make sure logged exceptions reach the file
        errors.Flush();
    }
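
The same audit on Windows Server 2008 and later, as an added example that is not part of the original article: instead of walking every entry, it hands the event log service an XPath filter for the three account events (logged there as 4720, 4726 and 4738) and the 8-hour window, using `System.Diagnostics.Eventing.Reader`. The class and method names are hypothetical, the report path follows the article's naming, and the process is assumed to have permission to read the Security log.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.IO;

class AccountAuditQuery   // hypothetical class name
{
    // Windows Server 2008+ ids for the three events the article audits.
    static string Title(int id)
    {
        switch (id)
        {
            case 4720: return "User Account Created";
            case 4726: return "User Account Deleted";
            case 4738: return "User Account Changed";
            default:   return "Event " + id;
        }
    }

    // XPath filter evaluated by the event log service: only the three ids,
    // only records created within the last `hours` hours.
    static string BuildFilter(int hours)
    {
        long ms = (long)TimeSpan.FromHours(hours).TotalMilliseconds;
        return "*[System[(EventID=4720 or EventID=4726 or EventID=4738) and " +
               "TimeCreated[timediff(@SystemTime) <= " + ms + "]]]";
    }

    static void Main()
    {
        // Name the report after the day the window started, so the 0H run
        // lands in yesterday's file, as in the article.
        string path = "c:/Audit/Report_" + DateTime.Now.AddHours(-8).ToString("ddMMMyyyy") + ".txt";
        var query = new EventLogQuery("Security", PathType.LogName, BuildFilter(8));

        using (var reader = new EventLogReader(query))
        using (StreamWriter sw = File.AppendText(path))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    sw.WriteLine(Title(rec.Id));
                    sw.WriteLine(rec.TimeCreated);
                    // FormatDescription() returns null when the message template
                    // is unavailable; fall back to the raw event XML.
                    sw.WriteLine("Message: " + (rec.FormatDescription() ?? rec.ToXml()));
                    sw.WriteLine("=============================");
                }
            }
        }
    }
}
```

Because `timediff` is measured from the moment the query runs, consecutive scheduled runs can overlap or leave a gap of a few seconds; widening the window slightly and de-duplicating on `rec.RecordId` closes it.
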
The second method is used to send the log file by e-mail. I won't transcribe any code because it's not the core of the article; it just attaches the log file and sends it through the company's SMTP server.

Points of Interest

I think this application is interesting in the way it helps you interact with the Event Viewer and read its events in a more "user-friendly" way. This one in particular is useful for auditing user account changes, making it possible to log which account was changed, when, and who changed it.

History

Version 0.1 – Saves the changes made to user accounts in a log file

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

PCMartins
Network Administrator
Portugal
No Biography provided

Comments and Discussions

 
Question: Auditing active directory changes
Denial Parl, 25-Nov-14 19:37

Last Updated 26 Jan 2010
Article Copyright 2010 by PCMartins