
Audit User Account Changes by Automatically Reading the Event Viewer


3.00/5 (1 vote)

Jan 26, 2010

CPOL

1 min read

10950 views


Introduction

Since a group of people is responsible for maintaining the user accounts in Active Directory, I needed an application to log the changes made to those accounts. I developed a small C# class that interacts with the Windows Event Viewer to look for changes made in Active Directory, including user accounts created, deleted and changed. The application is scheduled to run every 8 hours (Windows Scheduled Task) and saves a different file for each day.

Using the Code

I declared the following attributes to manage the time, the date and a file to save exceptions. The class needs System (DateTime), System.IO (File, StreamWriter) and System.Diagnostics (EventLog):

    using System;
    using System.Diagnostics;
    using System.IO;

    //fields of the audit class; the scheduled task runs at 0H, 8H and 16H
    private int hour = DateTime.Now.Hour;
    private string today = DateTime.Now.ToString("dd");
    private string yesterday = DateTime.Now.AddDays(-1).ToString("dd");
    private string month = DateTime.Now.ToString("MMM");
    private string year = DateTime.Now.ToString("yyyy");
    //exceptions raised while reading entries are appended here
    private StreamWriter errors = File.AppendText("c:/Audit/erros.txt");
I've written two methods. The first creates an Event Viewer object, selects the "Security" log and reads all entries written in the last 8 hours, looking for three different event IDs.

    public void ReadEvent()
    {
        EventLog elog = new EventLog(); //Event Viewer object type
        elog.Log = "Security";          //reading this log requires administrative rights
        StreamWriter sw;

        if (hour == 0)
        {
            //for the period 16H - 0H the report belongs to the previous day
            sw = File.AppendText("c:/Audit/Report_" + yesterday + month + year + ".txt");
        }
        else
        {
            //for the periods 0H - 8H and 8H - 16H
            sw = File.AppendText("c:/Audit/Report_" + today + month + year + ".txt");
        }

        //total number of entries saved in Event Log
        int size = elog.Entries.Count;

        //only entries written in the last 8 hours are reported; comparing the full
        //timestamp (not just the hour of day) keeps entries from earlier days with
        //the same hours out of the report
        DateTime cutoff = DateTime.Now.AddHours(-8);

        for (int i = 0; i < size; i++)
        {
            try
            {
                EventLogEntry entry = elog.Entries[i];

                //check the entries in the last 8 hours
                if (entry.TimeWritten >= cutoff)
                {
                    //624 is the event id for creating user accounts
                    if (entry.InstanceId == 624)
                    {
                        sw.WriteLine("User Account Created");
                        sw.WriteLine(entry.TimeWritten);
                        sw.WriteLine("Log: " + entry.Source + "\n" +
                                     "Message: " + entry.Message + "\n" +
                                     "=============================" + "\n\n");
                    }

                    //630 is the event id for deleting user accounts
                    if (entry.InstanceId == 630)
                    {
                        sw.WriteLine("User Account Deleted");
                        sw.WriteLine(entry.TimeWritten);
                        sw.WriteLine("Log: " + entry.Source + "\n" +
                                     "Message: " + entry.Message + "\n" +
                                     "=============================" + "\n\n");
                    }

                    //642 is the event id for changing user accounts
                    if (entry.InstanceId == 642)
                    {
                        sw.WriteLine("User Account Changed");
                        sw.WriteLine(entry.TimeWritten);
                        sw.WriteLine("Log: " + entry.Source + "\n" +
                                     "Message: " + entry.Message + "\n" +
                                     "=============================" + "\n\n");
                    }
                }
            }
            catch (Exception ex)
            {
                //an unreadable entry is recorded in the error file and the loop continues
                errors.WriteLine("Date: " + DateTime.Now + "\n" + "Error: " + ex.Message + "\n");
                errors.Flush();
            }
        }
        sw.Close();
    }
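The IDs 624, 630 and 642 used above are written by Windows 2000 / Server 2003 domain controllers; from Windows Vista / Server 2008 onwards the same three events are 4720 (created), 4726 (deleted) and 4738 (changed), and the newer System.Diagnostics.Eventing.Reader API lets the event log service do the ID and time filtering. The following is an added example and not the article's code: it reports the same three events for the last N hours, reading the affected account (TargetUserName) and the actor (SubjectUserName) from the event's XML instead of the free-text message. The class and method names, the report path and the 8-hour window are assumptions of this example.

```csharp
using System;
using System.Diagnostics.Eventing.Reader; // EventLogQuery/EventLogReader (.NET Framework 3.5+, System.Core)
using System.IO;
using System.Linq;
using System.Xml.Linq;

// Added example, not the article's class: account audit events via the newer reader API.
public static class AccountAuditReader
{
    // Security log IDs on Windows Vista / Server 2008 and later; the article's
    // 624/630/642 are the Windows 2000 / Server 2003 equivalents.
    public const int UserCreated = 4720;
    public const int UserDeleted = 4726;
    public const int UserChanged = 4738;

    public static string Label(int eventId)
    {
        switch (eventId)
        {
            case UserCreated: return "User Account Created";
            case UserDeleted: return "User Account Deleted";
            case UserChanged: return "User Account Changed";
            default: return "Event " + eventId;
        }
    }

    // XPath evaluated by the event log service: only the three IDs and only events
    // created within the last lookbackHours (timediff() works in milliseconds).
    public static string BuildQuery(int lookbackHours)
    {
        long windowMs = (long)lookbackHours * 60 * 60 * 1000;
        return string.Format(
            "*[System[(EventID={0} or EventID={1} or EventID={2}) and TimeCreated[timediff(@SystemTime) <= {3}]]]",
            UserCreated, UserDeleted, UserChanged, windowMs);
    }

    // Named EventData fields are read from the event XML so the report does not
    // depend on the wording of the rendered message.
    public static string Field(XDocument xml, string name)
    {
        XNamespace ns = xml.Root.Name.Namespace;
        XElement data = xml.Descendants(ns + "Data")
                           .FirstOrDefault(d => (string)d.Attribute("Name") == name);
        return data == null ? "?" : data.Value;
    }

    // Appends one line per event to reportPath and returns the number of events written.
    public static int WriteReport(string reportPath, int lookbackHours)
    {
        Directory.CreateDirectory(Path.GetDirectoryName(reportPath));
        var query = new EventLogQuery("Security", PathType.LogName, BuildQuery(lookbackHours));
        int count = 0;

        // Reading the Security log needs administrator rights or membership of the
        // "Event Log Readers" group.
        using (var reader = new EventLogReader(query))
        using (StreamWriter sw = File.AppendText(reportPath))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            {
                using (rec)
                {
                    XDocument xml = XDocument.Parse(rec.ToXml());
                    sw.WriteLine("{0:u} | {1} | account={2} | changed by={3}",
                                 rec.TimeCreated, Label(rec.Id),
                                 Field(xml, "TargetUserName"), Field(xml, "SubjectUserName"));
                    count++;
                }
            }
        }
        return count;
    }

    public static void Main()
    {
        // Assumed report path, one file per day as in the article.
        string path = @"C:\Audit\Report_" + DateTime.Now.ToString("ddMMMyyyy") + ".txt";
        int n = WriteReport(path, 8);
        Console.WriteLine("{0} account events written to {1}", n, path);
    }
}
```

Because the filter runs inside the event log service, the program never walks the whole log, and the full timestamp comparison in timediff() avoids picking up entries from earlier days that happen to fall in the same hours.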
The second method is used to send the log file by e-mail. I'll not transcribe its code because it is not the core of the article: it just attaches the log file and sends it through the company's SMTP server.

Points of Interest

I think this application is interesting in the way it helps you to interact with the Event Viewer and read its events in a more "user-friendly" way. This one in particular is useful to audit user account changes, making it possible to log which account was changed, when, and who changed it.

History

Version 0.1 – Saves the changes made to user accounts in a log file