Remote WMI Queries to Security EventLog Using System.Management in

I have been searching the web for some time, trying to come up with a solution to my dilemma. I am using Microsoft Visual Studio 2003 .NET with the .NET Framework 1.1 to write an application to automate a process for server administrators who are required to audit the security eventlog for specific events. I have been able to write code that can do this on the application and system event logs, but when I modify the code for the security event log I get "Access Denied" errors. What is stranger is that the code below does work when I replace the server value with ".", making it run on the local host. Is there a bug in the .NET framework that does not permit impersonation to read the security log remotely?

Here is my code:

    Imports System
    Imports System.Management

    ' Fragment of a Windows Forms class: txtOutput and btnOK are controls on the form.
    Private blnDebug As Boolean = True
    Private strAdminUser, strAdminPW As String

    Private Sub btnOK_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnOK.Click
        Dim strTargetServer As String = "myServer"

        ' Event IDs to audit
        Dim colAuditIDs As New Collection
        colAuditIDs.Add(529)
        colAuditIDs.Add(530)
        colAuditIDs.Add(531)
        colAuditIDs.Add(532)
        colAuditIDs.Add(533)
        colAuditIDs.Add(534)
        colAuditIDs.Add(535)
        colAuditIDs.Add(536)
        colAuditIDs.Add(537)
        colAuditIDs.Add(539)
        colAuditIDs.Add(681)

        Dim intRecNum As Integer
        For Each intRecNum In colAuditIDs
            ' Create a query
            ' The following properties are available for WMI query string:
            '   Name             Type
            '   Category         Integer
            '   CategoryString   String
            '   ComputerName     String
            '   Data             String
            '   EventCode        Integer
            '   EventIdentifier  Integer (Example: 2147483668)
            '   EventType        Integer
            '   InsertionStrings String
            '   Logfile          String
            '   Message          Memo
            '   RecordNumber     Integer
            '   SourceName       String
            '   TimeGenerated    DateTime (Format: 20050307113227.0 - 300)
            '   TimeWritten      DateTime YYYYMMDDhhmmss
            '   Type             String
            '   User             String

            'Set the WMI scope options
            Dim oWMI_Scope As New ManagementScope
            oWMI_Scope.Path.Server = strTargetServer
            oWMI_Scope.Path.Path = "\\" & strTargetServer & "\root\CIMV2"
            oWMI_Scope.Path.NamespacePath = "root\CIMV2"
            oWMI_Scope.Options.Authentication = AuthenticationLevel.Default
            oWMI_Scope.Options.Impersonation = ImpersonationLevel.Impersonate
            oWMI_Scope.Options.EnablePrivileges = True

            'Define the WMI query
            Dim oWMI_Query As New ObjectQuery
            oWMI_Query.QueryString = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'system' AND EventCode = '" & intRecNum & "'"

            'Create the WMI search engine
            Dim oWMI_Results As New ManagementObjectSearcher(oWMI_Scope, oWMI_Query)
            Dim oWMI_Property As PropertyData
            Dim oWMI_Object As ManagementObject

            ' Iterate through the resulting collection
            If blnDebug = True Then
                txtOutput.Text += "Auditing " & intRecNum & vbNewLine
            End If
            For Each oWMI_Object In oWMI_Results.Get()
                If blnDebug = True Then
                    ' print out each name/value pair
                    For Each oWMI_Property In oWMI_Object.Properties
                        txtOutput.Text &= vbNewLine & oWMI_Property.Name & "=" & Convert.ToString(oWMI_Property.Value)
                    Next
                Else
                    ' Insert code to parse data
                End If
            Next oWMI_Object
            If blnDebug = True Then
                txtOutput.Text += "Done!" & vbNewLine
            End If
        Next intRecNum
    End Sub

Thank you.