Introduction
Since a group of people is responsible for maintaining the user accounts in Active Directory, I needed an application to log the changes made to those accounts. I developed a small C# class that interacts with the Windows Event Viewer (specifically the Security event log) to look for changes made in Active Directory: user accounts created, deleted and changed. The application runs every 8 hours as a Windows Scheduled Task and saves a separate report file for each day.
Using the Code
I declared the following fields to manage the time, the date and a file to which exceptions are written. They are initialised when the object is constructed, so the run time is fixed once per scheduled run:
using System;
using System.Diagnostics;
using System.IO;

// Hour of the run; a run at 00:xx is filed under the previous day's report.
private int hour = DateTime.Now.Hour;
private string today = DateTime.Now.ToString("dd");
private string yesterday = DateTime.Now.AddDays(-1).ToString("dd");
private string month = DateTime.Now.ToString("MMM");
private string year = DateTime.Now.ToString("yyyy");
// Exceptions raised while reading entries are appended here; the writer is
// flushed after each message so nothing is lost if the task is killed.
private StreamWriter errors = File.AppendText("c:/Audit/errors.txt");
I've written two methods. The first creates an EventLog object, selects the "Security" log and reads every entry written in the last 8 hours, looking for three event types: 624 (user account created), 630 (user account deleted) and 642 (user account changed). Three things have to be true for this to work. The "Audit account management" policy must be enabled on the domain controller, otherwise these events are never written. The events are recorded in the Security log of the domain controller that processed the change, so the task has to run on the DC (or set elog.MachineName to it) and every DC that handles account changes needs to be covered. Finally, reading the Security log requires the task account to be an administrator or to hold the "Manage auditing and security log" privilege (on Windows Vista/Server 2008 and later, membership in the Event Log Readers group is enough). Note also that 624, 630 and 642 are the Windows 2000/2003 event IDs; Windows Vista/Server 2008 and later write 4720, 4726 and 4738 for the same three operations, so the ID list must be adjusted for those systems.
public void ReadEvent()
{
    EventLog elog = new EventLog();
    elog.Log = "Security";

    // A run in the 00:xx hour belongs to the previous day's report file.
    string reportFile = "c:/Audit/Report_" + (hour == 0 ? yesterday : today) + month + year + ".txt";

    // Compare full timestamps, not just the hour of day. Comparing only
    // the hour ignores the date and returns nothing whenever the 8-hour
    // window crosses midnight (e.g. a run at 02:00 gives 18 <= h <= 1).
    DateTime windowStart = DateTime.Now.AddHours(-8);

    using (StreamWriter sw = File.AppendText(reportFile))
    {
        // Entries are stored oldest first, so walk backwards and stop as
        // soon as an entry is older than the window instead of scanning
        // the whole log on every run.
        for (int i = elog.Entries.Count - 1; i >= 0; i--)
        {
            try
            {
                EventLogEntry entry = elog.Entries[i];
                if (entry.TimeGenerated < windowStart)
                {
                    break;
                }

                // For the legacy Security log the InstanceId is the event ID.
                switch (entry.InstanceId)
                {
                    case 624:
                        WriteEntry(sw, "User Account Created", entry);
                        break;
                    case 630:
                        WriteEntry(sw, "User Account Deleted", entry);
                        break;
                    case 642:
                        WriteEntry(sw, "User Account Changed", entry);
                        break;
                }
            }
            catch (Exception ex)
            {
                errors.WriteLine("Date: " + DateTime.Now + "\n" + "Error: " + ex.Message + "\n");
                errors.Flush();
            }
        }
    }
}

// Writes one matching event to the report in the same layout for all three types.
private static void WriteEntry(StreamWriter sw, string title, EventLogEntry entry)
{
    sw.WriteLine(title);
    sw.WriteLine(entry.TimeGenerated);
    sw.WriteLine("Log: " + entry.Source + "\n" +
                 "Message: " + entry.Message + "\n" +
                 "=============================" + "\n\n");
}
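The time-window check is the part of ReadEvent that is easiest to get wrong, and the failure is silent: a run whose 8-hour window spans midnight simply reports nothing. The following is an added example, not code from the original article; it is written in Python rather than C# so the two filters can be compared offline without a Windows Security log. The event records, timestamps and account names are constructed for the demonstration. The event-ID table covers both the legacy 624/630/642 IDs used by the article and their Windows Vista/Server 2008+ equivalents 4720/4726/4738.

```python
"""Added example: models the 8-hour window filter and the event-ID
classification of the article's ReadEvent over constructed Security-log
records, so the difference between comparing hour-of-day and comparing
full timestamps can be seen without a live event log."""
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, NamedTuple, Tuple

# Account-management event IDs: legacy Windows 2000/2003 values (used in the
# article) and the Vista/2008+ values a current domain controller writes.
EVENT_NAMES = {
    624: "User Account Created", 4720: "User Account Created",
    630: "User Account Deleted", 4726: "User Account Deleted",
    642: "User Account Changed", 4738: "User Account Changed",
}


class Entry(NamedTuple):
    """Minimal stand-in for an EventLogEntry: ID, generation time, message."""
    event_id: int
    generated: datetime
    message: str


def hour_only_filter(entry: Entry, now: datetime, window_hours: int = 8) -> bool:
    """Reproduces the article's original check: it compares only the hour
    of day, so the date is ignored and the range is empty when the window
    crosses midnight."""
    lo = (now - timedelta(hours=window_hours)).hour
    hi = (now - timedelta(hours=1)).hour
    return lo <= entry.generated.hour <= hi


def in_window(entry: Entry, now: datetime, window_hours: int = 8) -> bool:
    """Correct check: compare complete timestamps against the window start."""
    return now - timedelta(hours=window_hours) <= entry.generated <= now


def collect_changes(entries: Iterable[Entry], now: datetime, window_hours: int = 8,
                    keep: Callable[[Entry, datetime, int], bool] = in_window
                    ) -> List[Tuple[int, str, datetime]]:
    """Return (event_id, description, timestamp) for every tracked
    account-management event that the chosen filter accepts."""
    return [(e.event_id, EVENT_NAMES[e.event_id], e.generated)
            for e in entries
            if e.event_id in EVENT_NAMES and keep(e, now, window_hours)]


# Constructed sample records (not real log data). Hypothetical account names.
SAMPLE = [
    Entry(4720, datetime(2024, 3, 1, 19, 30), "User Account Created: jdoe"),
    Entry(4738, datetime(2024, 3, 2, 1, 15), "User Account Changed: jdoe"),
    Entry(4726, datetime(2024, 3, 1, 9, 0), "User Account Deleted: old-svc"),   # a day earlier
    Entry(642, datetime(2024, 3, 1, 23, 45), "User Account Changed: asmith"),   # legacy ID
    Entry(4624, datetime(2024, 3, 2, 1, 50), "An account was successfully logged on"),  # not tracked
]

# Two run times: one whose 8-hour window spans midnight, one that does not.
RUN_AT_0200 = datetime(2024, 3, 2, 2, 0)
RUN_AT_1000 = datetime(2024, 3, 2, 10, 0)

if __name__ == "__main__":
    for now in (RUN_AT_0200, RUN_AT_1000):
        print(f"run at {now:%H:%M}")
        print("  full-timestamp filter:", [r[0] for r in collect_changes(SAMPLE, now)])
        print("  hour-only filter:     ",
              [r[0] for r in collect_changes(SAMPLE, now, keep=hour_only_filter)])
```

At 02:00 the full-timestamp filter returns the three account events written since 18:00 the previous evening, while the hour-only filter returns nothing because no hour satisfies 18 <= h <= 1. At 10:00 the full-timestamp filter correctly returns nothing (no tracked event since 02:00), while the hour-only filter wrongly reports the deletion from 09:00 the day before, since it never looks at the date. The unrelated logon event (4624) is skipped by both, which is the classification the article's InstanceId checks perform.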
The second method sends the log file by e-mail. I won't transcribe the code because it's not the core of the article; it just attaches the log file and sends it through the company's SMTP server.
Points of Interest
I think this application is interesting in the way it helps you interact with the Event Viewer and read its events in a more "user-friendly" way. This one in particular is useful for auditing user account changes, making it possible to log which account was changed, when, and who changed it. Since the report is a plain text file in c:/Audit, write access to that folder should be restricted so that the people whose changes are being audited cannot edit the trail.
History
Version 0.1 – Saves the changes made to user accounts in a log file