event log watcher

   Public Sub ApplicationLog_OnEntryWritten(ByVal [source] As Object, ByVal e As EntryWrittenEventArgs)

        'm_LogWatcherLog.WriteEntry("LogWacther:Application Log " & e.Entry.Message, EventLogEntryType.Information)

        'WriteFile(e.Entry.Message & vbCrLf & "---", "c:\temp\servicefailed.txt")

        'https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

        If e.Entry.EventID = 4625 Then

            Dim y As Integer = 0

            'For Each x As String In e.Entry.ReplacementStrings

            WriteFile(y & ">>Account > " & e.Entry.ReplacementStrings(5) & vbCrLf, "c:\temp\servicefailed.txt")

            WriteFile(y & " >SourceIP> " & e.Entry.ReplacementStrings(19) & vbCrLf & "---", "c:\temp\servicefailed.txt")

            Dim sType As String = "?"

            Dim ent = FindEntry("(&(sAMAccountName=" & e.Entry.ReplacementStrings(5) & ")(objectClass=user))")

            'Dim dn = "" & ent.Properties("sAMAccountName").Value

            Try

                If ent IsNot Nothing Then

                    DictionaryAdd(dictValuesLDAP, e.Entry.ReplacementStrings(5), e.Entry.ReplacementStrings(19), Now)

                    sType = "AD"

                Else

                    DictionaryAdd(dictValues, e.Entry.ReplacementStrings(5), e.Entry.ReplacementStrings(19), Now)

                    sType = "NonAD"

                End If

                funSendMail("RDPGuardRichStyle@crouse.org", "richlemmermann@crouse.org", "#4625: " & sType, ">>Account > " & e.Entry.ReplacementStrings(5) & vbCrLf & " >SourceIP> "

                   e.Entry.ReplacementStrings(19) & vbCrLf & "---", False)


            Catch ex As Exception

                funSendMail("RDPGuardRichStyle@crouse.org", "richlemmermann@crouse.org", "#Error: ", ex.Message.ToString & vbCrLf & "---", False)

            End Try

        End If

        ' y += 1

        ' 5 = account

        ' 19 = source IP

        'Next

        'Status And Sub Status Codes     Description (Not checked against "Failure Reason:")

        '0xC0000064 user name does Not exist

        '0xC000006A user name Is correct but the password Is wrong

        '0xC0000234 user Is currently locked out

        '0xC0000072 account Is currently disabled

        '0xC000006F user tried to logon outside his day of week Or time of day restrictions

        '0xC0000070 workstation restriction, Or Authentication Policy Silo violation (look for event ID 4820 on domain controller)

        '0xC0000193 account expiration

        '0xC0000071 expired password

        '0xC0000133 clocks between DC And other computer too far out of sync

        '0xC0000224 user Is required to change password at next logon

        '0xC0000225 evidently a bug in Windows And Not a risk

        '0xc000015b The user has Not been granted the requested logon type (aka logon right) at this machine

    End Sub

    Sub StartWatch()

        WriteFile("Started (StartWatch): " & Now & " #" & Thread.CurrentThread.ManagedThreadId.ToString, "c:\temp\servicefailed.txt")

        m_ApplicationLog = New EventLog()

        m_ApplicationLog.Log = "Security"

        AddHandler m_ApplicationLog.EntryWritten, AddressOf ApplicationLog_OnEntryWritten

        m_ApplicationLog.EnableRaisingEvents = True

        While Not m_bMustStop

            Thread.Sleep(2000)

        End While

        WriteFile("Stopped (StartWatch): " & Now & " #" & Thread.CurrentThread.ManagedThreadId.ToString, "c:\temp\servicefailed.txt")

    End Sub