        internal static void Start_EVTX_Process()
        {
            // Drives the offline run over .evtx data named on the command line:
            // parse the arguments (which also loads the .evtx file or folder into
            // the reader), search the loaded logs, then write the matches either
            // to the CSV path given with -output_csv or to the SWELF event logs.
            // Any exception ends the process through Settings.Stop with the
            // critical-error exit code.
            try
            {
                Read_EventLog evtxReader = new Read_EventLog();
                PARSE_Commandline_Input(evtxReader);

                Search_EventLog searcher = new Search_EventLog(evtxReader.EVTX_File_Logs);
                Settings.SWELF_Events_Of_Interest_Matching_EventLogs = searcher.Search(Settings.CMDLine_EVTX_File);

                bool writeCsv = Settings.output_csv;
                if (!writeCsv)
                {
                    Start_Write_To_SWELF_EventLogs();
                }
                else
                {
                    File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                }

                // -dissolve on the command line sets CMDLine_Dissolve; what
                // Settings.Dissolve() then does is defined elsewhere.
                if (Settings.CMDLine_Dissolve)
                {
                    Settings.Dissolve();
                }

                Error_Operation.WRITE_Stored_Errors();
            }
            catch (Exception e)
            {
                string origin = "Start_EVTX_Process() ";
                string detail = e.Message.ToString();
                string trace  = e.StackTrace.ToString();
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, origin, detail, trace);
            }
        }
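        private static void Start_Searching_Logs(int Index)
        {
            // Reads the event log at position Index of
            // Settings.EventLog_w_PlaceKeeper_List from its stored place keeper,
            // searches its contents when anything was read, then clears the
            // shared Data_Store buffer so the next log starts empty.
            //
            // Failures are logged, not rethrown: an error here means this one
            // log was not read or searched, and the caller carries on.
            try
            {
                Read_EventLog EVNT_Log = new Read_EventLog();

                // Resolve the log name once; the original looked it up on every use.
                string Log_Name = Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index);

                Sec_Checks.Live_Run_Sec_Checks(Log_Name);

                EVNT_Log.READ_EventLog(Log_Name, Settings.EventLog_w_PlaceKeeper[Log_Name]);

                if (Data_Store.contents_of_EventLog.Count > 0)
                {
                    Search_EventLog search_Obj = new Search_EventLog();

                    Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs = search_Obj.Search(Log_Name);
                }
                Data_Store.contents_of_EventLog.Clear();
            }
            catch (NullReferenceException e)
            {
                // Caught by type instead of comparing e.Message with the English
                // "Object reference not set to an instance of an object." text:
                // that message is localized on non-English runtimes, and the
                // string compare would then fall through to the generic branch.
                Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index) + " " + e.Message + " This error means the EventLog was not read or searched. \n", e.StackTrace, Error_Operation.LogSeverity.Informataion);
            }
            catch (Exception e)
            {
                if (e.Message.Contains("The process cannot access the file"))
                {
                    // Sharing violation on the log file; logged as a warning only.
                    Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", e.Message + " OS File lock of vital resource at runtime." + " This error means the EventLog was not read or searched.\n", e.StackTrace, Error_Operation.LogSeverity.Warning);
                }
                else
                {
                    // NOTE(review): this branch names the log at
                    // Settings.Total_Threads_Run rather than at Index, unlike the
                    // other branches; kept as written — confirm which log the
                    // message is meant to name.
                    Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", " " + Settings.EventLog_w_PlaceKeeper_List.ElementAt(Settings.Total_Threads_Run) + " x=" + (Settings.Total_Threads_Run).ToString() + " " + e.Message + ". Check search Syntx." + " This error means the EventLog was not read or searched.\n", e.StackTrace, Error_Operation.LogSeverity.Informataion);
                }
            }
            // Explicit collection after every log, kept as the author wrote it;
            // presumably to release the per-log buffers before the next read.
            GC.Collect();
        }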
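        private static void PARSE_Commandline_Input(Read_EventLog EvntLogSearch)
        {
            // Walks Program_Start_Args left to right and applies each recognised
            // flag to Settings. Flags that take a value (-output_csv, -evtx_file,
            // -evtx_folder, -search_terms, -find) read the argument that follows
            // them; -evtx_file / -evtx_folder also load the .evtx data into
            // EvntLogSearch immediately. Unrecognised arguments are ignored.
            //
            // Flags are lower-cased with the invariant culture so matching does
            // not depend on the host locale (under a Turkish culture, ToLower()
            // would turn "-FIND" into a dotless-i form that never matches "-find").
            for (int x = 0; x < Program_Start_Args.Count; ++x)
            {
                string flag = Program_Start_Args.ElementAt(x).ToLowerInvariant();

                switch (flag)
                {
                //ONCE YOU ADD COMMAND HERE ADD TO HELP MENU at Settings.SHOW_Help_Menu()
                case "-help":
                case "-h":
                case "?":
                {
                    Settings.SHOW_Help_Menu();
                    break;
                }

                case "-output_csv":
                {
                    Settings.CMDLine_Output_CSV = GET_Flag_Value(x, flag);
                    Settings.output_csv         = true;
                    break;
                }

                case "-evtx_file":
                {
                    Settings.CMDLine_EVTX_File = GET_Flag_Value(x, flag);
                    EvntLogSearch.READ_EVTX_File(Settings.CMDLine_EVTX_File);
                    Settings.EVTX_Override = true;
                    break;
                }

                case "-evtx_folder":
                {
                    Settings.CMDLine_EVTX_File = GET_Flag_Value(x, flag);
                    EvntLogSearch.READ_EVTX_Folder(Settings.CMDLine_EVTX_File);
                    Settings.EVTX_Override = true;
                    break;
                }

                case "-search_terms":
                {
                    Settings.CMDLine_Search_Terms = GET_Flag_Value(x, flag);
                    Settings.READ_Search_Terms_File(false, false);
                    break;
                }

                case "-dissolve":
                {
                    Settings.CMDLine_Dissolve = true;
                    break;
                }

                case "-find":
                {
                    Settings.CMDLine_Find_SEARCHTERM = GET_Flag_Value(x, flag);
                    break;
                }

                default:
                {
                    break;
                }
                }
            }
        }

        // Returns the argument that follows the flag at position x of
        // Program_Start_Args, i.e. the flag's value. A flag given as the last
        // argument has no value; that case is reported with a message naming
        // the flag instead of the bare ArgumentOutOfRangeException that
        // ElementAt(x + 1) would raise (the caller's catch still receives it).
        private static string GET_Flag_Value(int x, string flag)
        {
            if (x + 1 >= Program_Start_Args.Count)
            {
                throw new ArgumentException("Command line flag " + flag + " requires a value but none was given.");
            }
            return Program_Start_Args.ElementAt(x + 1);
        }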