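        /// <summary>
        /// Parse the properties of a TraceLogging ETW event into <paramref name="eventData"/>.
        /// Each property is decoded according to its TDH input type (the numeric case
        /// labels below match the TDH_INTYPE_* values of the Windows SDK's tdh.h) and is
        /// stored under its property name.
        /// </summary>
        /// <remarks>
        /// Event payloads come from arbitrary ETW providers and are not trusted: every
        /// field is decoded inside its own try/catch so that one malformed field cannot
        /// abort parsing of the whole event. A field that fails to decode is recorded as
        /// ERROR_PARSING_FIELD; a field whose input type is not handled here is recorded
        /// as the literal string "&lt;Unknown type&gt;" rather than being silently
        /// dropped, so consumers can distinguish "field absent" from "field not decoded".
        /// NOTE(review): both markers are in-band string values. A provider can emit the
        /// same text in a genuine string field, so detection logic must not treat them
        /// as authoritative.
        /// </remarks>
        /// <param name="record">ETW event record</param>
        /// <param name="eventData">dict that will be filled with event data, keyed by
        /// property name; a duplicate property name overwrites the earlier value</param>
        public void Parse(IEventRecord record, Dictionary <String, dynamic> eventData)
        {
            foreach (var property in record.Properties)
            {
                try
                {
                    switch (property.Type)
                    {
                    case 1:   // TDH_INTYPE_UNICODESTRING
                        eventData[property.Name] = record.GetUnicodeString(property.Name);
                        break;

                    case 2:   // TDH_INTYPE_ANSISTRING
                        eventData[property.Name] = record.GetAnsiString(property.Name);
                        break;

                    case 3:   // TDH_INTYPE_INT8
                        eventData[property.Name] = record.GetInt8(property.Name);
                        break;

                    case 4:   // TDH_INTYPE_UINT8
                        eventData[property.Name] = record.GetUInt8(property.Name);
                        break;

                    case 5:   // TDH_INTYPE_INT16
                        eventData[property.Name] = record.GetInt16(property.Name);
                        break;

                    case 6:   // TDH_INTYPE_UINT16
                        eventData[property.Name] = record.GetUInt16(property.Name);
                        break;

                    case 7:   // TDH_INTYPE_INT32
                        eventData[property.Name] = record.GetInt32(property.Name);
                        break;

                    case 8:   // TDH_INTYPE_UINT32
                    case 13:  // TDH_INTYPE_BOOLEAN (a 4-byte BOOL on the wire, kept as its raw integer)
                    case 20:  // TDH_INTYPE_HEXINT32
                        eventData[property.Name] = record.GetUInt32(property.Name);
                        break;

                    case 9:   // TDH_INTYPE_INT64
                        eventData[property.Name] = record.GetInt64(property.Name);
                        break;

                    case 10:  // TDH_INTYPE_UINT64
                    case 21:  // TDH_INTYPE_HEXINT64
                        eventData[property.Name] = record.GetUInt64(property.Name);
                        break;

                    case 14:  // TDH_INTYPE_BINARY
                    case 15:  // TDH_INTYPE_GUID, kept as its raw 16 bytes rather than formatted
                        eventData[property.Name] = record.GetBinary(property.Name);
                        break;

                    default:
                        // Not decoded here (e.g. FLOAT 11, DOUBLE 12, POINTER 16, FILETIME 17,
                        // SYSTEMTIME 18, SID 19). Record a marker instead of dropping the
                        // field so the gap is visible downstream.
                        eventData[property.Name] = "<Unknown type>";
                        break;
                    }
                }
                catch (Exception)
                {
                    // Best-effort: a single undecodable field must not lose the whole event.
                    eventData[property.Name] = ERROR_PARSING_FIELD;
                }
            }
        }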
        /// <summary>
        /// Decode one scalar or string property of an ETW event record according to
        /// its TDH input type.
        /// </summary>
        /// <param name="prop">Property descriptor; <c>Type</c> is matched against
        /// <see cref="TDH_IN_TYPE"/> and <c>Name</c> is the key used to read the value.</param>
        /// <param name="record">Event record the value is read from.</param>
        /// <returns>
        /// The decoded value boxed as <see cref="object"/>, or the literal string
        /// "&lt;Unknown type&gt;" for any input type not listed here (BOOLEAN, GUID, SID,
        /// HEXINT32/64, SYSTEMTIME, FLOAT and DOUBLE all fall through to that marker).
        /// NOTE(review): the marker is an in-band string and is indistinguishable from a
        /// provider emitting that same text in a real string field.
        /// Exceptions raised by the record accessors propagate to the caller.
        /// </returns>
        private object ParseBasicProperty(Property prop, IEventRecord record)
        {
            switch (prop.Type)
            {
            // -- strings --------------------------------------------------------
            case (int)TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING:
                return record.GetUnicodeString(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_ANSISTRING:
                return record.GetAnsiString(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING:
                return record.GetCountedString(prop.Name);

            // -- signed integers ------------------------------------------------
            case (int)TDH_IN_TYPE.TDH_INTYPE_INT8:
                return record.GetInt8(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_INT16:
                return record.GetInt16(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_INT32:
                return record.GetInt32(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_INT64:
                return record.GetInt64(prop.Name);

            // -- unsigned integers ----------------------------------------------
            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT8:
                return record.GetUInt8(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT16:
                return record.GetUInt16(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT32:
                return record.GetUInt32(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_UINT64:
                return record.GetUInt64(prop.Name);

            // -- everything else ------------------------------------------------
            case (int)TDH_IN_TYPE.TDH_INTYPE_BINARY:
                return record.GetBinary(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_FILETIME:
                return record.GetDateTime(prop.Name);

            case (int)TDH_IN_TYPE.TDH_INTYPE_POINTER:
                // Pointer-sized fields are read through the 64-bit accessor.
                return record.GetUInt64(prop.Name);

            default:
                return "<Unknown type>";
            }
        }