        /// <summary>
        /// Command-line EVTX workflow: parses the start arguments, searches the EVTX file
        /// named on the command line for events of interest, writes the matches either to
        /// the CSV output file (when <c>Settings.output_csv</c> is set) or to the SWELF
        /// event log, optionally dissolves the installation, and flushes stored errors.
        /// Any exception is unrecoverable and ends the process through <c>Settings.Stop</c>.
        /// </summary>
        internal static void Start_EVTX_Process()
        {
            try
            {
                var evtxReader = new Read_EventLog();
                PARSE_Commandline_Input(evtxReader);

                var searcher = new Search_EventLog(evtxReader.EVTX_File_Logs);
                Settings.SWELF_Events_Of_Interest_Matching_EventLogs = searcher.Search(Settings.CMDLine_EVTX_File);

                // Output target: CSV file when requested, otherwise the SWELF Windows event log.
                if (!Settings.output_csv)
                {
                    Start_Write_To_SWELF_EventLogs();
                }
                else
                {
                    File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                }

                if (Settings.CMDLine_Dissolve)
                {
                    Settings.Dissolve();
                }

                Error_Operation.WRITE_Stored_Errors();
            }
            catch (Exception e)
            {
                // Record the failure in the event log and exit with the critical error code.
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_EVTX_Process() ", e.Message.ToString(), e.StackTrace.ToString());
            }
        }
        /// <summary>
        /// Post-run output stage. When events of interest were collected they are either
        /// written to the command-line CSV file (CSV mode with at least three start
        /// arguments and no log forwarders configured) or forwarded to the configured
        /// collectors. If <c>Settings.Logs_Sent_to_ALL_Collectors</c> is still true afterwards
        /// the matches are also written to the SWELF event log and the post-run security
        /// checks run. The place-keeper registry keys and stored errors are always updated.
        /// </summary>
        internal static void Start_Output_Post_Run()
        {
            if (Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs.Count > 0)
            {
                try
                {
                    bool csvMode = Settings.output_csv
                                   && Program_Start_Args.Count >= 3
                                   && Settings.Log_Forwarders_HostNames.Count < 1;

                    if (csvMode)
                    {
                        File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs);
                    }
                    else
                    {
                        Log_Network_Forwarder.SEND_Logs(Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs);
                    }
                }
                catch (Exception e)
                {
                    // A failed write/send is logged as a warning; clearing the flag also
                    // gates the event-log write below.
                    Settings.Logs_Sent_to_ALL_Collectors = false;
                    Error_Operation.Log_Error("Start_Output_Post_Run()  Network_Forwarder.SEND_Logs() File_Operation.Write_Ouput_CSV()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }

                if (Settings.Logs_Sent_to_ALL_Collectors)
                {
                    Start_Write_To_SWELF_EventLogs();
                }

                Sec_Checks.Post_Run_Sec_Checks();
            }

            Settings.UPDATE_EventLog_w_PlaceKeeper_RegKeys();
            Update_Eventlog_Placekeeper_Reg();
            Error_Operation.WRITE_Stored_Errors();
        }
        /// <summary>
        /// Live workflow: once the pre-run security checks and the local-admin check pass,
        /// runs setup, starts the plugin and local-log-file reader threads, then reads,
        /// searches, writes and forwards event logs, sends file-based logs and writes the
        /// hash/IP files. When the checks fail the process is ended via <c>Settings.Stop</c>.
        /// Stored errors are flushed at the end either way.
        /// </summary>
        private static void Run_Live_Process_Workflow()
        {
            if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
            {
                Start_Setup();

                // Both workers are background threads at lowest priority, so they never
                // keep the process alive by themselves.
                Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
                PS_Plugins_Thread.IsBackground = true;
                PS_Plugins_Thread.Priority     = ThreadPriority.Lowest;
                PS_Plugins_Thread.Start();

                Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
                READ_Local_LogFiles_Thread.IsBackground = true;
                READ_Local_LogFiles_Thread.Priority     = ThreadPriority.Lowest;
                READ_Local_LogFiles_Thread.Start();

                // NOTE(review): this condition tests READ_Local_LogFiles_Thread.IsAlive twice and
                // never PS_Plugins_Thread. Because it uses !IsAlive it holds only while the reader
                // thread is NOT running, so right after Start() the loop normally exits at once
                // and both workers are aborted below before they finish. Presumably the intent was
                // to wait while the plugin is not done or a worker is still alive, e.g.
                // `while (!Settings.PS_PluginDone || READ_Local_LogFiles_Thread.IsAlive)` —
                // confirm, since an early abort can drop plugin output and local log lines
                // before they are searched.
                while (Settings.PS_PluginDone != true && !READ_Local_LogFiles_Thread.IsAlive && !READ_Local_LogFiles_Thread.IsAlive)
                {
                    Thread.Sleep(10000);
                }
                // NOTE(review): Thread.Abort is only supported on .NET Framework; on .NET Core /
                // .NET 5+ it throws PlatformNotSupportedException — confirm the target framework.
                PS_Plugins_Thread.Abort();
                READ_Local_LogFiles_Thread.Abort();

                Start_Read_Search_Write_Forward_EventLogs();

                Start_Send_File_Based_Logs();

                Write_HashFile_IPsFile();
            }
            else
            {
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
            }
            Error_Operation.WRITE_Stored_Errors();
        }
 /// <summary>
 /// Terminates SWELF after an unrecoverable error: writes a failure-audit entry to the
 /// SWELF event log, flushes stored errors, ships them to the central location and then
 /// exits the process with <paramref name="error_code"/>.
 /// </summary>
 /// <param name="error_code">Process exit code handed to <see cref="Environment.Exit(int)"/>.</param>
 /// <param name="ErrorMethod">Name of the failing method, used verbatim in the alert text.</param>
 /// <param name="Message">Error message text.</param>
 /// <param name="StackInfo">Stack trace or other diagnostic text.</param>
 internal static void Stop(int error_code, string ErrorMethod, string Message, string StackInfo)
 {
     string alert = $"ALERT: SWELF MAIN UNSALVAGEABLE ERROR: {ErrorMethod}   {Message} {StackInfo}";
     EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(alert, Error_Operation.EventID.SWELF_MAIN_APP_ERROR);

     // Persist and forward the stored errors before exiting so the failure is not lost.
     Error_Operation.WRITE_Stored_Errors();
     Error_Operation.SEND_Errors_To_Central_Location();
     Environment.Exit(error_code);
 }
        /// <summary>
        /// Run-time watchdog: blocks until at least one hour of wall-clock time has elapsed
        /// (polling every ten minutes), then runs the post-run output stage, records a
        /// critical error describing the overrun, forwards and flushes stored errors and
        /// exits the process with the SWELF_MAIN_APP_ERROR event id as exit code.
        /// </summary>
        private static void CHECK_If_App_Has_Run_To_Long()
        {
            var timer = System.Diagnostics.Stopwatch.StartNew();
            var limit = TimeSpan.FromHours(1);
            var poll = TimeSpan.FromMinutes(10);

            // Comparing the full TimeSpan is the same as checking Elapsed.Hours < 1 here,
            // because the loop ends well before the Hours component could wrap.
            while (timer.Elapsed < limit)
            {
                Thread.Sleep(poll);
            }
            timer.Stop();
            TimeSpan runTime = timer.Elapsed;

            // Push out whatever has been collected so far before terminating.
            Start_Output_Post_Run();
            Error_Operation.Log_Error("CHECK_If_App_Has_Run_To_Long()", "SWELF's time running on machine timer says that SWELF to long (" + runTime.ToString() + ") this could be for many reasons. Most likely is that there are to many log sources your trying to read into SWELF or that some of the logs files are to large to be read in with all the other searchs. Try running SWELF in sequence. ", "", Error_Operation.LogSeverity.Critical);
            Error_Operation.SEND_Errors_To_Central_Location();
            Error_Operation.WRITE_Stored_Errors();
            Environment.Exit((int)Error_Operation.EventID.SWELF_MAIN_APP_ERROR);
        }
        /// <summary>
        /// Live workflow entry: once the pre-run security checks and the local-admin check
        /// pass, optionally arms the dissolve flag from the first start argument, runs setup,
        /// starts the plugin and local-log-file reader threads, then reads, searches, writes
        /// and forwards event logs, sends file-based logs and writes the hash/IP files.
        /// When the checks fail the process is ended via <c>Settings.Stop</c>. Dissolve (if
        /// armed) and the stored-error flush run at the end.
        /// </summary>
        private static void Start_Live_Process()
        {
            if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
            {
                // Dissolve is only armed when the SWELF event log is absent and the error log
                // file exists.
                // NOTE(review): ElementAt(0) throws if Program_Start_Args is empty — confirm an
                // earlier check guarantees at least one argument. ToLower() is culture-sensitive;
                // string.Equals(..., StringComparison.OrdinalIgnoreCase) would be the robust form.
                if (Program_Start_Args.ElementAt(0).ToLower().Equals("-dissolve") && Settings.CHECK_If_EventLog_Exsits(Settings.SWELF_EventLog_Name) == false && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
                {
                    Settings.CMDLine_Dissolve = true;
                }

                Start_Setup();

                // Both workers are background threads at lowest priority, so they never
                // keep the process alive by themselves.
                Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
                PS_Plugins_Thread.IsBackground = true;
                PS_Plugins_Thread.Priority     = ThreadPriority.Lowest;
                PS_Plugins_Thread.Start();

                Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
                READ_Local_LogFiles_Thread.IsBackground = true;
                READ_Local_LogFiles_Thread.Priority     = ThreadPriority.Lowest;
                READ_Local_LogFiles_Thread.Start();

                // NOTE(review): this condition tests READ_Local_LogFiles_Thread.IsAlive twice and
                // never PS_Plugins_Thread. Because it uses !IsAlive it holds only while the reader
                // thread is NOT running, so right after Start() the loop normally exits at once
                // and both workers are aborted below before they finish. Presumably the intent was
                // to wait while the plugin is not done or a worker is still alive, e.g.
                // `while (!Settings.PS_PluginDone || READ_Local_LogFiles_Thread.IsAlive)` —
                // confirm, since an early abort can drop plugin output and local log lines
                // before they are searched.
                while (Settings.PS_PluginDone != true && !READ_Local_LogFiles_Thread.IsAlive && !READ_Local_LogFiles_Thread.IsAlive)
                {
                    Thread.Sleep(10000);
                }
                // NOTE(review): Thread.Abort is only supported on .NET Framework; on .NET Core /
                // .NET 5+ it throws PlatformNotSupportedException — confirm the target framework.
                PS_Plugins_Thread.Abort();
                READ_Local_LogFiles_Thread.Abort();

                Start_Read_Search_Write_Forward_EventLogs();

                Start_Send_File_Based_Logs();

                Write_HashFile_IPsFile();
            }
            else
            {
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
            }
            if (Settings.CMDLine_Dissolve)
            {
                Settings.Dissolve();
            }
            Error_Operation.WRITE_Stored_Errors();
        }