// 4660 - event about deleted file but without file name,
// 4663 - event only about attempt, but contains all info, and it raises always before 4660 (immediately, EventRecordId differ by 1)
// so we need to use both events
private CEventInfo AnalyzeEventDelete(CEventInfo eventInfo)
{
var nextEventRecordId = eventInfo.EventRecordId + 1;
var handleId = eventInfo.HandleId;
var fileEventRecord = EFileEvents.None;
EventLogQuery query = new EventLogQuery("Security", PathType.LogName, $"*[System/EventRecordID={nextEventRecordId}]");
EventLogReader reader = new EventLogReader(query);
EventRecord recordNext = reader.ReadEvent();
if (recordNext != null)
{
CEventInfo eventNext = new CEventInfo(recordNext, _clientId);
if (handleId.Equals(eventNext.HandleId))
{
if (eventNext.EventId == (int)ESecurityEventType.OdjectWasDeleted)
{
fileEventRecord = fileEventRecord.AddValue(EFileEvents.Deleted);
}
}
else
{
fileEventRecord = fileEventRecord.AddValue(EFileEvents.Renamed);
}
}
else
{
fileEventRecord = EFileEvents.None;
}
eventInfo.FileEvent = fileEventRecord;
return(eventInfo);
}
/// <summary>
/// 帧更新
/// </summary>
public void Update()
{
while (m_ListenedEvent.IsEmpty() == false)
{
System.Object objInfo = null;
if (m_ListenedEvent.Pop(ref objInfo) == false || objInfo == null)
{
continue;
}
CEventInfo info = objInfo as CEventInfo;
if (info == null)
{
continue;
}
UInt32 uEventId = info.GetEventId();
System.Object objParam = info.GetEventParam();
m_EventInfoPool.GiveBackObject(info);
CHandleInfo handleInfo = null;
if (m_EventActionList.QuickFind(uEventId, ref handleInfo) == false || handleInfo == null)
{
continue;
}
bool bTriggerRet = handleInfo.TriggerHandle(objParam);
if (bTriggerRet == false)
{
BTDebug.Warning(string.Format("Trigger Event:{0} With Param:{2} Failed", uEventId, objParam), "ACTION");
}
}
}
public void WriteEventInfo_TransactionWithFail()
{
var clients = _faStorageService.FindClientsWithLastDate();
CEventInfo newEventInfo = CreateEvent(clients.First(), (int)ESecurityEventType.OdjectWasDeleted);
bool success = _faStorageService.WriteEventInfo(newEventInfo);
success.Should().BeFalse();
}
public bool WriteEventInfo(CEventInfo eventInfo)
{
bool success = false;
using (var context = _contextFactory.Get <CDbContext>())
{
context.CallWithTransaction(con =>
{
success = con.TryAdd(eventInfo) && con.TryExecute("sp_IncrementEventTriggerCount @p0", new object[] { eventInfo.FileEvent.ToString() });
return(success);
});
}
return(success);
}
/// <summary>
/// 触发事件
/// </summary>
/// <param name="uEventId"></param>
/// <param name="objParam"></param>
/// <returns></returns>
public bool TriggerAction(UInt32 uEventId, System.Object objParam)
{
CEventInfo eventInfo = m_EventInfoPool.RentObject() as CEventInfo;
if (eventInfo == null)
{
BTDebug.Warning(string.Format("Action {0} Trigger Failed, Event Info NULL", uEventId), "ACTION");
return(false);
}
eventInfo.Set(uEventId, objParam);
if (m_ListenedEvent.Push(eventInfo) == false)
{
BTDebug.Warning(string.Format("Action {0} Trigger Failed, Event Info Push Failed", uEventId), "ACTION");
return(false);
}
return(true);
}
private CEventInfo AnalyzeEventAccess(CEventInfo eventInfo)
{
var fileEventRecord = EFileEvents.None;
if (eventInfo.AccessMask.HasFlag(EAccessMask.WriteData))
{
fileEventRecord = fileEventRecord.AddValue(EFileEvents.Created);
}
if (eventInfo.AccessMask.HasFlag(EAccessMask.AppendData))
{
fileEventRecord = fileEventRecord.AddValue(EFileEvents.Changed);
}
eventInfo.FileEvent = fileEventRecord;
return(eventInfo);
}
private bool IsRelevantEvent(CEventInfo eventInfo, out CRule connectedRule)
{
connectedRule = null;
if (eventInfo.FileEvent == EFileEvents.None)
{
return(false);
}
var eventSystemPath = new CFileSystemPath(Path.GetDirectoryName(eventInfo.ObjectName));
var rulesSameDirectory = _rules.Where(r => r.FolderPath.Equals(eventSystemPath));
foreach (var rule in rulesSameDirectory)
{
if (!rule.FileEvents.HasFlag(eventInfo.FileEvent))
{
continue;
}
string fileName = eventInfo.ObjectName;
if (!string.IsNullOrEmpty(rule.MasksExclude))
{
var excludeMasks = rule.MasksExclude.Split(new[] { Environment.NewLine }, StringSplitOptions.None);
if (FileNameMatchesAnyMask(fileName, excludeMasks))
{
continue;
}
}
if (!string.IsNullOrEmpty(rule.MasksInclude))
{
var includeMasks = rule.MasksInclude.Split(Convert.ToChar(Environment.NewLine));
if (FileNameMatchesAnyMask(fileName, includeMasks))
{
connectedRule = rule;
return(true);
}
}
else
{
connectedRule = rule;
return(true);
}
}
return(false);
}
public bool SendNotification(CEventInfo eventInfo, CRule rule)
{
bool success = false;
try
{
_notificationService.Send(ESenders.Smtp, new CMessage
{
Receiver = rule.Email,
Body = $"New event with file. Event: {eventInfo}, Rule: {rule}",
Subject = $"New event with file {eventInfo.FileEvent}"
});
success = true;
}
catch (Exception ex)
{
s_logger.Error(ex);
}
return(success);
}
private void AnalyzeRecord(EventRecord record)
{
CEventInfo eventInfo = new CEventInfo(record, _clientId);
if (eventInfo.AccessMask.HasFlag(EAccessMask.Delete))
{
eventInfo = AnalyzeEventDelete(eventInfo);
}
else
{
eventInfo = AnalyzeEventAccess(eventInfo);
}
if (IsRelevantEvent(eventInfo, out CRule connectedRule))
{
s_logger.Trace($"Detected new relevant event: {eventInfo.EventRecordId}, {eventInfo.FileEvent.ToString()}, {eventInfo.ObjectName}");
OnNewEventRecord?.Invoke(this, new CEventRecordArgs()
{
EventInfo = eventInfo, Rule = connectedRule
});
}
}
public CEventViewModel(CEventInfo eventInfo)
{
_eventInfo = eventInfo;
}