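/// <summary>
/// Prints two LogParser reports over the <c>*.log</c> files under <c>_sourcePath</c> to the console:
/// first the number of entries per <c>Level</c>, then every entry whose <c>Level</c> is <c>ERROR</c>
/// (level, date and message).
/// </summary>
/// <remarks>
/// <c>_sourcePath</c> is embedded verbatim into the LogParser <c>FROM</c> clause without any quoting,
/// so it must come from trusted configuration rather than user input — a path containing SQL-significant
/// characters would change or break the query. Each record set is closed after use so the COM object
/// is released promptly (the previous version never closed them).
/// </remarks>
public void GetReport()
{
    var logQuery = new MSUtil.LogQueryClass();
    var input = new MSUtil.COMTSVInputContextClass { iSeparator = Separator };

    // Executes one query, hands every record to `emit`, and always closes the record set.
    void RunQuery(string sql, Action<MSUtil.ILogRecord> emit)
    {
        MSUtil.ILogRecordset recordSet = logQuery.Execute(sql, input);
        try
        {
            while (!recordSet.atEnd())
            {
                emit(recordSet.getRecord());
                recordSet.moveNext();
            }
        }
        finally
        {
            recordSet.close();
        }
    }

    // Report 1: entry count per level.
    RunQuery(
        $@"SELECT Level, COUNT(*) AS Total FROM {_sourcePath}\*.log GROUP BY Level",
        record => Console.WriteLine($"{record.getValue("Level")}:{record.getValue("Total")}"));

    // Report 2: every ERROR entry.
    RunQuery(
        $@"SELECT * FROM {_sourcePath}\*.log WHERE Level='ERROR'",
        record => Console.WriteLine($"{record.getValue("Level")} : {record.getValue("Date")} : {record.getValue("Message")}"));
}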
/// <summary>
/// Opens the connection. The LogParser query object and the IIS input format are created only when the
/// connection is not already open; the state is then marked as <see cref="System.Data.ConnectionState.Open"/>.
/// </summary>
public override void Open()
{
    bool alreadyOpen = state == System.Data.ConnectionState.Open;
    if (!alreadyOpen)
    {
        // Fresh LogParser objects for this connection; re-opening an open connection keeps the existing ones.
        query = new LogQuery();
        connection = new IISLogInputFormat();
    }

    state = System.Data.ConnectionState.Open;
}
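/// <summary>
/// Runs <paramref name="sql"/> against the Windows Event Log through LogParser's EVT input format and copies
/// the <c>EventID</c>, <c>TimeGenerated</c>, <c>SourceName</c> and <c>Message</c> fields of every record into
/// a <see cref="DataTable"/> with the columns "事件ID", "日期", "来源" and "描述".
/// </summary>
/// <param name="sql">
/// A complete LogParser query. It is executed verbatim, so the caller is responsible for building it; it must
/// not be assembled from untrusted text.
/// </param>
/// <returns>
/// The populated table, or <c>null</c> when LogParser raises a COM error (a message box with the error text is
/// shown first). Callers must handle the <c>null</c> case.
/// </returns>
public DataTable readFromEvt(string sql)
{
    try
    {
        DataTable datat = new DataTable();
        datat.Columns.Add("事件ID", typeof(string));
        datat.Columns.Add("日期", typeof(string));
        datat.Columns.Add("来源", typeof(string));
        datat.Columns.Add("描述", typeof(string));

        // LogParser query object and the Event Log input format.
        LogQuery oLogQuery = new LogQuery();
        EvtInputFormat oEvtInputFormat = new EvtInputFormat();
        // Read direction is left at its default; "BW" would read newest-first.
        //oEvtInputFormat.direction = "BW";

        LogRecordSet oRecordSet = oLogQuery.Execute(sql, oEvtInputFormat);
        try
        {
            while (!oRecordSet.atEnd())
            {
                var itemData = oRecordSet.getRecord();
                DataRow dr = datat.NewRow();
                dr["事件ID"] = itemData.getValue("EventID").ToString();
                dr["日期"] = itemData.getValue("TimeGenerated").ToString();
                dr["来源"] = itemData.getValue("SourceName").ToString();
                dr["描述"] = itemData.getValue("Message").ToString();
                datat.Rows.Add(dr);
                oRecordSet.moveNext();
            }
        }
        finally
        {
            // Release the COM record set even if a getValue/ToString call throws mid-loop
            // (previously the set was left open on that path).
            oRecordSet.close();
        }

        return datat;
    }
    catch (System.Runtime.InteropServices.COMException exc)
    {
        MessageBox.Show("Unexpected error: " + exc.Message);
        return null;
    }
}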
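/// <summary>
/// Entry point. With <c>--install</c> it creates the blocking firewall rule and the scheduled task, with
/// <c>--remove</c> it deletes both; otherwise (and after an install without <c>--norun</c>) it performs one
/// run: queries the Security log through LogParser for failed-logon events (EventID 4625) from the last
/// 24 hours, stores the offending IPs in the local SQLite database, exports a netsh script and refreshes
/// the firewall rule's IP list.
/// </summary>
/// <param name="args">
/// Any of <c>--install</c>, <c>--remove</c>, <c>--norun</c>, <c>--debug</c>, matched case-insensitively.
/// </param>
/// <returns>0 on success (and on the mutually-exclusive-options usage error, kept for compatibility),
/// otherwise an <see cref="ErrorLevel"/> value cast to <c>int</c>.</returns>
static int Main(string[] args)
{
    bool binst = false;
    bool bdelete = false;
    bool bnorun = false;
    // Security Log event ID for "An account failed to log on." Both values are compile-time constants and are
    // the only non-literal text concatenated into the LogParser query below; if they are ever made configurable
    // they must be validated as integers before reaching the query.
    const string evtid = "4625";
    // More than this many failed events from one IP inside the window flags the address.
    const string evtrshld = "10";

    currdir = Directory.GetCurrentDirectory();

    // Check directory write permissions as the first step. If we can't output the netsh script, we can't be useful.
    if (!HasFilePermissions())
    {
        Console.WriteLine("You don't have the required file access permissions to run this application.");
        return (int)ErrorLevel.ErrFilePermission;
    }

    mydb = "Data Source=\"" + currdir + "\\bannedips.dat\";Version=3;";

    // Parse "--install", "--remove", "--norun" or "--debug". ToLowerInvariant() keeps the match
    // culture-independent (under a Turkish culture ToLower() would not map "I" to "i", so "--INSTALL"
    // would silently be ignored).
    foreach (string s in args)
    {
        switch (s.ToLowerInvariant())
        {
            case "--debug": bdebug = true; break;
            case "--install": binst = true; break;
            case "--remove": bdelete = true; break;
            case "--norun": bnorun = true; break;
        }
    }

    if (binst && bdelete)
    {
        // Usage error; exit code 0 is retained because existing callers may rely on it.
        OutputMsg("Options --install and --remove are mutually exclusive. Please choose only one.");
        return 0;
    }

    if (bdebug) OutputMsg("SQLite DB Connection String: " + mydb);

    if (binst)
    {
        // Original setup for firewall rule and scheduled task.
        // Check whether the rule is already there: we don't want extra copies.
        if (!FirewallRuleExists())
        {
            if (!AddFirewallRule())
            {
                OutputMsg("Failed creating the firewall rule to block IPs. Unable to continue.");
                return (int)ErrorLevel.ErrFirewall;
            }
        }

        // Add the scheduled task; if it exists it will be overwritten.
        if (!ScheduleTask())
        {
            OutputMsg("Failed creating a scheduled task to update list of blocked IP addresses. Unable to continue.");
            return (int)ErrorLevel.ErrScheduler;
        }

        // The app continues into a run right after installation unless "--norun" is specified.
        if (bnorun)
        {
            OutputMsg("Installation was successful. Exiting app until next scheduled run.");
            return 0;
        }
    }

    if (bdelete)
    {
        // Remove firewall rule and the scheduled task (if they exist), then exit the app.
        if (!DeleteFirewallRule())
        {
            OutputMsg("Failed deleting the firewall rule: \"Banned IP Addresses\". Unable to continue.");
            return (int)ErrorLevel.ErrFirewall;
        }
        if (!RemoveScheduledTask())
        {
            OutputMsg("Failed removing the scheduled task to update banned IP address list. Unable to continue.");
            return (int)ErrorLevel.ErrScheduler;
        }
        OutputMsg("Scheduled System Task and Firewall Rule are now uninstalled.");
        return 0;
    }

    // Start of the scheduled run. It could be happening without the required installation;
    // the check is skipped right after a successful install.
    if (!binst && !FirewallRuleExists())
    {
        OutputMsg("Firewall rule not found. Run the app with \"--install\" parameter to set it up.");
        return (int)ErrorLevel.ErrFirewall;
    }

    // Get records from the Security log.
    try
    {
        MSUtil.LogQueryClass lq = new MSUtil.LogQueryClass();
        MSUtil.ILogRecordset rs = lq.Execute(
            "SELECT EXTRACT_TOKEN(Strings, 19, '|') AS [IP4Detected], MAX(TimeWritten) AS [DateLastSeen]," +
            " COUNT(*) AS [InstanceCount] FROM Security WHERE EventID=" + evtid +
            " AND TimeWritten>SUB(TO_LOCALTIME(SYSTEM_TIMESTAMP()), TIMESTAMP('0000-01-01 23:59:59', 'yyyy-MM-dd HH:mm:ss'))" +
            " GROUP BY EXTRACT_TOKEN(Strings, 19, '|') HAVING COUNT(*)>" + evtrshld);
        try
        {
            while (!rs.atEnd())
            {
                MSUtil.ILogRecord rec = rs.getRecord();
                FoundInLog tmp = new FoundInLog();
                tmp.IP4Detected = rec.getValue(0);
                tmp.DateLastSeen = rec.getValue(1);
                tmp.InstanceCount = rec.getValue(2);
                spmrs.Add(tmp);
                if (bdebug) OutputMsg(tmp.IP4Detected.ToString() + ", " + tmp.DateLastSeen.ToShortDateString() + ", " + tmp.InstanceCount.ToString());
                rs.moveNext();
            }
        }
        finally
        {
            // Release the COM record set (previously left open).
            rs.close();
        }

        if (spmrs.Count == 0)
        {
            OutputMsg("Run successfully completed, no new records were found.");
            return 0;
        }
    }
    catch (Exception e)
    {
        // Deliberately broad: the expected failure here is LogParser not being registered, which
        // surfaces as an interop exception; anything else is reported the same way with its details.
        OutputMsg("Unable to query Event Log. Make sure LogParser is installed (see README for details).", e.ToString());
        return (int)ErrorLevel.ErrLogParser;
    }

    // Add the new records to the local sqlite3 database.
    if (!UpdateDBRecords())
    {
        OutputMsg("Problem writing to the \"bannedips.dat\" database");
        return (int)ErrorLevel.ErrSQLiteDB;
    }

    // Export updated records to a script file to be used with netsh.
    if (!ExportDBRecords())
    {
        OutputMsg("Problem writing to the netsh script file");
        return (int)ErrorLevel.ErrInputOutput;
    }

    // Replace the IP list in the firewall rule with the new set from the DB.
    if (!UpdateFirewallRule())
    {
        OutputMsg("Problem calling netsh.exe to update firewall rule.");
        return (int)ErrorLevel.ErrNetShell;
    }

    // Final step: record our activity. Best-effort — a failure here is intentionally ignored.
    StampLastRun();

    // Every step completed. Report success and be done.
    OutputMsg("IP Address Blacklist was successfully updated with data from last 24 hours.");
    return 0;
}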
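/// <summary>
/// Click handler for the IIS-log button. Lets the user pick one or more IIS <c>*.log</c> files, runs a
/// LogParser query over each, collects date/time/method/uri/query/ip/status/user-agent into a
/// <see cref="DataTable"/> and binds it to <c>dgQueryResult</c>. When LogParser is not installed, a warning
/// is shown and the bundled <c>LogParser.msi</c> installer is started instead.
/// </summary>
/// <param name="sender">The clicked button (unused).</param>
/// <param name="e">Routed event data (unused).</param>
private void btIIS(object sender, RoutedEventArgs e)
{
    if (!Common.checkLogParser())
    {
        Xceed.Wpf.Toolkit.MessageBox.Show("该功能需要安装LogParser.", "警告", MessageBoxButton.OK, MessageBoxImage.Exclamation);
        // Start the installer shipped alongside the application; the relative file name resolves
        // against the process working directory.
        System.Diagnostics.ProcessStartInfo Info = new System.Diagnostics.ProcessStartInfo();
        Info.FileName = "LogParser.msi";
        try
        {
            System.Diagnostics.Process.Start(Info);
            // Brief pause so the installer window appears before this handler returns (blocks the UI thread).
            System.Threading.Thread.Sleep(500);
        }
        catch (System.ComponentModel.Win32Exception)
        {
            // Installer not found or could not be launched; nothing more to do here.
        }
        return;
    }

    #region Log analysis
    Microsoft.Win32.OpenFileDialog dialogOpenFile = new Microsoft.Win32.OpenFileDialog();
    dialogOpenFile.Filter = "IIS日志文件(*.log)|*.log";
    dialogOpenFile.RestoreDirectory = true;
    dialogOpenFile.Multiselect = true; // allow several files to be selected at once
    if (dialogOpenFile.ShowDialog() != true)
    {
        return;
    }
    List<string> filenames = new List<string>(dialogOpenFile.FileNames);

    // LogParser objects and the result table.
    LogQuery oLogQuery = new LogQuery();
    IISInputFormat oIISInputFormat = new IISInputFormat();
    DataTable datat = new DataTable();
    datat.Columns.Add("date", typeof(string));
    datat.Columns.Add("time", typeof(string));
    datat.Columns.Add("method", typeof(string));
    datat.Columns.Add("uri", typeof(string));
    datat.Columns.Add("query", typeof(string));
    datat.Columns.Add("ip", typeof(string));
    datat.Columns.Add("status", typeof(string));
    datat.Columns.Add("useragent", typeof(string));

    foreach (string filename in filenames)
    {
        // The path chosen in the dialog is spliced into the FROM clause as-is; a path containing a single
        // quote would break the query (LogParser would see a malformed string literal).
        string query = @"SELECT date,time,cs-method,cs-uri-stem,cs-uri-query,c-ip,sc-status,cs(User-Agent) from '" + filename + "'";
        LogRecordSet oRecordSet = oLogQuery.Execute(query, oIISInputFormat);
        try
        {
            while (!oRecordSet.atEnd())
            {
                var itemData = oRecordSet.getRecord();
                DataRow dr = datat.NewRow();
                dr["date"] = itemData.getValue("date").ToString("yyyy-MM-dd");
                // "HH" = 24-hour clock. The previous "hh" was 12-hour without an AM/PM designator, so
                // 13:05:00 was displayed as 01:05:00.
                dr["time"] = itemData.getValue("time").ToString("HH:mm:ss");
                dr["method"] = itemData.getValue("cs-method").ToString();
                dr["uri"] = itemData.getValue("cs-uri-stem").ToString();
                dr["query"] = itemData.getValue("cs-uri-query").ToString();
                dr["ip"] = itemData.getValue("c-ip").ToString();
                dr["status"] = itemData.getValue("sc-status").ToString();
                dr["useragent"] = itemData.getValue("cs(User-Agent)").ToString();
                datat.Rows.Add(dr);
                oRecordSet.moveNext();
            }
        }
        finally
        {
            // Release the COM record set even if a row fails to convert (previously left open on that path).
            oRecordSet.close();
        }
    }

    // NOTE(review): assumes dgQueryResult already has eight columns defined (e.g. in XAML) — confirm,
    // otherwise the indexers below throw before the data is bound.
    dgQueryResult.Columns[0].Header = "日期";
    dgQueryResult.Columns[1].Header = "时间";
    dgQueryResult.Columns[2].Header = "方法";
    dgQueryResult.Columns[3].Header = "相对路径";
    dgQueryResult.Columns[4].Header = "查询";
    dgQueryResult.Columns[5].Header = "IP";
    dgQueryResult.Columns[6].Header = "状态";
    dgQueryResult.Columns[7].Header = "用户代理";
    dgQueryResult.DataContext = datat.DefaultView;
    #endregion
}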