Example #1
0
        internal static void WRITE_Warning_EventLog_DataType(EventLog_Entry EvntLog)
        {
            Settings.SWELF_EvtLog_OBJ.Source = Settings.SWELF_EventLog_Name;

            using (EventLog myLogger = new EventLog(Settings.SWELF_EvtLog_OBJ.Source, Environment.MachineName, CHECK_If_Protected_Log_Name(EvntLog.LogName)))
            {
                myLogger.WriteEntry(EvntLog.EventData, EventLogEntryType.Warning, EvntLog.EventID);
            }
        }
Example #2
0
        private static long GET_First_EventRecordID_InLogFile(string Eventlog_FullName)
        {
            EventLogReader EventLogtoReader = new EventLogReader(Eventlog_FullName, PathType.LogName);

            EventLogtoReader.BatchSize = 100;
            EventRecord    Windows_EventLog_API = EventLogtoReader.ReadEvent();
            EventLog_Entry Eventlog             = new EventLog_Entry();

            return(Windows_EventLog_API.RecordId.Value);
        }
Example #3
0
        internal static void WRITE_EventLog_From_SWELF_Search(EventLog_Entry EvntLog)
        {
            //TODO Have eventlog log EventLogEntryType same as original

            using (EventLog myLogger = new EventLog(Settings.SWELF_EvtLog_OBJ.Source, Environment.MachineName, CHECK_If_Protected_Log_Name(EvntLog.LogName)))
            {
                //THIS is where SWELF eventlog get the severity BTW.
                myLogger.WriteEntry("Search_Rule=" + EvntLog.SearchRule + "\r\n\r\n" + EvntLog.EventData, EventLogEntryType.Information, EvntLog.EventID);
                //IF ERROR For eventlog source occures it because in reg the 'source' is a sub folder uner a eventlog reg key with same name. Might want to do renaming to avoid issues.
            }
        }
Example #4
0
        internal static string FORMAT_Output(EventLog_Entry EventLog)
        {
            string EventData;

            EventData = EventLog.EventData;
            EventData = EventData.Replace('\n', ' ');
            EventData = EventData.Replace('\r', ' ');
            EventData = EventData.Replace("\n\r", " ");
            EventData = EventData.Replace("\r\n", " ");

            return(EventLog.LogName + "," + EventLog.EventRecordID + "," + EventLog.EventID + "," + EventLog.CreatedTime + "," + EventLog.ComputerName + "," + EventLog.UserID + "," + EventLog.Severity + "," + EventLog.TaskDisplayName + ",\"" + EventData + "\"" + '\n');
        }
Example #5
0
        private long GET_First_EventRecordID_InLogFile(string Eventlog_FullName)
        {
            EventLogReader EventLogtoReader = new EventLogReader(Eventlog_FullName, PathType.LogName);

            EventLogtoReader.BatchSize = 100;
            EventRecord    Windows_EventLog_API = EventLogtoReader.ReadEvent();
            EventLog_Entry Eventlog             = new EventLog_Entry();

            First_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value;
            ThreadsDone_Setup++;
            return(First_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value);
        }
Example #6
0
        private static string GET_Log_Output_Format(EventLog_Entry data)
        {
            string format = Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[10]];
            string Data   = "";

            format = Regex.Replace(format, @"\s+", String.Empty);//remove spaces from value
            switch (format.ToLower())
            {
            case  "data":
            {
                string EventData = "";
                EventData = data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
                Data      = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   " + EventData;
                break;
            }

            case "syslog":
            {
                string EventData = "";
                EventData = data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
                Data      = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   " + Settings.ComputerName + "   " + data.Severity + "   " + "SWELF_Syslog" + "   " + data.EventID.ToString() + "   " + data.LogName + "   " + data.CreatedTime + "   " + data.EventRecordID + "   " + data.TaskDisplayName + "    " + data.SearchRule + "\"" + "    " + EventData;
                break;
            }

            case "syslogxml":
            {
                Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   " + Settings.ComputerName + "   " + data.Severity + "   " + "SWELF_Syslog" + "   " + data.EventID.ToString() + "   " + data.LogName + "   " + data.CreatedTime + "   " + data.EventRecordID + "   " + data.TaskDisplayName + "   " + data.SearchRule + "\"" + "   " + data.GET_XML_of_Log.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
                break;
            }

            case "xml":
            {
                Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   " + data.GET_XML_of_Log.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
                break;
            }

            case "keyvalue":
            {
                string EventData = "";
                EventData = data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
                Data      = " CreatedTime=\"" + data.CreatedTime + "\"" + "\t" + "SourceComputer=\"" + Settings.ComputerName + "\"" + "\t" + "EventID=\"" + data.EventID.ToString() + "\"" + "\t" + "EventLogName=\"" + data.LogName + "\"" + "\t" + "EventRecordID=\"" + data.EventLog_Seq_num + "\"" + "\t" + "DisplayName=\"" + data.TaskDisplayName + "\"" + "\t" + "Severity=\"" + data.Severity + "\"" + "\t" + "UserID=\"" + data.UserID + "\"" + "\t" + "Search_Rule=\"" + data.SearchRule + "\"" + "\t" + "ParentCommandLine=\"" + data.ParentCMDLine + "\"" + "\t" + "ChildCommandLine=\"" + data.ChildCMDLine + "\"" + "\t" + "EventData=\"" + EventData + "\"" + "\t" + data.GET_Parsed_Sysmon_EventData().Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "") + "\t";
                break;
            }

            default:
            {
                Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + "   " + data.SearchRule + "    " + data.GET_XML_of_Log.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
                break;
            }
            }
            return(Data);
        }
Example #7
0
 internal static bool CHECK_If_EventLog_Missing(EventLog_File ELF, EventLog_Entry EVE)
 {
     if ((EVE.EventLog_Seq_num != ELF.ID_Number_Of_Individual_log_Entry_EVENTLOG + 1) && ELF.EventlogMissing == false && (ELF.ID_Number_Of_Individual_log_Entry_EVENTLOG != 0 && EVE.EventRecordID != 0))
     {
         ELF.EventlogMissing = true;
         LOG_SEC_CHECK_Fail("CHECK_If_EventLog_Missing() Logs on " + Settings.ComputerName + " under Event Log name " + EVE.LogName + " near or around Event ID " + EVE.EventRecordID.ToString() + " found Eventlogs missing.");
         return(true);
     }
     else
     {
         return(false);
     }
 }
Example #8
0
        private void GET_Last_EventRecordID_InLogFile(string Eventlog_FullName)
        {
            TimeSpan       Timeout          = new TimeSpan(0, 30, 0);
            EventLogReader EventLogtoReader = new EventLogReader(Eventlog_FullName, PathType.LogName);

            EventLogtoReader.BatchSize = 100;
            EventRecord    Windows_EventLog_API = EventLogtoReader.ReadEvent();
            EventLog_Entry Eventlog             = new EventLog_Entry();

            First_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value;

            while ((Windows_EventLog_API = EventLogtoReader.ReadEvent(Timeout)) != null)
            {
                Last_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value;
            }
            ThreadsDone_Setup++;
        }
Example #9
0
        private static void Start_Run_Plugins()
        {
            try
            {
                Settings.Plugin_Search_Terms_Unparsed = Settings.Plugin_Search_Terms_Unparsed.Distinct().ToList();

                for (int x = 0; x < Settings.Plugin_Search_Terms_Unparsed.Count; ++x)
                {
                    EventLog_Entry PSLog = new EventLog_Entry();
                    PSLog.ComputerName    = Settings.ComputerName;
                    PSLog.EventID         = Convert.ToInt32(Error_Operation.EventID.Powershell_Plugin);
                    PSLog.LogName         = "SWELF PowerShell Plugin Output";
                    PSLog.Severity        = "Information";
                    PSLog.CreatedTime     = DateTime.Now;
                    PSLog.TaskDisplayName = "SWELF Powershell Plugin Output";
                    PSLog.SearchRule      = "SWELF_Powershell_Plugin=" + Settings.Plugin_Search_Terms_Unparsed.ElementAt(x);
                    PSLog.UserID          = Environment.UserName;

                    PSLog.EventData = Powershell_Plugin.Run_PS_Script(Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(0), Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(2));

                    if (PSLog.EventData.ToLower().Contains(Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(1).ToLower()))
                    {
                        Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs.Enqueue(PSLog);

                        try
                        {
                            EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs.ElementAt(0));
                            Log_Network_Forwarder.SEND_Logs(Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs);
                        }
                        catch (Exception e)
                        {
                            Error_Operation.Log_Error("Network_Forwarder.SEND_Logs(), EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(), or Start_Run_Plugins()", Settings.EventLog_w_PlaceKeeper_List.ElementAt(x) + " HostEventLogAgent_Eventlog.WRITE_EventLog " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                        }
                    }
                }
                Settings.PS_PluginDone = true;
                GC.Collect();
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("Powershell_Plugin.Run_PS_Script() ", e.StackTrace.ToString(), e.Message.ToString(), Error_Operation.LogSeverity.Warning);
                Error_Operation.SEND_Errors_To_Central_Location();
                Settings.PS_PluginDone = true;
            }
        }
Example #10
0
        private static void READ_WindowsEventLog_API(string Eventlog_FullName, long RecordID_From_Last_Read)
        {
            try
            {
                EventLogQuery  eventsQuery      = new EventLogQuery(Eventlog_FullName, PathType.LogName);
                EventLogReader EventLogtoReader = new EventLogReader(eventsQuery);

                EventLog_Entry SWELF_Eventlog;

                while (GET_EventLogEntry_From_API(EventLogtoReader) != null)
                {
                    try
                    {
                        SWELF_Eventlog = new EventLog_Entry();
                        if (Windows_EventLog_from_API.RecordId.Value > RecordID_From_Last_Read)
                        {
                            SWELF_Eventlog.CreatedTime      = Windows_EventLog_from_API.TimeCreated.Value; //if this doesnt work we have issues that we cant fix
                            SWELF_Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;    //if this doesnt work we have issues that we cant fix
                            SWELF_Eventlog.EventID          = Windows_EventLog_from_API.Id;                //if this doesnt work we have issues that we cant fix
                            SWELF_Eventlog.LogName          = Windows_EventLog_from_API.LogName;

                            try
                            {
                                SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
                            }
                            catch (Exception e)
                            {
                                SWELF_Eventlog.ComputerName = Settings.ComputerName;
                            }

                            try
                            {
                                SWELF_Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
                            }
                            catch (Exception e)
                            {
                                try
                                {
                                    SWELF_Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
                                }
                                catch
                                {
                                    SWELF_Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();//if this doesnt work we have issues that we cant fix
                                }
                            }

                            try
                            {
                                SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
                            }
                            catch (Exception e)
                            {
                                SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;//if this doesnt work we have issues that we cant fix
                            }

                            try
                            {
                                if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
                                {
                                    SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.FormatDescription().ToLower();
                                }
                                else
                                {
                                    SWELF_Eventlog.EventData = Windows_EventLog_from_API.FormatDescription().ToLower();
                                }
                            }
                            catch (Exception e)
                            {
                                if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
                                {
                                    SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.ToXml();
                                }
                                else
                                {
                                    SWELF_Eventlog.EventData = Windows_EventLog_from_API.ToXml();//if this doesnt work we have issues that we cant fix
                                }
                            }

                            try
                            {
                                SWELF_Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
                                if (string.IsNullOrEmpty(SWELF_Eventlog.GET_XML_of_Log))
                                {
                                    SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml()";
                                }
                            }
                            catch (Exception e)
                            {
                                SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml() Exception Thrown";
                            }

                            try
                            {
                                SWELF_Eventlog.GET_FileHash();
                            }
                            catch (Exception e)
                            {
                                //unable to get file hashs from log
                            }
                            try
                            {
                                SWELF_Eventlog.GET_IP_FromLogFile();
                            }
                            catch (Exception e)
                            {
                                //unable to get IP values from log
                            }
                            //try
                            //{
                            //    EventLogName.EventlogMissing = Sec_Checks.CHECK_If_EventLog_Missing(EventLogName, SWELF_Eventlog);
                            //}
                            //catch (Exception e)
                            //{
                            //    EventLogName.EventlogMissing = true;
                            //}

                            //try
                            //{
                            //    EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = Windows_EventLog_from_API.RecordId.Value;
                            //}
                            //catch (Exception e)
                            //{
                            //    EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = 0;
                            //}
                            Data_Store.contents_of_EventLog.Enqueue(SWELF_Eventlog);
                        }
                    }
                    catch (Exception e)
                    {
                        Error_Operation.Log_Error("INDEX_Record_FROM_API() Missing Event Log(s) Due To Exception with log format while reading in eventlogs.", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                        MissingLogInFileDueToException = true;
                    }
                }

                try
                {
                    if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
                    {
                        Settings.IP_List_EVT_Logs.AddRange(Settings.IP_List_EVT_Logs.Distinct().ToList());
                        Settings.Hashs_From_EVT_Logs.AddRange(Settings.Hashs_From_EVT_Logs.Distinct().ToList());
                    }
                }
                catch (Exception e)
                {
                    Error_Operation.Log_Error("Settings.IP_List_EVT_Logs.AddRange() OR Settings.Hashs_From_EVT_Logs.AddRange()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }
                MissingLogInFileDueToException = false;
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("READ_WindowsEventLog_API() Missing All Event Log(s) Due To Exception. ", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString() + " " + Eventlog_FullName + " " + RecordID_From_Last_Read, e.StackTrace.ToString(), Error_Operation.LogSeverity.FailureAudit);
                MissingLogInFileDueToException = true;
            }
        }
Example #11
0
 internal void READ_EVTX_File(string FilePath)
 {
     using (var reader = new EventLogReader(FilePath, PathType.FilePath))
     {
         while ((Windows_EventLog_from_API = reader.ReadEvent()) != null)
         {
             try
             {
                 EventLog_Entry Eventlog = new EventLog_Entry();
                 using (Windows_EventLog_from_API)
                 {
                     Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;
                     Eventlog.ComputerName     = Windows_EventLog_from_API.MachineName;
                     Eventlog.EventID          = Windows_EventLog_from_API.Id;
                     Eventlog.CreatedTime      = Windows_EventLog_from_API.TimeCreated.Value;
                     try
                     {
                         Eventlog.LogName = Windows_EventLog_from_API.LogName;
                     }
                     catch
                     {
                         Eventlog.LogName = Settings.SWELF_EventLog_Name;
                     }
                     try
                     {
                         Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
                     }
                     catch (Exception e)
                     {
                         try
                         {
                             Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
                         }
                         catch
                         {
                             Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();//if this doesnt work we have issues that we cant fix
                         }
                     }
                     try
                     {
                         Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
                     }
                     catch
                     {
                         Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;
                     }
                     try
                     {
                         Eventlog.EventData = Windows_EventLog_from_API.FormatDescription().ToLower();
                         Eventlog.GET_FileHash();
                         Eventlog.GET_IP_FromLogFile();
                         Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
                     }
                     catch
                     {
                         Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
                         Eventlog.EventData      = Windows_EventLog_from_API.ToXml();
                     }
                 }
                 Data_Store.EVTX_File_Logs.Enqueue(Eventlog);
             }
             catch (Exception e)
             {
                 Error_Operation.Log_Error("READ_EVTX_File()", e.Message.ToString() + "Event Log Missing due to improper format. Possible tampering or invalid format.", e.StackTrace.ToString(), Error_Operation.LogSeverity.FailureAudit);
             }
         }
     }
 }
Example #12
0
 private static byte[] GET_Encoding_to_Return(EventLog_Entry Data)
 {
     return(Crypto_Operation.CONVERT_To_UTF8_Bytes(GET_Log_Output_Format(Data)));
 }
Example #13
0
 internal void Enqueue_Log(EventLog_Entry Eventlog)
 {
     Contents_of_EventLog.Enqueue(Eventlog);
 }