internal static void WRITE_Warning_EventLog_DataType(EventLog_Entry EvntLog)
{
Settings.SWELF_EvtLog_OBJ.Source = Settings.SWELF_EventLog_Name;
using (EventLog myLogger = new EventLog(Settings.SWELF_EvtLog_OBJ.Source, Environment.MachineName, CHECK_If_Protected_Log_Name(EvntLog.LogName)))
{
myLogger.WriteEntry(EvntLog.EventData, EventLogEntryType.Warning, EvntLog.EventID);
}
}
private static long GET_First_EventRecordID_InLogFile(string Eventlog_FullName)
{
EventLogReader EventLogtoReader = new EventLogReader(Eventlog_FullName, PathType.LogName);
EventLogtoReader.BatchSize = 100;
EventRecord Windows_EventLog_API = EventLogtoReader.ReadEvent();
EventLog_Entry Eventlog = new EventLog_Entry();
return(Windows_EventLog_API.RecordId.Value);
}
internal static void WRITE_EventLog_From_SWELF_Search(EventLog_Entry EvntLog)
{
//TODO Have eventlog log EventLogEntryType same as original
using (EventLog myLogger = new EventLog(Settings.SWELF_EvtLog_OBJ.Source, Environment.MachineName, CHECK_If_Protected_Log_Name(EvntLog.LogName)))
{
//THIS is where SWELF eventlog get the severity BTW.
myLogger.WriteEntry("Search_Rule=" + EvntLog.SearchRule + "\r\n\r\n" + EvntLog.EventData, EventLogEntryType.Information, EvntLog.EventID);
//IF ERROR For eventlog source occures it because in reg the 'source' is a sub folder uner a eventlog reg key with same name. Might want to do renaming to avoid issues.
}
}
internal static string FORMAT_Output(EventLog_Entry EventLog)
{
string EventData;
EventData = EventLog.EventData;
EventData = EventData.Replace('\n', ' ');
EventData = EventData.Replace('\r', ' ');
EventData = EventData.Replace("\n\r", " ");
EventData = EventData.Replace("\r\n", " ");
return(EventLog.LogName + "," + EventLog.EventRecordID + "," + EventLog.EventID + "," + EventLog.CreatedTime + "," + EventLog.ComputerName + "," + EventLog.UserID + "," + EventLog.Severity + "," + EventLog.TaskDisplayName + ",\"" + EventData + "\"" + '\n');
}
private long GET_First_EventRecordID_InLogFile(string Eventlog_FullName)
{
EventLogReader EventLogtoReader = new EventLogReader(Eventlog_FullName, PathType.LogName);
EventLogtoReader.BatchSize = 100;
EventRecord Windows_EventLog_API = EventLogtoReader.ReadEvent();
EventLog_Entry Eventlog = new EventLog_Entry();
First_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value;
ThreadsDone_Setup++;
return(First_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value);
}
private static string GET_Log_Output_Format(EventLog_Entry data)
{
string format = Settings.AppConfig_File_Args[Settings.SWELF_AppConfig_Args[10]];
string Data = "";
format = Regex.Replace(format, @"\s+", String.Empty);//remove spaces from value
switch (format.ToLower())
{
case "data":
{
string EventData = "";
EventData = data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + EventData;
break;
}
case "syslog":
{
string EventData = "";
EventData = data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + Settings.ComputerName + " " + data.Severity + " " + "SWELF_Syslog" + " " + data.EventID.ToString() + " " + data.LogName + " " + data.CreatedTime + " " + data.EventRecordID + " " + data.TaskDisplayName + " " + data.SearchRule + "\"" + " " + EventData;
break;
}
case "syslogxml":
{
Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + Settings.ComputerName + " " + data.Severity + " " + "SWELF_Syslog" + " " + data.EventID.ToString() + " " + data.LogName + " " + data.CreatedTime + " " + data.EventRecordID + " " + data.TaskDisplayName + " " + data.SearchRule + "\"" + " " + data.GET_XML_of_Log.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
break;
}
case "xml":
{
Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + data.GET_XML_of_Log.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
break;
}
case "keyvalue":
{
string EventData = "";
EventData = data.EventData.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
Data = " CreatedTime=\"" + data.CreatedTime + "\"" + "\t" + "SourceComputer=\"" + Settings.ComputerName + "\"" + "\t" + "EventID=\"" + data.EventID.ToString() + "\"" + "\t" + "EventLogName=\"" + data.LogName + "\"" + "\t" + "EventRecordID=\"" + data.EventLog_Seq_num + "\"" + "\t" + "DisplayName=\"" + data.TaskDisplayName + "\"" + "\t" + "Severity=\"" + data.Severity + "\"" + "\t" + "UserID=\"" + data.UserID + "\"" + "\t" + "Search_Rule=\"" + data.SearchRule + "\"" + "\t" + "ParentCommandLine=\"" + data.ParentCMDLine + "\"" + "\t" + "ChildCommandLine=\"" + data.ChildCMDLine + "\"" + "\t" + "EventData=\"" + EventData + "\"" + "\t" + data.GET_Parsed_Sysmon_EventData().Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "") + "\t";
break;
}
default:
{
Data = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format) + " " + data.SearchRule + " " + data.GET_XML_of_Log.Replace("\n", "").Replace("\r", "\n").Replace(":", ": ").Replace(": ", ": ").Replace(" \r ", "");
break;
}
}
return(Data);
}
internal static bool CHECK_If_EventLog_Missing(EventLog_File ELF, EventLog_Entry EVE)
{
if ((EVE.EventLog_Seq_num != ELF.ID_Number_Of_Individual_log_Entry_EVENTLOG + 1) && ELF.EventlogMissing == false && (ELF.ID_Number_Of_Individual_log_Entry_EVENTLOG != 0 && EVE.EventRecordID != 0))
{
ELF.EventlogMissing = true;
LOG_SEC_CHECK_Fail("CHECK_If_EventLog_Missing() Logs on " + Settings.ComputerName + " under Event Log name " + EVE.LogName + " near or around Event ID " + EVE.EventRecordID.ToString() + " found Eventlogs missing.");
return(true);
}
else
{
return(false);
}
}
private void GET_Last_EventRecordID_InLogFile(string Eventlog_FullName)
{
TimeSpan Timeout = new TimeSpan(0, 30, 0);
EventLogReader EventLogtoReader = new EventLogReader(Eventlog_FullName, PathType.LogName);
EventLogtoReader.BatchSize = 100;
EventRecord Windows_EventLog_API = EventLogtoReader.ReadEvent();
EventLog_Entry Eventlog = new EventLog_Entry();
First_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value;
while ((Windows_EventLog_API = EventLogtoReader.ReadEvent(Timeout)) != null)
{
Last_EventLogID_From_Check = Windows_EventLog_API.RecordId.Value;
}
ThreadsDone_Setup++;
}
private static void Start_Run_Plugins()
{
try
{
Settings.Plugin_Search_Terms_Unparsed = Settings.Plugin_Search_Terms_Unparsed.Distinct().ToList();
for (int x = 0; x < Settings.Plugin_Search_Terms_Unparsed.Count; ++x)
{
EventLog_Entry PSLog = new EventLog_Entry();
PSLog.ComputerName = Settings.ComputerName;
PSLog.EventID = Convert.ToInt32(Error_Operation.EventID.Powershell_Plugin);
PSLog.LogName = "SWELF PowerShell Plugin Output";
PSLog.Severity = "Information";
PSLog.CreatedTime = DateTime.Now;
PSLog.TaskDisplayName = "SWELF Powershell Plugin Output";
PSLog.SearchRule = "SWELF_Powershell_Plugin=" + Settings.Plugin_Search_Terms_Unparsed.ElementAt(x);
PSLog.UserID = Environment.UserName;
PSLog.EventData = Powershell_Plugin.Run_PS_Script(Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(0), Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(2));
if (PSLog.EventData.ToLower().Contains(Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(1).ToLower()))
{
Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs.Enqueue(PSLog);
try
{
EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs.ElementAt(0));
Log_Network_Forwarder.SEND_Logs(Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs);
}
catch (Exception e)
{
Error_Operation.Log_Error("Network_Forwarder.SEND_Logs(), EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(), or Start_Run_Plugins()", Settings.EventLog_w_PlaceKeeper_List.ElementAt(x) + " HostEventLogAgent_Eventlog.WRITE_EventLog " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
}
}
}
Settings.PS_PluginDone = true;
GC.Collect();
}
catch (Exception e)
{
Error_Operation.Log_Error("Powershell_Plugin.Run_PS_Script() ", e.StackTrace.ToString(), e.Message.ToString(), Error_Operation.LogSeverity.Warning);
Error_Operation.SEND_Errors_To_Central_Location();
Settings.PS_PluginDone = true;
}
}
private static void READ_WindowsEventLog_API(string Eventlog_FullName, long RecordID_From_Last_Read)
{
try
{
EventLogQuery eventsQuery = new EventLogQuery(Eventlog_FullName, PathType.LogName);
EventLogReader EventLogtoReader = new EventLogReader(eventsQuery);
EventLog_Entry SWELF_Eventlog;
while (GET_EventLogEntry_From_API(EventLogtoReader) != null)
{
try
{
SWELF_Eventlog = new EventLog_Entry();
if (Windows_EventLog_from_API.RecordId.Value > RecordID_From_Last_Read)
{
SWELF_Eventlog.CreatedTime = Windows_EventLog_from_API.TimeCreated.Value; //if this doesnt work we have issues that we cant fix
SWELF_Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value; //if this doesnt work we have issues that we cant fix
SWELF_Eventlog.EventID = Windows_EventLog_from_API.Id; //if this doesnt work we have issues that we cant fix
SWELF_Eventlog.LogName = Windows_EventLog_from_API.LogName;
try
{
SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
}
catch (Exception e)
{
SWELF_Eventlog.ComputerName = Settings.ComputerName;
}
try
{
SWELF_Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
}
catch (Exception e)
{
try
{
SWELF_Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
}
catch
{
SWELF_Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();//if this doesnt work we have issues that we cant fix
}
}
try
{
SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
}
catch (Exception e)
{
SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;//if this doesnt work we have issues that we cant fix
}
try
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
{
SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.FormatDescription().ToLower();
}
else
{
SWELF_Eventlog.EventData = Windows_EventLog_from_API.FormatDescription().ToLower();
}
}
catch (Exception e)
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
{
SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.ToXml();
}
else
{
SWELF_Eventlog.EventData = Windows_EventLog_from_API.ToXml();//if this doesnt work we have issues that we cant fix
}
}
try
{
SWELF_Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
if (string.IsNullOrEmpty(SWELF_Eventlog.GET_XML_of_Log))
{
SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml()";
}
}
catch (Exception e)
{
SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml() Exception Thrown";
}
try
{
SWELF_Eventlog.GET_FileHash();
}
catch (Exception e)
{
//unable to get file hashs from log
}
try
{
SWELF_Eventlog.GET_IP_FromLogFile();
}
catch (Exception e)
{
//unable to get IP values from log
}
//try
//{
// EventLogName.EventlogMissing = Sec_Checks.CHECK_If_EventLog_Missing(EventLogName, SWELF_Eventlog);
//}
//catch (Exception e)
//{
// EventLogName.EventlogMissing = true;
//}
//try
//{
// EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = Windows_EventLog_from_API.RecordId.Value;
//}
//catch (Exception e)
//{
// EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = 0;
//}
Data_Store.contents_of_EventLog.Enqueue(SWELF_Eventlog);
}
}
catch (Exception e)
{
Error_Operation.Log_Error("INDEX_Record_FROM_API() Missing Event Log(s) Due To Exception with log format while reading in eventlogs.", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
MissingLogInFileDueToException = true;
}
}
try
{
if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
{
Settings.IP_List_EVT_Logs.AddRange(Settings.IP_List_EVT_Logs.Distinct().ToList());
Settings.Hashs_From_EVT_Logs.AddRange(Settings.Hashs_From_EVT_Logs.Distinct().ToList());
}
}
catch (Exception e)
{
Error_Operation.Log_Error("Settings.IP_List_EVT_Logs.AddRange() OR Settings.Hashs_From_EVT_Logs.AddRange()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
}
MissingLogInFileDueToException = false;
}
catch (Exception e)
{
Error_Operation.Log_Error("READ_WindowsEventLog_API() Missing All Event Log(s) Due To Exception. ", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString() + " " + Eventlog_FullName + " " + RecordID_From_Last_Read, e.StackTrace.ToString(), Error_Operation.LogSeverity.FailureAudit);
MissingLogInFileDueToException = true;
}
}
internal void READ_EVTX_File(string FilePath)
{
using (var reader = new EventLogReader(FilePath, PathType.FilePath))
{
while ((Windows_EventLog_from_API = reader.ReadEvent()) != null)
{
try
{
EventLog_Entry Eventlog = new EventLog_Entry();
using (Windows_EventLog_from_API)
{
Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;
Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
Eventlog.EventID = Windows_EventLog_from_API.Id;
Eventlog.CreatedTime = Windows_EventLog_from_API.TimeCreated.Value;
try
{
Eventlog.LogName = Windows_EventLog_from_API.LogName;
}
catch
{
Eventlog.LogName = Settings.SWELF_EventLog_Name;
}
try
{
Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
}
catch (Exception e)
{
try
{
Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
}
catch
{
Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();//if this doesnt work we have issues that we cant fix
}
}
try
{
Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
}
catch
{
Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;
}
try
{
Eventlog.EventData = Windows_EventLog_from_API.FormatDescription().ToLower();
Eventlog.GET_FileHash();
Eventlog.GET_IP_FromLogFile();
Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
}
catch
{
Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
Eventlog.EventData = Windows_EventLog_from_API.ToXml();
}
}
Data_Store.EVTX_File_Logs.Enqueue(Eventlog);
}
catch (Exception e)
{
Error_Operation.Log_Error("READ_EVTX_File()", e.Message.ToString() + "Event Log Missing due to improper format. Possible tampering or invalid format.", e.StackTrace.ToString(), Error_Operation.LogSeverity.FailureAudit);
}
}
}
}
private static byte[] GET_Encoding_to_Return(EventLog_Entry Data)
{
return(Crypto_Operation.CONVERT_To_UTF8_Bytes(GET_Log_Output_Format(Data)));
}
internal void Enqueue_Log(EventLog_Entry Eventlog)
{
Contents_of_EventLog.Enqueue(Eventlog);
}