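        /// <summary>
        /// Reads the entry stored at <paramref name="index"/> from the file-backed log store.
        /// Every entry lives in its own one-based "N.log" file under the directory returned by
        /// <c>FindLogStore(CoreEventLog.Log)</c>: a fixed set of "label: value" header lines,
        /// NUL-terminated replacement strings, then the Base64-encoded binary data.
        /// </summary>
        /// <param name="index">Zero-based index of the entry; the file name is <c>index + 1</c>.</param>
        /// <returns>The parsed <see cref="EventLogEntry"/>.</returns>
        /// <exception cref="IOException">The entry file is truncated: a header line or a
        /// replacement string is missing.</exception>
        /// <exception cref="FormatException">A header field cannot be parsed.</exception>
        protected override EventLogEntry GetEntry(int index)
        {
            string logDir = FindLogStore(CoreEventLog.Log);

            // our file names are one-based
            string file = Path.Combine(logDir, (index + 1).ToString(
                                           CultureInfo.InvariantCulture) + ".log");

            using (TextReader tr = File.OpenText(file))
            {
                int eventIndex = int.Parse(Path.GetFileNameWithoutExtension(file),
                                           CultureInfo.InvariantCulture);
                // The Substring offsets skip the fixed "label: " prefix of each header line.
                // ReadEntryLine throws IOException on a short file instead of letting the
                // missing line surface as a NullReferenceException from Substring.
                uint instanceID = uint.Parse(ReadEntryLine(tr, file).Substring(12),
                                             CultureInfo.InvariantCulture);
                EventLogEntryType type = (EventLogEntryType)
                                         Enum.Parse(typeof(EventLogEntryType), ReadEntryLine(tr, file).Substring(11));
                string   source         = ReadEntryLine(tr, file).Substring(8);
                string   category       = ReadEntryLine(tr, file).Substring(10);
                short    categoryNumber = short.Parse(category, CultureInfo.InvariantCulture);
                string   categoryName   = "(" + category + ")";
                DateTime timeGenerated  = DateTime.ParseExact(ReadEntryLine(tr, file).Substring(15),
                                                              DateFormat, CultureInfo.InvariantCulture);
                DateTime      timeWritten     = File.GetLastWriteTime(file);
                // invariant culture, like every other numeric header field
                int           stringNums      = int.Parse(ReadEntryLine(tr, file).Substring(20),
                                                          CultureInfo.InvariantCulture);
                ArrayList     replacementTemp = new ArrayList();
                StringBuilder sb = new StringBuilder();

                // Replacement strings are NUL-terminated. TextReader.Read() returns -1 at end
                // of stream; casting that to char blindly would append '\uffff' forever on a
                // truncated file, so EOF is checked before the terminator.
                while (replacementTemp.Count < stringNums)
                {
                    int ch = tr.Read();
                    if (ch == -1)
                    {
                        throw new IOException(string.Format(CultureInfo.InvariantCulture,
                            "Event log entry file '{0}' is truncated: expected {1} replacement strings, found {2}.",
                            file, stringNums, replacementTemp.Count));
                    }
                    if (ch == '\0')
                    {
                        replacementTemp.Add(sb.ToString());
                        sb.Length = 0;
                    }
                    else
                    {
                        sb.Append((char)ch);
                    }
                }
                string [] replacementStrings = new string [replacementTemp.Count];
                replacementTemp.CopyTo(replacementStrings, 0);

                string message = FormatMessage(source, instanceID, replacementStrings);
                int    eventID = EventLog.GetEventID(instanceID);

                // everything after the replacement strings is the Base64 binary payload
                byte [] bin = Convert.FromBase64String(tr.ReadToEnd());
                return(new EventLogEntry(categoryName, categoryNumber, eventIndex,
                                         eventID, source, message, null, Environment.MachineName,
                                         type, timeGenerated, timeWritten, bin, replacementStrings,
                                         instanceID));
            }
        }

        /// <summary>
        /// Reads the next header line of an entry file.
        /// </summary>
        /// <param name="tr">Reader positioned at the start of the line.</param>
        /// <param name="file">Path of the entry file, used only for the error message.</param>
        /// <returns>The line without its terminator.</returns>
        /// <exception cref="IOException">The reader is already at end of stream.</exception>
        private static string ReadEntryLine(TextReader tr, string file)
        {
            string line = tr.ReadLine();
            if (line == null)
            {
                throw new IOException(string.Format(CultureInfo.InvariantCulture,
                    "Event log entry file '{0}' is truncated: a header line is missing.", file));
            }
            return line;
        }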
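        /// <summary>
        /// Reads one record from the native event log and converts it into an
        /// <see cref="EventLogEntry"/>. The field offsets in the comments below follow the
        /// EVENTLOGRECORD layout documented at the links at the top of the method.
        /// </summary>
        /// <param name="index">Zero-based index of the entry; <c>OldestEventLogEntry</c> is
        /// added to obtain the record number passed to <c>ReadEventLog</c>.</param>
        /// <returns>The parsed entry.</returns>
        /// <exception cref="IOException">An offset or length field inside the record points
        /// outside the buffer the record was read into.</exception>
        protected override EventLogEntry GetEntry(int index)
        {
            // http://msdn.microsoft.com/library/en-us/eventlog/base/readeventlog.asp
            // http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp
            // http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html

            index += OldestEventLogEntry;

            int bytesRead       = 0;
            int minBufferNeeded = 0;

            byte [] buffer = new byte [0x7ffff];             // according to MSDN this is the max size of the buffer

            ReadEventLog(index, buffer, ref bytesRead, ref minBufferNeeded);

            MemoryStream ms = new MemoryStream(buffer);
            // NOTE(review): BinaryReader defaults to UTF-8 for ReadChar/PeekChar; whether the
            // strings in the record are narrow or UTF-16 depends on which ReadEventLog
            // variant the P/Invoke binds — confirm against the declaration.
            using (BinaryReader br = new BinaryReader(ms))
            {
                // skip first 8 bytes (record length and reserved field; neither is needed here)
                br.ReadBytes(8);

                int recordNumber = br.ReadInt32();              // 8

                int   timeGeneratedSeconds = br.ReadInt32();    // 12
                int   timeWrittenSeconds   = br.ReadInt32();    // 16
                uint  instanceID           = br.ReadUInt32();   // 20
                int   eventID        = EventLog.GetEventID(instanceID);
                short eventType      = br.ReadInt16();          // 24
                short numStrings     = br.ReadInt16();          // 26
                short categoryNumber = br.ReadInt16();          // 28

                // skip reservedFlags
                br.ReadInt16();                     // 30
                // skip closingRecordNumber
                br.ReadInt32();                     // 32
                int stringOffset  = br.ReadInt32(); // 36
                int userSidLength = br.ReadInt32(); // 40
                int userSidOffset = br.ReadInt32(); // 44
                int dataLength    = br.ReadInt32(); // 48
                int dataOffset    = br.ReadInt32(); // 52

                // timestamps are seconds since the Unix epoch
                DateTime timeGenerated = new DateTime(1970, 1, 1).AddSeconds(
                    timeGeneratedSeconds);

                DateTime timeWritten = new DateTime(1970, 1, 1).AddSeconds(
                    timeWrittenSeconds);

                StringBuilder sb = new StringBuilder();

                // SourceName and Computername immediately follow the fixed header.
                string sourceName  = ReadNullTerminated(br, sb);
                string machineName = ReadNullTerminated(br, sb);

                string userName = null;

                if (userSidLength != 0)
                {
                    // TODO: lazy init ?
                    // The offset/length pair comes from the record itself; reject a pair
                    // that does not fit the buffer instead of reading zero padding.
                    CheckRecordRange(userSidOffset, userSidLength, buffer.Length, "user SID");
                    ms.Position = userSidOffset;
                    byte [] sid = br.ReadBytes(userSidLength);
                    userName = LookupAccountSid(machineName, sid);
                }

                CheckRecordRange(stringOffset, 0, buffer.Length, "string table");
                ms.Position = stringOffset;
                string [] replacementStrings = new string [numStrings];
                for (int i = 0; i < numStrings; i++)
                {
                    replacementStrings [i] = ReadNullTerminated(br, sb);
                }

                // ReadBytes after the range check always yields exactly dataLength bytes;
                // the previous Read() call ignored a short read and left the tail zero-filled.
                CheckRecordRange(dataOffset, dataLength, buffer.Length, "data");
                ms.Position = dataOffset;
                byte [] data = br.ReadBytes(dataLength);

                // TODO: lazy fetch ??
                string message  = this.FormatMessage(sourceName, instanceID, replacementStrings);
                string category = FormatCategory(sourceName, categoryNumber);

                return(new EventLogEntry(category, categoryNumber, recordNumber,
                                         eventID, sourceName, message, userName, machineName,
                                         (EventLogEntryType)eventType, timeGenerated, timeWritten,
                                         data, replacementStrings, instanceID));
            }
        }

        /// <summary>
        /// Reads characters up to the next NUL, consumes the NUL, and returns the text before it.
        /// </summary>
        /// <param name="br">Reader positioned at the first character of the string.</param>
        /// <param name="sb">Scratch builder; it is cleared before use.</param>
        /// <returns>The string without its terminator.</returns>
        /// <exception cref="EndOfStreamException">The stream ends before a NUL is found
        /// (PeekChar returns -1, which is not '\0', so ReadChar is attempted).</exception>
        private static string ReadNullTerminated(BinaryReader br, StringBuilder sb)
        {
            sb.Length = 0;
            while (br.PeekChar() != '\0')
            {
                sb.Append(br.ReadChar());
            }
            br.ReadChar();              // skip the null-char
            return sb.ToString();
        }

        /// <summary>
        /// Verifies that <paramref name="length"/> bytes starting at <paramref name="offset"/>
        /// lie inside a buffer of <paramref name="bufferLength"/> bytes.
        /// </summary>
        /// <param name="offset">Offset read from the record.</param>
        /// <param name="length">Length read from the record (0 to check only the offset).</param>
        /// <param name="bufferLength">Size of the buffer the record was read into.</param>
        /// <param name="what">Name of the field, used only in the error message.</param>
        /// <exception cref="IOException">The range is negative or extends past the buffer.</exception>
        private static void CheckRecordRange(int offset, int length, int bufferLength, string what)
        {
            // written as offset > bufferLength - length so the sum cannot overflow
            if (offset < 0 || length < 0 || offset > bufferLength - length)
            {
                throw new IOException("Malformed event log record: " + what + " (offset " + offset +
                                      ", length " + length + ") lies outside the " + bufferLength +
                                      "-byte buffer.");
            }
        }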