internal static async Task RunAuditEventsReport(this IEnterpriseContext context, AuditReportOptions options) { if (context.AuditEvents == null) { var auditEvents = await context.Enterprise.Auth.GetAvailableEvents(); lock (context) { context.AuditEvents = new ConcurrentDictionary <string, AuditEventType>(); foreach (var evt in auditEvents) { context.AuditEvents[evt.Name] = evt; } } } var filter = new ReportFilter(); if (!string.IsNullOrEmpty(options.Created)) { filter.Created = ParseDateCreatedFilter(options.Created); } if (options.EventType != null && options.EventType.Any()) { filter.EventTypes = options.EventType.ToArray(); } if (!string.IsNullOrEmpty(options.Username)) { filter.Username = options.Username; } if (!string.IsNullOrEmpty(options.RecordUid)) { filter.RecordUid = options.RecordUid; } if (!string.IsNullOrEmpty(options.SharedFolderUid)) { filter.SharedFolderUid = options.SharedFolderUid; } var rq = new GetAuditEventReportsCommand { Filter = filter, Limit = options.Limit, }; var rs = await context.Enterprise.Auth.ExecuteAuthCommand <GetAuditEventReportsCommand, GetAuditEventReportsResponse>(rq); var tab = new Tabulate(4) { DumpRowNo = true }; tab.AddHeader("Created", "Username", "Event", "Message"); tab.MaxColumnWidth = 100; foreach (var evt in rs.Events) { if (!evt.TryGetValue("audit_event_type", out var v)) { continue; } var eventName = v.ToString(); if (!context.AuditEvents.TryGetValue(eventName, out var eventType)) { continue; } var message = eventType.SyslogMessage; do { var match = Regex.Match(message, ParameterPattern); if (!match.Success) { break; } if (match.Groups.Count != 2) { break; } var parameter = match.Groups[1].Value; var value = ""; if (evt.TryGetValue(parameter, out v)) { value = v.ToString(); } message = message.Remove(match.Groups[0].Index, match.Groups[0].Length); message = message.Insert(match.Groups[0].Index, value); } while (true); var created = ""; if (evt.TryGetValue("created", out v)) { created = v.ToString(); if (long.TryParse(created, out var epoch)) { created = DateTimeOffset.FromUnixTimeSeconds(epoch).ToString("G"); } } var username = ""; if (evt.TryGetValue("username", out v)) { username = v.ToString(); } tab.AddRow(created, username, eventName, message); } tab.Dump(); }
public static async Task <Tuple <GetAuditEventReportsResponse, long> > GetUserEvents(this IAuthentication auth, string forUser, long recentUnixTime, long latestUnixTime = 0) { if (recentUnixTime < 0 || latestUnixTime < 0 || string.IsNullOrEmpty(forUser)) { return(null); } if (recentUnixTime == 0) { recentUnixTime = DateTimeOffset.Now.ToUnixTimeMilliseconds() / 1000; } var rq = new GetAuditEventReportsCommand { Filter = new ReportFilter { Username = forUser, Created = new CreatedFilter { Max = recentUnixTime == 0 ? (long?)null : recentUnixTime, Min = latestUnixTime == 0 ? (long?)null : latestUnixTime } }, Limit = 1000, ReportType = "raw", Order = "descending" }; var rs = await auth.ExecuteAuthCommand <GetAuditEventReportsCommand, GetAuditEventReportsResponse>(rq); var response = Tuple.Create <GetAuditEventReportsResponse, long>(rs, -1); if (rs.Events == null || rs.Events.Count == 0) { return(response); } if (rq.Limit > 0 && rs.Events?.Count < 0.95 * rq.Limit) { return(response); } var pos = rs.Events.Count - 1; if (!rs.Events[pos].TryGetValue("created", out var lastCreated)) { return(response); } while (pos > 0) { pos--; if (rs.Events[pos].TryGetValue("created", out var created)) { if (!Equals(created, lastCreated)) { break; } } } if (pos <= 0 || pos >= rs.Events.Count - 1) { return(response); } if (!(lastCreated is IConvertible conv)) { return(response); } rs.Events.RemoveRange(pos + 1, rs.Events.Count - pos - 1); return(Tuple.Create(rs, conv.ToInt64(CultureInfo.InvariantCulture) + 1)); }