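/// <summary>
/// Offline entry point: parses the command line, loads the EVTX file or folder it
/// names, runs the search terms over that data, and emits the matches either to a
/// CSV file (<c>-output_csv</c>) or to the SWELF event log. Any failure is treated as
/// fatal and ends the process through <c>Settings.Stop</c> with the critical exit code.
/// </summary>
internal static void Start_EVTX_Process()
{
    try
    {
        Read_EventLog evtxReader = new Read_EventLog();
        // Order matters: PARSE_Commandline_Input loads the EVTX data into evtxReader
        // when -evtx_file / -evtx_folder is present, so it must run before the search.
        PARSE_Commandline_Input(evtxReader);

        Search_EventLog searcher = new Search_EventLog(evtxReader.EVTX_File_Logs);
        // NOTE(review): the live path (Start_Searching_Logs) publishes its matches to
        // Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs while this path writes
        // to Settings — confirm the downstream writer reads the one populated here.
        Settings.SWELF_Events_Of_Interest_Matching_EventLogs = searcher.Search(Settings.CMDLine_EVTX_File);

        if (Settings.output_csv)
        {
            File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
        }
        else
        {
            Start_Write_To_SWELF_EventLogs();
        }

        if (Settings.CMDLine_Dissolve)
        {
            Settings.Dissolve();
        }

        Error_Operation.WRITE_Stored_Errors();
    }
    catch (Exception e)
    {
        // Message is already a string; StackTrace may be null for some exception
        // sources, so it is defaulted rather than dereferenced inside the handler.
        Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Start_EVTX_Process() ", e.Message, e.StackTrace ?? string.Empty);
    }
}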
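/// <summary>
/// Processes one live event log: runs the pre-read security checks, reads the log at
/// position <paramref name="Index"/> of <c>Settings.EventLog_w_PlaceKeeper_List</c> from
/// its stored place-keeper, searches whatever was read, and publishes the matches to
/// <c>Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs</c>. Failures are logged
/// and swallowed so the remaining logs are still processed.
/// </summary>
/// <param name="Index">Position of the log to process in <c>Settings.EventLog_w_PlaceKeeper_List</c>.</param>
private static void Start_Searching_Logs(int Index)
{
    // Resolved once and without throwing, so every error path below can name the log
    // that was actually being processed. The original re-evaluated the lookup on each
    // use and, in the generic error path, indexed by Settings.Total_Threads_Run instead
    // of Index, which could report a different log or throw inside the handler.
    string logName = Settings.EventLog_w_PlaceKeeper_List.ElementAtOrDefault(Index) ?? ("index " + Index.ToString());
    const string context = "Start_Read_Search_Write_Forward_EventLogs()";

    // Sharing (0x20) and lock (0x21) violations are the Win32 errors behind
    // "The process cannot access the file ..."; the message check is kept as a
    // fallback for wrappers that surface the text without the HRESULT.
    bool IsFileLockError(Exception ex)
    {
        bool lockHResult = ex is System.IO.IOException
            && (ex.HResult == unchecked((int)0x80070020) || ex.HResult == unchecked((int)0x80070021));
        return lockHResult
            || ex.Message.IndexOf("The process cannot access the file", StringComparison.Ordinal) >= 0;
    }

    try
    {
        Sec_Checks.Live_Run_Sec_Checks(logName);

        Read_EventLog reader = new Read_EventLog();
        reader.READ_EventLog(logName, Settings.EventLog_w_PlaceKeeper[logName]);

        if (Data_Store.contents_of_EventLog.Count > 0)
        {
            Search_EventLog searcher = new Search_EventLog();
            Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs = searcher.Search(logName);
        }
    }
    catch (NullReferenceException e)
    {
        // Typed catch instead of comparing e.Message to the English text, which does
        // not match on localized runtimes.
        Error_Operation.Log_Error(context,
            logName + " " + e.Message + " This error means the EventLog was not read or searched. \n",
            e.StackTrace ?? string.Empty,
            Error_Operation.LogSeverity.Informataion);
    }
    catch (Exception e) when (IsFileLockError(e))
    {
        Error_Operation.Log_Error(context,
            e.Message + " OS File lock of vital resource at runtime." + " This error means the EventLog was not read or searched.\n",
            e.StackTrace ?? string.Empty,
            Error_Operation.LogSeverity.Warning);
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error(context,
            " " + logName + " x=" + Index.ToString() + " " + e.Message + ". Check search Syntx." + " This error means the EventLog was not read or searched.\n",
            e.StackTrace ?? string.Empty,
            Error_Operation.LogSeverity.Informataion);
    }
    finally
    {
        // Cleared even after a failure so a partially read log cannot bleed into the
        // next log's search; null-conditional because the NRE path can mean the
        // shared store itself was never created.
        Data_Store.contents_of_EventLog?.Clear();
    }

    // Kept from the original: forces a full collection after every log. Removing it
    // is a separate decision since callers may rely on the memory profile.
    GC.Collect();
}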
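/// <summary>
/// Walks <c>Program_Start_Args</c> and applies each recognised switch to
/// <c>Settings</c>; the file switches additionally load the EVTX data into
/// <paramref name="EvntLogSearch"/>. Unrecognised tokens are ignored. A switch added
/// here must also be added to the help text in <c>Settings.SHOW_Help_Menu()</c>.
/// </summary>
/// <param name="EvntLogSearch">Reader that receives the file or folder named by -evtx_file / -evtx_folder.</param>
/// <exception cref="ArgumentException">A switch that takes a value is the last token on the command line.</exception>
private static void PARSE_Commandline_Input(Read_EventLog EvntLogSearch)
{
    // Returns the token following position `position`, or fails with a message naming
    // the switch instead of the bare ArgumentOutOfRangeException that ElementAt(x + 1)
    // produced when a value-taking switch was the last argument.
    string ValueAfter(int position, string flag)
    {
        if (position + 1 >= Program_Start_Args.Count)
        {
            throw new ArgumentException(flag + " requires a value.");
        }
        return Program_Start_Args.ElementAt(position + 1);
    }

    for (int x = 0; x < Program_Start_Args.Count; ++x)
    {
        // Switch labels are compared ordinally, so the token is lower-cased with the
        // invariant culture; ToLower() follows the current culture (e.g. Turkish i).
        string token = Program_Start_Args.ElementAt(x).ToLowerInvariant();

        //ONCE YOU ADD COMMAND HERE ADD TO HELP MENU at Settings.SHOW_Help_Menu()
        switch (token)
        {
            case "-help":
            case "-h":
            case "?":
                Settings.SHOW_Help_Menu();
                break;

            case "-output_csv":
                Settings.CMDLine_Output_CSV = ValueAfter(x, token);
                Settings.output_csv = true;
                ++x; // value consumed; do not re-read it as a switch
                break;

            case "-evtx_file":
                Settings.CMDLine_EVTX_File = ValueAfter(x, token);
                EvntLogSearch.READ_EVTX_File(Settings.CMDLine_EVTX_File);
                Settings.EVTX_Override = true;
                ++x;
                break;

            case "-evtx_folder":
                Settings.CMDLine_EVTX_File = ValueAfter(x, token);
                EvntLogSearch.READ_EVTX_Folder(Settings.CMDLine_EVTX_File);
                Settings.EVTX_Override = true;
                ++x;
                break;

            case "-search_terms":
                Settings.CMDLine_Search_Terms = ValueAfter(x, token);
                Settings.READ_Search_Terms_File(false, false);
                ++x;
                break;

            case "-dissolve":
                Settings.CMDLine_Dissolve = true;
                break;

            case "-find":
                Settings.CMDLine_Find_SEARCHTERM = ValueAfter(x, token);
                ++x;
                break;

            default:
                // Unrecognised tokens are ignored, as in the original.
                break;
        }
    }
}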