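/// <summary>
/// Runs one full live pass: security pre-checks, setup, the two background collectors
/// (PowerShell plugins and local log files), then the event-log read/search/forward,
/// file-based log sending and the hash/IP output files. Stored errors are flushed last.
/// </summary>
/// <remarks>
/// Fix: the original wait loop tested <c>READ_Local_LogFiles_Thread.IsAlive</c> twice
/// (the plugin thread was never consulted) and negated the test, so it fell through as
/// soon as the log-file collector was still running and then aborted both collectors
/// mid-work. The log-file collector is now joined, and the plugin thread is waited on
/// until it either exits or signals <c>Settings.PS_PluginDone</c>; only a plugin thread
/// that lingers after signalling completion is still torn down with Abort (a .NET
/// Framework-only API).
/// </remarks>
private static void Run_Live_Process_Workflow()
{
    if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
    {
        Start_Setup();

        // Both collectors are background threads at lowest priority so they cannot
        // keep the process alive or starve the event-log search that follows.
        Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins())
        {
            IsBackground = true,
            Priority = ThreadPriority.Lowest,
        };
        PS_Plugins_Thread.Start();

        Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles())
        {
            IsBackground = true,
            Priority = ThreadPriority.Lowest,
        };
        READ_Local_LogFiles_Thread.Start();

        // The log-file collector has no completion flag: wait for the thread itself.
        READ_Local_LogFiles_Thread.Join();

        // Plugins report completion through Settings.PS_PluginDone; poll that flag
        // (Join with a timeout returns early if the thread exits on its own).
        while (PS_Plugins_Thread.IsAlive && !Settings.PS_PluginDone)
        {
            PS_Plugins_Thread.Join(10000);
        }
        if (PS_Plugins_Thread.IsAlive)
        {
            // Plugins signalled done but the host thread is still up; the original
            // design tears it down here rather than waiting on it indefinitely.
            PS_Plugins_Thread.Abort();
        }

        Start_Read_Search_Write_Forward_EventLogs();
        Start_Send_File_Based_Logs();
        Write_HashFile_IPsFile();
    }
    else
    {
        Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
    }

    Error_Operation.WRITE_Stored_Errors();
}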
/// <summary>
/// Post-run output stage. When there are matched events they are either written to the
/// CSV named on the command line (only when CSV output is on, at least three start
/// arguments were given and no log forwarders are configured) or sent to the network
/// collectors; any failure is logged as a warning. Afterwards the SWELF event log is
/// written if every collector accepted the logs, the post-run security checks run, and
/// in all cases the event-log place keeper file is updated.
/// </summary>
internal static void Start_Output_Post_Run()
{
    if (Settings.SWELF_Events_Of_Interest_Matching_EventLogs.Count > 0)
    {
        bool csvRequested = Settings.output_csv
            && Program_Start_Args.Count >= 3
            && Settings.Log_Forwarders_HostNames.Count < 1;

        try
        {
            if (csvRequested)
            {
                File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
            }
            else
            {
                Log_Network_Forwarder.SEND_Logs(Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
            }
        }
        catch (Exception ex)
        {
            Error_Operation.Log_Error("Start_Output_Post_Run() Network_Forwarder.SEND_Logs() File_Operation.Write_Ouput_CSV()", ex.Message, ex.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
        }

        if (Settings.Logs_Sent_to_ALL_Collectors)
        {
            Start_Write_To_SWELF_EventLogs();
        }

        Sec_Checks.Post_Run_Sec_Checks();
    }

    // Always persist the place keepers so the next run resumes from the right record.
    Settings.UPDATE_EventLog_w_PlaceKeeper_File();
}
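/// <summary>
/// Reads one event log (the one at <paramref name="Index"/> in
/// <c>Settings.EventLog_w_PlaceKeeper_List</c>) from its stored place keeper, searches
/// the contents when anything was read, and publishes the matches to
/// <c>Data_Store</c>. Read and search failures are logged, never thrown.
/// </summary>
/// <param name="Index">Position of the log in Settings.EventLog_w_PlaceKeeper_List.</param>
/// <remarks>
/// Fixes: the generic error branch indexed the list with <c>Settings.Total_Threads_Run</c>
/// instead of <paramref name="Index"/>, so it named the wrong log (or threw inside the
/// catch) whenever the two differed; the shared <c>Data_Store.contents_of_EventLog</c> is
/// now cleared in <c>finally</c> so a failed read cannot leak its partial contents into
/// the next log's search; and exception classification checks the exception type as well
/// as the message text (the .NET messages are localized, so the text alone is not a
/// reliable discriminator).
/// </remarks>
private static void Start_Searching_Logs(int Index)
{
    try
    {
        string logName = Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index);
        Read_EventLog EVNT_Log = new Read_EventLog();
        Sec_Checks.Live_Run_Sec_Checks(logName);
        EVNT_Log.READ_EventLog(logName, Settings.EventLog_w_PlaceKeeper[logName]);
        if (Data_Store.contents_of_EventLog.Count > 0)
        {
            Search_EventLog search_Obj = new Search_EventLog();
            Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs = search_Obj.Search(logName);
        }
    }
    catch (Exception e) when (e is NullReferenceException || e.Message == "Object reference not set to an instance of an object.")
    {
        Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", Describe_EventLog_At(Index) + " " + e.Message + " This error means the EventLog was not read or searched. \n", e.StackTrace ?? string.Empty, Error_Operation.LogSeverity.Informataion);
    }
    catch (Exception e) when (e.Message.Contains("The process cannot access the file"))
    {
        Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", e.Message + " OS File lock of vital resource at runtime." + " This error means the EventLog was not read or searched.\n", e.StackTrace ?? string.Empty, Error_Operation.LogSeverity.Warning);
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", " " + Describe_EventLog_At(Index) + " x=" + Index.ToString() + " " + e.Message + ". Check search Syntx." + " This error means the EventLog was not read or searched.\n", e.StackTrace ?? string.Empty, Error_Operation.LogSeverity.Informataion);
    }
    finally
    {
        // contents_of_EventLog is a shared store; never leave one log's records behind.
        Data_Store.contents_of_EventLog.Clear();
    }

    // Kept from the original: the author forces a collection after each (potentially
    // very large) log has been processed.
    GC.Collect();
}

/// <summary>
/// Name of the event log at <paramref name="Index"/> for error messages, or a
/// placeholder when the index is out of range so that logging itself cannot throw.
/// </summary>
private static string Describe_EventLog_At(int Index)
{
    if (Index >= 0 && Index < Settings.EventLog_w_PlaceKeeper_List.Count)
    {
        return Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index);
    }
    return "index " + Index;
}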
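/// <summary>
/// Makes a SWELF-protected file readable again: the SWELF content encryption is
/// undone when present, then the Windows EFS layer is removed with File.Decrypt.
/// On failure the method retries once after re-applying both layers, reconciles the
/// file against its registry copy on a padding error, or restores a truncated file
/// from the registry copy.
/// </summary>
/// <param name="FilePath">Path of the protected file.</param>
/// <param name="RetryNumber">0 on the caller's attempt; 1 on the single internal retry.</param>
/// <remarks>
/// Fix: the search-terms fallback wrote the registry copy of the search terms into the
/// app-config file path instead of into <paramref name="FilePath"/>, overwriting the
/// app config with search terms. The formerly empty "no registry copy" branch now logs.
/// </remarks>
internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
{
    try
    {
        if (File_Operation.CHECK_File_Encrypted(FilePath))
        {
            // NOTE(review): the decrypted text is appended rather than written over the
            // file; presumably Decrypt_File_Contents truncates the file first — confirm.
            File.AppendAllText(FilePath, Decrypt_File_Contents(FilePath));
        }
        File.Decrypt(FilePath);
    }
    catch (Exception e)
    {
        string message = e.Message;
        bool incompleteBlock = message.Contains("The input data is not a complete block.");

        if (RetryNumber == 0)
        {
            if (incompleteBlock && !File_Operation.CHECK_File_Encrypted(FilePath))
            {
                // Content layer looks half-applied: re-apply both layers and retry once.
                Encrypt_File_Contents(FilePath);
                File.Encrypt(FilePath);
                UnSecure_File(FilePath, 1);
            }
            else
            {
                // Second attempt at removing the EFS layer alone; if this throws it
                // propagates to the caller, as before.
                File.Decrypt(FilePath);
            }
        }

        if (message.Contains("Padding"))
        {
            // Bad padding means the bytes on disk are not what SWELF wrote (corruption
            // or tampering); reconcile the file against the copy kept in the registry.
            Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
        }
        else if (incompleteBlock)
        {
            Restore_Protected_File_From_Registry(FilePath, RetryNumber);
        }
        else
        {
            Error_Operation.Log_Error("UnLock_File()", message + " " + FilePath + " retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
        }
    }
}

/// <summary>
/// Rewrites a truncated protected file from the copy SWELF keeps in the registry.
/// The app-config file is restored to its canonical path; the search-terms file is
/// restored to the path that failed. Logs a warning when no registry copy exists.
/// </summary>
/// <param name="FilePath">Path of the file that failed to decrypt.</param>
/// <param name="RetryNumber">Retry counter, included in the log message only.</param>
private static void Restore_Protected_File_From_Registry(string FilePath, int RetryNumber)
{
    if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
    {
        File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
    }
    else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents))
    {
        File.WriteAllText(FilePath, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents));
    }
    else
    {
        Error_Operation.Log_Error("UnLock_File()", "The input data is not a complete block. No registry copy available to restore " + FilePath + " retry=" + RetryNumber, "", Error_Operation.LogSeverity.Warning);
    }
}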
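/// <summary>
/// Live-run entry: security pre-checks, optional "-dissolve" handling, setup, the two
/// background collectors (plugins and local log files), then the event-log
/// read/search/forward, file-based log sending and hash/IP output. Dissolves SWELF
/// when requested and flushes stored errors at the end.
/// </summary>
/// <remarks>
/// Fixes: the "-dissolve" test indexed <c>Program_Start_Args</c> without checking that
/// any argument exists and compared with a culture-sensitive <c>ToLower()</c>; it now
/// guards the count and uses an ordinal case-insensitive comparison. The collector wait
/// loop tested <c>READ_Local_LogFiles_Thread.IsAlive</c> twice (never the plugin thread)
/// and negated the test, so it fell through while the log-file collector was still
/// running and aborted both collectors mid-work; the log-file collector is now joined and
/// the plugin thread is waited on until it exits or signals <c>Settings.PS_PluginDone</c>.
/// Only a plugin thread that lingers after signalling completion is still torn down with
/// Abort (a .NET Framework-only API).
/// </remarks>
private static void Start_Live_Process()
{
    if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
    {
        // "-dissolve" is honoured only when SWELF's own event log does not exist yet
        // and the error log file is present.
        if (Program_Start_Args.Count > 0
            && string.Equals(Program_Start_Args.ElementAt(0), "-dissolve", StringComparison.OrdinalIgnoreCase)
            && !Settings.CHECK_If_EventLog_Exsits(Settings.SWELF_EventLog_Name)
            && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
        {
            Settings.CMDLine_Dissolve = true;
        }

        Start_Setup();

        // Both collectors are background threads at lowest priority so they cannot
        // keep the process alive or starve the event-log search that follows.
        Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins())
        {
            IsBackground = true,
            Priority = ThreadPriority.Lowest,
        };
        PS_Plugins_Thread.Start();

        Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles())
        {
            IsBackground = true,
            Priority = ThreadPriority.Lowest,
        };
        READ_Local_LogFiles_Thread.Start();

        // The log-file collector has no completion flag: wait for the thread itself.
        READ_Local_LogFiles_Thread.Join();

        // Plugins report completion through Settings.PS_PluginDone; poll that flag
        // (Join with a timeout returns early if the thread exits on its own).
        while (PS_Plugins_Thread.IsAlive && !Settings.PS_PluginDone)
        {
            PS_Plugins_Thread.Join(10000);
        }
        if (PS_Plugins_Thread.IsAlive)
        {
            // Plugins signalled done but the host thread is still up; the original
            // design tears it down here rather than waiting on it indefinitely.
            PS_Plugins_Thread.Abort();
        }

        Start_Read_Search_Write_Forward_EventLogs();
        Start_Send_File_Based_Logs();
        Write_HashFile_IPsFile();
    }
    else
    {
        Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
    }

    if (Settings.CMDLine_Dissolve)
    {
        Settings.Dissolve();
    }

    Error_Operation.WRITE_Stored_Errors();
}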
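/// <summary>
/// Reads and searches every event log in <c>Settings.EventLog_w_PlaceKeeper_List</c> on
/// worker threads, at most <c>Settings.Max_Thread_Count</c> at a time (clamped to at
/// least 1), waits for all workers, then runs the post-run output. Logs a warning and
/// does nothing else when the list is empty.
/// </summary>
/// <remarks>
/// Fixes: the worker lambda captured <c>Settings.Total_Threads_Run</c> by reference, so
/// a worker could read a counter already advanced by another worker and search the
/// wrong (or a duplicate) log — the index is now snapshotted before the thread is
/// created. Each iteration also called <c>Abort()</c> on the thread it had just started;
/// with Max_Thread_Count &gt; 1 that killed live searches and could leave
/// <c>Running_Thread_Count</c> never decremented, hanging the final wait. Workers now
/// run to completion. The per-iteration <c>GC.Collect()</c> was dropped; the worker
/// path already forces a collection after each log.
/// Thread bookkeeping (Total_Threads_Run / Running_Thread_Count) is presumably updated
/// inside Start_Threaded_Search — confirm, the loop depends on it.
/// </remarks>
private static void Start_Read_Search_Write_Forward_EventLogs()
{
    if (Settings.Max_Thread_Count < 1)
    {
        Settings.Max_Thread_Count = 1;
    }

    if (Settings.EventLog_w_PlaceKeeper_List.Count <= 0)
    {
        Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", "Settings.EventLog_w_PlaceKeeper_List.Count is " + Settings.EventLog_w_PlaceKeeper_List.Count, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Warning);
        return;
    }

    Sec_Checks.Pre_Live_Run_Sec_Checks();

    while (Settings.Total_Threads_Run < Settings.EventLog_w_PlaceKeeper_List.Count)
    {
        // Throttle: block until a worker slot is free. The very first log always
        // starts, matching the original "|| Total_Threads_Run == 0" clause.
        while (Settings.Running_Thread_Count >= Settings.Max_Thread_Count && Settings.Total_Threads_Run != 0)
        {
            Thread.Sleep(Settings.Thread_Sleep_Time);
        }

        // Snapshot the index so the worker is bound to this log regardless of how
        // the shared counter moves while it is scheduled.
        int logIndex = Settings.Total_Threads_Run;
        Thread Search_Thread = new Thread(() => Start_Threaded_Search(logIndex))
        {
            IsBackground = true,
            Priority = ThreadPriority.AboveNormal,
        };
        Search_Thread.Start();

        // Give the worker time to register itself before the loop condition is re-read.
        Thread.Sleep(100);
    }

    // Wait for every started worker to finish before producing output.
    while (Settings.Running_Thread_Count != 0)
    {
        Thread.Sleep(Settings.Thread_Sleep_Time);
    }

    Start_Output_Post_Run();
}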
/// <summary>
/// Sequential variant: runs the pre-live security checks, then reads and searches each
/// event log in <c>Settings.EventLog_w_PlaceKeeper_List</c> in order and finishes with
/// the post-run output. While <c>RanToLongTiner</c> is set (another run of this method is
/// already in flight) the per-log work and the output stage are skipped. An empty list
/// is logged as a warning.
/// </summary>
private static void Start_Read_Search_Write_Forward_EventLogs()
{
    if (Settings.EventLog_w_PlaceKeeper_List.Count <= 0)
    {
        Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", "Settings.EventLog_w_PlaceKeeper_List.Count is " + Settings.EventLog_w_PlaceKeeper_List.Count, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Warning);
        return;
    }

    Sec_Checks.Pre_Live_Run_Sec_Checks();

    for (int position = 0; position < Settings.EventLog_w_PlaceKeeper_List.Count; position++)
    {
        if (!RanToLongTiner)
        {
            Start_Searching_Logs(position);
        }
    }

    // The flag is re-checked here: output is only produced by the run that owns it.
    if (!RanToLongTiner)
    {
        Start_Output_Post_Run();
    }
}
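/// <summary>
/// Reads every record of the Windows event log <paramref name="Eventlog_FullName"/>
/// through the EventLogReader API, converts the records whose RecordId is above
/// <paramref name="RecordID_From_Last_Read"/> into <c>EventLog_Entry</c> objects and
/// queues them on <paramref name="EventLogName"/>. Per-record problems are logged as
/// warnings and the record is skipped; failing to open or iterate the log is logged as a
/// failure audit. Afterwards the harvested IP and hash lists are de-duplicated.
/// </summary>
/// <param name="Eventlog_FullName">Channel name passed to EventLogQuery with PathType.LogName.</param>
/// <param name="RecordID_From_Last_Read">Highest RecordId already processed; only higher records are queued.</param>
/// <param name="EventLogName">Receives the entries, the last record id seen and the missing-log flag.</param>
/// <remarks>
/// Fixes: the EventLogReader is now disposed; the IP/hash de-duplication appended the
/// distinct values back onto the same lists (doubling them every call) and now replaces
/// the list contents; the record id is read once per record, which removes a try/catch
/// around an expression that could no longer fail. The per-field fallbacks (display
/// names, FormatDescription() -&gt; ToXml()) are unchanged because provider metadata is
/// frequently unavailable on the reading host.
/// </remarks>
private static void READ_WindowsEventLog_API(string Eventlog_FullName, long RecordID_From_Last_Read, EventLog_File EventLogName)
{
    try
    {
        EventLogQuery eventsQuery = new EventLogQuery(Eventlog_FullName, PathType.LogName);
        using (EventLogReader EventLogtoReader = new EventLogReader(eventsQuery))
        {
            // GET_EventLogEntry_From_API advances the reader and stores the current
            // record in Windows_EventLog_from_API; null means end of log.
            while (GET_EventLogEntry_From_API(EventLogtoReader) != null)
            {
                try
                {
                    long recordId = Windows_EventLog_from_API.RecordId.Value;
                    if (recordId > RecordID_From_Last_Read)
                    {
                        EventLog_Entry SWELF_Eventlog = Build_Entry_From_Current_Record(recordId);

                        try
                        {
                            EventLogName.EventlogMissing = Sec_Checks.CHECK_If_EventLog_Missing(EventLogName, SWELF_Eventlog);
                        }
                        catch (Exception)
                        {
                            // Treat an undecidable gap check as a missing log, as before.
                            EventLogName.EventlogMissing = true;
                        }

                        EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = recordId;
                        EventLogName.Enqueue_Log(SWELF_Eventlog);
                    }
                }
                catch (Exception e)
                {
                    Error_Operation.Log_Error("INDEX_Record_FROM_API() Missing Event Log(s) Due To Exception with log format while reading in eventlogs.", "EventLog='" + Eventlog_FullName + "' " + e.Message, e.StackTrace ?? string.Empty, Error_Operation.LogSeverity.Warning);
                    MissingLogInFileDueToException = true;
                }
            }
        }

        Deduplicate_Extracted_Indicators();

        // NOTE(review): kept from the original — this clears the flag even when records
        // were skipped above; it appears to be consumed during the loop, confirm.
        MissingLogInFileDueToException = false;
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("READ_WindowsEventLog_API() Missing All Event Log(s) Due To Exception. ", "EventLog='" + Eventlog_FullName + "' " + e.Message + " " + Eventlog_FullName + " " + RecordID_From_Last_Read + " " + EventLogName.First_EventLogID_From_Check + " " + EventLogName.Last_EventLogID_From_Check + " " + EventLogName.Contents_of_EventLog.Count, e.StackTrace ?? string.Empty, Error_Operation.LogSeverity.FailureAudit);
        MissingLogInFileDueToException = true;
    }
}

/// <summary>
/// Builds an <c>EventLog_Entry</c> from the record currently held in
/// <c>Windows_EventLog_from_API</c>. Fields that providers often cannot resolve fall
/// back in the same order as before: MachineName -&gt; Settings.ComputerName,
/// LevelDisplayName -&gt; OpcodeDisplayName -&gt; Level, TaskDisplayName -&gt; ProviderName,
/// FormatDescription() -&gt; ToXml(). When app-config argument 16 is present the event
/// data is prefixed with a key=value header of the entry's identifying fields.
/// </summary>
/// <param name="recordId">RecordId of the current record (already read by the caller).</param>
/// <returns>The populated entry; exceptions from the mandatory fields propagate.</returns>
private static EventLog_Entry Build_Entry_From_Current_Record(long recordId)
{
    EventLog_Entry SWELF_Eventlog = new EventLog_Entry();

    // Mandatory fields: if these fail the record cannot be represented at all.
    SWELF_Eventlog.CreatedTime = Windows_EventLog_from_API.TimeCreated.Value;
    SWELF_Eventlog.EventLog_Seq_num = recordId;
    SWELF_Eventlog.EventID = Windows_EventLog_from_API.Id;
    SWELF_Eventlog.LogName = Windows_EventLog_from_API.LogName;

    try
    {
        SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
    }
    catch (Exception)
    {
        SWELF_Eventlog.ComputerName = Settings.ComputerName;
    }

    try
    {
        SWELF_Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
    }
    catch (Exception)
    {
        try
        {
            SWELF_Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
        }
        catch (Exception)
        {
            SWELF_Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();
        }
    }

    try
    {
        SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
    }
    catch (Exception)
    {
        SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;
    }

    bool prefixWithHeader = Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]);
    string header = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n";
    try
    {
        // Lower-cased so that search terms match case-insensitively downstream.
        string description = Windows_EventLog_from_API.FormatDescription().ToLower();
        SWELF_Eventlog.EventData = prefixWithHeader ? header + description : description;
    }
    catch (Exception)
    {
        // FormatDescription() needs the provider's message resources; fall back to raw XML.
        string xml = Windows_EventLog_from_API.ToXml();
        SWELF_Eventlog.EventData = prefixWithHeader ? header + xml : xml;
    }

    try
    {
        SWELF_Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
        if (string.IsNullOrEmpty(SWELF_Eventlog.GET_XML_of_Log))
        {
            SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml()";
        }
    }
    catch (Exception)
    {
        SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml() Exception Thrown";
    }

    // Indicator extraction is best-effort: a record without hashes or IPs is normal.
    try
    {
        SWELF_Eventlog.GET_FileHash();
    }
    catch (Exception)
    {
        // unable to get file hashes from this record
    }

    try
    {
        SWELF_Eventlog.GET_IP_FromLogFile();
    }
    catch (Exception)
    {
        // unable to get IP values from this record
    }

    return SWELF_Eventlog;
}

/// <summary>
/// De-duplicates the IP and hash lists harvested from event records when either
/// indicator output (app-config argument 11 or 12) is enabled. Replaces the list
/// contents in place; failures are logged as warnings.
/// </summary>
/// <remarks>
/// NOTE(review): these lists are static and the threaded run path uses several workers;
/// Clear+AddRange is not atomic, as the original AddRange was not — confirm whether a
/// lock is needed.
/// </remarks>
private static void Deduplicate_Extracted_Indicators()
{
    try
    {
        if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
        {
            var uniqueIps = Settings.IP_List_EVT_Logs.Distinct().ToList();
            Settings.IP_List_EVT_Logs.Clear();
            Settings.IP_List_EVT_Logs.AddRange(uniqueIps);

            var uniqueHashes = Settings.Hashs_From_EVT_Logs.Distinct().ToList();
            Settings.Hashs_From_EVT_Logs.Clear();
            Settings.Hashs_From_EVT_Logs.AddRange(uniqueHashes);
        }
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("Settings.IP_List_EVT_Logs.AddRange() OR Settings.Hashs_From_EVT_Logs.AddRange()", e.Message, e.StackTrace ?? string.Empty, Error_Operation.LogSeverity.Warning);
    }
}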