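        /// <summary>
        /// One live collection run. Everything is gated behind the pre-run security checks and a
        /// local-admin check; on success it runs setup, starts the PowerShell-plugin runner and the
        /// local log-file reader as low-priority background threads, waits for both, then runs the
        /// event-log read/search/forward pipeline, file-based log forwarding and the hash/IP file
        /// write. Stored errors are flushed at the end on both the success and the failure path.
        /// </summary>
        private static void Run_Live_Process_Workflow()
        {
            // Hard gate: if either check fails nothing is collected and the run is stopped with the
            // critical exit code (the failure text names the admin requirement).
            if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
            {
                Start_Setup();

                Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
                PS_Plugins_Thread.IsBackground = true;
                PS_Plugins_Thread.Priority     = ThreadPriority.Lowest;
                PS_Plugins_Thread.Start();

                Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
                READ_Local_LogFiles_Thread.IsBackground = true;
                READ_Local_LogFiles_Thread.Priority     = ThreadPriority.Lowest;
                READ_Local_LogFiles_Thread.Start();

                // Block until the plugin runner has either signalled PS_PluginDone or exited, AND the
                // local log-file reader has exited. Testing !IsAlive here (or the same thread twice)
                // makes the loop exit as soon as a worker is running, after which the Abort() calls
                // below kill both workers before they have read or forwarded anything. Poll every 10 s.
                while ((!Settings.PS_PluginDone && PS_Plugins_Thread.IsAlive) || READ_Local_LogFiles_Thread.IsAlive)
                {
                    Thread.Sleep(10000);
                }

                // Backstop for a plugin thread that set PS_PluginDone but has not returned yet
                // (harmless for a thread that has already finished). NOTE: Thread.Abort is only
                // supported on .NET Framework; on .NET Core / .NET 5+ it throws
                // PlatformNotSupportedException.
                PS_Plugins_Thread.Abort();
                READ_Local_LogFiles_Thread.Abort();

                Start_Read_Search_Write_Forward_EventLogs();

                Start_Send_File_Based_Logs();

                Write_HashFile_IPsFile();
            }
            else
            {
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
            }
            // Flush whatever was logged during the run, whichever branch was taken.
            Error_Operation.WRITE_Stored_Errors();
        }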
        /// <summary>
        /// Delivers the events that matched the search terms, then closes out the run.
        /// Matches go to the command-line CSV only when CSV output is on, at least three start
        /// arguments were given and no log-forwarder host is configured; otherwise they are sent
        /// to the network forwarders. A delivery failure is logged as a warning and does not stop
        /// the run. If the Logs_Sent_to_ALL_Collectors flag is set (presumably by the forwarder)
        /// the matches are also written to the SWELF event log, and the post-run security checks
        /// run. The place-keeper file is updated on every call, even when nothing matched.
        /// </summary>
        internal static void Start_Output_Post_Run()
        {
            bool nothingMatched = Settings.SWELF_Events_Of_Interest_Matching_EventLogs.Count == 0;

            if (nothingMatched)
            {
                Settings.UPDATE_EventLog_w_PlaceKeeper_File();
                return;
            }

            try
            {
                // Local CSV is the exception path; network forwarding is the default.
                bool writeLocalCsv = Settings.output_csv
                                  && Program_Start_Args.Count >= 3
                                  && Settings.Log_Forwarders_HostNames.Count < 1;

                if (writeLocalCsv)
                {
                    File_Operation.Write_Ouput_CSV(Settings.CMDLine_Output_CSV, Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                }
                else
                {
                    Log_Network_Forwarder.SEND_Logs(Settings.SWELF_Events_Of_Interest_Matching_EventLogs);
                }
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("Start_Output_Post_Run()  Network_Forwarder.SEND_Logs() File_Operation.Write_Ouput_CSV()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
            }

            if (Settings.Logs_Sent_to_ALL_Collectors)
            {
                Start_Write_To_SWELF_EventLogs();
            }
            Sec_Checks.Post_Run_Sec_Checks();

            Settings.UPDATE_EventLog_w_PlaceKeeper_File();
        }
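        /// <summary>
        /// Reads and searches a single Windows event log: the one at position
        /// <paramref name="Index"/> in Settings.EventLog_w_PlaceKeeper_List, starting from the
        /// place-keeper value stored for it in Settings.EventLog_w_PlaceKeeper. The live security
        /// checks for that log run first; if anything was read, the log is searched and the
        /// matches are stored in Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs. The shared
        /// Data_Store.contents_of_EventLog buffer is cleared afterwards. Every failure is logged
        /// and swallowed, so a log that cannot be read or searched is simply skipped for this run.
        /// </summary>
        /// <param name="Index">Position of the event log in Settings.EventLog_w_PlaceKeeper_List.</param>
        private static void Start_Searching_Logs(int Index)
        {
            try
            {
                Read_EventLog EVNT_Log = new Read_EventLog();
                var eventLogName = Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index);

                Sec_Checks.Live_Run_Sec_Checks(eventLogName);

                EVNT_Log.READ_EventLog(eventLogName, Settings.EventLog_w_PlaceKeeper[eventLogName]);

                if (Data_Store.contents_of_EventLog.Count > 0)
                {
                    Search_EventLog search_Obj = new Search_EventLog();

                    Data_Store.SWELF_Events_Of_Interest_Matching_EventLogs = search_Obj.Search(eventLogName);
                }
                // NOTE(review): contents_of_EventLog and the matches are shared static state; if this
                // method ever runs on several threads at once they need synchronisation — confirm
                // against Read_EventLog / Search_EventLog.
                Data_Store.contents_of_EventLog.Clear();
            }
            catch (Exception e)
            {
                // Classify by exception type / HResult first; the English message checks are kept
                // only as a fallback because they never match on a non-English OS.
                // 32 = ERROR_SHARING_VIOLATION, 33 = ERROR_LOCK_VIOLATION.
                bool isFileLock = (e is System.IO.IOException && ((e.HResult & 0xFFFF) == 32 || (e.HResult & 0xFFFF) == 33))
                               || e.Message.ToString().Contains("The process cannot access the file");

                if (e is NullReferenceException || e.Message == "Object reference not set to an instance of an object.")
                {
                    Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index) + " " + e.Message.ToString() + " This error means the EventLog was not read or searched. \n", e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
                }
                else if (isFileLock)
                {
                    Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", e.Message.ToString() + " OS File lock of vital resource at runtime." + " This error means the EventLog was not read or searched.\n", e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }
                else
                {
                    // Report the log this call was given (Index), not the shared
                    // Settings.Total_Threads_Run counter, which can name a different log and can be
                    // out of range here (ElementAt would then throw inside the catch).
                    Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", " " + Settings.EventLog_w_PlaceKeeper_List.ElementAt(Index) + " x=" + Index.ToString() + " " + e.Message.ToString() + ". Check search Syntx." + " This error means the EventLog was not read or searched.\n", e.StackTrace.ToString(), Error_Operation.LogSeverity.Informataion);
                }
            }
            // Kept from the original: a forced collection after every log. Expensive and normally
            // unnecessary in production code.
            GC.Collect();
        }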
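 /// <summary>
 /// Returns a SWELF-protected file to plaintext so it can be read. If the contents are
 /// application-encrypted they are decrypted via Decrypt_File_Contents and appended to the file,
 /// then the EFS layer is removed with File.Decrypt. On failure the method tries, once, to
 /// repair the file: a truncated ciphertext ("not a complete block") on a file that is not
 /// flagged encrypted is re-protected and the call retried; a padding error triggers the
 /// registry-vs-file config check; a persisting "not a complete block" error restores the
 /// app-config or search-terms file from its registry-backed copy; anything else is logged as a
 /// FailureAudit.
 /// </summary>
 /// <param name="FilePath">Full path of the protected file.</param>
 /// <param name="RetryNumber">0 for the initial call; 1 when re-entered from the repair path, which disables a second repair.</param>
 internal static void UnSecure_File(string FilePath, int RetryNumber = 0)
 {
     try
     {
         // NOTE(review): the plaintext is appended to, not written over, the existing file —
         // assumes Decrypt_File_Contents leaves the file in the state that expects; confirm.
         if (File_Operation.CHECK_File_Encrypted(FilePath) == true)
         {
             File.AppendAllText(FilePath, Decrypt_File_Contents(FilePath));
         }
         // EFS (File.Encrypt/Decrypt) binds the file to the calling user's profile keys: it
         // protects the file from other accounts at rest, not from code running as this user.
         File.Decrypt(FilePath);
     }
     catch (Exception e)
     {
         // Failure classification is by English exception message text ("Padding" / "The input
         // data is not a complete block." from CryptographicException) and so is locale-dependent.
         if (RetryNumber == 0)
         {
             if (e.Message.ToString().Contains("The input data is not a complete block.") && File_Operation.CHECK_File_Encrypted(FilePath) == false)
             {
                 // Truncated ciphertext on a file not flagged encrypted: re-protect and retry once.
                 Encrypt_File_Contents(FilePath);
                 File.Encrypt(FilePath);
                 UnSecure_File(FilePath, 1);
             }
             else
             {
                 // A failure here propagates out of the catch block.
                 File.Decrypt(FilePath);
             }
         }
         if (e.Message.Contains("Padding"))
         {
             Sec_Checks.CHECK_Reg_vs_File_Config(FilePath);
         }
         else if (e.Message.Contains("The input data is not a complete block."))
         {
             // Restore the damaged file from the registry-backed copy. The registry value is
             // treated as the reference copy here, so it is only as trustworthy as the key's ACL.
             if (FilePath.Contains(Settings.AppConfigFile_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
             {
                 File.WriteAllText(Settings.GET_AppConfigFile_Path, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
             }
             else if (FilePath.Contains(Settings.SearchTermsFileName_FileName) && Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.SearchTerms_File_Contents))
             {
                 // Write the search terms back to the search-terms file itself (FilePath). Writing
                 // them to the app-config path would overwrite the app config with search terms
                 // and leave the search-terms file unrepaired.
                 File.WriteAllText(FilePath, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.SearchTerms_File_Contents));
             }
             else
             {
                 // No registry copy to restore from: nothing more can be done here.
             }
         }
         else
         {
             Error_Operation.Log_Error("UnLock_File()", e.Message.ToString() + " " + FilePath + "  retry=" + RetryNumber, "", Error_Operation.LogSeverity.FailureAudit);
         }
     }
 }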
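        /// <summary>
        /// Live run entry point with "-dissolve" support. Gates everything behind the pre-run
        /// security checks and a local-admin check, then: runs setup, starts the PowerShell-plugin
        /// runner and the local log-file reader as low-priority background threads, waits for both,
        /// and runs the event-log read/search/forward pipeline, file-based log forwarding and the
        /// hash/IP file write. When the first start argument is -dissolve, the SWELF event log does
        /// not exist and the error log file does, Settings.Dissolve() runs after the pass. Stored
        /// errors are flushed last on every path.
        /// </summary>
        private static void Start_Live_Process()
        {
            // Hard gate: if either check fails nothing is collected and the run is stopped with the
            // critical exit code (the failure text names the admin requirement).
            if (Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin())
            {
                // Guard Count first: ElementAt(0) throws on an empty argument list. Ordinal,
                // case-insensitive compare so the switch matches regardless of thread culture.
                if (Program_Start_Args.Count > 0
                    && string.Equals(Program_Start_Args.ElementAt(0), "-dissolve", StringComparison.OrdinalIgnoreCase)
                    && Settings.CHECK_If_EventLog_Exsits(Settings.SWELF_EventLog_Name) == false
                    && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
                {
                    Settings.CMDLine_Dissolve = true;
                }

                Start_Setup();

                Thread PS_Plugins_Thread = new Thread(() => Start_Run_Plugins());
                PS_Plugins_Thread.IsBackground = true;
                PS_Plugins_Thread.Priority     = ThreadPriority.Lowest;
                PS_Plugins_Thread.Start();

                Thread READ_Local_LogFiles_Thread = new Thread(() => READ_Local_LogFiles());
                READ_Local_LogFiles_Thread.IsBackground = true;
                READ_Local_LogFiles_Thread.Priority     = ThreadPriority.Lowest;
                READ_Local_LogFiles_Thread.Start();

                // Block until the plugin runner has either signalled PS_PluginDone or exited, AND the
                // local log-file reader has exited. Testing !IsAlive here (or the same thread twice)
                // makes the loop exit as soon as a worker is running, after which the Abort() calls
                // below kill both workers before they have read or forwarded anything. Poll every 10 s.
                while ((!Settings.PS_PluginDone && PS_Plugins_Thread.IsAlive) || READ_Local_LogFiles_Thread.IsAlive)
                {
                    Thread.Sleep(10000);
                }

                // Backstop for a plugin thread that set PS_PluginDone but has not returned yet
                // (harmless for a thread that has already finished). NOTE: Thread.Abort is only
                // supported on .NET Framework; on .NET Core / .NET 5+ it throws
                // PlatformNotSupportedException.
                PS_Plugins_Thread.Abort();
                READ_Local_LogFiles_Thread.Abort();

                Start_Read_Search_Write_Forward_EventLogs();

                Start_Send_File_Based_Logs();

                Write_HashFile_IPsFile();
            }
            else
            {
                Settings.Stop(Settings.SWELF_CRIT_ERROR_EXIT_CODE, "Sec_Checks.Pre_Run_Sec_Checks() && Sec_Checks.CHECK_If_Running_as_Admin()", "FAILED Sec_Checks.Pre_Run_Sec_Checks() SWELF not running as local admin.", "");
            }
            // CMDLine_Dissolve is only ever set inside the successful branch above.
            if (Settings.CMDLine_Dissolve)
            {
                Settings.Dissolve();
            }
            // Flush whatever was logged during the run, whichever branch was taken.
            Error_Operation.WRITE_Stored_Errors();
        }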
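        /// <summary>
        /// Threaded read/search/forward pass over every event log that has a place-keeper entry.
        /// Runs the pre-live security checks, then launches one worker per log (by index) via
        /// Start_Threaded_Search, keeping at most Settings.Max_Thread_Count in flight (clamped to a
        /// minimum of 1), waits for all workers to drain and hands the matches to
        /// Start_Output_Post_Run. Logs a warning when the list is empty.
        /// Progress is tracked through the shared counters Settings.Total_Threads_Run and
        /// Settings.Running_Thread_Count; nothing in this method changes them, so they are
        /// presumably advanced by the workers — confirm against Start_Threaded_Search.
        /// </summary>
        private static void Start_Read_Search_Write_Forward_EventLogs()
        {
            if (Settings.Max_Thread_Count < 1)
            {
                Settings.Max_Thread_Count = 1;
            }
            if (Settings.EventLog_w_PlaceKeeper_List.Count > 0)
            {
                Sec_Checks.Pre_Live_Run_Sec_Checks();

                while (Settings.Total_Threads_Run < Settings.EventLog_w_PlaceKeeper_List.Count)//READ and Search
                {
                    // Capture the index now. A lambda that reads Settings.Total_Threads_Run directly
                    // evaluates it only when the worker actually runs, by which time the counter may
                    // have moved on, so one log could be searched twice and another never.
                    int logIndex = Settings.Total_Threads_Run;
                    Thread Search_Thread = new Thread(() => Start_Threaded_Search(logIndex));
                    if ((Settings.Running_Thread_Count < Settings.Max_Thread_Count) || Settings.Total_Threads_Run == 0)//start threads
                    {
                        Search_Thread.IsBackground = true;
                        Search_Thread.Priority     = ThreadPriority.AboveNormal;
                        Search_Thread.Start();
                        Thread.Sleep(100);                                             //wait for thread to start
                    }
                    while (Settings.Running_Thread_Count >= Settings.Max_Thread_Count) //wait for 1 thread to finish when max limit is hit. sleep becuz no work to do while threads work
                    {
                        Thread.Sleep(Settings.Thread_Sleep_Time);
                    }
                    // NOTE(review): this aborts the launcher thread as soon as a slot is free. That is
                    // only harmless if Start_Threaded_Search hands the search off to another thread
                    // and returns; if it does the search on this thread, an in-progress search is
                    // killed here whenever Max_Thread_Count > 1 — confirm. Thread.Abort is also
                    // unsupported on .NET Core / .NET 5+.
                    Search_Thread.Abort();
                    GC.Collect();
                }
                while (Settings.Running_Thread_Count != 0)//wait for started threads to finish
                {
                    Thread.Sleep(Settings.Thread_Sleep_Time);
                }
                Start_Output_Post_Run();
            }
            else
            {
                Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", "Settings.EventLog_w_PlaceKeeper_List.Count is " + Settings.EventLog_w_PlaceKeeper_List.Count, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Warning);
            }
        }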
        /// <summary>
        /// Sequential read/search/forward pass over every event log that has a place-keeper entry:
        /// runs the pre-live security checks, processes each log in list order through
        /// Start_Searching_Logs, then hands the matches to Start_Output_Post_Run. While the
        /// RanToLongTiner flag is set (presumably raised by a watchdog timer when a previous pass
        /// overran — confirm) both the per-log work and the output stage are skipped. Logs a warning
        /// and does nothing else when the list is empty.
        /// </summary>
        private static void Start_Read_Search_Write_Forward_EventLogs()
        {
            if (Settings.EventLog_w_PlaceKeeper_List.Count < 1)
            {
                Error_Operation.Log_Error("Start_Read_Search_Write_Forward_EventLogs()", "Settings.EventLog_w_PlaceKeeper_List.Count is " + Settings.EventLog_w_PlaceKeeper_List.Count, "", Error_Operation.LogSeverity.Warning, Error_Operation.EventID.SWELF_Warning);
                return;
            }

            Sec_Checks.Pre_Live_Run_Sec_Checks();

            // Count is re-read every iteration, as the original loop did.
            for (int logIndex = 0; logIndex < Settings.EventLog_w_PlaceKeeper_List.Count; ++logIndex)
            {
                if (RanToLongTiner)
                {
                    continue;
                }
                Start_Searching_Logs(logIndex);
            }

            if (!RanToLongTiner)
            {
                Start_Output_Post_Run();
            }
        }
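        /// <summary>
        /// Pulls every record of the Windows event log <paramref name="Eventlog_FullName"/> with a
        /// RecordId above <paramref name="RecordID_From_Last_Read"/> through the EventLogReader API,
        /// converts each into an EventLog_Entry and queues it on <paramref name="EventLogName"/>.
        /// The required fields (created time, record id, event id, log name) come straight from the
        /// record; machine name, severity, task and the message body each fall back to an alternate
        /// source rather than failing the record. A record that still cannot be converted is logged
        /// as a warning and skipped; a failure to open or enumerate the log is logged as a
        /// FailureAudit. When the hash or IP extraction options (SWELF_AppConfig_Args[11] / [12])
        /// are on, the global hash and IP lists are de-duplicated at the end.
        /// </summary>
        /// <param name="Eventlog_FullName">Channel name, resolved with PathType.LogName.</param>
        /// <param name="RecordID_From_Last_Read">Place-keeper: records with a RecordId at or below this value are skipped.</param>
        /// <param name="EventLogName">Per-log state object: receives the entries, the missing-log flag and the last record id seen.</param>
        private static void READ_WindowsEventLog_API(string Eventlog_FullName, long RecordID_From_Last_Read, EventLog_File EventLogName)
        {
            try
            {
                EventLogQuery eventsQuery = new EventLogQuery(Eventlog_FullName, PathType.LogName);

                // EventLogReader wraps a native handle; dispose it deterministically instead of
                // leaving one open per log per run until the finalizer gets to it.
                using (EventLogReader EventLogtoReader = new EventLogReader(eventsQuery))
                {
                    EventLog_Entry SWELF_Eventlog;

                    // Presumably each call advances the Windows_EventLog_from_API field to the next
                    // record and returns null at the end of the log — confirm against
                    // GET_EventLogEntry_From_API.
                    while (GET_EventLogEntry_From_API(EventLogtoReader) != null)
                    {
                        try
                        {
                            SWELF_Eventlog = new EventLog_Entry();
                            // Place-keeper filter: only records newer than the last one handled.
                            if (Windows_EventLog_from_API.RecordId.Value > RecordID_From_Last_Read)
                            {
                                SWELF_Eventlog.CreatedTime      = Windows_EventLog_from_API.TimeCreated.Value; //if this doesnt work we have issues that we cant fix
                                SWELF_Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;    //if this doesnt work we have issues that we cant fix
                                SWELF_Eventlog.EventID          = Windows_EventLog_from_API.Id;                //if this doesnt work we have issues that we cant fix
                                SWELF_Eventlog.LogName          = Windows_EventLog_from_API.LogName;
                                try
                                {
                                    SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
                                }
                                catch (Exception)
                                {
                                    SWELF_Eventlog.ComputerName = Settings.ComputerName;
                                }

                                // Severity: level display name, then opcode display name, then the raw level.
                                try
                                {
                                    SWELF_Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
                                }
                                catch (Exception)
                                {
                                    try
                                    {
                                        SWELF_Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
                                    }
                                    catch
                                    {
                                        SWELF_Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();//if this doesnt work we have issues that we cant fix
                                    }
                                }

                                try
                                {
                                    SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
                                }
                                catch (Exception)
                                {
                                    SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;//if this doesnt work we have issues that we cant fix
                                }

                                // Message body: the rendered description, lower-cased for the search
                                // stage, falling back to the raw XML when rendering throws (typically
                                // missing provider message resources). With SWELF_AppConfig_Args[16]
                                // set, a header of the key fields is prepended.
                                // NOTE(review): ToLower() is culture-sensitive; ToLowerInvariant() is the
                                // safer choice if the search terms are lower-cased the same way.
                                try
                                {
                                    if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
                                    {
                                        SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.FormatDescription().ToLower();
                                    }
                                    else
                                    {
                                        SWELF_Eventlog.EventData = Windows_EventLog_from_API.FormatDescription().ToLower();
                                    }
                                }
                                catch (Exception)
                                {
                                    if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]))
                                    {
                                        SWELF_Eventlog.EventData = "CreationDate=" + SWELF_Eventlog.CreatedTime + "\r\nEventLog_Seq_Number=" + SWELF_Eventlog.EventLog_Seq_num + "\r\nEventID=" + SWELF_Eventlog.EventID + "\r\nSeverity=" + SWELF_Eventlog.Severity + "\r\nEventLogName=" + SWELF_Eventlog.LogName + "\r\n\r\n" + Windows_EventLog_from_API.ToXml();
                                    }
                                    else
                                    {
                                        SWELF_Eventlog.EventData = Windows_EventLog_from_API.ToXml();//if this doesnt work we have issues that we cant fix
                                    }
                                }

                                // Raw XML of the record; a marker string is stored when it is unavailable
                                // so downstream consumers never see an empty field.
                                try
                                {
                                    SWELF_Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
                                    if (string.IsNullOrEmpty(SWELF_Eventlog.GET_XML_of_Log))
                                    {
                                        SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml()";
                                    }
                                }
                                catch (Exception)
                                {
                                    SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml() Exception Thrown";
                                }

                                // Best-effort enrichment; neither failure is a reason to drop the record.
                                try
                                {
                                    SWELF_Eventlog.GET_FileHash();
                                }
                                catch (Exception)
                                {
                                    //unable to get file hashs from log
                                }
                                try
                                {
                                    SWELF_Eventlog.GET_IP_FromLogFile();
                                }
                                catch (Exception)
                                {
                                    //unable to get IP values from log
                                }

                                // Gap detection: a failure of the check itself is treated as "missing",
                                // i.e. it errs on the side of raising the flag.
                                try
                                {
                                    EventLogName.EventlogMissing = Sec_Checks.CHECK_If_EventLog_Missing(EventLogName, SWELF_Eventlog);
                                }
                                catch (Exception)
                                {
                                    EventLogName.EventlogMissing = true;
                                }

                                try
                                {
                                    EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = Windows_EventLog_from_API.RecordId.Value;
                                }
                                catch (Exception)
                                {
                                    EventLogName.ID_Number_Of_Individual_log_Entry_EVENTLOG = 0;
                                }
                                EventLogName.Enqueue_Log(SWELF_Eventlog);
                            }
                        }
                        catch (Exception e)
                        {
                            Error_Operation.Log_Error("INDEX_Record_FROM_API() Missing Event Log(s) Due To Exception with log format while reading in eventlogs.", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                            MissingLogInFileDueToException = true;
                        }
                    }
                }

                try
                {
                    if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
                    {
                        // Collapse duplicates in place. AddRange(list.Distinct()) appends the distinct
                        // set to the very list it came from, doubling it on every read instead of
                        // de-duplicating it. The lock only serialises concurrent callers of this
                        // method; NOTE(review): the per-entry writers (GET_IP_FromLogFile /
                        // GET_FileHash) would need to lock on the same lists for this to be complete.
                        lock (Settings.IP_List_EVT_Logs)
                        {
                            var distinctIPs = Settings.IP_List_EVT_Logs.Distinct().ToList();
                            Settings.IP_List_EVT_Logs.Clear();
                            Settings.IP_List_EVT_Logs.AddRange(distinctIPs);
                        }
                        lock (Settings.Hashs_From_EVT_Logs)
                        {
                            var distinctHashes = Settings.Hashs_From_EVT_Logs.Distinct().ToList();
                            Settings.Hashs_From_EVT_Logs.Clear();
                            Settings.Hashs_From_EVT_Logs.AddRange(distinctHashes);
                        }
                    }
                }
                catch (Exception e)
                {
                    Error_Operation.Log_Error("Settings.IP_List_EVT_Logs.AddRange() OR Settings.Hashs_From_EVT_Logs.AddRange()", e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }
                // NOTE(review): this unconditionally clears the flag that the per-record catch above
                // sets, so a skipped record is not visible to the caller once the loop completes —
                // confirm whether that is intended.
                MissingLogInFileDueToException = false;
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("READ_WindowsEventLog_API() Missing All Event Log(s) Due To Exception. ", "EventLog='" + Eventlog_FullName + "' " + e.Message.ToString() + " " + Eventlog_FullName + " " + RecordID_From_Last_Read + " " + EventLogName.First_EventLogID_From_Check + " " + EventLogName.Last_EventLogID_From_Check + " " + EventLogName.Contents_of_EventLog.Count, e.StackTrace.ToString(), Error_Operation.LogSeverity.FailureAudit);
                MissingLogInFileDueToException = true;
            }
        }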