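/// <summary>
/// Fills <c>r.Datetime</c> from the record header's TimeWritten field (seconds since the
/// Unix epoch), shifted by a fixed +120 minute offset and rendered as "yyyy/MM/dd HH:mm:ss".
/// On any failure the raw TimeWritten value is preserved in <c>r.CustomInt1</c> so the
/// timestamp is not lost, and the exception is written to the file log.
/// </summary>
/// <param name="r">Record being built; either Datetime or CustomInt1 is written.</param>
/// <param name="recCast">Raw EVENTLOGRECORD header whose TimeWritten is read.</param>
/// <remarks>
/// The previous revision built the string "y/M/d h:m:s.&lt;epoch&gt;" and re-parsed it with
/// Convert.ToDateTime. That parse depends on the current culture (date separator and
/// day/month order), appended the epoch value as bogus fractional seconds, and the final
/// ToString() also substituted the culture's separators for '/' and ':'. The timestamp is
/// now computed directly and formatted with the invariant culture.
/// </remarks>
private void SetDateTime(ref Rec r, EVENTLOGRECORD recCast)
{
    // Fixed offset applied to the epoch-based timestamp. Kept as a named constant so the
    // intent is visible; other collectors in this code base use a configurable 'zone'
    // value for the same purpose.
    const int OffsetMinutes = 120;
    try
    {
        // TimeWritten is seconds since 1970-01-01 00:00:00 UTC.
        DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        DateTime d = epoch.AddSeconds(Convert.ToDouble(recCast.TimeWritten)).AddMinutes(OffsetMinutes);
        // Invariant culture so '/' and ':' are emitted literally, not as the
        // current culture's date/time separators.
        r.Datetime = d.ToString("yyyy/MM/dd HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);
    }
    catch (Exception ex)
    {
        // AddSeconds throws ArgumentOutOfRangeException for values outside DateTime's
        // range; keep the raw value rather than dropping the timestamp entirely.
        r.CustomInt1 = recCast.TimeWritten;
        Log.Log(LogType.FILE, LogLevel.ERROR, " SetDateTime() -->> An error occurred." + ex.ToString());
    }
}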
/// <summary>
/// One collection pass over the legacy Windows event log named by Dir on remoteHost.
/// Each ReadEventLog() buffer is walked record by record; every record whose RecordNumber
/// differs from Position is turned into a Rec (timestamp, event id/type, source, computer,
/// insertion strings, formatted description) and handed to SetRecordData().
/// All failures are logged; nothing is thrown to the caller.
/// </summary>
/// <remarks>
/// NOTE(review): this variant never assigns Position = recCast.RecordNumber (the other
/// Parse() variants in this listing do so right before SetRegistry()). Unless
/// SetRecordData()/SetRegistry() advance Position elsewhere, the persisted checkpoint
/// never moves and, with EVENTLOG_SEEK_READ, every ReadEventLog() call re-reads from the
/// same record — confirm against those helpers.
/// </remarks>
public override void Parse()
{
    try
    {
        // Handle to the event log on remoteHost. NOTE(review): the result is not checked;
        // OpenEventLog returns IntPtr.Zero on failure and the read loop below then fails
        // with an error code that the 87 check does not recognise.
        IntPtr handle = OpenEventLog(remoteHost, Dir);
        // Fixed 64 KiB read buffer; ReadEventLog fills it with as many whole records as fit.
        Byte[] output = new byte[65536];
        Int32 bytesRead = 0;
        Int32 minNumberOfBytesNeeded = 0;
        try
        {
            // A zero checkpoint means "start at the oldest record"; otherwise seek to the
            // saved record number and read forwards from there.
            Int32 flags = 0;
            if (Position == 0)
                flags = (Int32)ReadFlags.EVENTLOG_SEQUENTIAL_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
            else
                flags = (Int32)ReadFlags.EVENTLOG_SEEK_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
            // Records processed since the last throttling pause (see maxReadLineCount below).
            Int32 readLineCount = 0;
            while (ReadEventLog(handle, flags, (UInt32)Position, output, output.Length, ref bytesRead, ref minNumberOfBytesNeeded))
            {
                Object rec = new EVENTLOGRECORD();
                // Byte offset of the current record inside 'output'.
                Int32 dw = 0;
                // Set once any record other than the checkpoint record was seen in this buffer.
                bool changed = false;
                while (bytesRead > dw)
                {
                    Rec r = new Rec();
                    // Overlay the fixed-size EVENTLOGRECORD header at offset dw (56 bytes, see below).
                    ByteArrayToStructure(output, dw, ref rec);
                    EVENTLOGRECORD recCast = (EVENTLOGRECORD)rec;
                    // The record at the checkpoint itself was already delivered on a previous pass.
                    if (Position != recCast.RecordNumber)
                    {
                        changed = true;
                        try
                        {
                            // TimeWritten is seconds since the Unix epoch. The date is rendered as
                            // "y/M/d h:m:s.<epoch>" and re-parsed with Convert.ToDateTime, which is
                            // current-culture dependent (date separator, day/month order); the trailing
                            // ".<epoch>" is read as fractional seconds and dropped by the final format.
                            // NOTE(review): d.AddMinutes(zone).ToString(fmt, CultureInfo.InvariantCulture)
                            // would avoid both the culture dependence and the bogus fraction.
                            DateTime d = new DateTime(1970, 1, 1, 0, 0, 0).AddSeconds(Convert.ToDouble(recCast.TimeWritten));
                            r.Datetime = d.Year + "/" + d.Month + "/" + d.Day + " " + d.Hour + ":" + d.Minute + ":" + d.Second + "." + recCast.TimeWritten;
                            // 'zone' is the collector's minute offset applied to the epoch-based time.
                            r.Datetime = Convert.ToDateTime(r.Datetime).AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
                        }
                        catch
                        {
                            // Keep the raw epoch value so the timestamp is not lost entirely.
                            r.CustomInt1 = recCast.TimeWritten;
                        }
                        //r.EventId = recCast.EventID;
                        r.EventId = returneventid(recCast.EventID);
                        Log.Log(LogType.FILE, LogLevel.INFORM, "Event_Id :" + r.EventId);
                        r.EventType = ((EventType)(recCast.EventType)).ToString();
                        //r.EventCategory = recCast.EventCategory.ToString();
                        r.LogName = "NT-" + Dir;
                        r.Recordnum = recCast.RecordNumber;
                        IntPtr ptr = IntPtr.Zero;
                        // SourceName is the NUL-terminated string that immediately follows the 56-byte
                        // header (hence dw + 56). The remainder of the buffer is copied to unmanaged
                        // memory only so PtrToStringAnsi can stop at the first NUL.
                        // NOTE(review): AllocHGlobal has no matching finally, so a throwing Marshal.Copy
                        // (total > bytesRead on a malformed record) leaks the block, and the empty catch
                        // hides the failure. PtrToStringAnsi also scans for a NUL that the copied bytes
                        // are not guaranteed to contain.
                        String SourceName = "";
                        try
                        {
                            ptr = Marshal.AllocHGlobal(bytesRead);
                            Int32 total = dw + 56;
                            Marshal.Copy(output, total, ptr, bytesRead - total); //56 struct size
                            SourceName = Marshal.PtrToStringAnsi(ptr);
                            Marshal.FreeHGlobal(ptr);
                        }
                        catch { }
                        r.SourceName = SourceName;
                        //r.EventCategory = GetString((UInt32)recCast.EventCategory, r.SourceName, "CategoryMessageFile", new List<String>());
                        r.EventCategory = recCast.EventCategory.ToString();
                        // ComputerName follows SourceName's terminating NUL (dw + 56 + length + 1).
                        // The arithmetic assumes one byte per character, i.e. the ANSI ReadEventLog
                        // variant — TODO confirm against the DllImport declaration.
                        String ComputerName = "";
                        try
                        {
                            ptr = Marshal.AllocHGlobal(bytesRead);
                            Int32 total = dw + 57 + SourceName.Length;
                            Marshal.Copy(output, total, ptr, bytesRead - total);
                            ComputerName = Marshal.PtrToStringAnsi(ptr);
                            Marshal.FreeHGlobal(ptr);
                        }
                        catch { }
                        r.ComputerName = ComputerName;
                        // Insertion strings: NumStrings consecutive NUL-terminated strings starting at
                        // StringOffset (relative to the record start). Both values come straight from
                        // the log record, i.e. from whoever wrote the event.
                        // NOTE(review): no check that 'offset' stays within bytesRead; an out-of-range
                        // StringOffset makes Marshal.Copy throw out of the loop with 'ptr' unfreed and
                        // aborts the whole pass. Each iteration also allocates a full bytesRead block.
                        List<String> lst = new List<String>();
                        Int32 offset = dw + recCast.StringOffset;
                        for (Int32 i = 0; i < recCast.NumStrings; i++)
                        {
                            ptr = Marshal.AllocHGlobal(bytesRead);
                            Marshal.Copy(output, offset, ptr, bytesRead - offset);
                            String str = Marshal.PtrToStringAnsi(ptr);
                            lst.Add(str);
                            Marshal.FreeHGlobal(ptr);
                            offset += str.Length + 1;
                        }
                        // Resolve the message template from the source's EventMessageFile, substitute
                        // the insertion strings, then let setRecParse() extract fields from the text.
                        try
                        {
                            r.Description = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile", lst);
                            r = setRecParse(r, r.Description);
                        }
                        catch (Exception e)
                        {
                            Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                        }
                        /*if (lst.Count > 0) r.CustomStr1 = lst[0]; if (lst.Count > 1) r.CustomStr2 = lst[1]; if (lst.Count > 2) r.CustomStr3 = lst[2]; if (lst.Count > 3) r.CustomStr4 = lst[3]; if (lst.Count > 4) r.CustomStr5 = lst[4]; if (lst.Count > 5) r.CustomStr6 = lst[5]; if (lst.Count > 6) r.CustomStr7 = lst[6]; if (lst.Count > 7) r.CustomStr8 = lst[7]; if (lst.Count > 8) r.CustomStr9 = lst[8]; if (lst.Count > 9) r.CustomStr10 = lst[9]; if (lst.Count > 10) { if (lst.Count > 11) { for (Int32 i = 10; i < lst.Count; i++) r.Description += lst[i] + " "; r.Description = r.Description.Trim(); } else { r.Description = lst[10]; } } else r.Description = "";*/
                        /*if (lst.Count > 6) r.Description = lst[6]; else if (lst.Count != 0) r.Description = lst[0]; else r.Description = "";*/
                        // Persist state, then emit the record.
                        SetRegistry();
                        SetRecordData(r);
                    }
                    // Throttle: after maxReadLineCount records pause for threadSleepTime ms
                    // (60 s when unset) while still holding the log handle. -1 disables it.
                    if (maxReadLineCount != -1)
                    {
                        readLineCount++;
                        if (readLineCount > maxReadLineCount)
                        {
                            if (threadSleepTime <= 0)
                                Thread.Sleep(60000);
                            else
                                Thread.Sleep(threadSleepTime);
                            readLineCount = 0;
                        }
                    }
                    // Advance to the next record. NOTE(review): a record with Length == 0 never
                    // advances dw and spins this loop forever; a cheap guard would prevent that.
                    dw += recCast.Length;
                }
                // A buffer holding only the checkpoint record means nothing new is available.
                if (!changed)
                    break;
            }
        }
        catch (Exception e)
        {
            Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
            Log.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
        }
        // Why ReadEventLog() returned false. Only meaningful if the DllImport declares
        // SetLastError = true (not visible here). 87 is ERROR_INVALID_PARAMETER; it is taken
        // as "the log was cleared under us" and the checkpoint is reset so the next pass
        // starts from the oldest record.
        Int32 error = Marshal.GetLastWin32Error();
        if (error == 87)
        {
            Log.Log(LogType.FILE, LogLevel.ERROR, "Win Error on parse, probably eventlog cleared. Error code(" + error + ")");
            Log.Log(LogType.FILE, LogLevel.ERROR, "Starting from begining.");
            Position = 0;
            SetRegistry();
        }
        // NOTE(review): not in a finally; an exception escaping the catch above (e.g. from
        // Log.Log) would leak the handle.
        CloseEventLog(handle);
    }
    catch (Exception e)
    {
        // Last-resort handler. NOTE(review): this writes to the console rather than Log.Log,
        // so such failures never reach the file log.
        Console.WriteLine(e);
    }
}
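/// <summary>
/// One collection pass over the legacy Windows event log named by Dir on remoteHost.
/// Each ReadEventLog() buffer is walked record by record; every record whose RecordNumber
/// differs from the saved Position gets its timestamp (SetDateTime) and source name
/// (GetSourceName). Only records from source "hmbs" are fully decoded: the first insertion
/// string at StringOffset is handed to PrivateParse() and the result to SetRecordData().
/// Position is advanced to every record seen (hmbs or not) and persisted via SetRegistry().
/// Failures are logged; nothing propagates to the caller.
/// </summary>
/// <remarks>
/// Changes from the previous revision: the unmanaged block used to read the insertion string
/// is now released in a finally (it was never freed, leaking bytesRead bytes per hmbs record)
/// and is NUL-terminated so PtrToStringAnsi cannot scan past it; StringOffset is range-checked
/// before Marshal.Copy so a malformed record is logged and skipped instead of aborting the
/// pass with the checkpoint stuck on it; a record whose Length is 0 ends the buffer walk
/// instead of spinning forever; a failed OpenEventLog() is logged and the pass ends early;
/// the log handle is closed in a finally; the source-name comparison is culture-independent.
/// </remarks>
public override void Parse()
{
    Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> is STARTED ");
    IntPtr handle = OpenEventLog(remoteHost, Dir);
    if (handle == IntPtr.Zero)
    {
        // OpenEventLog returns NULL on failure; without this check the read loop below fails
        // immediately and the 87 check reports a misleading cause. The error code is only
        // meaningful if the DllImport declares SetLastError = true.
        Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> OpenEventLog failed for log '" + Dir + "'. Error code(" + Marshal.GetLastWin32Error() + ")");
        return;
    }
    // Fixed 64 KiB read buffer; ReadEventLog fills it with as many whole records as fit.
    Byte[] output = new byte[65536];
    Int32 bytesRead = 0;
    Int32 minNumberOfBytesNeeded = 0;
    try
    {
        try
        {
            // A zero checkpoint means "start at the oldest record"; otherwise seek to the
            // saved record number and read forwards from there.
            Int32 flags = 0;
            if (Position == 0)
            {
                flags = (Int32)ReadFlags.EVENTLOG_SEQUENTIAL_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
            }
            else
            {
                flags = (Int32)ReadFlags.EVENTLOG_SEEK_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
            }
            // Records processed since the last throttling pause (see maxReadLineCount below).
            Int32 readLineCount = 0;
            while (ReadEventLog(handle, flags, (UInt32)Position, output, output.Length, ref bytesRead, ref minNumberOfBytesNeeded))
            {
                Object rec = new EVENTLOGRECORD();
                // Byte offset of the current record inside 'output'.
                Int32 dw = 0;
                // Set once any record other than the checkpoint record was seen in this buffer.
                bool changed = false;
                while (bytesRead > dw)
                {
                    Rec r = new Rec();
                    // Overlay the fixed-size EVENTLOGRECORD header at offset dw.
                    ByteArrayToStructure(output, dw, ref rec);
                    EVENTLOGRECORD recCast = (EVENTLOGRECORD)rec;
                    if (recCast.Length <= 0)
                    {
                        // Length comes from the log itself; a zero value would never advance dw
                        // and the walk would spin forever. Give up on this buffer.
                        Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> Record with non-positive length at buffer offset " + dw + "; rest of buffer skipped.");
                        break;
                    }
                    // The record at the checkpoint itself was already delivered on a previous pass.
                    if (Position != recCast.RecordNumber)
                    {
                        changed = true;
                        IntPtr ptr = IntPtr.Zero;
                        SetDateTime(ref r, recCast);
                        r.SourceName = GetSourceName(ptr, bytesRead, dw, output);
                        Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> Event log source name is : " + r.SourceName);
                        // Ordinal, case-insensitive match; also tolerates a null source name
                        // (previously ToLower() would have thrown and aborted the pass).
                        if (String.Equals(r.SourceName, "hmbs", StringComparison.OrdinalIgnoreCase))
                        {
                            r.ComputerName = GetComputerName(ptr, bytesRead, dw, output, r.SourceName.Length);
                            // Insertion strings start at StringOffset, relative to the record start.
                            // The offset is untrusted (it is whatever was written into the log).
                            Int32 offset = dw + recCast.StringOffset;
                            if (offset < 0 || offset > bytesRead)
                            {
                                Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> StringOffset out of range for record " + recCast.RecordNumber + "; record skipped.");
                            }
                            else
                            {
                                // Copy the tail of the buffer to unmanaged memory so PtrToStringAnsi
                                // can stop at the first NUL. One extra byte is allocated and zeroed so
                                // the scan is bounded even if the record carries no terminator.
                                Int32 length = bytesRead - offset;
                                String str;
                                ptr = Marshal.AllocHGlobal(length + 1);
                                try
                                {
                                    Marshal.Copy(output, offset, ptr, length);
                                    Marshal.WriteByte(ptr, length, 0);
                                    str = Marshal.PtrToStringAnsi(ptr);
                                }
                                finally
                                {
                                    Marshal.FreeHGlobal(ptr);
                                }
                                PrivateParse(ref r, str);
                                SetRecordData(r);
                            }
                        }
                        // Checkpoint every record seen, not only hmbs ones, so skipped records
                        // are not re-read on the next pass.
                        Position = recCast.RecordNumber;
                        SetRegistry();
                    }
                    // Throttle: after maxReadLineCount records pause for threadSleepTime ms
                    // (60 s when unset) while still holding the log handle. -1 disables it.
                    if (maxReadLineCount != -1)
                    {
                        readLineCount++;
                        if (readLineCount > maxReadLineCount)
                        {
                            if (threadSleepTime <= 0)
                            {
                                Thread.Sleep(60000);
                            }
                            else
                            {
                                Thread.Sleep(threadSleepTime);
                            }
                            readLineCount = 0;
                        }
                    }
                    // Advance to the next record.
                    dw += recCast.Length;
                }
                // A buffer holding only the checkpoint record means nothing new is available.
                if (!changed)
                {
                    break;
                }
            }
            Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> is successfully FINISHED. ");
        }
        catch (Exception e)
        {
            Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> An error occurred : " + e.Message);
            Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> An error occurred : " + e.StackTrace);
        }
        // Why ReadEventLog() returned false. Only meaningful if the DllImport declares
        // SetLastError = true (not visible here). 87 is ERROR_INVALID_PARAMETER; it is taken
        // as "the log was cleared under us" and the checkpoint is reset so the next pass
        // starts from the oldest record.
        Int32 error = Marshal.GetLastWin32Error();
        if (error == 87)
        {
            Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> Win Error on parse, probably eventlog cleared. Error code(" + error + ")");
            Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> Starting from begining.");
            Position = 0;
            SetRegistry();
        }
    }
    finally
    {
        // Always release the log handle, even if logging in the catch block throws.
        CloseEventLog(handle);
    }
}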
/// <summary>
/// One collection pass over the legacy Windows event log named by Dir on remoteHost.
/// Each ReadEventLog() buffer is walked record by record; every record whose RecordNumber
/// differs from Position is turned into a Rec (timestamp, event id/type, source, computer,
/// insertion strings, formatted description). The formatted description is additionally
/// split on ':' and sliced positionally into CustomInt1..8 / CustomStr1..9 (field names
/// suggest a SQL Server audit-style message — TODO confirm against the message template).
/// Position is then advanced to the record, persisted via SetRegistry(), and the record
/// handed to SetRecordData(). All failures are logged; nothing is thrown to the caller.
/// </summary>
public override void Parse()
{
    // Handle to the event log on remoteHost. NOTE(review): the result is not checked;
    // OpenEventLog returns IntPtr.Zero on failure and the read loop below then fails with an
    // error code that the 87 check does not recognise.
    IntPtr handle = OpenEventLog(remoteHost, Dir);
    // Fixed 64 KiB read buffer; ReadEventLog fills it with as many whole records as fit.
    Byte[] output = new byte[65536];
    Int32 bytesRead = 0;
    Int32 minNumberOfBytesNeeded = 0;
    try
    {
        // A zero checkpoint means "start at the oldest record"; otherwise seek to the saved
        // record number and read forwards from there.
        Int32 flags = 0;
        if (Position == 0)
            flags = (Int32)ReadFlags.EVENTLOG_SEQUENTIAL_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
        else
            flags = (Int32)ReadFlags.EVENTLOG_SEEK_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
        // Records processed since the last throttling pause (see maxReadLineCount below).
        Int32 readLineCount = 0;
        while (ReadEventLog(handle, flags, (UInt32)Position, output, output.Length, ref bytesRead, ref minNumberOfBytesNeeded))
        {
            Object rec = new EVENTLOGRECORD();
            // Byte offset of the current record inside 'output'.
            Int32 dw = 0;
            // Set once any record other than the checkpoint record was seen in this buffer.
            bool changed = false;
            while (bytesRead > dw)
            {
                Rec r = new Rec();
                // Overlay the fixed-size EVENTLOGRECORD header at offset dw (56 bytes, see below).
                ByteArrayToStructure(output, dw, ref rec);
                EVENTLOGRECORD recCast = (EVENTLOGRECORD)rec;
                // The record at the checkpoint itself was already delivered on a previous pass.
                if (Position != recCast.RecordNumber)
                {
                    changed = true;
                    try
                    {
                        // TimeWritten is seconds since the Unix epoch. The date is rendered as
                        // "y/M/d h:m:s.<epoch>" and re-parsed with Convert.ToDateTime, which is
                        // current-culture dependent (date separator, day/month order); the trailing
                        // ".<epoch>" is read as fractional seconds and dropped by the final format.
                        // NOTE(review): d.AddMinutes(zone).ToString(fmt, CultureInfo.InvariantCulture)
                        // would avoid both the culture dependence and the bogus fraction.
                        DateTime d = new DateTime(1970, 1, 1, 0, 0, 0).AddSeconds(Convert.ToDouble(recCast.TimeWritten));
                        r.Datetime = d.Year + "/" + d.Month + "/" + d.Day + " " + d.Hour + ":" + d.Minute + ":" + d.Second + "." + recCast.TimeWritten;
                        // 'zone' is the collector's minute offset applied to the epoch-based time.
                        r.Datetime = Convert.ToDateTime(r.Datetime).AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
                    }
                    catch
                    {
                        // Keep the raw epoch value so the timestamp is not lost entirely.
                        r.CustomInt1 = recCast.TimeWritten;
                    }
                    //r.EventId = recCast.EventID;
                    r.EventId = returneventid(recCast.EventID);
                    Log.Log(LogType.FILE, LogLevel.INFORM, "Event_Id :" + r.EventId);
                    r.EventType = ((EventType)(recCast.EventType)).ToString();
                    //r.EventCategory = recCast.EventCategory.ToString();
                    r.LogName = "NT-" + Dir;
                    r.Recordnum = recCast.RecordNumber;
                    IntPtr ptr = IntPtr.Zero;
                    // SourceName is the NUL-terminated string that immediately follows the 56-byte
                    // header (hence dw + 56). The remainder of the buffer is copied to unmanaged
                    // memory only so PtrToStringAnsi can stop at the first NUL.
                    // NOTE(review): AllocHGlobal has no matching finally, so a throwing Marshal.Copy
                    // (total > bytesRead on a malformed record) leaks the block, and the empty catch
                    // hides the failure. PtrToStringAnsi also scans for a NUL that the copied bytes
                    // are not guaranteed to contain.
                    String SourceName = "";
                    try
                    {
                        ptr = Marshal.AllocHGlobal(bytesRead);
                        Int32 total = dw + 56;
                        Marshal.Copy(output, total, ptr, bytesRead - total); //56 struct size
                        SourceName = Marshal.PtrToStringAnsi(ptr);
                        Marshal.FreeHGlobal(ptr);
                    }
                    catch { }
                    r.SourceName = SourceName;
                    //r.EventCategory = GetString((UInt32)recCast.EventCategory, r.SourceName, "CategoryMessageFile", new List<String>());
                    r.EventCategory = recCast.EventCategory.ToString();
                    // ComputerName follows SourceName's terminating NUL (dw + 56 + length + 1).
                    // The arithmetic assumes one byte per character, i.e. the ANSI ReadEventLog
                    // variant — TODO confirm against the DllImport declaration.
                    String ComputerName = "";
                    try
                    {
                        ptr = Marshal.AllocHGlobal(bytesRead);
                        Int32 total = dw + 57 + SourceName.Length;
                        Marshal.Copy(output, total, ptr, bytesRead - total);
                        ComputerName = Marshal.PtrToStringAnsi(ptr);
                        Marshal.FreeHGlobal(ptr);
                    }
                    catch { }
                    r.ComputerName = ComputerName;
                    // Insertion strings: NumStrings consecutive NUL-terminated strings starting at
                    // StringOffset (relative to the record start). Both values come straight from
                    // the log record, i.e. from whoever wrote the event.
                    // NOTE(review): no check that 'offset' stays within bytesRead; an out-of-range
                    // StringOffset makes Marshal.Copy throw out of the loop with 'ptr' unfreed and
                    // aborts the whole pass before Position is advanced, so the same record is hit
                    // again on the next pass. Each iteration also allocates a full bytesRead block.
                    List<String> lst = new List<String>();
                    Int32 offset = dw + recCast.StringOffset;
                    for (Int32 i = 0; i < recCast.NumStrings; i++)
                    {
                        ptr = Marshal.AllocHGlobal(bytesRead);
                        Marshal.Copy(output, offset, ptr, bytesRead - offset);
                        String str = Marshal.PtrToStringAnsi(ptr);
                        lst.Add(str);
                        Marshal.FreeHGlobal(ptr);
                        offset += str.Length + 1;
                    }
                    try
                    {
                        // Resolve the message template from the source's EventMessageFile and
                        // substitute the insertion strings. NOTE(review): GetString is called twice
                        // with identical arguments; 'line' is the same text as r.Description.
                        r.Description = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile", lst);
                        string line = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile", lst);
                        // Positional extraction: the message is split on ':' and fixed indexes are
                        // sliced with hard-coded character counts. This only holds for one exact
                        // message layout; any change in wording shifts every field.
                        // NOTE(review): the guard checks DescArr.Length > 20 but indexes up to [28];
                        // a message with 21..28 fields throws IndexOutOfRangeException into the catch
                        // below, and setRecParse() is then skipped too. The text copied into
                        // CustomStr8 ('statement') is whatever the audited client sent; downstream
                        // consumers must treat it as untrusted input.
                        string[] DescArr = line.Split(':');
                        if ((r.EventId != 0) && (DescArr.Length > 20))
                        {
                            // Numeric fields: take the leading digits before the next keyword.
                            string[] sequence_number = DescArr[5].Split('a');
                            r.CustomInt1 = Convert.ToInt32(sequence_number[0]);
                            string[] bitmask = DescArr[8].Split('i');
                            r.CustomInt2 = Convert.ToInt32(bitmask[0]);
                            string[] session = DescArr[10].Split('s');
                            r.CustomInt3 = Convert.ToInt32(session[0]);
                            string[] server = DescArr[11].Split('d');
                            r.CustomInt4 = Convert.ToInt32(server[0]);
                            string[] data_base = DescArr[12].Split('t');
                            r.CustomInt5 = Convert.ToInt32(data_base[0]);
                            string[] target_server = DescArr[13].Split('t');
                            r.CustomInt6 = Convert.ToInt32(target_server[0]);
                            string[] target_database = DescArr[14].Split('o');
                            r.CustomInt7 = Convert.ToInt32(target_database[0]);
                            string[] object_id = DescArr[15].Split('c');
                            r.CustomInt8 = Convert.ToInt32(object_id[0]);
                            // String fields: strip the trailing label of the following field by
                            // a fixed character count.
                            string server_principal_name = DescArr[18].Substring(0, DescArr[18].Length - 20);
                            r.CustomStr1 = server_principal_name;
                            string server_principal_sid = DescArr[19].Substring(0, DescArr[19].Length - 23);
                            r.CustomStr3 = server_principal_sid;
                            string database_principal_name = DescArr[20].Substring(0, DescArr[20].Length - 28);
                            r.CustomStr2 = database_principal_name;
                            string target_server_principal_name = DescArr[21].Substring(0, DescArr[21].Length - 27);
                            r.CustomStr1 += " " + target_server_principal_name;
                            string target_server_principal_sid = DescArr[22].Substring(0, DescArr[22].Length - 30);
                            r.CustomStr2 += " " + target_server_principal_sid;
                            string server_instance_name = DescArr[24].Substring(0, DescArr[24].Length - 13);
                            r.CustomStr4 = server_instance_name;
                            string database_name = DescArr[25].Substring(0, DescArr[25].Length - 11);
                            r.CustomStr5 = database_name;
                            string schema_name = DescArr[26].Substring(0, DescArr[26].Length - 11);
                            r.CustomStr6 = schema_name;
                            string object_name = DescArr[27].Substring(0, DescArr[27].Length - 9);
                            r.CustomStr7 = object_name;
                            string statement = DescArr[28].Substring(0, DescArr[28].Length - 22);
                            r.CustomStr8 = statement;
                            // Fifth ')'-delimited piece of the statement field; presumably the
                            // "additional information" part — verify against a sample message.
                            string[] additional = DescArr[28].Split(')');
                            r.CustomStr9 = additional[4];
                            string[] action = DescArr[6].Split(' ');
                            r.EventType += " " + action[0];
                            string succeeded = DescArr[7].Substring(0, DescArr[7].Length - 18);
                            r.EventCategory += " " + succeeded;
                            Log.Log(LogType.FILE, LogLevel.INFORM, "Parsing successful :");
                        }
                        r = setRecParse(r, r.Description);
                    }
                    catch (Exception e)
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
                    }
                    /*if (lst.Count > 0) r.CustomStr1 = lst[0]; if (lst.Count > 1) r.CustomStr2 = lst[1]; if (lst.Count > 2) r.CustomStr3 = lst[2]; if (lst.Count > 3) r.CustomStr4 = lst[3]; if (lst.Count > 4) r.CustomStr5 = lst[4]; if (lst.Count > 5) r.CustomStr6 = lst[5]; if (lst.Count > 6) r.CustomStr7 = lst[6]; if (lst.Count > 7) r.CustomStr8 = lst[7]; if (lst.Count > 8) r.CustomStr9 = lst[8]; if (lst.Count > 9) r.CustomStr10 = lst[9]; if (lst.Count > 10) { if (lst.Count > 11) { for (Int32 i = 10; i < lst.Count; i++) r.Description += lst[i] + " "; r.Description = r.Description.Trim(); } else { r.Description = lst[10]; } } else r.Description = "";*/
                    /*if (lst.Count > 6) r.Description = lst[6]; else if (lst.Count != 0) r.Description = lst[0]; else r.Description = "";*/
                    // Checkpoint this record, persist it, then emit it.
                    Position = recCast.RecordNumber;
                    SetRegistry();
                    SetRecordData(r);
                }
                // Throttle: after maxReadLineCount records pause for threadSleepTime ms
                // (60 s when unset) while still holding the log handle. -1 disables it.
                if (maxReadLineCount != -1)
                {
                    readLineCount++;
                    if (readLineCount > maxReadLineCount)
                    {
                        if (threadSleepTime <= 0)
                            Thread.Sleep(60000);
                        else
                            Thread.Sleep(threadSleepTime);
                        readLineCount = 0;
                    }
                }
                // Advance to the next record. NOTE(review): a record with Length == 0 never
                // advances dw and spins this loop forever; a cheap guard would prevent that.
                dw += recCast.Length;
            }
            // A buffer holding only the checkpoint record means nothing new is available.
            if (!changed)
                break;
        }
    }
    catch (Exception e)
    {
        Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
        Log.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
    }
    // Why ReadEventLog() returned false. Only meaningful if the DllImport declares
    // SetLastError = true (not visible here). 87 is ERROR_INVALID_PARAMETER; it is taken as
    // "the log was cleared under us" and the checkpoint is reset so the next pass starts
    // from the oldest record.
    Int32 error = Marshal.GetLastWin32Error();
    if (error == 87)
    {
        Log.Log(LogType.FILE, LogLevel.ERROR, "Win Error on parse, probably eventlog cleared. Error code(" + error + ")");
        Log.Log(LogType.FILE, LogLevel.ERROR, "Starting from begining.");
        Position = 0;
        SetRegistry();
    }
    // NOTE(review): not in a finally; an exception escaping the catch above (e.g. from
    // Log.Log) would leak the handle.
    CloseEventLog(handle);
}