private void SetDateTime(ref Rec r, EVENTLOGRECORD recCast)
{
try
{
DateTime d = new DateTime(1970, 1, 1, 0, 0, 0).AddSeconds(Convert.ToDouble(recCast.TimeWritten));
r.Datetime = d.Year + "/" + d.Month + "/" + d.Day + " " + d.Hour + ":" + d.Minute + ":" + d.Second + "." + recCast.TimeWritten;
r.Datetime = Convert.ToDateTime(r.Datetime).AddMinutes(120).ToString("yyyy/MM/dd HH:mm:ss");
}
catch (Exception ex)
{
r.CustomInt1 = recCast.TimeWritten;
Log.Log(LogType.FILE, LogLevel.ERROR, " SetDateTime() -->> An error occurred." + ex.ToString());
}
}
public override void Parse()
{
try
{
IntPtr handle = OpenEventLog(remoteHost, Dir);
Byte[] output = new byte[65536];
Int32 bytesRead = 0;
Int32 minNumberOfBytesNeeded = 0;
try
{
Int32 flags = 0;
if (Position == 0)
flags = (Int32)ReadFlags.EVENTLOG_SEQUENTIAL_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
else
flags = (Int32)ReadFlags.EVENTLOG_SEEK_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
Int32 readLineCount = 0;
while (ReadEventLog(handle, flags, (UInt32)Position, output, output.Length, ref bytesRead,
ref minNumberOfBytesNeeded))
{
Object rec = new EVENTLOGRECORD();
Int32 dw = 0;
bool changed = false;
while (bytesRead > dw)
{
Rec r = new Rec();
ByteArrayToStructure(output, dw, ref rec);
EVENTLOGRECORD recCast = (EVENTLOGRECORD)rec;
if (Position != recCast.RecordNumber)
{
changed = true;
try
{
DateTime d =
new DateTime(1970, 1, 1, 0, 0, 0).AddSeconds(
Convert.ToDouble(recCast.TimeWritten));
r.Datetime = d.Year + "/" + d.Month + "/" + d.Day + " " + d.Hour + ":" + d.Minute +
":" + d.Second + "." + recCast.TimeWritten;
r.Datetime =
Convert.ToDateTime(r.Datetime).AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
}
catch
{
r.CustomInt1 = recCast.TimeWritten;
}
//r.EventId = recCast.EventID;
r.EventId = returneventid(recCast.EventID);
Log.Log(LogType.FILE, LogLevel.INFORM, "Event_Id :" + r.EventId);
r.EventType = ((EventType)(recCast.EventType)).ToString();
//r.EventCategory = recCast.EventCategory.ToString();
r.LogName = "NT-" + Dir;
r.Recordnum = recCast.RecordNumber;
IntPtr ptr = IntPtr.Zero;
String SourceName = "";
try
{
ptr = Marshal.AllocHGlobal(bytesRead);
Int32 total = dw + 56;
Marshal.Copy(output, total, ptr, bytesRead - total); //56 struct size
SourceName = Marshal.PtrToStringAnsi(ptr);
Marshal.FreeHGlobal(ptr);
}
catch
{
}
r.SourceName = SourceName;
//r.EventCategory = GetString((UInt32)recCast.EventCategory, r.SourceName, "CategoryMessageFile", new List<String>());
r.EventCategory = recCast.EventCategory.ToString();
String ComputerName = "";
try
{
ptr = Marshal.AllocHGlobal(bytesRead);
Int32 total = dw + 57 + SourceName.Length;
Marshal.Copy(output, total, ptr, bytesRead - total);
ComputerName = Marshal.PtrToStringAnsi(ptr);
Marshal.FreeHGlobal(ptr);
}
catch
{
}
r.ComputerName = ComputerName;
List<String> lst = new List<String>();
Int32 offset = dw + recCast.StringOffset;
for (Int32 i = 0; i < recCast.NumStrings; i++)
{
ptr = Marshal.AllocHGlobal(bytesRead);
Marshal.Copy(output, offset, ptr, bytesRead - offset);
String str = Marshal.PtrToStringAnsi(ptr);
lst.Add(str);
Marshal.FreeHGlobal(ptr);
offset += str.Length + 1;
}
try
{
r.Description = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile",
lst);
r = setRecParse(r, r.Description);
}
catch (Exception e)
{
Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
}
/*if (lst.Count > 0)
r.CustomStr1 = lst[0];
if (lst.Count > 1)
r.CustomStr2 = lst[1];
if (lst.Count > 2)
r.CustomStr3 = lst[2];
if (lst.Count > 3)
r.CustomStr4 = lst[3];
if (lst.Count > 4)
r.CustomStr5 = lst[4];
if (lst.Count > 5)
r.CustomStr6 = lst[5];
if (lst.Count > 6)
r.CustomStr7 = lst[6];
if (lst.Count > 7)
r.CustomStr8 = lst[7];
if (lst.Count > 8)
r.CustomStr9 = lst[8];
if (lst.Count > 9)
r.CustomStr10 = lst[9];
if (lst.Count > 10)
{
if (lst.Count > 11)
{
for (Int32 i = 10; i < lst.Count; i++)
r.Description += lst[i] + " ";
r.Description = r.Description.Trim();
}
else
{
r.Description = lst[10];
}
}
else
r.Description = "";*/
/*if (lst.Count > 6)
r.Description = lst[6];
else if (lst.Count != 0)
r.Description = lst[0];
else
r.Description = "";*/
SetRegistry();
SetRecordData(r);
}
if (maxReadLineCount != -1)
{
readLineCount++;
if (readLineCount > maxReadLineCount)
{
if (threadSleepTime <= 0)
Thread.Sleep(60000);
else
Thread.Sleep(threadSleepTime);
readLineCount = 0;
}
}
dw += recCast.Length;
}
if (!changed)
break;
}
}
catch (Exception e)
{
Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
Log.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
}
Int32 error = Marshal.GetLastWin32Error();
if (error == 87)
{
Log.Log(LogType.FILE, LogLevel.ERROR,
"Win Error on parse, probably eventlog cleared. Error code(" + error + ")");
Log.Log(LogType.FILE, LogLevel.ERROR, "Starting from begining.");
Position = 0;
SetRegistry();
}
CloseEventLog(handle);
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
public override void Parse()
{
Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> is STARTED ");
IntPtr handle = OpenEventLog(remoteHost, Dir);
Byte[] output = new byte[65536];
Int32 bytesRead = 0;
Int32 minNumberOfBytesNeeded = 0;
try
{
Int32 flags = 0;
if (Position == 0)
{
flags = (Int32)ReadFlags.EVENTLOG_SEQUENTIAL_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
}
else
{
flags = (Int32)ReadFlags.EVENTLOG_SEEK_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
}
Int32 readLineCount = 0;
while (ReadEventLog(handle, flags, (UInt32)Position, output, output.Length, ref bytesRead, ref minNumberOfBytesNeeded))
{
Object rec = new EVENTLOGRECORD();
Int32 dw = 0;
bool changed = false;
while (bytesRead > dw)
{
Rec r = new Rec();
ByteArrayToStructure(output, dw, ref rec);
EVENTLOGRECORD recCast = (EVENTLOGRECORD)rec;
if (Position != recCast.RecordNumber)
{
changed = true;
IntPtr ptr = IntPtr.Zero;
SetDateTime(ref r, recCast);
r.SourceName = GetSourceName(ptr, bytesRead, dw, output);
//r.EventCategory = recCast.EventCategory.ToString();
//r.EventType = ((EventType)(recCast.EventType)).ToString();
Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> Event log source name is : " + r.SourceName);
if (r.SourceName.ToLower() == "hmbs")
{
r.ComputerName = GetComputerName(ptr, bytesRead, dw, output, r.SourceName.Length);
//r.EventId = GetEventId(recCast.EventID);
//Log.Log(LogType.FILE, LogLevel.INFORM, "Event_Id :" + r.EventId);
//r.Recordnum = recCast.RecordNumber;
//r.LogName = Dir;
Int32 offset = dw + recCast.StringOffset;
ptr = Marshal.AllocHGlobal(bytesRead);
Marshal.Copy(output, offset, ptr, bytesRead - offset);
String str = Marshal.PtrToStringAnsi(ptr);
//List<String> lst = new List<String>();
//for (Int32 i = 0; i < recCast.NumStrings; i++)
//{
// ptr = Marshal.AllocHGlobal(bytesRead);
// Marshal.Copy(output, offset, ptr, bytesRead - offset);
// String str = Marshal.PtrToStringAnsi(ptr);
// lst.Add(str);
// Marshal.FreeHGlobal(ptr);
// offset += str.Length + 1;
//}
//r.Description = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile", lst);
PrivateParse(ref r, str);
SetRecordData(r);
}//end of if hmbs
Position = recCast.RecordNumber;
//Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> Last position is : " + Position.ToString());
SetRegistry();
}//end of if
if (maxReadLineCount != -1)
{
readLineCount++;
if (readLineCount > maxReadLineCount)
{
if (threadSleepTime <= 0)
{
Thread.Sleep(60000); // previous value is 60000
}
else
{
Thread.Sleep(threadSleepTime);
}
readLineCount = 0;
}
}
dw += recCast.Length;
}
if (!changed)
break;
}
Log.Log(LogType.FILE, LogLevel.DEBUG, " Parse() -->> is successfully FINISHED. ");
}
catch (Exception e)
{
Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> An error occurred : " + e.Message);
Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> An error occurred : " + e.StackTrace);
}
Int32 error = Marshal.GetLastWin32Error();
if (error == 87)
{
Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> Win Error on parse, probably eventlog cleared. Error code(" + error + ")");
Log.Log(LogType.FILE, LogLevel.ERROR, " Parse() -->> Starting from begining.");
Position = 0;
SetRegistry();
}
CloseEventLog(handle);
}
public override void Parse()
{
IntPtr handle = OpenEventLog(remoteHost, Dir);
Byte[] output = new byte[65536];
Int32 bytesRead = 0;
Int32 minNumberOfBytesNeeded = 0;
try
{
Int32 flags = 0;
if (Position == 0)
flags = (Int32)ReadFlags.EVENTLOG_SEQUENTIAL_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
else
flags = (Int32)ReadFlags.EVENTLOG_SEEK_READ | (Int32)ReadFlags.EVENTLOG_FORWARDS_READ;
Int32 readLineCount = 0;
while (ReadEventLog(handle, flags, (UInt32)Position, output, output.Length, ref bytesRead, ref minNumberOfBytesNeeded))
{
Object rec = new EVENTLOGRECORD();
Int32 dw = 0;
bool changed = false;
while (bytesRead > dw)
{
Rec r = new Rec();
ByteArrayToStructure(output, dw, ref rec);
EVENTLOGRECORD recCast = (EVENTLOGRECORD)rec;
if (Position != recCast.RecordNumber)
{
changed = true;
try
{
DateTime d = new DateTime(1970, 1, 1, 0, 0, 0).AddSeconds(Convert.ToDouble(recCast.TimeWritten));
r.Datetime = d.Year + "/" + d.Month + "/" + d.Day + " " + d.Hour + ":" + d.Minute + ":" + d.Second + "." + recCast.TimeWritten;
r.Datetime = Convert.ToDateTime(r.Datetime).AddMinutes(zone).ToString("yyyy/MM/dd HH:mm:ss");
}
catch
{
r.CustomInt1 = recCast.TimeWritten;
}
//r.EventId = recCast.EventID;
r.EventId = returneventid(recCast.EventID);
Log.Log(LogType.FILE, LogLevel.INFORM, "Event_Id :" + r.EventId);
r.EventType = ((EventType)(recCast.EventType)).ToString();
//r.EventCategory = recCast.EventCategory.ToString();
r.LogName = "NT-" + Dir;
r.Recordnum = recCast.RecordNumber;
IntPtr ptr = IntPtr.Zero;
String SourceName = "";
try
{
ptr = Marshal.AllocHGlobal(bytesRead);
Int32 total = dw + 56;
Marshal.Copy(output, total, ptr, bytesRead - total); //56 struct size
SourceName = Marshal.PtrToStringAnsi(ptr);
Marshal.FreeHGlobal(ptr);
}
catch
{
}
r.SourceName = SourceName;
//r.EventCategory = GetString((UInt32)recCast.EventCategory, r.SourceName, "CategoryMessageFile", new List<String>());
r.EventCategory = recCast.EventCategory.ToString();
String ComputerName = "";
try
{
ptr = Marshal.AllocHGlobal(bytesRead);
Int32 total = dw + 57 + SourceName.Length;
Marshal.Copy(output, total, ptr, bytesRead - total);
ComputerName = Marshal.PtrToStringAnsi(ptr);
Marshal.FreeHGlobal(ptr);
}
catch
{
}
r.ComputerName = ComputerName;
List<String> lst = new List<String>();
Int32 offset = dw + recCast.StringOffset;
for (Int32 i = 0; i < recCast.NumStrings; i++)
{
ptr = Marshal.AllocHGlobal(bytesRead);
Marshal.Copy(output, offset, ptr, bytesRead - offset);
String str = Marshal.PtrToStringAnsi(ptr);
lst.Add(str);
Marshal.FreeHGlobal(ptr);
offset += str.Length + 1;
}
try
{
r.Description = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile", lst);
string line = GetString((UInt32)recCast.EventID, r.SourceName, "EventMessageFile", lst);
string[] DescArr = line.Split(':');
if ((r.EventId != 0) && (DescArr.Length > 20))
{
string[] sequence_number = DescArr[5].Split('a');
r.CustomInt1 = Convert.ToInt32(sequence_number[0]);
string[] bitmask = DescArr[8].Split('i');
r.CustomInt2 = Convert.ToInt32(bitmask[0]);
string[] session = DescArr[10].Split('s');
r.CustomInt3 = Convert.ToInt32(session[0]);
string[] server = DescArr[11].Split('d');
r.CustomInt4 = Convert.ToInt32(server[0]);
string[] data_base = DescArr[12].Split('t');
r.CustomInt5 = Convert.ToInt32(data_base[0]);
string[] target_server = DescArr[13].Split('t');
r.CustomInt6 = Convert.ToInt32(target_server[0]);
string[] target_database = DescArr[14].Split('o');
r.CustomInt7 = Convert.ToInt32(target_database[0]);
string[] object_id = DescArr[15].Split('c');
r.CustomInt8 = Convert.ToInt32(object_id[0]);
string server_principal_name = DescArr[18].Substring(0, DescArr[18].Length - 20);
r.CustomStr1 = server_principal_name;
string server_principal_sid = DescArr[19].Substring(0, DescArr[19].Length - 23);
r.CustomStr3 = server_principal_sid;
string database_principal_name = DescArr[20].Substring(0, DescArr[20].Length - 28);
r.CustomStr2 = database_principal_name;
string target_server_principal_name = DescArr[21].Substring(0, DescArr[21].Length - 27);
r.CustomStr1 += " " + target_server_principal_name;
string target_server_principal_sid = DescArr[22].Substring(0, DescArr[22].Length - 30);
r.CustomStr2 += " " + target_server_principal_sid;
string server_instance_name = DescArr[24].Substring(0, DescArr[24].Length - 13);
r.CustomStr4 = server_instance_name;
string database_name = DescArr[25].Substring(0, DescArr[25].Length - 11);
r.CustomStr5 = database_name;
string schema_name = DescArr[26].Substring(0, DescArr[26].Length - 11);
r.CustomStr6 = schema_name;
string object_name = DescArr[27].Substring(0, DescArr[27].Length - 9);
r.CustomStr7 = object_name;
string statement = DescArr[28].Substring(0, DescArr[28].Length - 22);
r.CustomStr8 = statement;
string[] additional = DescArr[28].Split(')');
r.CustomStr9 = additional[4];
string[] action = DescArr[6].Split(' ');
r.EventType += " " + action[0];
string succeeded = DescArr[7].Substring(0, DescArr[7].Length - 18);
r.EventCategory += " " + succeeded;
Log.Log(LogType.FILE, LogLevel.INFORM, "Parsing successful :");
}
r = setRecParse(r, r.Description);
}
catch (Exception e)
{
Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
}
/*if (lst.Count > 0)
r.CustomStr1 = lst[0];
if (lst.Count > 1)
r.CustomStr2 = lst[1];
if (lst.Count > 2)
r.CustomStr3 = lst[2];
if (lst.Count > 3)
r.CustomStr4 = lst[3];
if (lst.Count > 4)
r.CustomStr5 = lst[4];
if (lst.Count > 5)
r.CustomStr6 = lst[5];
if (lst.Count > 6)
r.CustomStr7 = lst[6];
if (lst.Count > 7)
r.CustomStr8 = lst[7];
if (lst.Count > 8)
r.CustomStr9 = lst[8];
if (lst.Count > 9)
r.CustomStr10 = lst[9];
if (lst.Count > 10)
{
if (lst.Count > 11)
{
for (Int32 i = 10; i < lst.Count; i++)
r.Description += lst[i] + " ";
r.Description = r.Description.Trim();
}
else
{
r.Description = lst[10];
}
}
else
r.Description = "";*/
/*if (lst.Count > 6)
r.Description = lst[6];
else if (lst.Count != 0)
r.Description = lst[0];
else
r.Description = "";*/
Position = recCast.RecordNumber;
SetRegistry();
SetRecordData(r);
}
if (maxReadLineCount != -1)
{
readLineCount++;
if (readLineCount > maxReadLineCount)
{
if (threadSleepTime <= 0)
Thread.Sleep(60000);
else
Thread.Sleep(threadSleepTime);
readLineCount = 0;
}
}
dw += recCast.Length;
}
if (!changed)
break;
}
}
catch (Exception e)
{
Log.Log(LogType.FILE, LogLevel.ERROR, e.Message);
Log.Log(LogType.FILE, LogLevel.ERROR, e.StackTrace);
}
Int32 error = Marshal.GetLastWin32Error();
if (error == 87)
{
Log.Log(LogType.FILE, LogLevel.ERROR, "Win Error on parse, probably eventlog cleared. Error code(" + error + ")");
Log.Log(LogType.FILE, LogLevel.ERROR, "Starting from begining.");
Position = 0;
SetRegistry();
}
CloseEventLog(handle);
}
