public LogRecordSentinel(dynamic record, EventBookmark bookmark, string serviceName)
{
Bookmark = bookmark;
SetCommonAttributes(record, serviceName);
}
public void EventLogRecord_CheckProperties_RemainSame()
{
if (PlatformDetection.IsWindows7) // Null events in PowerShell log
{
return;
}
SecurityIdentifier userId;
byte? version, level;
short? opcode;
Guid? providerId, activityId, relatedActivityId;
int? processId, threadId, qualifiers, task;
long? keywords, recordId;
string providerName, machineName, containerLog;
DateTime? timeCreated;
IEnumerable <int> matchedQueryIds;
EventBookmark bookmark, bookmarkArg = Helpers.GetBookmark("Application", PathType.LogName);
var query = new EventLogQuery("Application", PathType.LogName, "*[System]")
{
ReverseDirection = true
};
var eventLog = new EventLogReader(query, bookmarkArg);
using (eventLog)
{
using (var record = (EventLogRecord)eventLog.ReadEvent())
{
userId = record.UserId;
version = record.Version;
opcode = record.Opcode;
providerId = record.ProviderId;
processId = record.ProcessId;
recordId = record.RecordId;
threadId = record.ThreadId;
qualifiers = record.Qualifiers;
level = record.Level;
keywords = record.Keywords;
task = record.Task;
providerName = record.ProviderName;
machineName = record.MachineName;
timeCreated = record.TimeCreated;
containerLog = record.ContainerLog;
matchedQueryIds = record.MatchedQueryIds;
activityId = record.ActivityId;
relatedActivityId = record.RelatedActivityId;
bookmark = record.Bookmark;
}
}
using (eventLog = new EventLogReader(query, bookmarkArg))
{
using (var record = (EventLogRecord)eventLog.ReadEvent())
{
Assert.Equal(userId, record.UserId);
Assert.Equal(version, record.Version);
Assert.Equal(opcode, record.Opcode);
Assert.Equal(providerId, record.ProviderId);
Assert.Equal(processId, record.ProcessId);
Assert.Equal(recordId, record.RecordId);
Assert.Equal(threadId, record.ThreadId);
Assert.Equal(qualifiers, record.Qualifiers);
Assert.Equal(level, record.Level);
Assert.Equal(keywords, record.Keywords);
Assert.Equal(task, record.Task);
Assert.Equal(providerName, record.ProviderName);
Assert.Equal(machineName, record.MachineName);
Assert.Equal(timeCreated, record.TimeCreated);
Assert.Equal(containerLog, record.ContainerLog);
Assert.Equal(matchedQueryIds, record.MatchedQueryIds);
Assert.Equal(activityId, record.ActivityId);
Assert.Equal(relatedActivityId, record.RelatedActivityId);
Assert.NotNull(record.Bookmark);
Assert.NotEqual(bookmark, record.Bookmark);
}
}
}
public LogRecord(dynamic record, EventBookmark bookmark)
{
Bookmark = bookmark;
SetCommonAttributes(record);
}
public LogRecordSentinel(EventBookmark bookmark)
{
Bookmark = bookmark;
}
} //ETWTraceInBackground_Start_SYSTEM()
private void ETWTraceInBackground_DoWork_SYSTEM(object sender, DoWorkEventArgs e)
{
// This is the background thread
int count = 0;
string etwclass = e.Argument as string;
BackgroundWorker worker = sender as BackgroundWorker;
Thread.CurrentThread.Name = "ETWReaderSYSTEM";
//Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;
try
{
string sQuery = "*[System/Level>0]";
EventLogQuery Q_Operational = new EventLogQuery(etwclass, PathType.LogName, sQuery);
EventBookmark Ev_OperationalBookmark = null;
EventLogReader R_Operational;
R_Operational = new EventLogReader(Q_Operational); // Walk through existing list to create a bookmark
R_Operational.Seek(System.IO.SeekOrigin.End, 0);
for (EventRecord eventInstance = R_Operational.ReadEvent();
null != eventInstance;
eventInstance = R_Operational.ReadEvent())
{
Ev_OperationalBookmark = eventInstance.Bookmark;
}
R_Operational.Dispose();
WaitingForEventStart_SYSTEM = false;
worker.ReportProgress(count++);
while (!worker.CancellationPending && !PleaseStopCollecting)
{
Thread.Sleep(1000);
R_Operational = new EventLogReader(Q_Operational, Ev_OperationalBookmark);
for (EventRecord eventInstance = R_Operational.ReadEvent();
null != eventInstance;
eventInstance = R_Operational.ReadEvent())
{
Ev_OperationalBookmark = eventInstance.Bookmark;
try
{
DateTime et = eventInstance.TimeCreated.GetValueOrDefault();
EventItem eItem = new EventItem((int)et.Ticks, et.Ticks, et.Ticks, et, eventInstance.ProcessId.ToString(), (int)eventInstance.ProcessId, (int)eventInstance.ThreadId,
eventInstance.LogName, "System", eventInstance.Id.ToString(), eventInstance.LevelDisplayName, eventInstance.FormatDescription(), "");
//SYSTEM_ITEM item = new SYSTEM_ITEM(eventInstance.LevelDisplayName, eventInstance.FormatDescription(), eventInstance.ProviderName, eventInstance.Id, eventInstance.ProcessId);
worker.ReportProgress(count++, eItem);
}
catch
{
// app provider might be virtual or missing
string leveldisplayname = "";
string stuff = "Formatter not available. Details:";
int ProcessId = -1;
int ThreadId = -1;
switch (eventInstance.Level)
{
case 1:
leveldisplayname = "Critical";
break;
case 2:
leveldisplayname = "Error";
break;
case 3:
leveldisplayname = "Warning";
break;
case 4:
leveldisplayname = "Information";
break;
default:
break;
}
foreach (EventProperty p in eventInstance.Properties)
{
stuff += p.Value.ToString() + " ";
}
if (eventInstance.ProcessId != null)
{
ProcessId = (int)eventInstance.ProcessId;
}
if (eventInstance.ThreadId != null)
{
ThreadId = (int)eventInstance.ThreadId;
}
DateTime et = eventInstance.TimeCreated.GetValueOrDefault();
EventItem eItem = new EventItem((int)et.Ticks, et.Ticks, et.Ticks, et, eventInstance.ProcessId.ToString(), (int)eventInstance.ProcessId, (int)eventInstance.ThreadId,
eventInstance.LogName, "System", eventInstance.Id.ToString(), leveldisplayname, stuff, "");
worker.ReportProgress(count++, eItem);
}
}
R_Operational.Dispose();
}
}
catch
{
WaitingForEventStart_SYSTEM = false;
}
} // ETWTraceInBackground_DoWork_SYSTEM()
public LogRecord(EventBookmark bookmark)
{
Bookmark = bookmark;
}
public static IEnumerable <EventLogRecord> FromLogQuery(string logName, string xpathQuery, EventBookmark bookmark)
{
long eventCount = 0; // for debugging
EventLogQuery query = new EventLogQuery(logName, PathType.LogName, xpathQuery);
using (var reader = new EventLogReader(query, bookmark))
{
for (; ;)
{
if (!(reader.ReadEvent() is EventLogRecord record))
{
yield break;
}
eventCount++;
yield return(record);
}
}
}
private async Task ReaderRoutine()
{
var delay = MinReaderDelayMs;
EventRecord entry = null;
EventBookmark eventBookmark = null;
using (var eventLogReader = new EventLogReader(new EventLogQuery(_logName, PathType.LogName, _query)))
{
if (eventBookmark == null)
{
eventLogReader.Seek(SeekOrigin.Begin, 0);
// now, for some odd reason, Seek to End will set the reader BEFORE the last record,
// so we do a random read here
var last = DoRead(eventLogReader);
eventBookmark = last?.Bookmark;
last?.Dispose();
}
}
await Task.Yield();
_logger?.LogInformation("{0} Id {1} started reading", nameof(WindowsEventPollingSource), Id);
while (!_cts.Token.IsCancellationRequested)
{
int batchCount = 0;
try
{
// setting batch size is pretty important for performance, as the .NET wrapper will attempt to query events in batches
// see https://referencesource.microsoft.com/#system.core/System/Diagnostics/Eventing/Reader/EventLogReader.cs,149
using (var eventLogReader = new EventLogReader(new EventLogQuery(_logName, PathType.LogName, _query), eventBookmark)
{
BatchSize = 128
})
{
while ((entry = DoRead(eventLogReader)) != null)
{
batchCount++;
#if DEBUG
Interlocked.Increment(ref _total);
#endif
eventBookmark = entry.Bookmark;
this.LastEventLatency = DateTime.Now.Subtract(entry.TimeCreated ?? DateTime.Now);
OnEventRecord(entry);
if (batchCount == BatchSize)
{
this._logger?.LogDebug($"Read max possible number of events: {BatchSize}");
break;
}
_cts.Token.ThrowIfCancellationRequested();
}
if (entry is null)
{
_logger?.LogDebug("Read {0} events", batchCount);
}
}
delay = GetNextReaderDelayMs(delay, batchCount, this._logger);
batchCount = 0;
_logger?.LogDebug("Delaying {0}ms", delay);
await Task.Delay(delay, _cts.Token);
}
catch (OperationCanceledException ex)
{
_logger?.LogWarning(0, ex, "Error reading events, operation was canceled.");
break;
}
catch (Exception ex)
{
_logger?.LogError(0, ex, "Error reading events");
}
}
_logger?.LogInformation("{0} Id {1} stopped reading", nameof(WindowsEventPollingSource), Id);
}
// Token: 0x06000FBD RID: 4029 RVA: 0x000444D8 File Offset: 0x000426D8
private bool ProcessRecord(EventRecord rec)
{
bool flag = false;
int num = 0;
EventRecord suppressUntilRecord = null;
EventBookmark bookmark = null;
TagHandler tagHandler = null;
this.m_suppressUntilRecord = null;
try
{
this.Trace("Processing Record# {0}", new object[]
{
rec.RecordId
});
bookmark = rec.Bookmark;
DatabaseFailureItem databaseFailureItem = DatabaseFailureItem.Parse(rec);
if (databaseFailureItem != null)
{
if (databaseFailureItem.Tag == FailureTag.Remount)
{
DatabaseFailureItem databaseFailureItem2 = FailureItemWatcher.FindMostRecentIdenticalFailureItem(databaseFailureItem, out num, out suppressUntilRecord);
if (num > 0)
{
this.Trace("Skipped {0} identical failure items of tag {1}", new object[]
{
num,
databaseFailureItem.Tag
});
databaseFailureItem = databaseFailureItem2;
}
}
bookmark = databaseFailureItem.Bookmark;
this.Trace("Starting to process failure item: {0}", new object[]
{
databaseFailureItem
});
tagHandler = TagHandler.GetInstance(this, databaseFailureItem);
if (tagHandler != null)
{
ExTraceGlobals.FaultInjectionTracer.TraceTest(2640719165U);
flag = tagHandler.Execute();
if (flag)
{
this.Trace("Finished processing failure item for database '{0}'", new object[]
{
this.m_database.Name
});
}
else
{
this.Trace("Could not process failure item for database '{0}'", new object[]
{
this.m_database.Name
});
}
}
else
{
this.Trace("Failed to process failure item since there is no handler found (failureitem:{0})", new object[]
{
databaseFailureItem
});
flag = true;
}
this.Trace("Finished processing failure item", new object[0]);
}
}
catch (InvalidFailureItemException ex)
{
this.Trace("Ignoring the invalid failure item. (error={0}, eventxml={1})", new object[]
{
ex,
rec.ToXml()
});
flag = true;
}
if (flag)
{
this.Bookmarker.Write(bookmark);
if (num > 0)
{
this.m_suppressUntilRecord = suppressUntilRecord;
}
if (tagHandler != null && tagHandler.PostProcessingAction != null)
{
tagHandler.PostProcessingAction();
}
}
return(flag);
}
public void Bookmark(EventBookmark bookmark, string bookmarkName)
{
latest = bookmark;
onBookmark?.Invoke();
}
/// <summary>
/// Seeks the specified bookmark.
/// </summary>
/// <param name="bookmark">The bookmark.</param>
/// <param name="offset">The offset.</param>
public void Seek(EventBookmark bookmark, long offset = 0L)
{
log.Seek(bookmark, offset);
}
