public LogRecordSentinel(dynamic record, EventBookmark bookmark, string serviceName) { Bookmark = bookmark; SetCommonAttributes(record, serviceName); }
public void EventLogRecord_CheckProperties_RemainSame() { if (PlatformDetection.IsWindows7) // Null events in PowerShell log { return; } SecurityIdentifier userId; byte? version, level; short? opcode; Guid? providerId, activityId, relatedActivityId; int? processId, threadId, qualifiers, task; long? keywords, recordId; string providerName, machineName, containerLog; DateTime? timeCreated; IEnumerable <int> matchedQueryIds; EventBookmark bookmark, bookmarkArg = Helpers.GetBookmark("Application", PathType.LogName); var query = new EventLogQuery("Application", PathType.LogName, "*[System]") { ReverseDirection = true }; var eventLog = new EventLogReader(query, bookmarkArg); using (eventLog) { using (var record = (EventLogRecord)eventLog.ReadEvent()) { userId = record.UserId; version = record.Version; opcode = record.Opcode; providerId = record.ProviderId; processId = record.ProcessId; recordId = record.RecordId; threadId = record.ThreadId; qualifiers = record.Qualifiers; level = record.Level; keywords = record.Keywords; task = record.Task; providerName = record.ProviderName; machineName = record.MachineName; timeCreated = record.TimeCreated; containerLog = record.ContainerLog; matchedQueryIds = record.MatchedQueryIds; activityId = record.ActivityId; relatedActivityId = record.RelatedActivityId; bookmark = record.Bookmark; } } using (eventLog = new EventLogReader(query, bookmarkArg)) { using (var record = (EventLogRecord)eventLog.ReadEvent()) { Assert.Equal(userId, record.UserId); Assert.Equal(version, record.Version); Assert.Equal(opcode, record.Opcode); Assert.Equal(providerId, record.ProviderId); Assert.Equal(processId, record.ProcessId); Assert.Equal(recordId, record.RecordId); Assert.Equal(threadId, record.ThreadId); Assert.Equal(qualifiers, record.Qualifiers); Assert.Equal(level, record.Level); Assert.Equal(keywords, record.Keywords); Assert.Equal(task, record.Task); Assert.Equal(providerName, record.ProviderName); Assert.Equal(machineName, record.MachineName); Assert.Equal(timeCreated, record.TimeCreated); Assert.Equal(containerLog, record.ContainerLog); Assert.Equal(matchedQueryIds, record.MatchedQueryIds); Assert.Equal(activityId, record.ActivityId); Assert.Equal(relatedActivityId, record.RelatedActivityId); Assert.NotNull(record.Bookmark); Assert.NotEqual(bookmark, record.Bookmark); } } }
public LogRecord(dynamic record, EventBookmark bookmark) { Bookmark = bookmark; SetCommonAttributes(record); }
public LogRecordSentinel(EventBookmark bookmark) { Bookmark = bookmark; }
} //ETWTraceInBackground_Start_SYSTEM() private void ETWTraceInBackground_DoWork_SYSTEM(object sender, DoWorkEventArgs e) { // This is the background thread int count = 0; string etwclass = e.Argument as string; BackgroundWorker worker = sender as BackgroundWorker; Thread.CurrentThread.Name = "ETWReaderSYSTEM"; //Thread.CurrentThread.Priority = ThreadPriority.BelowNormal; try { string sQuery = "*[System/Level>0]"; EventLogQuery Q_Operational = new EventLogQuery(etwclass, PathType.LogName, sQuery); EventBookmark Ev_OperationalBookmark = null; EventLogReader R_Operational; R_Operational = new EventLogReader(Q_Operational); // Walk through existing list to create a bookmark R_Operational.Seek(System.IO.SeekOrigin.End, 0); for (EventRecord eventInstance = R_Operational.ReadEvent(); null != eventInstance; eventInstance = R_Operational.ReadEvent()) { Ev_OperationalBookmark = eventInstance.Bookmark; } R_Operational.Dispose(); WaitingForEventStart_SYSTEM = false; worker.ReportProgress(count++); while (!worker.CancellationPending && !PleaseStopCollecting) { Thread.Sleep(1000); R_Operational = new EventLogReader(Q_Operational, Ev_OperationalBookmark); for (EventRecord eventInstance = R_Operational.ReadEvent(); null != eventInstance; eventInstance = R_Operational.ReadEvent()) { Ev_OperationalBookmark = eventInstance.Bookmark; try { DateTime et = eventInstance.TimeCreated.GetValueOrDefault(); EventItem eItem = new EventItem((int)et.Ticks, et.Ticks, et.Ticks, et, eventInstance.ProcessId.ToString(), (int)eventInstance.ProcessId, (int)eventInstance.ThreadId, eventInstance.LogName, "System", eventInstance.Id.ToString(), eventInstance.LevelDisplayName, eventInstance.FormatDescription(), ""); //SYSTEM_ITEM item = new SYSTEM_ITEM(eventInstance.LevelDisplayName, eventInstance.FormatDescription(), eventInstance.ProviderName, eventInstance.Id, eventInstance.ProcessId); worker.ReportProgress(count++, eItem); } catch { // app provider might be virtual or missing string leveldisplayname = ""; string stuff = "Formatter not available. Details:"; int ProcessId = -1; int ThreadId = -1; switch (eventInstance.Level) { case 1: leveldisplayname = "Critical"; break; case 2: leveldisplayname = "Error"; break; case 3: leveldisplayname = "Warning"; break; case 4: leveldisplayname = "Information"; break; default: break; } foreach (EventProperty p in eventInstance.Properties) { stuff += p.Value.ToString() + " "; } if (eventInstance.ProcessId != null) { ProcessId = (int)eventInstance.ProcessId; } if (eventInstance.ThreadId != null) { ThreadId = (int)eventInstance.ThreadId; } DateTime et = eventInstance.TimeCreated.GetValueOrDefault(); EventItem eItem = new EventItem((int)et.Ticks, et.Ticks, et.Ticks, et, eventInstance.ProcessId.ToString(), (int)eventInstance.ProcessId, (int)eventInstance.ThreadId, eventInstance.LogName, "System", eventInstance.Id.ToString(), leveldisplayname, stuff, ""); worker.ReportProgress(count++, eItem); } } R_Operational.Dispose(); } } catch { WaitingForEventStart_SYSTEM = false; } } // ETWTraceInBackground_DoWork_SYSTEM()
public LogRecord(EventBookmark bookmark) { Bookmark = bookmark; }
public static IEnumerable <EventLogRecord> FromLogQuery(string logName, string xpathQuery, EventBookmark bookmark) { long eventCount = 0; // for debugging EventLogQuery query = new EventLogQuery(logName, PathType.LogName, xpathQuery); using (var reader = new EventLogReader(query, bookmark)) { for (; ;) { if (!(reader.ReadEvent() is EventLogRecord record)) { yield break; } eventCount++; yield return(record); } } }
private async Task ReaderRoutine() { var delay = MinReaderDelayMs; EventRecord entry = null; EventBookmark eventBookmark = null; using (var eventLogReader = new EventLogReader(new EventLogQuery(_logName, PathType.LogName, _query))) { if (eventBookmark == null) { eventLogReader.Seek(SeekOrigin.Begin, 0); // now, for some odd reason, Seek to End will set the reader BEFORE the last record, // so we do a random read here var last = DoRead(eventLogReader); eventBookmark = last?.Bookmark; last?.Dispose(); } } await Task.Yield(); _logger?.LogInformation("{0} Id {1} started reading", nameof(WindowsEventPollingSource), Id); while (!_cts.Token.IsCancellationRequested) { int batchCount = 0; try { // setting batch size is pretty important for performance, as the .NET wrapper will attempt to query events in batches // see https://referencesource.microsoft.com/#system.core/System/Diagnostics/Eventing/Reader/EventLogReader.cs,149 using (var eventLogReader = new EventLogReader(new EventLogQuery(_logName, PathType.LogName, _query), eventBookmark) { BatchSize = 128 }) { while ((entry = DoRead(eventLogReader)) != null) { batchCount++; #if DEBUG Interlocked.Increment(ref _total); #endif eventBookmark = entry.Bookmark; this.LastEventLatency = DateTime.Now.Subtract(entry.TimeCreated ?? DateTime.Now); OnEventRecord(entry); if (batchCount == BatchSize) { this._logger?.LogDebug($"Read max possible number of events: {BatchSize}"); break; } _cts.Token.ThrowIfCancellationRequested(); } if (entry is null) { _logger?.LogDebug("Read {0} events", batchCount); } } delay = GetNextReaderDelayMs(delay, batchCount, this._logger); batchCount = 0; _logger?.LogDebug("Delaying {0}ms", delay); await Task.Delay(delay, _cts.Token); } catch (OperationCanceledException ex) { _logger?.LogWarning(0, ex, "Error reading events, operation was canceled."); break; } catch (Exception ex) { _logger?.LogError(0, ex, "Error reading events"); } } _logger?.LogInformation("{0} Id {1} stopped reading", nameof(WindowsEventPollingSource), Id); }
// Token: 0x06000FBD RID: 4029 RVA: 0x000444D8 File Offset: 0x000426D8 private bool ProcessRecord(EventRecord rec) { bool flag = false; int num = 0; EventRecord suppressUntilRecord = null; EventBookmark bookmark = null; TagHandler tagHandler = null; this.m_suppressUntilRecord = null; try { this.Trace("Processing Record# {0}", new object[] { rec.RecordId }); bookmark = rec.Bookmark; DatabaseFailureItem databaseFailureItem = DatabaseFailureItem.Parse(rec); if (databaseFailureItem != null) { if (databaseFailureItem.Tag == FailureTag.Remount) { DatabaseFailureItem databaseFailureItem2 = FailureItemWatcher.FindMostRecentIdenticalFailureItem(databaseFailureItem, out num, out suppressUntilRecord); if (num > 0) { this.Trace("Skipped {0} identical failure items of tag {1}", new object[] { num, databaseFailureItem.Tag }); databaseFailureItem = databaseFailureItem2; } } bookmark = databaseFailureItem.Bookmark; this.Trace("Starting to process failure item: {0}", new object[] { databaseFailureItem }); tagHandler = TagHandler.GetInstance(this, databaseFailureItem); if (tagHandler != null) { ExTraceGlobals.FaultInjectionTracer.TraceTest(2640719165U); flag = tagHandler.Execute(); if (flag) { this.Trace("Finished processing failure item for database '{0}'", new object[] { this.m_database.Name }); } else { this.Trace("Could not process failure item for database '{0}'", new object[] { this.m_database.Name }); } } else { this.Trace("Failed to process failure item since there is no handler found (failureitem:{0})", new object[] { databaseFailureItem }); flag = true; } this.Trace("Finished processing failure item", new object[0]); } } catch (InvalidFailureItemException ex) { this.Trace("Ignoring the invalid failure item. (error={0}, eventxml={1})", new object[] { ex, rec.ToXml() }); flag = true; } if (flag) { this.Bookmarker.Write(bookmark); if (num > 0) { this.m_suppressUntilRecord = suppressUntilRecord; } if (tagHandler != null && tagHandler.PostProcessingAction != null) { tagHandler.PostProcessingAction(); } } return(flag); }
public void Bookmark(EventBookmark bookmark, string bookmarkName) { latest = bookmark; onBookmark?.Invoke(); }
/// <summary> /// Seeks the specified bookmark. /// </summary> /// <param name="bookmark">The bookmark.</param> /// <param name="offset">The offset.</param> public void Seek(EventBookmark bookmark, long offset = 0L) { log.Seek(bookmark, offset); }