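/// <summary>
/// Reads every Level=4 event in the Application log, records the distinct provider names
/// together with the <c>ProviderId</c> carried on the record, and checks that
/// <see cref="ProviderMetadata.Id"/> for each of those names agrees with it.
/// </summary>
/// <remarks>
/// The test is best-effort: a missing Application log yields nothing to compare, and a
/// provider whose metadata cannot be opened (not installed, or not readable by the test
/// user) is skipped instead of failing the test.
/// </remarks>
public void GetPropertyValues_MatchProviderIdUsingProviderMetadata_Success()
{
    var providerNameAndIds = new Dictionary<string, Guid>();
    const string logName = "Application";
    const string queryString = "*[System/Level=4]";

    // Only the two fields the test compares are projected out of each record.
    var xPathEnum = new List<string>() { "Event/System/EventID", "Event/System/Provider/@Name" };
    var logPropertyContext = new EventLogPropertySelector(xPathEnum);
    var eventsQuery = new EventLogQuery(logName, PathType.LogName, queryString);

    try
    {
        using (var logReader = new EventLogReader(eventsQuery))
        {
            for (EventLogRecord eventRecord = (EventLogRecord)logReader.ReadEvent();
                 eventRecord != null;
                 eventRecord = (EventLogRecord)logReader.ReadEvent())
            {
                IList<object> logEventProps = eventRecord.GetPropertyValues(logPropertyContext);

                // Render and parse the EventID with the invariant culture so the string
                // round-trip does not depend on the locale of the test host.
                string eventIdText = Convert.ToString(logEventProps[0], System.Globalization.CultureInfo.InvariantCulture);
                int eventId;
                Assert.True(int.TryParse(eventIdText, System.Globalization.NumberStyles.Integer, System.Globalization.CultureInfo.InvariantCulture, out eventId));

                string providerName = (string)logEventProps[1];

                // First record for a provider wins; later records with the same name are ignored.
                if (eventRecord.ProviderId.HasValue && !providerNameAndIds.ContainsKey(providerName))
                {
                    providerNameAndIds.Add(providerName, eventRecord.ProviderId.Value);
                }
            }
        }
    }
    catch (EventLogNotFoundException)
    {
        // No Application log on this host: the dictionary stays empty and nothing is compared.
    }

    // The original opened an EventLogSession here but never used it; ProviderMetadata(name)
    // uses the default session on its own, so the extra native handle is not needed.
    foreach (var nameAndId in providerNameAndIds)
    {
        ProviderMetadata providerMetadata = null;
        try
        {
            providerMetadata = new ProviderMetadata(nameAndId.Key);
            Assert.Equal(providerMetadata.Id, nameAndId.Value);
        }
        catch (EventLogException)
        {
            // Metadata for this provider is not available to the test user; skip it.
        }
        finally
        {
            providerMetadata?.Dispose();
        }
    }
}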
/// <summary>
/// Releases the provider metadata held by this cmdlet, then defers to the base implementation.
/// </summary>
protected override void EndProcessing()
{
    // No-op when no provider metadata was ever loaded.
    _providerMetadata?.Dispose();
    base.EndProcessing();
}
/// <summary>
/// Retrieves event data from the system based on event metadata.
/// </summary>
/// <remarks>
/// Every provider registered with the local event log session is opened in turn. Providers
/// that cannot be opened (manifest not found, unreadable metadata, or access denied for a
/// non-elevated caller) are logged and skipped so the scan continues. Duplicates are
/// rejected with <c>IList.Contains</c>, which is linear in the result size, so the total
/// cost grows quadratically with the number of events collected.
/// </remarks>
/// <returns>A list of events.</returns>
public static IList<EventData> GetEvents()
{
    IList<EventData> collected = new List<EventData>();

    using (EventLogSession session = new EventLogSession())
    {
        foreach (string providerName in session.GetProviderNames())
        {
            ProviderMetadata metadata = null;
            try
            {
                metadata = new ProviderMetadata(providerName);

                foreach (EventMetadata eventMetadata in metadata.Events)
                {
                    EventData candidate = new EventData(providerName, eventMetadata);
                    if (collected.Contains(candidate))
                    {
                        continue;
                    }

                    collected.Add(candidate);
                }
            }
            catch (EventLogNotFoundException elnfe)
            {
                // Microsoft-Windows-TerminalServices-ServerUSBDevice = The system cannot find the file specified.
                // Microsoft-Windows-WPD-MTPClassDriver = The system cannot find the file specified
                // Microsoft-Windows-Sdbus-SQM = The system cannot find the files specified
                Logger.Error(elnfe, CultureInfo.CurrentCulture, "Event provider '{0}' not found while processing events: {1}{2}{3}", providerName, elnfe.Message, Environment.NewLine, elnfe.StackTrace);
            }
            catch (EventLogException ele)
            {
                // Microsoft-Windows-MsiServer = The specified resource type cannot be found in the image file
                // Microsoft-Windows-CAPI2 = The data is invalid
                Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception while processing events: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace);
            }
            catch (UnauthorizedAccessException uae)
            {
                // thrown when running as a normal user and accessing these:
                // Microsoft-Windows-Security-Auditing
                // Microsoft-Windows-Eventlog
                Logger.Error(uae, CultureInfo.CurrentCulture, "Access denied to event provider '{0}' while processing events: {1}{2}{3}", providerName, uae.Message, Environment.NewLine, uae.StackTrace);
            }
            finally
            {
                metadata?.Dispose();
            }
        }
    }

    return collected;
}
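/// <summary>
/// Retrieves event provider data from the system based on event provider metadata.
/// </summary>
/// <remarks>
/// Every provider name known to the local <see cref="EventLogSession"/> is opened. Providers
/// whose metadata is missing, unreadable, or not accessible to the current user are logged
/// and skipped so that one bad provider does not abort the whole enumeration. The Events and
/// Keywords members are read under their own handlers because some providers expose valid
/// top-level metadata but fail on those two members.
/// </remarks>
/// <returns>
/// The distinct providers that could be read, in enumeration order; never <c>null</c>.
/// Providers that could not be opened are omitted.
/// </returns>
public static IList<EventProviderData> GetProviders()
{
    IList<EventProviderData> providers = new List<EventProviderData>();

    using (EventLogSession session = new EventLogSession())
    {
        foreach (string providerName in session.GetProviderNames())
        {
            ProviderMetadata providerMetadata = null;
            try
            {
                providerMetadata = new ProviderMetadata(providerName);

                // Property order matches the original assignment order so a member that
                // throws leaves the same partial state behind before the outer handlers run.
                EventProviderData providerData = new EventProviderData
                {
                    Name = providerMetadata.Name ?? string.Empty,
                    DisplayName = GetProviderDisplayName(providerMetadata) ?? string.Empty,
                    Guid = providerMetadata.Id,
                    // presumably extracts a file name from the manifest's help URI; see GetHelpFileNameFromUri
                    FileName = GetHelpFileNameFromUri(providerMetadata.HelpLink) ?? string.Empty,
                    MessageFile = providerMetadata.MessageFilePath ?? string.Empty,
                    SubstitutionFile = providerMetadata.ParameterFilePath ?? string.Empty,
                    ResourceFile = providerMetadata.ResourceFilePath ?? string.Empty,
                    Levels = GetProviderEventLevels(providerMetadata),
                    SendsEventsTo = providerMetadata.LogLinks.Select(link => new EventLogData(link.LogName)).ToList(),
                };

                // Events is read under its own handler: Windows-MsiServer, among others,
                // throws on this member even though the rest of its metadata is readable.
                providerData.Events = ReadProviderEvents(providerMetadata, providerName);

                // Same for Keywords (also observed with Windows-MsiServer).
                try
                {
                    providerData.Keywords = EventKeywordData.GetKeywords(providerMetadata.Keywords);
                }
                catch (EventLogException ele)
                {
                    providerData.Keywords = new List<EventKeywordData>();
                    Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception while accessing the event provider Keywords field: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace);
                }

                // Ntfs has 2 entries instead of 1 so make sure we don't add it twice
                if (!providers.Contains(providerData))
                {
                    providers.Add(providerData);
                }
            }
            catch (EventLogNotFoundException elnfe)
            {
                // Microsoft-Windows-TerminalServices-ServerUSBDevice = The system cannot find the file specified.
                // Microsoft-Windows-WPD-MTPClassDriver = The system cannot find the file specified
                // Microsoft-Windows-Sdbus-SQM = The system cannot find the files specified
                Logger.Error(elnfe, CultureInfo.CurrentCulture, "Event provider '{0}' not found during initial access of the provider while processing providers: {1}{2}{3}", providerName, elnfe.Message, Environment.NewLine, elnfe.StackTrace);
            }
            catch (UnauthorizedAccessException uae)
            {
                // thrown when running as a normal user and accessing these:
                // Microsoft-Windows-Security-Auditing
                // Microsoft-Windows-Eventlog
                Logger.Error(uae, CultureInfo.CurrentCulture, "Access denied to event provider '{0}' during initial access of the provider while processing providers: {1}{2}{3}", providerName, uae.Message, Environment.NewLine, uae.StackTrace);
            }
            catch (EventLogException ele)
            {
                // unfortunately vista x64 needs this generic catch statement
                Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception during initial access of the provider while processing providers: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace);
            }
            finally
            {
                providerMetadata?.Dispose();
            }
        }
    }

    return providers;
}

// Collects the provider's distinct events; returns an empty list (and logs) when the Events member cannot be read.
private static IList<EventData> ReadProviderEvents(ProviderMetadata providerMetadata, string providerName)
{
    IList<EventData> events = new List<EventData>();
    try
    {
        foreach (EventMetadata eventMetadata in providerMetadata.Events)
        {
            EventData eventData = new EventData(providerName, eventMetadata);
            if (!events.Contains(eventData))
            {
                events.Add(eventData);
            }
        }
    }
    catch (EventLogException ele)
    {
        // Discard any partially collected events, as the original did.
        events = new List<EventData>();
        Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception while accessing the event provider Events field: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace);
    }

    return events;
}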