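public void GetPropertyValues_MatchProviderIdUsingProviderMetadata_Success()
        {
            // Cross-checks two views of the same fact: the provider id carried by each event
            // record read from the log, and the id that ProviderMetadata reports for the same
            // provider name.
            //
            // NOTE(review): the test passes without comparing anything when the log is not found,
            // when no event matches the query, or when every ProviderMetadata lookup throws
            // EventLogException. A green run therefore does not prove a comparison was made.
            var providerNameAndIds = new Dictionary<string, Guid>();

            string logName     = "Application";
            string queryString = "*[System/Level=4]";
            var    xPathEnum   = new List<string>
            {
                "Event/System/EventID", "Event/System/Provider/@Name"
            };
            var logPropertyContext = new EventLogPropertySelector(xPathEnum);
            var eventsQuery        = new EventLogQuery(logName, PathType.LogName, queryString);

            try
            {
                using (var logReader = new EventLogReader(eventsQuery))
                {
                    EventLogRecord eventRecord;
                    while ((eventRecord = (EventLogRecord)logReader.ReadEvent()) != null)
                    {
                        // EventLogRecord is disposable. Release each record once the selected
                        // values have been copied out, rather than leaving every record of the
                        // log to the finalizer.
                        using (eventRecord)
                        {
                            // Values come back in the order of the XPath list above:
                            // [0] = EventID, [1] = provider name.
                            IList<object> logEventProps = eventRecord.GetPropertyValues(logPropertyContext);

                            int eventId;
                            Assert.True(int.TryParse(string.Format("{0}", logEventProps[0]), out eventId));

                            string providerName = (string)logEventProps[1];

                            // Keep the first id seen per provider name; records without a provider id are skipped.
                            if (!providerNameAndIds.ContainsKey(providerName) && eventRecord.ProviderId.HasValue)
                            {
                                providerNameAndIds.Add(providerName, eventRecord.ProviderId.Value);
                            }
                        }
                    }
                }
            }
            catch (EventLogNotFoundException)
            {
                // Deliberate best effort: a missing log leaves the map empty or partial.
            }

            if (providerNameAndIds.Count > 0)
            {
                // The session object is not referenced inside the loop; it is kept as in the original.
                using (var session = new EventLogSession())
                {
                    foreach (var nameAndId in providerNameAndIds)
                    {
                        ProviderMetadata providerMetadata = null;
                        try
                        {
                            providerMetadata = new ProviderMetadata(nameAndId.Key);
                            Assert.Equal(providerMetadata.Id, nameAndId.Value);
                        }
                        catch (EventLogException)
                        {
                            // Metadata for this provider could not be read; skip it without failing the test.
                            continue;
                        }
                        finally
                        {
                            providerMetadata?.Dispose();
                        }
                    }
                }
            }
        }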
        /// <summary>
        /// Disposes the provider metadata held in <c>_providerMetadata</c>, when one is set,
        /// and then runs the base class's <c>EndProcessing</c>.
        /// </summary>
        protected override void EndProcessing()
        {
            // Release the metadata object before handing control to the base class.
            _providerMetadata?.Dispose();

            base.EndProcessing();
        }
        /// <summary>
        /// Builds a de-duplicated list of the events declared by every event provider
        /// that the event log session enumerates.
        /// </summary>
        /// <remarks>
        /// A provider whose metadata cannot be loaded is logged and skipped, so the result can be
        /// partial. The handler comments below record that a normal (non-elevated) user is denied
        /// Microsoft-Windows-Security-Auditing and Microsoft-Windows-Eventlog. An inventory built
        /// without elevation therefore lacks those providers, and the only trace of the gap is the
        /// error log.
        /// </remarks>
        /// <returns>A list of events.</returns>
        public static IList<EventData> GetEvents()
        {
            var collected = new List<EventData>();

            using (EventLogSession session = new EventLogSession())
            {
                foreach (string providerName in session.GetProviderNames())
                {
                    ProviderMetadata provider = null;

                    try
                    {
                        provider = new ProviderMetadata(providerName);

                        // Wrap each declared event and keep it only if an equal entry is not already in the list.
                        foreach (var eventMetadata in provider.Events)
                        {
                            EventData candidate = new EventData(providerName, eventMetadata);

                            if (!collected.Contains(candidate))
                            {
                                collected.Add(candidate);
                            }
                        }
                    }
                    catch (EventLogNotFoundException notFound)
                    {
                        // Microsoft-Windows-TerminalServices-ServerUSBDevice = The system cannot find the file specified.
                        // Microsoft-Windows-WPD-MTPClassDriver = The system cannot find the file specified
                        // Microsoft-Windows-Sdbus-SQM = The system cannot find the files specified
                        Logger.Error(
                            notFound,
                            CultureInfo.CurrentCulture,
                            "Event provider '{0}' not found while processing events: {1}{2}{3}",
                            providerName,
                            notFound.Message,
                            Environment.NewLine,
                            notFound.StackTrace);
                    }
                    catch (EventLogException logFailure)
                    {
                        // Microsoft-Windows-MsiServer = The specified resource type cannot be found in the image file
                        // Microsoft-Windows-CAPI2 = The data is invalid
                        Logger.Error(
                            logFailure,
                            CultureInfo.CurrentCulture,
                            "Event provider '{0}' threw a generic event log exception while processing events: {1}{2}{3}",
                            providerName,
                            logFailure.Message,
                            Environment.NewLine,
                            logFailure.StackTrace);
                    }
                    catch (UnauthorizedAccessException denied)
                    {
                        // thrown when running as a normal user and accessing these:
                        // Microsoft-Windows-Security-Auditing
                        // Microsoft-Windows-Eventlog
                        Logger.Error(
                            denied,
                            CultureInfo.CurrentCulture,
                            "Access denied to event provider '{0}' while processing events: {1}{2}{3}",
                            providerName,
                            denied.Message,
                            Environment.NewLine,
                            denied.StackTrace);
                    }
                    finally
                    {
                        // Runs on success and on every handled failure; provider is still null if the constructor threw.
                        provider?.Dispose();
                    }
                }
            }

            return collected;
        }
        /// <summary>
        /// Builds a de-duplicated list describing every event provider that the event log
        /// session enumerates, filled in from each provider's metadata.
        /// </summary>
        /// <remarks>
        /// Failures are logged and tolerated at two levels. A provider whose metadata cannot be
        /// opened is left out of the result. A provider whose Events or Keywords lookup throws is
        /// still returned, with an empty list for that field. A consumer therefore cannot tell
        /// "declares no events" from "events could not be read" without the error log. The handler
        /// comments below also record that a normal user is denied
        /// Microsoft-Windows-Security-Auditing and Microsoft-Windows-Eventlog.
        /// </remarks>
        /// <returns>A list of provider descriptions; providers that could not be opened are absent.</returns>
        public static IList<EventProviderData> GetProviders()
        {
            var collected = new List<EventProviderData>();

            using (EventLogSession session = new EventLogSession())
            {
                foreach (string providerName in session.GetProviderNames())
                {
                    ProviderMetadata providerMetadata = null;

                    try
                    {
                        providerMetadata = new ProviderMetadata(providerName);

                        // String fields fall back to an empty string when the metadata reports null.
                        var providerData = new EventProviderData
                        {
                            Name             = providerMetadata.Name ?? string.Empty,
                            DisplayName      = GetProviderDisplayName(providerMetadata) ?? string.Empty,
                            Guid             = providerMetadata.Id,
                            FileName         = GetHelpFileNameFromUri(providerMetadata.HelpLink) ?? string.Empty,
                            MessageFile      = providerMetadata.MessageFilePath ?? string.Empty,
                            SubstitutionFile = providerMetadata.ParameterFilePath ?? string.Empty,
                            ResourceFile     = providerMetadata.ResourceFilePath ?? string.Empty,
                            Levels           = GetProviderEventLevels(providerMetadata),
                            SendsEventsTo    = providerMetadata.LogLinks.Select(link => new EventLogData(link.LogName)).ToList(),
                        };

                        try
                        {
                            IList<EventData> distinctEvents = new List<EventData>();

                            // Wrap each declared event and keep it only if an equal entry is not already present.
                            foreach (var eventMetadata in providerMetadata.Events)
                            {
                                EventData candidate = new EventData(providerName, eventMetadata);

                                if (!distinctEvents.Contains(candidate))
                                {
                                    distinctEvents.Add(candidate);
                                }
                            }

                            providerData.Events = distinctEvents;
                        }
                        catch (EventLogException eventsFailure)
                        {
                            // something is weird with Windows-MsiServer
                            // The provider is still reported, with an empty event list.
                            providerData.Events = new List<EventData>();

                            Logger.Error(
                                eventsFailure,
                                CultureInfo.CurrentCulture,
                                "Event provider '{0}' threw a generic event log exception while accessing the event provider Events field: {1}{2}{3}",
                                providerName,
                                eventsFailure.Message,
                                Environment.NewLine,
                                eventsFailure.StackTrace);
                        }

                        try
                        {
                            providerData.Keywords = EventKeywordData.GetKeywords(providerMetadata.Keywords);
                        }
                        catch (EventLogException keywordsFailure)
                        {
                            // something is weird with Windows-MsiServer
                            // The provider is still reported, with an empty keyword list.
                            providerData.Keywords = new List<EventKeywordData>();

                            Logger.Error(
                                keywordsFailure,
                                CultureInfo.CurrentCulture,
                                "Event provider '{0}' threw a generic event log exception while accessing the event provider Keywords field: {1}{2}{3}",
                                providerName,
                                keywordsFailure.Message,
                                Environment.NewLine,
                                keywordsFailure.StackTrace);
                        }

                        // Ntfs has 2 entries instead of 1 so make sure we don't add it twice
                        if (!collected.Contains(providerData))
                        {
                            collected.Add(providerData);
                        }
                    }
                    catch (EventLogNotFoundException notFound)
                    {
                        // Microsoft-Windows-TerminalServices-ServerUSBDevice = The system cannot find the file specified.
                        // Microsoft-Windows-WPD-MTPClassDriver = The system cannot find the file specified
                        // Microsoft-Windows-Sdbus-SQM = The system cannot find the files specified
                        Logger.Error(
                            notFound,
                            CultureInfo.CurrentCulture,
                            "Event provider '{0}' not found during initial access of the provider while processing providers: {1}{2}{3}",
                            providerName,
                            notFound.Message,
                            Environment.NewLine,
                            notFound.StackTrace);
                    }
                    catch (UnauthorizedAccessException denied)
                    {
                        // thrown when running as a normal user and accessing these:
                        // Microsoft-Windows-Security-Auditing
                        // Microsoft-Windows-Eventlog
                        Logger.Error(
                            denied,
                            CultureInfo.CurrentCulture,
                            "Access denied to event provider '{0}' during initial access of the provider while processing providers: {1}{2}{3}",
                            providerName,
                            denied.Message,
                            Environment.NewLine,
                            denied.StackTrace);
                    }
                    catch (EventLogException logFailure)
                    {
                        // unfortunately vista x64 needs this generic catch statement
                        Logger.Error(
                            logFailure,
                            CultureInfo.CurrentCulture,
                            "Event provider '{0}' threw a generic event log exception during initial access of the provider while processing providers: {1}{2}{3}",
                            providerName,
                            logFailure.Message,
                            Environment.NewLine,
                            logFailure.StackTrace);
                    }
                    finally
                    {
                        // Runs on success and on every handled failure; the field is still null if the constructor threw.
                        providerMetadata?.Dispose();
                    }
                }
            }

            return collected;
        }