// Callback method that gets executed when an event is
// reported to the subscription.
public static void EventLogEventRead(object obj,
EventRecordWrittenEventArgs arg)
{
// Make sure there was no error reading the event.
if (arg.EventRecord != null)
{
switch (dataType)
{
case DataType.Xml:
var eventXml = XmlVerification.VerifyAndRepairXml(arg.EventRecord.ToXml());
SendXml(eventXml);
break;
case DataType.Dictionary:
var eventDynamic = LogReader.ParseEvent(arg.EventRecord);
SendDictionary(eventDynamic);
break;
default:
throw new ArgumentOutOfRangeException();
}
}
}
// 7/10/2020 - Russell's new version
private static void SafeWriteExtendedData(XmlWriter writer, EventRecord record)
{
try
{
var xml = record.ToXml();
var cleanXml = XmlVerification.VerifyAndRepairXml(xml);
var xAllData = XElement.Parse(cleanXml);
var xEventData = xAllData.Element(ElementNames.EventData);
var xUserData = xAllData.Element(ElementNames.UserData);
if (xEventData == null && xUserData == null)
{
return;
}
// If EventData has value, add as a Data attribute the TimeCreated and EventRecordId
if (xEventData != null)
{
XName xDataName = XName.Get("Data", xEventData.Name.Namespace.NamespaceName);
// 5/13/2020 - 'time-created controversy' Workaround/fix for DSRE team; we put original record.TimeCreated here
xEventData.Add(new XElement(xDataName, new XAttribute("Name", "TimeCreated"), record.TimeCreated));
// Add event record Id and RecordId data; EventRecordId is in SysData
xEventData.Add(new XElement(xDataName, new XAttribute("Name", "EventRecordId"), record.RecordId));
writer.WriteRaw(xEventData.ToString());
}
// If UserData has value, add as a XElement the TimeCreated and EventRecordId
if (xUserData != null)
{
var firstLevelElements = xUserData.Elements();
var secondLevelElements = firstLevelElements.Elements();
// If there are no secondary elements, add to the root elements
var levelElements = secondLevelElements as XElement[] ?? secondLevelElements.ToArray();
if (!levelElements.Any())
{
xUserData.Add(new XElement("TimeCreated", record.TimeCreated));
xUserData.Add(new XElement("EventRecordId", record.RecordId));
writer.WriteRaw(xUserData.ToString());
return;
}
// If there are secondary elements, add to these root elements
if (levelElements.Any())
{
foreach (var data in xUserData.Elements())
{
// Simply add above the first element, and then break.
foreach (XElement element in data.Elements())
{
element.AddBeforeSelf(new XElement("TimeCreated", record.TimeCreated));
element.AddBeforeSelf(new XElement("EventRecordId", record.RecordId));
break;
}
}
writer.WriteRaw(xUserData.ToString());
}
}
}
catch (Exception ex)
{
SafeWriteError(writer, ex);
}
}
public LogRecordSentinel ToLogRecordCdoc(
string eventXml,
string serviceName,
string level = "",
string task = "",
string opCode = "",
int processId = 0,
int threadId = 0)
{
try
{
if (string.IsNullOrWhiteSpace(eventXml))
{
throw new ArgumentNullException(nameof(eventXml));
}
var sanitizedXmlString = XmlVerification.VerifyAndRepairXml(eventXml);
var xe = XElement.Parse(sanitizedXmlString);
var eventData = xe.Element(ElementNames.EventData);
var userData = xe.Element(ElementNames.UserData);
var header = xe.Element(ElementNames.System);
var recordId = long.Parse(header.Element(ElementNames.EventRecordId).Value);
var systemPropertiesDictionary = CommonXmlFunctions.ConvertSystemPropertiesToDictionary(xe);
var namedProperties = new Dictionary <string, string>();
var dataWithoutNames = new List <string>();
// Convert the EventData to named properties
if (userData != null)
{
namedProperties = CommonXmlFunctions.ParseUserData(userData).ToDictionary(x => x.Key, x => x.Value.ToString());
}
if (eventData != null)
{
var eventDataProperties = CommonXmlFunctions.ParseEventData(eventData);
namedProperties = eventDataProperties.ToDictionary(x => x.Key, x => x.Value.ToString());
}
string json;
if (dataWithoutNames.Count > 0)
{
if (namedProperties.Count > 0)
{
throw new Exception("Event that has both unnamed and named data?");
}
json = JsonConvert.SerializeObject(dataWithoutNames, Formatting.Indented);
}
else
{
json = JsonConvert.SerializeObject(namedProperties, Formatting.Indented);
}
var collectorTimestamp = DateTime.UtcNow;
var logFileLineage = new Dictionary <string, object>
{
{ "UploadMachine", Environment.MachineName },
{ "CollectorTimeStamp", collectorTimestamp },
{ "CollectorUnixTimeStamp", collectorTimestamp.GetUnixTime() },
{ "ServiceName", serviceName }
};
string[] executionProcessThread;
if (systemPropertiesDictionary.ContainsKey("Execution"))
{
executionProcessThread = systemPropertiesDictionary["Execution"].ToString()
.Split(new[]
{
':'
}, StringSplitOptions.RemoveEmptyEntries);
}
else
{
executionProcessThread = new string[]
{
"0",
"0"
};
}
return(new LogRecordSentinel()
{
EventRecordId = Convert.ToInt64(systemPropertiesDictionary["EventRecordID"]),
TimeCreated = Convert.ToDateTime(systemPropertiesDictionary["TimeCreated"]),
Computer = systemPropertiesDictionary["Computer"].ToString(),
ProcessId = processId.Equals(0) ? Convert.ToInt32(executionProcessThread[0]) : processId,
ThreadId = processId.Equals(0) ? Convert.ToInt32(executionProcessThread[1]) : threadId,
Provider = systemPropertiesDictionary["Provider"].ToString(),
EventId = Convert.ToInt32(systemPropertiesDictionary["EventID"]),
Level = !level.Equals(string.Empty) ? systemPropertiesDictionary["Level"].ToString() : level,
Version = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Version"),
Channel = systemPropertiesDictionary["Channel"].ToString(),
Security = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Security"),
Task = !task.Equals(string.Empty) ? systemPropertiesDictionary["Task"].ToString() : task,
Opcode = opCode,
EventData = json,
LogFileLineage = logFileLineage
});
}
catch (Exception ex)
{
Trace.TraceError($"WinLog.EventRecordConversion.ToJsonLogRecord() threw an exception: {ex}");
return(null);
}
}
