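        /// <summary>
        /// Populates the common Windows-event properties of this instance from a dynamic record
        /// and stamps the <c>LogFileLineage</c> collection metadata.
        /// </summary>
        /// <param name="record">
        /// Record keyed by the event's System/EventData element names. It must be convertible to
        /// <c>IDictionary&lt;string, object&gt;</c> (e.g. an ExpandoObject); the conversion is
        /// resolved at runtime and throws for any other type.
        /// </param>
        /// <param name="serviceName">Name of the collecting service, stored under "ServiceName" in LogFileLineage.</param>
        private void SetCommonAttributes(dynamic record, string serviceName)
        {
            IDictionary<string, object> dictionaryRecord = record;

            // Required System properties. The Convert.* calls throw on malformed values
            // (FormatException / InvalidCastException); nothing in this method catches them.
            Provider      = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Provider");
            EventId       = Convert.ToInt32(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventId"));
            TimeCreated   = Convert.ToDateTime(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "TimeCreated"));
            Computer      = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Computer");
            EventRecordId = Convert.ToInt64(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventRecordId"));

            // Not every record carries EventData; the indexer would throw KeyNotFoundException
            // for those, so probe the key and leave EventData untouched when it is absent.
            object eventData;
            if (dictionaryRecord.TryGetValue("EventData", out eventData))
            {
                EventData = eventData;
            }

            // Newly added properties
            Version  = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Version");
            Level    = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Level");
            Task     = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Task");
            Opcode   = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Opcode");
            Security = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Security");
            Channel  = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Channel");

            // Variant System properties (not on all Windows Events). Convert the value already
            // fetched instead of looking it up a second time.
            string processId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ProcessID");

            if (!string.IsNullOrEmpty(processId))
            {
                ProcessId = Convert.ToInt32(processId);
            }

            string threadId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ThreadID");

            if (!string.IsNullOrEmpty(threadId))
            {
                ThreadId = Convert.ToInt32(threadId);
            }

            // LogFileLineage: who collected the record and when. Both timestamp forms are
            // derived from the same UtcNow reading so they always agree.
            var collectorTimestamp = DateTime.UtcNow;
            var logFileLineage     = new Dictionary<string, object>
            {
                { "UploadMachine", Environment.MachineName },
                { "CollectorTimeStamp", collectorTimestamp },
                { "CollectorUnixTimeStamp", collectorTimestamp.GetUnixTime() },
                { "ServiceName", serviceName }
            };

            LogFileLineage = logFileLineage;
        }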
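        /// <summary>
        /// Populates the common Windows-event properties of this instance from a dynamic record.
        /// EventData, when present, is stored as indented JSON text.
        /// </summary>
        /// <param name="record">
        /// Record keyed by the event's System/EventData element names. It must be convertible to
        /// <c>IDictionary&lt;string, object&gt;</c> (e.g. an ExpandoObject); the conversion is
        /// resolved at runtime and throws for any other type.
        /// </param>
        private void SetCommonAttributes(dynamic record)
        {
            IDictionary<string, object> dictionaryRecord = record;

            // Required System properties. The Convert.* calls throw on malformed values
            // (FormatException / InvalidCastException); nothing in this method catches them.
            Provider      = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Provider");
            EventId       = Convert.ToInt32(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventId"));
            TimeCreated   = Convert.ToDateTime(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "TimeCreated"));
            Computer      = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Computer");
            EventRecordId = Convert.ToInt64(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventRecordId"));

            // EventData is optional; one TryGetValue replaces the ContainsKey + indexer pair.
            object eventData;
            if (dictionaryRecord.TryGetValue("EventData", out eventData))
            {
                EventData = JsonConvert.SerializeObject(eventData, Formatting.Indented);
            }

            // Newly added properties
            Version  = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Version");
            Level    = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Level");
            Task     = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Task");
            Opcode   = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Opcode");
            Security = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Security");
            Channel  = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Channel");

            Keywords = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Keywords");

            // Correlation is assigned only when the value parses as a GUID; otherwise the
            // property keeps whatever it held before.
            Guid resultCorrelation;

            if (Guid.TryParse(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Correlation"), out resultCorrelation))
            {
                Correlation = resultCorrelation;
            }

            // Variant System properties (not on all Windows Events). Convert the value already
            // fetched instead of looking it up a second time.
            string processId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ProcessID");

            if (!string.IsNullOrEmpty(processId))
            {
                ProcessId = Convert.ToInt32(processId);
            }

            string threadId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ThreadID");

            if (!string.IsNullOrEmpty(threadId))
            {
                ThreadId = Convert.ToInt32(threadId);
            }
        }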
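        /// <summary>
        /// Converts a raw Windows event XML string into a <see cref="LogRecordSentinel"/>.
        /// </summary>
        /// <param name="eventXml">The event XML; passed through XmlVerification.VerifyAndRepairXml before parsing.</param>
        /// <param name="serviceName">Name of the collecting service, recorded under "ServiceName" in LogFileLineage.</param>
        /// <param name="level">Overrides the System/Level value when non-empty.</param>
        /// <param name="task">Overrides the System/Task value when non-empty.</param>
        /// <param name="opCode">Stored as-is in Opcode; the System/Opcode value is not read by this method.</param>
        /// <param name="processId">Overrides the process id taken from "Execution" when non-zero.</param>
        /// <param name="threadId">Overrides the thread id taken from "Execution" when non-zero.</param>
        /// <returns>
        /// The populated record, or <c>null</c> when any step throws: the exception is written via
        /// <see cref="Trace.TraceError(string)"/> and swallowed, so callers must null-check the result.
        /// </returns>
        public LogRecordSentinel ToLogRecordCdoc(
            string eventXml,
            string serviceName,
            string level  = "",
            string task   = "",
            string opCode = "",
            int processId = 0,
            int threadId  = 0)
        {
            try
            {
                if (string.IsNullOrWhiteSpace(eventXml))
                {
                    throw new ArgumentNullException(nameof(eventXml));
                }

                var sanitizedXmlString = XmlVerification.VerifyAndRepairXml(eventXml);

                // XElement.Parse prohibits DTD processing by default, so a DOCTYPE in the input
                // fails the parse (and lands in the catch below) rather than being expanded.
                var xe        = XElement.Parse(sanitizedXmlString);
                var eventData = xe.Element(ElementNames.EventData);
                var userData  = xe.Element(ElementNames.UserData);

                var systemPropertiesDictionary = CommonXmlFunctions.ConvertSystemPropertiesToDictionary(xe);

                var namedProperties  = new Dictionary<string, string>();
                var dataWithoutNames = new List<string>();

                // Convert UserData / EventData to named properties.
                // NOTE(review): when both elements are present the EventData result replaces
                // (does not merge with) the UserData one — confirm that is intended.
                if (userData != null)
                {
                    namedProperties = CommonXmlFunctions.ParseUserData(userData).ToDictionary(x => x.Key, x => x.Value.ToString());
                }

                if (eventData != null)
                {
                    var eventDataProperties = CommonXmlFunctions.ParseEventData(eventData);
                    namedProperties = eventDataProperties.ToDictionary(x => x.Key, x => x.Value.ToString());
                }

                // dataWithoutNames is never populated in this method, so the unnamed branch is
                // currently unreachable; it is kept for the case where unnamed data gets collected.
                string json;
                if (dataWithoutNames.Count > 0)
                {
                    if (namedProperties.Count > 0)
                    {
                        throw new InvalidOperationException("Event that has both unnamed and named data?");
                    }

                    json = JsonConvert.SerializeObject(dataWithoutNames, Formatting.Indented);
                }
                else
                {
                    json = JsonConvert.SerializeObject(namedProperties, Formatting.Indented);
                }

                // LogFileLineage: who collected the record and when. Both timestamp forms come
                // from the same UtcNow reading so they always agree.
                var collectorTimestamp = DateTime.UtcNow;
                var logFileLineage     = new Dictionary<string, object>
                {
                    { "UploadMachine", Environment.MachineName },
                    { "CollectorTimeStamp", collectorTimestamp },
                    { "CollectorUnixTimeStamp", collectorTimestamp.GetUnixTime() },
                    { "ServiceName", serviceName }
                };

                // "Execution" is split on ':' into process id and thread id (the layout this
                // code assumes ConvertSystemPropertiesToDictionary produces). A missing key or a
                // value with fewer parts yields 0 for the absent id instead of an
                // IndexOutOfRangeException that would turn the whole record into null.
                string[] executionParts = systemPropertiesDictionary.ContainsKey("Execution")
                    ? systemPropertiesDictionary["Execution"].ToString().Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries)
                    : new string[0];

                return new LogRecordSentinel()
                {
                    EventRecordId = Convert.ToInt64(systemPropertiesDictionary["EventRecordID"]),
                    TimeCreated = Convert.ToDateTime(systemPropertiesDictionary["TimeCreated"]),
                    Computer = systemPropertiesDictionary["Computer"].ToString(),
                    // Caller-supplied ids win; the default (0) falls back to the Execution parts.
                    // ThreadId is gated on threadId itself, not on processId.
                    ProcessId = processId != 0 ? processId : (executionParts.Length > 0 ? Convert.ToInt32(executionParts[0]) : 0),
                    ThreadId = threadId != 0 ? threadId : (executionParts.Length > 1 ? Convert.ToInt32(executionParts[1]) : 0),
                    Provider = systemPropertiesDictionary["Provider"].ToString(),
                    EventId = Convert.ToInt32(systemPropertiesDictionary["EventID"]),
                    // Same rule for level/task: the System value is used only when the caller
                    // left the empty default; a non-empty argument overrides it.
                    Level = string.IsNullOrEmpty(level) ? systemPropertiesDictionary["Level"].ToString() : level,
                    Version = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Version"),
                    Channel = systemPropertiesDictionary["Channel"].ToString(),
                    Security = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Security"),
                    Task = string.IsNullOrEmpty(task) ? systemPropertiesDictionary["Task"].ToString() : task,
                    Opcode = opCode,
                    EventData = json,
                    LogFileLineage = logFileLineage
                };
            }
            catch (Exception ex)
            {
                // Best-effort conversion: one bad record is logged and skipped (null) rather than
                // failing the caller. The message names this method via nameof so it stays accurate.
                Trace.TraceError($"WinLog.EventRecordConversion.{nameof(ToLogRecordCdoc)}() threw an exception: {ex}");
                return null;
            }
        }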