コード例 #1
ファイル: EvtxTest.cs プロジェクト: xornand/Tx
        /// <summary>
        /// Enumerates every record of the test file named by <c>FileName</c> and checks the total.
        /// </summary>
        public void EvtxReader()
        {
            // Count() forces a full enumeration of the file.
            var records  = EvtxEnumerable.FromFiles(FileName);
            var observed = records.Count();

            // 2041 records are expected from the .evtx file; the ETW form of the same
            // trace carries one extra event holding system information.
            Assert.AreEqual(2041, observed);
        }
コード例 #2
        /// <summary>
        /// Entry point: counts the records in <c>HTTP_Server.evtx</c>, prints the count
        /// and waits for Enter before exiting.
        /// </summary>
        static void Main()
        {
            // Relative path; resolved against the process working directory.
            const string logFile = @"HTTP_Server.evtx";

            IEnumerable<EventRecord> records = EvtxEnumerable.FromFiles(logFile);

            // Count() enumerates the whole file.
            Console.WriteLine(records.Count());

            // Keep the console window open.
            Console.ReadLine();
        }
コード例 #3
ファイル: Program.cs プロジェクト: yyjdelete/Tx
        /// <summary>
        /// Reads the Security log, keeps the first ten records with event Id 4688 and
        /// prints the value of property index 5 of each.
        /// </summary>
        static void LinqOperators()
        {
            const int targetEventId = 4688;

            IEnumerable<EventRecord> securityLog = EvtxEnumerable.ReadLog("Security");

            // Take(10) limits the output to the first ten matching records.
            var firstTen = securityLog.Filter(e => e.Id == targetEventId).Take(10);

            foreach (var record in firstTen)
            {
                // NOTE(review): assumes every 4688 record carries at least six properties — confirm against the event template.
                Console.WriteLine(record.Properties[5].Value);
            }
        }
コード例 #4
ファイル: EvtxLogSample.cs プロジェクト: rbiles/prototypes
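        /// <summary>
        /// Converts every record of one .evtx file into the upload payload, then uploads the
        /// payload to Log Analytics in batches of <paramref name="batchCount"/> items.
        /// Record counts and throughput are written to the console; any exception is written
        /// to the global log and not rethrown.
        /// </summary>
        /// <param name="fileFullName">Full path of the .evtx file to read.</param>
        /// <param name="cert">Certificate passed to each batch upload; it is not disposed here, so the caller keeps ownership.</param>
        /// <param name="creationMechanism">Passed through to <c>AddEvent</c> to select how each event's XML is produced.</param>
        /// <param name="batchCount">Number of items per upload batch.</param>
        private static void UploadEntireFileInBatches(string fileFullName, X509Certificate2 cert,
                                                      XmlCreationMechanism creationMechanism, int batchCount = 200)
        {
            // Same worker limit for conversion and upload.
            const int maxParallelism = 8;

            var payload = GetNewPayloadObject();
            // The Event.Ingest path is never taken from this method.
            var useEventIngest = false;

            // Set the ResourceId for upload
            ResourceId = payload.GetLogAnalyticsResourceId(SentinelApiConfig.WorkspaceId);

            // Reused for both phases: conversion first, then upload (Restart below).
            var fileStopwatch = new Stopwatch();

            try
            {
                fileStopwatch.Start();
                var log = EvtxEnumerable.ReadEvtxFile(fileFullName);

                // NOTE(review): AddEvent is called from several threads at once, so the payload
                // must tolerate concurrent mutation — confirm on the payload type.
                Parallel.ForEach(log, new ParallelOptions { MaxDegreeOfParallelism = maxParallelism },
                                 eventRecord => payload.AddEvent(eventRecord, useEventIngest, creationMechanism));

                fileStopwatch.Stop();

                Console.WriteLine($"\tRecordCount: {payload.DataItems.Count:N0}");
                var output =
                    $"\tEPS for Conversion: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}";
                Console.WriteLine(output);

                // Split into upload chunks
                var uploadBatches = payload.SplitListIntoChunks<string>(batchCount);
                fileStopwatch.Restart();

                Parallel.ForEach(uploadBatches, new ParallelOptions { MaxDegreeOfParallelism = maxParallelism },
                                 singleBatch => UploadBatchToLogAnalytics(payload.GetUploadBatch(singleBatch), cert));

                fileStopwatch.Stop();
                Console.WriteLine(
                    $"\tEPS for Upload to MMA-API: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");
            }
            catch (Exception e)
            {
                // Worker failures surface from Parallel.ForEach as an AggregateException;
                // ToString() includes the inner exceptions, so nothing is lost in the log entry.
                GlobalLog.WriteToStringBuilderLog(e.ToString(), 14008);
            }
        }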
コード例 #5
ファイル: Program.cs プロジェクト: yyjdelete/Tx
        /// <summary>
        /// Push-style (Rx) version of the event 4688 query: every matching record is
        /// converted to XML, then to a dynamic object, then to CSV, and printed as it arrives.
        /// </summary>
        static void RxOperators()
        {
            // ToObservable turns the pull-based reader into an IObservable<T> so the rest of
            // the pipeline can be composed from Rx operators.
            IObservable<EventRecord> securityLog = EvtxEnumerable.ReadLog("Security").ToObservable();

            // Each stage is named rather than chained; the composition is the same.
            var processCreations = securityLog.Where(e => e.Id == 4688);
            var asXml            = processCreations.Select(e => e.ToXml());
            var asDynamic        = asXml.Select(xml => Xml2Dynamic(xml));
            var asCsv            = asDynamic.Select(d => Dynamic2Csv(d));

            asCsv.Subscribe(line => Console.WriteLine(line));
        }
コード例 #6
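        /// <summary>
        /// Exposes the records of a named event log as a push sequence of deserialized dictionaries.
        /// </summary>
        /// <param name="log">Name of the event log handed to <c>FromLogQuery</c>; the remaining two query arguments are left null.</param>
        /// <returns>
        /// An observable that, inside each Subscribe call, enumerates the log synchronously,
        /// emits one dictionary per record and then completes.
        /// </returns>
        public static IObservable<IDictionary<string, object>> FromLog(string log)
        {
            var records = EvtxEnumerable.FromLogQuery(log, null, null);
            var observable = Observable.Create<EventLogRecord>(observer =>
            {
                // NOTE(review): the enumerable is walked again for every subscription — confirm that is intended.
                foreach (var record in records)
                {
                    observer.OnNext(record);
                }

                // Without this, aggregating consumers (ToList, Wait, LastAsync, ...) never finish;
                // FromFiles signals completion the same way.
                observer.OnCompleted();

                // Enumeration has already finished by the time this disposable is returned,
                // so there is nothing to tear down.
                return Disposable.Create(() => { });
            });

            return observable.Select(e => e.Deserialize());
        }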
コード例 #7
        /// <summary>
        /// Exposes the records of one or more .evtx files as a push sequence of deserialized dictionaries.
        /// </summary>
        /// <param name="logFiles">Paths handed to <c>EvtxEnumerable.FromFiles</c>.</param>
        /// <returns>
        /// An observable that, inside each Subscribe call, enumerates the files synchronously,
        /// emits one dictionary per record, then completes.
        /// </returns>
        public static IObservable<IDictionary<string, object>> FromFiles(params string[] logFiles)
        {
            var records = EvtxEnumerable.FromFiles(logFiles);

            var pushSource = Observable.Create<EventLogRecord>(observer =>
            {
                // NOTE(review): the enumerable is walked again for every subscription — confirm that is intended.
                foreach (var record in records)
                {
                    observer.OnNext(record);
                }

                observer.OnCompleted();

                // Enumeration has already finished when this disposable is handed out; nothing to release.
                return Disposable.Create(() => { });
            });

            return pushSource.Select(record => record.Deserialize());
        }
コード例 #8
ファイル: Program.cs プロジェクト: yyjdelete/Tx
        /// <summary>
        /// Builds the same query twice — once with extension-method syntax, once with
        /// comprehension syntax — over the first 1000 Security records: keep Id 4688 and
        /// render each record as XML. Both results are materialized with ToArray().
        /// </summary>
        static void LinqToObjects()
        {
            const int take          = 1000;
            const int targetEventId = 4688;

            // extension-method (fluent) form
            IEnumerable<string> pipeline = EvtxEnumerable.ReadLog("Security")
                                           .Take(take)
                                           .Where(e => e.Id == targetEventId)
                                           .Select(e => e.ToXml())
                                           .ToArray();

            // comprehension (query-expression) form of the same query
            var query = (from e in EvtxEnumerable.ReadLog("Security").Take(take)
                         where e.Id == targetEventId
                         select e.ToXml()).ToArray();

            // Place a breakpoint on this line and inspect "pipeline" and "query".
        }
コード例 #9
ファイル: Program.cs プロジェクト: yyjdelete/Tx
        /// <summary>
        /// Runs an Rx (push) rule over a pull-based source: the first 1000 Security records
        /// are rendered to XML and materialized, then ReplayRealTimeRule applies a push-side
        /// Where over that array and the matches are printed. Described in the original as a
        /// stepping stone towards hosting Rx rules inside a Cosmos extractor.
        /// </summary>
        static void PushInsidePull()
        {
            IEnumerable<string> xmlRecords = EvtxEnumerable.ReadLog("Security")
                                             .Take(1000)
                                             .Select(e => e.ToXml())
                                             .ToArray();

            // The .Where inside the rule is the push (real-time) implementation, not LINQ-to-Objects.
            // It matches on the substring "4688" anywhere in the XML, not on the event Id field.
            var matches = xmlRecords.ReplayRealTimeRule(rule => rule.Where(xml => xml.Contains("4688")));

            foreach (var xml in matches)
            {
                Console.WriteLine(xml);
            }
        }
コード例 #10
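        /// <summary>
        /// Converts every record of one .evtx file into a <see cref="WindowsEventPayload"/>, then
        /// uploads it to Log Analytics in batches of <paramref name="batchCount"/> items using the
        /// static <c>AuthX509Certificate2</c>. Record counts and throughput are written to the
        /// console; any exception is written to the global log and not rethrown.
        /// </summary>
        /// <param name="fileFullName">Full path of the .evtx file to read.</param>
        /// <param name="creationMechanism">Passed through to <c>AddEvent</c> to select how each event's XML is produced.</param>
        /// <param name="batchCount">Number of items per upload batch.</param>
        private static void UploadEntireFileInBatches(string fileFullName, XmlCreationMechanism creationMechanism, int batchCount = 200)
        {
            // Same worker limit for conversion and upload.
            const int maxParallelism = 8;

            WindowsEventPayload payload = GetNewPayloadObject();
            // The Event.Ingest path is never taken from this method; its reporting
            // (uploader item counts and batch timing) is not implemented here.
            bool useEventIngest = false;

            // Set the ResourceId for upload
            ResourceId = payload.GetLogAnalyticsResourceId(SentinelApiConfig.WorkspaceId);

            // Reused for both phases: conversion first, then upload (Restart below).
            Stopwatch fileStopwatch = new Stopwatch();

            try
            {
                fileStopwatch.Start();
                var log = EvtxEnumerable.ReadEvtxFile(fileFullName);

                // NOTE(review): AddEvent is called from several threads at once, so WindowsEventPayload
                // must tolerate concurrent mutation — confirm.
                Parallel.ForEach(log, new ParallelOptions { MaxDegreeOfParallelism = maxParallelism },
                                 eventRecord => payload.AddEvent(eventRecord, useEventIngest, creationMechanism));

                fileStopwatch.Stop();

                if (!useEventIngest)
                {
                    Console.WriteLine($"\tRecordCount: {payload.DataItems.Count:N0}");
                    string output =
                        $"\tEPS for Conversion: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}";
                    Console.WriteLine(output);
                }

                // Split into upload chunks
                var uploadBatches = payload.SplitListIntoChunks<string>(batchCount);
                fileStopwatch.Restart();

                Parallel.ForEach(uploadBatches, new ParallelOptions { MaxDegreeOfParallelism = maxParallelism },
                                 singleBatch => UploadBatchToLogAnalytics(payload.GetUploadBatch(singleBatch), AuthX509Certificate2));

                fileStopwatch.Stop();
                Console.WriteLine($"\tEPS for Upload to MMA-API: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");
            }
            catch (Exception e)
            {
                // Worker failures surface from Parallel.ForEach as an AggregateException;
                // ToString() includes the inner exceptions, so nothing is lost in the log entry.
                GlobalLog.WriteToStringBuilderLog(e.ToString(), 14008);
            }
        }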