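/// <summary>
/// Thread entry point that polls the Windows Event Log source named by <paramref name="ploc"/>
/// through LogParser, turns every record written after the watcher started into a
/// <see cref="JObject"/> handed to <c>ProcessJson</c>, and returns (via <c>Finished()</c>) once
/// <c>Stop</c> is set or <c>CancelToken</c> is cancelled.
/// </summary>
/// <param name="ploc">LogParser FROM clause naming the event log(s) to watch; typed as
/// <see cref="object"/> because it arrives as a thread-start parameter.</param>
private void EventWatcher(object ploc)
{
    string location = ploc.ToString();
    LogManager.GetCurrentClassLogger().Info("WindowsEvent Input Listener Ready");

    // Input-format options are copied verbatim from the configured arguments.
    var iFmt = new EventLogInputFormat()
    {
        binaryFormat = _arguments.BinaryFormat.ToString(),
        direction = _arguments.Direction.ToString(),
        formatMsg = _arguments.FormatMsg,
        fullEventCode = _arguments.FullEventCode,
        fullText = _arguments.FullText,
        msgErrorMode = _arguments.MsgErrorMode.ToString(),
        stringsSep = _arguments.StringsSep,
        resolveSIDs = _arguments.ResolveSIDS
    };

    // Highest RecordNumber already shipped, keyed by event log name. RecordNumber is a
    // per-log counter, so every log needs its own high-water mark.
    var logFileMaxRecords = new Dictionary<string, Int64>();

    using (var syncHandle = new ManualResetEventSlim())
    {
        while (!Stop)
        {
            // Leave instead of idling: with the token cancelled but Stop still false the
            // loop would otherwise spin without doing any work.
            if (CancelToken.IsCancellationRequested)
            {
                break;
            }

            try
            {
                var oLogQuery = new LogQuery();
                DiscoverEventLogs(oLogQuery, iFmt, location, logFileMaxRecords);
                foreach (string logName in logFileMaxRecords.Keys.ToList())
                {
                    ShipNewRecords(oLogQuery, iFmt, logName, logFileMaxRecords);
                }
            }
            catch (OperationCanceledException)
            {
                break;
            }
            catch (Exception ex)
            {
                // Best effort: log and retry on the next poll rather than killing the watcher.
                LogManager.GetCurrentClassLogger().Error(ex);
            }

            // The wait sits outside the query try-block so that a persistent query failure is
            // retried at the polling interval instead of in a tight loop.
            try
            {
                if (!Stop)
                {
                    syncHandle.Wait(TimeSpan.FromSeconds(_pollingIntervalInSeconds), CancelToken);
                }
            }
            catch (OperationCanceledException)
            {
                break;
            }
        }
        Finished();
    }
}

/// <summary>
/// Registers every event log reachable through <paramref name="location"/> in
/// <paramref name="highWater"/>. A log seen for the first time is seeded with its current
/// highest RecordNumber, so only records written after discovery are shipped.
/// </summary>
/// <param name="oLogQuery">LogParser query object used for both queries.</param>
/// <param name="iFmt">Input format describing how the event logs are read.</param>
/// <param name="location">LogParser FROM clause for the watched source.</param>
/// <param name="highWater">Per-log high-water marks; extended in place.</param>
private static void DiscoverEventLogs(LogQuery oLogQuery, EventLogInputFormat iFmt, string location, Dictionary<string, Int64> highWater)
{
    // LogParser's COM API takes query text only (no bound parameters), so `location` and the
    // log names are spliced into the SQL as-is; they must come from trusted configuration.
    var rsfiles = oLogQuery.Execute(string.Format("SELECT Distinct [EventLog] FROM {0}", location), iFmt);
    try
    {
        for (; !rsfiles.atEnd(); rsfiles.moveNext())
        {
            string logName = rsfiles.getRecord().getValue("EventLog") as string;
            // A null name would throw from ContainsKey; an already-known log keeps its mark.
            if (string.IsNullOrEmpty(logName) || highWater.ContainsKey(logName))
            {
                continue;
            }

            var rcount = oLogQuery.Execute(string.Format("SELECT max(RecordNumber) as MaxRecordNumber FROM {0}", logName), iFmt);
            try
            {
                object maxRecordNumber = rcount.getRecord().getValueEx("MaxRecordNumber");
                // max() over an empty log comes back without a value (presumably null — confirm
                // against LogParser); seed with 0 so the first record written is picked up.
                highWater[logName] = maxRecordNumber == null ? 0L : (Int64)maxRecordNumber;
            }
            finally
            {
                rcount.close();
            }
        }
    }
    finally
    {
        // Release the recordset on every path, not only when the loop completes.
        rsfiles.close();
    }
}

/// <summary>
/// Ships every record of <paramref name="logName"/> with a RecordNumber above its stored
/// high-water mark to <c>ProcessJson</c>, advancing the mark as each record is read.
/// </summary>
/// <param name="oLogQuery">LogParser query object.</param>
/// <param name="iFmt">Input format describing how the event log is read.</param>
/// <param name="logName">Event log to read; must be a key of <paramref name="highWater"/>.</param>
/// <param name="highWater">Per-log high-water marks; updated in place.</param>
private void ShipNewRecords(LogQuery oLogQuery, EventLogInputFormat iFmt, string logName, Dictionary<string, Int64> highWater)
{
    var lastRecordNumber = highWater[logName];
    // Query this log alone, not the whole `location`: RecordNumber is only comparable within
    // one log, so filtering the combined source with a single log's mark re-ships or skips
    // records of the other logs and stores a foreign RecordNumber as this log's mark.
    var query = string.Format("SELECT * FROM {0} where RecordNumber > {1}", logName, lastRecordNumber);
    var rs = oLogQuery.Execute(query, iFmt);
    try
    {
        for (; !rs.atEnd(); rs.moveNext())
        {
            var record = rs.getRecord();
            var json = new JObject();
            foreach (var field in _arguments.Fields)
            {
                object v = record.getValue(field.Name);
                // Event data is rendered printable. Guard null: an event without data
                // previously threw NullReferenceException here.
                if (field.Name == "Data" && v != null)
                {
                    v = ToPrintable(v.ToString());
                }
                // Timestamps are normalised to UTC; the extra type test avoids an invalid
                // unboxing when LogParser returns no value for the field.
                if ((field.Name == "TimeGenerated" || field.Name == "TimeWritten") && field.DataType == typeof(DateTime) && v is DateTime)
                {
                    v = ((DateTime)v).ToUniversalTime();
                }
                json.Add(new JProperty(field.Name, v));
            }

            // Mark is advanced before processing (as before): a record that fails in
            // ProcessJson is not re-shipped on the next poll.
            highWater[logName] = (Int64)record.getValueEx("RecordNumber");
            ProcessJson(json);
            _receivedMessages++;
        }
    }
    finally
    {
        // Released on every path, including a failure mid-recordset.
        rs.close();
        // Kept from the original; presumably meant to prompt release of LogParser COM
        // wrappers — confirm before removing.
        GC.Collect();
    }
}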
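/// <summary>
/// Thread entry point that polls the Windows Event Log source named by <paramref name="ploc"/>
/// through LogParser, turns every record written after the watcher started into a
/// <see cref="JObject"/> handed to <c>ProcessJson</c>, and returns (via <c>Finished()</c>) once
/// <c>Stop</c> is set or <c>CancelToken</c> is cancelled.
/// </summary>
/// <param name="ploc">LogParser FROM clause naming the event log(s) to watch; typed as
/// <see cref="object"/> because it arrives as a thread-start parameter.</param>
private void EventWatcher(object ploc)
{
    string location = ploc.ToString();
    LogManager.GetCurrentClassLogger().Info("WindowsEvent Input Listener Ready");

    // Input-format options are copied verbatim from the configured arguments.
    var iFmt = new EventLogInputFormat()
    {
        binaryFormat = _arguments.BinaryFormat.ToString(),
        direction = _arguments.Direction.ToString(),
        formatMsg = _arguments.FormatMsg,
        fullEventCode = _arguments.FullEventCode,
        fullText = _arguments.FullText,
        msgErrorMode = _arguments.MsgErrorMode.ToString(),
        stringsSep = _arguments.StringsSep,
        resolveSIDs = _arguments.ResolveSIDS
    };

    // Highest RecordNumber already shipped, keyed by event log name. RecordNumber is a
    // per-log counter, so every log needs its own high-water mark.
    var logFileMaxRecords = new Dictionary<string, Int64>();

    using (var syncHandle = new ManualResetEventSlim())
    {
        while (!Stop)
        {
            // Leave instead of idling: with the token cancelled but Stop still false the
            // loop would otherwise spin without doing any work.
            if (CancelToken.IsCancellationRequested)
            {
                break;
            }

            try
            {
                var oLogQuery = new LogQuery();
                DiscoverEventLogs(oLogQuery, iFmt, location, logFileMaxRecords);
                foreach (string logName in logFileMaxRecords.Keys.ToList())
                {
                    ShipNewRecords(oLogQuery, iFmt, logName, logFileMaxRecords);
                }
            }
            catch (OperationCanceledException)
            {
                break;
            }
            catch (Exception ex)
            {
                // Best effort: log and retry on the next poll rather than killing the watcher.
                LogManager.GetCurrentClassLogger().Error(ex);
            }

            // The wait sits outside the query try-block so that a persistent query failure is
            // retried at the polling interval instead of in a tight loop.
            try
            {
                if (!Stop)
                {
                    syncHandle.Wait(TimeSpan.FromSeconds(_pollingIntervalInSeconds), CancelToken);
                }
            }
            catch (OperationCanceledException)
            {
                break;
            }
        }
        Finished();
    }
}

/// <summary>
/// Registers every event log reachable through <paramref name="location"/> in
/// <paramref name="highWater"/>. A log seen for the first time is seeded with its current
/// highest RecordNumber, so only records written after discovery are shipped.
/// </summary>
/// <param name="oLogQuery">LogParser query object used for both queries.</param>
/// <param name="iFmt">Input format describing how the event logs are read.</param>
/// <param name="location">LogParser FROM clause for the watched source.</param>
/// <param name="highWater">Per-log high-water marks; extended in place.</param>
private static void DiscoverEventLogs(LogQuery oLogQuery, EventLogInputFormat iFmt, string location, Dictionary<string, Int64> highWater)
{
    // LogParser's COM API takes query text only (no bound parameters), so `location` and the
    // log names are spliced into the SQL as-is; they must come from trusted configuration.
    var rsfiles = oLogQuery.Execute(string.Format("SELECT Distinct [EventLog] FROM {0}", location), iFmt);
    try
    {
        for (; !rsfiles.atEnd(); rsfiles.moveNext())
        {
            string logName = rsfiles.getRecord().getValue("EventLog") as string;
            // A null name would throw from ContainsKey; an already-known log keeps its mark.
            if (string.IsNullOrEmpty(logName) || highWater.ContainsKey(logName))
            {
                continue;
            }

            var rcount = oLogQuery.Execute(string.Format("SELECT max(RecordNumber) as MaxRecordNumber FROM {0}", logName), iFmt);
            try
            {
                object maxRecordNumber = rcount.getRecord().getValueEx("MaxRecordNumber");
                // max() over an empty log comes back without a value (presumably null — confirm
                // against LogParser); seed with 0 so the first record written is picked up.
                highWater[logName] = maxRecordNumber == null ? 0L : (Int64)maxRecordNumber;
            }
            finally
            {
                rcount.close();
            }
        }
    }
    finally
    {
        // Release the recordset on every path, not only when the loop completes.
        rsfiles.close();
    }
}

/// <summary>
/// Ships every record of <paramref name="logName"/> with a RecordNumber above its stored
/// high-water mark to <c>ProcessJson</c>, advancing the mark as each record is read.
/// </summary>
/// <param name="oLogQuery">LogParser query object.</param>
/// <param name="iFmt">Input format describing how the event log is read.</param>
/// <param name="logName">Event log to read; must be a key of <paramref name="highWater"/>.</param>
/// <param name="highWater">Per-log high-water marks; updated in place.</param>
private void ShipNewRecords(LogQuery oLogQuery, EventLogInputFormat iFmt, string logName, Dictionary<string, Int64> highWater)
{
    var lastRecordNumber = highWater[logName];
    // Query this log alone, not the whole `location`: RecordNumber is only comparable within
    // one log, so filtering the combined source with a single log's mark re-ships or skips
    // records of the other logs and stores a foreign RecordNumber as this log's mark.
    var query = string.Format("SELECT * FROM {0} where RecordNumber > {1}", logName, lastRecordNumber);
    var rs = oLogQuery.Execute(query, iFmt);
    try
    {
        for (; !rs.atEnd(); rs.moveNext())
        {
            var record = rs.getRecord();
            var json = new JObject();
            foreach (var field in _arguments.Fields)
            {
                object v = record.getValue(field.Name);
                // Event data is rendered printable. Guard null: an event without data
                // previously threw NullReferenceException here.
                if (field.Name == "Data" && v != null)
                {
                    v = ToPrintable(v.ToString());
                }
                // Timestamps are normalised to UTC; the extra type test avoids an invalid
                // unboxing when LogParser returns no value for the field.
                if ((field.Name == "TimeGenerated" || field.Name == "TimeWritten") && field.DataType == typeof(DateTime) && v is DateTime)
                {
                    v = ((DateTime)v).ToUniversalTime();
                }
                json.Add(new JProperty(field.Name, v));
            }

            // Mark is advanced before processing (as before): a record that fails in
            // ProcessJson is not re-shipped on the next poll.
            highWater[logName] = (Int64)record.getValueEx("RecordNumber");
            ProcessJson(json);
            _receivedMessages++;
        }
    }
    finally
    {
        // Released on every path, including a failure mid-recordset.
        rs.close();
        // Kept from the original; presumably meant to prompt release of LogParser COM
        // wrappers — confirm before removing.
        GC.Collect();
    }
}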