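/// <summary>
/// Reads the events of the .evtx file named by <c>FileName</c> that come after the persisted
/// <c>Position</c> (an EventRecordID), renders each one through the Windows Event Log API
/// (system properties + formatted message strings), hands it to <see cref="ParseSpecific"/>
/// and advances <c>Position</c> / <c>SetRegistry()</c> per event, so a retry after a failure
/// resumes right after the last record that was actually stored.
/// </summary>
/// <returns>
/// <c>true</c> when the file was read to its end (<c>isFileFinished</c> is set); <c>false</c>
/// when the file could not be opened, the render context could not be created, the event
/// enumeration stopped with an error, or an <c>EventLogNotFoundException</c> was raised.
/// </returns>
/// <exception cref="Exception">
/// Thrown when another thread is still inside this method: the caller waits for that read to
/// finish and then gives up instead of reading the same file twice.
/// </exception>
protected override bool ReadLocal()
{
    // Win32 ERROR_NO_MORE_ITEMS: the only GetLastError value that makes a false EvtNext mean "done".
    const int errorNoMoreItems = 259;

    // Single-reader guard (callable is a Mutex): a second caller blocks until the in-flight
    // read is over, then bails out with an exception; the mutex is always released.
    if (!callable.WaitOne(0))
    {
        Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE");
        callable.WaitOne();
        try
        {
            throw new Exception("Parse already been processed by another thread while this call has made");
        }
        finally
        {
            callable.ReleaseMutex();
        }
    }

    try
    {
        Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- Started with lastfile: " + lastFile);

        string eventLogLocation = FileName;
        // Resume after the last persisted record id. Position is a long, so the XPath built here
        // never contains free text from the log itself.
        string query = Position > 0 ? "*[System/EventRecordID > " + Position + "]" : null;

        IntPtr handle = IntPtr.Zero;
        var events = new IntPtr[] { IntPtr.Zero };
        IntPtr hRenderContext = IntPtr.Zero;
        IntPtr pRenderedValues = IntPtr.Zero;
        // Publisher metadata handles, one per provider name; closed via CleanupEvtHandle(metaDict).
        var metaDict = new Dictionary<string, IntPtr>();
        int dwBufferUsed = 0;
        int dwPropertyCount = 0;
        int dwBufferSize = 0;
        int status = UnsafeNativeMethods.ERROR_SUCCESS;

        // Highest system-property slot we read from the render buffer (used for the bounds check).
        int highestPropertyIndex = 0;
        foreach (UnsafeNativeMethods.EvtSystemPropertyId id in new[]
                 {
                     UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID,
                     UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer,
                     UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated,
                     UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel,
                     UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId
                 })
        {
            highestPropertyIndex = Math.Max(highestPropertyIndex, (int)id);
        }

        try
        {
            handle = UnsafeNativeMethods.EvtQuery(IntPtr.Zero, eventLogLocation, query,
                (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath);
            if (handle == IntPtr.Zero)
            {
                Log.Log(LogType.FILE, LogLevel.ERROR,
                    "Parser In ReadLocal -- Error Opening Event File: " + Marshal.GetLastWin32Error());
                return false;
            }

            hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null,
                UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextSystem);
            if (hRenderContext == IntPtr.Zero)
            {
                Log.Log(LogType.FILE, LogLevel.ERROR,
                    "Parser In ReadLocal -- Error Creating Render Context Failed: " + Marshal.GetLastWin32Error() + ")");
                return false;
            }

            var sb = new StringBuilder();
            int returned = 0;
            var rec = new EventRecordWrapper();
            isFileFinished = false;
            lastLine = "-";

            while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned))
            {
                try
                {
                    if (!GetRenderValues(hRenderContext, events[0],
                            UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues,
                            ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed, ref dwPropertyCount,
                            ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR,
                            "Parser In ReadLocal -- Error Getting Render Event Values Failed: " + status + ")");
                        continue;
                    }

                    // Bounds check for the fixed-offset reads below, so a short render buffer is
                    // never read past its end. Only enforced when GetRenderValues reported a count;
                    // zero is treated as "unknown" so a helper that leaves dwPropertyCount untouched
                    // keeps working as before.
                    if (dwPropertyCount > 0 && dwPropertyCount <= highestPropertyIndex)
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR,
                            "Parser In ReadLocal -- Render buffer holds only " + dwPropertyCount + " system properties. Skipping");
                        continue;
                    }

                    // Slot 0 of the system render context is the provider name; it keys the
                    // publisher-metadata cache used to format the message strings.
                    string meta = Marshal.PtrToStringAuto(
                        ((UnsafeNativeMethods.EvtVariant)Marshal.PtrToStructure(pRenderedValues,
                            typeof(UnsafeNativeMethods.EvtVariant))).StringVal);
                    if (meta == null)
                    {
                        Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- Event has no meta data. Skipping");
                        continue;
                    }

                    rec.Reset();
                    rec.EventId = ReadSystemProperty(pRenderedValues,
                        UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID).UShort;

                    IntPtr metaPtr;
                    if (!metaDict.TryGetValue(meta, out metaPtr))
                    {
                        metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(IntPtr.Zero, meta, null, 0, 0);
                        if (metaPtr == IntPtr.Zero)
                        {
                            Log.Log(LogType.FILE, LogLevel.ERROR,
                                "Parser In ReadLocal -- Error Getting Meta Data Failed: Meta(" + meta + ") Status(" + Marshal.GetLastWin32Error() + ")");
                            continue;
                        }
                        metaDict[meta] = metaPtr;
                    }

                    if (!GetMessageString(metaPtr, events[0],
                            UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent,
                            ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status);
                        continue;
                    }
                    rec.Description = sb.ToString();

                    if (!GetMessageString(metaPtr, events[0],
                            UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageTask,
                            ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get TaskDisplayName failed: " + status);
                        continue;
                    }
                    rec.TaskDisplayName = sb.ToString();

                    if (!GetMessageString(metaPtr, events[0],
                            UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageLevel,
                            ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get LevelDisplayName failed: " + status);
                        continue;
                    }
                    rec.LevelDisplayName = sb.ToString();

                    rec.MachineName = Marshal.PtrToStringAuto(ReadSystemProperty(pRenderedValues,
                        UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer).StringVal);

                    // FromFileTime converts to the collector's local time zone; the stored
                    // timestamps are therefore local, not UTC.
                    ulong timeCreated = ReadSystemProperty(pRenderedValues,
                        UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated).FileTime;
                    rec.TimeCreated = DateTime.FromFileTime((long)timeCreated);

                    rec.LogName = Marshal.PtrToStringAuto(ReadSystemProperty(pRenderedValues,
                        UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel).StringVal);
                    rec.RecordId = ReadSystemProperty(pRenderedValues,
                        UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId).ULong;

                    if (!GetMessageString(metaPtr, events[0],
                            UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageKeyword,
                            ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get Keywrod DisplayNames failed:" + status);
                        continue;
                    }
                    rec.KeywordsDisplayNames.Clear();
                    foreach (string keyword in SplitNulSeparated(sb))
                    {
                        rec.KeywordsDisplayNames.Add(keyword);
                    }

                    ParseSpecific(rec, eventLogLocation);
                    // Persist progress only after the record has been handed on.
                    Position = (long)rec.RecordId;
                    SetRegistry();
                }
                finally
                {
                    UnsafeNativeMethods.EvtClose(events[0]);
                    events[0] = IntPtr.Zero;
                }
            }

            // EvtNext returns false both at end-of-file and on failure. Treating every false as
            // "finished" silently left a gap in the collected audit trail, so distinguish the two.
            // Relies on SetLastError=true on the EvtNext import (the code already depends on it
            // for EvtQuery / EvtOpenPublisherMetadata) — verify against the DllImport declaration.
            int evtNextError = Marshal.GetLastWin32Error();
            if (evtNextError != UnsafeNativeMethods.ERROR_SUCCESS && evtNextError != errorNoMoreItems)
            {
                Log.Log(LogType.FILE, LogLevel.ERROR,
                    "Parser In ReadLocal -- Error Reading Next Event: " + evtNextError + " (stopped after record " + Position + ")");
                return false;
            }

            isFileFinished = true;
            return true;
        }
        finally
        {
            CleanupEvtHandle(handle);
            CleanupEvtHandle(events[0]);
            CleanupEvtHandle(hRenderContext);
            CleanupEvtHandle(metaDict);
        }
    }
    catch (EventLogNotFoundException e)
    {
        Log.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + e.Message);
    }
    finally
    {
        callable.ReleaseMutex();
    }
    return false;
}

/// <summary>
/// Reads the <c>EvtVariant</c> for one system property out of the buffer filled by
/// EvtRender (slot index = the property id, each slot one <c>EvtVariant</c> wide).
/// Uses 64-bit pointer arithmetic: the previous <c>(Int32)pRenderedValues</c> cast truncated
/// the buffer address on x64 (OverflowException, or a read from the wrong address).
/// </summary>
private static UnsafeNativeMethods.EvtVariant ReadSystemProperty(IntPtr pRenderedValues,
    UnsafeNativeMethods.EvtSystemPropertyId id)
{
    int offset = (int)id * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant));
    IntPtr slot = new IntPtr(pRenderedValues.ToInt64() + offset);
    return (UnsafeNativeMethods.EvtVariant)Marshal.PtrToStructure(slot, typeof(UnsafeNativeMethods.EvtVariant));
}

/// <summary>
/// Splits the NUL-separated strings left in <paramref name="sb"/> by
/// EvtFormatMessageKeyword. The list ends at the first empty segment (a double NUL, a
/// trailing NUL or a leading NUL), exactly as the original index walk did.
/// </summary>
private static List<string> SplitNulSeparated(StringBuilder sb)
{
    var result = new List<string>();
    foreach (string segment in sb.ToString().Split('\0'))
    {
        if (segment.Length == 0)
        {
            break;
        }
        result.Add(segment);
    }
    return result;
}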
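/// <summary>
/// Flattens one rendered event into a <c>Rec</c>: copies the header fields, walks the
/// "Name: value" lines of the Windows security-audit description (English and Turkish labels)
/// into the CustomStr*/CustomInt* columns according to the section ("Subject:", "Object:", …)
/// the line is in, splits an over-long description across Description/CustomStr10 and stores
/// the record through <c>SetRecordData</c>.
/// </summary>
/// <param name="eventInstance">event rendered by <c>ReadLocal</c>.</param>
/// <param name="currentFile">.evtx path being read; stored in CustomStr9 and remembered in <c>lastFile</c>.</param>
/// <returns>
/// always <c>true</c>. A description that cannot be parsed is logged and the record is still
/// stored with whatever had been extracted up to the failing line.
/// </returns>
public bool ParseSpecific(EventRecordWrapper eventInstance, string currentFile)
{
    var r = new Rec();
    r.EventId = eventInstance.EventId;
    r.EventType = eventInstance.TaskDisplayName;
    r.Description = eventInstance.Description;
    r.EventCategory = eventInstance.LevelDisplayName;
    r.ComputerName = eventInstance.MachineName;
    DateTime dtCreate = Convert.ToDateTime(eventInstance.TimeCreated);
    // Invariant culture: with a culture-sensitive ToString a non-Gregorian default calendar
    // (e.g. ar-SA) writes a different year into the stored timestamp.
    r.Datetime = dtCreate.ToString("yyyy-MM-dd HH:mm:ss", System.Globalization.CultureInfo.InvariantCulture);

    try
    {
        string[] descArr = r.Description.Split("\n".ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
        AuditSection section = AuditSection.None;
        bool accessesSeen = false; // "Accesses" captured; "Access Mask" is appended only after it

        for (int i = 0; i < descArr.Length; i++)
        {
            string line = descArr[i];

            if (!line.Contains(":"))
            {
                // A line without a colon continues the previous field. Only the access list under
                // "Access Request Information" is multi-line; other continuation lines are dropped.
                if (section == AuditSection.Access)
                {
                    r.CustomStr7 = Truncate(r.CustomStr7 + " " + line.Trim(), 900);
                }
                continue;
            }

            string[] lineArr = line.Split(":".ToCharArray(), StringSplitOptions.RemoveEmptyEntries);

            // The logon type is captured wherever it appears, independent of the section.
            if (line.Contains("Logon Type"))
            {
                string logontypestr = line.Split(':')[1].Trim();
                if (logontypestr != "")
                {
                    r.CustomInt3 = Convert.ToInt32(logontypestr, System.Globalization.CultureInfo.InvariantCulture);
                }
            }

            if (lineArr.Length == 0)
            {
                continue; // nothing but colons; this used to throw and abort the whole description
            }

            string key = lineArr[0].Trim();

            // "Header:" with nothing after the colon opens a new section.
            if (lineArr[lineArr.Length - 1].Trim() == "")
            {
                section = SectionForHeader(key);
                continue;
            }

            switch (section)
            {
                case AuditSection.Subject:
                    ApplySubjectField(r, key, lineArr);
                    break;
                case AuditSection.Target:
                    ApplyTargetField(r, key, lineArr);
                    break;
                case AuditSection.Object:
                    ApplyObjectField(r, key, lineArr);
                    break;
                case AuditSection.Access:
                    ApplyAccessField(r, key, lineArr, ref accessesSeen);
                    break;
                case AuditSection.Process:
                    ApplyProcessField(r, key, lineArr);
                    break;
                case AuditSection.Application:
                    ApplyApplicationField(r, key, lineArr);
                    break;
                case AuditSection.Network:
                    ApplyNetworkField(r, key, lineArr);
                    break;
                case AuditSection.Authentication:
                    ApplyAuthenticationField(r, key, lineArr);
                    break;
                case AuditSection.NewAccount:
                    if (key == "Account Name")
                    {
                        ApplyShiftingAccountName(r, lineArr);
                    }
                    break;
                default:
                    ApplyUnsectionedField(r, key, lineArr);
                    break;
            }
        }

        // The Description column holds 900 characters; the next (up to) 900 spill into CustomStr10.
        if (r.Description.Length > 900)
        {
            r.CustomStr10 = r.Description.Substring(900, Math.Min(900, r.Description.Length - 900));
            r.Description = r.Description.Substring(0, 900);
        }
    }
    catch (Exception ex)
    {
        // This used to be swallowed silently: a bad line dropped every field after it and the
        // stored record had unexplained gaps. Log it with the record id so the gap is traceable.
        Log.Log(LogType.FILE, LogLevel.ERROR,
            "ParseSpecific, Error: RecordId(" + eventInstance.RecordId + ") " + ex.Message);
    }

    // NOTE(review): this overwrites whatever "Object Type" / "Operation Type" / "Group Name"
    // put into CustomStr9 above; kept as-is because downstream may expect the file name here.
    r.CustomStr9 = currentFile;
    lastFile = currentFile;

    // The task name becomes the category; the first keyword ("Audit Success" -> "Success") the type.
    r.EventCategory = r.EventType;
    if (eventInstance.KeywordsDisplayNames.Count > 0)
    {
        r.EventType = eventInstance.KeywordsDisplayNames[0];
    }
    if (!string.IsNullOrEmpty(r.EventType) && r.EventType.Contains(" "))
    {
        r.EventType = r.EventType.Split(' ')[1];
    }
    r.LogName = "NT-" + eventInstance.LogName;
    SetRecordData(r);
    return true;
}

/// <summary>Section of a Windows audit message body the line parser is currently inside.</summary>
private enum AuditSection
{
    None,
    Subject,
    Target,
    Object,
    Access,
    Process,
    Application,
    Network,
    Authentication,
    NewAccount
}

/// <summary>
/// Maps a section header (the text before the colon on a line with nothing after it) to the
/// parser section it opens. Headers not listed here reset the parser to <see cref="AuditSection.None"/>.
/// </summary>
private static AuditSection SectionForHeader(string header)
{
    switch (header)
    {
        case "Application Information":
            return AuditSection.Application;
        case "Network Information":
            return AuditSection.Network;
        case "Subject":
        case "New Logon":
        case "Account Whose Credentials Were Used":
        case "Credentials Which Were Replayed":
        case "Account That Was Locked Out":
        case "New Computer Account":
        case "Computer Account That Was Changed":
        case "Source Account":
            return AuditSection.Subject;
        case "Target":
        case "Target Account":
        case "Target Computer":
        case "Target Server":
            // NOTE(review): the original also put the Target headers into Subject mode, which
            // leaves the Target branch unreachable. It looks like a copy-paste slip, but downstream
            // correlation rules may rely on the resulting CustomStr1/CustomStr5 mapping — confirm
            // before switching this to AuditSection.Target.
            return AuditSection.Subject;
        case "Object":
            return AuditSection.Object;
        case "Process Information":
        case "Process":
            return AuditSection.Process;
        case "Access Request Information":
            return AuditSection.Access;
        case "Detailed Authentication Information":
            return AuditSection.Authentication;
        case "New Account":
            return AuditSection.NewAccount;
        default:
            return AuditSection.None;
    }
}

/// <summary>
/// Parses the value of a "Name: value" audit line as a number: "0x…" values as hex, anything
/// else as decimal; a value containing '-' (the "-" placeholder for "not applicable") gives 0.
/// Unlike the former inline copies this also gives 0 when the line has no value part instead
/// of throwing IndexOutOfRangeException and aborting the rest of the description.
/// </summary>
/// <exception cref="FormatException">the value is neither a placeholder nor a number.</exception>
/// <exception cref="OverflowException">the value does not fit in a long.</exception>
private long ParseNumericField(string[] lineArr)
{
    if (lineArr.Length < 2 || lineArr[1].Contains("-"))
    {
        return 0;
    }
    string raw = appendArrayElements(lineArr);
    if (lineArr[1].Contains("0x"))
    {
        // Drop the leading zeros and the 'x' of the "0x" prefix, then parse the hex digits.
        return long.Parse(raw.TrimStart('0').TrimStart('x'),
            System.Globalization.NumberStyles.HexNumber, System.Globalization.CultureInfo.InvariantCulture);
    }
    return long.Parse(raw, System.Globalization.CultureInfo.InvariantCulture);
}

/// <summary>
/// <see cref="ParseNumericField"/> for int-typed columns; a value outside the int range throws
/// OverflowException, as int.Parse did before.
/// </summary>
private int ParseNumericFieldInt(string[] lineArr)
{
    return checked((int)ParseNumericField(lineArr));
}

/// <summary>Parses a port-style value; any failure is recorded as 0 (deliberate best-effort, as before).</summary>
private int ParsePortField(string[] lineArr)
{
    try
    {
        return int.Parse(appendArrayElements(lineArr), System.Globalization.CultureInfo.InvariantCulture);
    }
    catch (Exception)
    {
        return 0;
    }
}

/// <summary>
/// Encodes an authentication package / pre-authentication type name as the CustomInt5 code:
/// 0 Negotiate, 1 NTLM, 2 Kerberos (also "KDS" when <paramref name="kdsIsKerberos"/>), 3 anything else.
/// </summary>
private static int AuthPackageCode(string package, bool kdsIsKerberos)
{
    if (package.Contains("Negotiate"))
    {
        return 0;
    }
    if (package.Contains("NTLM"))
    {
        return 1;
    }
    if (package.Contains("Kerberos") || (kdsIsKerberos && package.Contains("KDS")))
    {
        return 2;
    }
    return 3;
}

/// <summary>Clamps a string column to <paramref name="maxLength"/> characters; null passes through.</summary>
private static string Truncate(string value, int maxLength)
{
    return value != null && value.Length > maxLength ? value.Substring(0, maxLength) : value;
}

/// <summary>
/// "Account Name" seen where a second account may follow the first: the earlier value moves to
/// CustomStr2 and the new one takes CustomStr1.
/// </summary>
private void ApplyShiftingAccountName(Rec r, string[] lineArr)
{
    if (r.CustomStr1 != null)
    {
        r.CustomStr2 = r.CustomStr1;
    }
    r.CustomStr1 = appendArrayElements(lineArr);
}

/// <summary>Fields under "Subject" and the other actor-style headers that share its mapping.</summary>
private void ApplySubjectField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "User Name":
        case "Account Name":
        case "Client Name":
        case "Group Name":
            r.CustomStr1 = appendArrayElements(lineArr);
            break;
        case "Group Domain":
        case "Account Domain":
        case "Client Domain":
            r.CustomStr5 = appendArrayElements(lineArr);
            break;
        case "Logon ID":
        case "Client Context ID":
            r.CustomInt6 = ParseNumericField(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>Fields under the "Target*" headers (currently unreachable, see <see cref="SectionForHeader"/>).</summary>
private void ApplyTargetField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "User Name":
        case "Account Name":
        case "New Account Name":
        case "Group Name":
            r.CustomStr2 = appendArrayElements(lineArr);
            break;
        case "Old Account Name":
            r.CustomStr1 = appendArrayElements(lineArr);
            break;
        case "Account Domain":
        case "Group Domain":
            r.CustomStr7 = appendArrayElements(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>Fields under "Object:".</summary>
private void ApplyObjectField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "Object Name":
            r.CustomStr8 = appendArrayElements(lineArr);
            break;
        case "Object Type":
        case "Operation Type":
            r.CustomStr9 = appendArrayElements(lineArr);
            break;
        case "Handle ID":
            r.CustomInt7 = ParseNumericField(lineArr);
            break;
        case "Primary User Name":
            if (r.CustomStr1 == null)
            {
                r.CustomStr1 = appendArrayElements(lineArr);
            }
            break;
        case "Client User Name":
            if (r.CustomStr2 == null)
            {
                r.CustomStr2 = appendArrayElements(lineArr);
            }
            break;
        default:
            break;
    }
}

/// <summary>
/// Fields under "Access Request Information:". The access list goes into CustomStr7 (capped at
/// 900 characters); the mask is appended only once an "Accesses" line has been captured.
/// </summary>
private void ApplyAccessField(Rec r, string key, string[] lineArr, ref bool accessesSeen)
{
    switch (key)
    {
        case "Accesses":
            if (r.CustomStr7 == null)
            {
                r.CustomStr7 = Truncate(appendArrayElements(lineArr), 900);
                accessesSeen = true;
            }
            break;
        case "Access Mask":
            if (accessesSeen)
            {
                r.CustomStr7 = Truncate(r.CustomStr7 + " " + appendArrayElements(lineArr), 900);
            }
            break;
        case "Operation Name":
            r.CustomStr6 = appendArrayElements(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>Fields under "Process Information:" / "Process:".</summary>
private void ApplyProcessField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "Duration":
            r.CustomInt2 = ParseNumericFieldInt(lineArr);
            break;
        case "Process ID":
        case "PID":
            r.CustomInt8 = ParseNumericField(lineArr);
            break;
        case "Process Name":
        case "Image File Name":
        case "Name":
        case "Logon Process Name":
            r.CustomStr6 = appendArrayElements(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>Fields under "Application Information:".</summary>
private void ApplyApplicationField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "Logon Process Name":
        case "Process Name":
        case "Application Name":
        case "Image File Name":
            r.CustomStr6 = appendArrayElements(lineArr);
            break;
        case "Duration":
            r.CustomInt2 = ParseNumericFieldInt(lineArr);
            break;
        case "Process ID":
        case "Application Instance ID":
            r.CustomInt8 = ParseNumericField(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>Fields under "Network Information:".</summary>
private void ApplyNetworkField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "Client Address":
            // Kept as before: the last colon-separated token, untrimmed.
            // NOTE(review): an IPv6 address contains ':' and is fragmented by the split, so only
            // its last group survives here — confirm whether that is acceptable downstream.
            r.CustomStr3 = lineArr[lineArr.Length - 1];
            break;
        case "Source Network Address":
        case "Network Address":
        case "Source Address":
            r.CustomStr3 = appendArrayElements(lineArr);
            break;
        case "Source Port":
        case "Port":
            r.CustomInt4 = ParsePortField(lineArr);
            break;
        case "Workstation Name":
            r.CustomStr4 = appendArrayElements(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>Fields under "Detailed Authentication Information:".</summary>
private void ApplyAuthenticationField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "Authentication Package":
        case "Pre-Authentication Type":
            r.CustomInt5 = AuthPackageCode(appendArrayElements(lineArr), false);
            break;
        case "Logon Process":
            r.CustomStr6 = appendArrayElements(lineArr);
            break;
        case "Logon Account":
            r.CustomStr1 = appendArrayElements(lineArr);
            break;
        default:
            break;
    }
}

/// <summary>
/// Fields that appear outside any recognised section (older 2003-style messages and the
/// Turkish-localised labels).
/// </summary>
private void ApplyUnsectionedField(Rec r, string key, string[] lineArr)
{
    switch (key)
    {
        case "Logon Type":
            r.CustomInt3 = ParseNumericFieldInt(lineArr);
            break;
        case "Error Code":
        case "Status Code":
        case "Failure Code":
            r.CustomInt1 = ParseNumericFieldInt(lineArr);
            break;
        case "Caller Workstation":
        case "Workstation Name":
        case "Source Workstation":
        case "İş İstasyonu Adı":
        case "Kaynak İş İstasyonu":
            r.CustomStr4 = appendArrayElements(lineArr);
            break;
        case "User Name":
        case "Client Name":
        case "Logon Account":
        case "Kullanıcı Adı":
        case "Oturum Hesabı":
        case "Oturum Açma Kimliği":
            r.CustomStr1 = appendArrayElements(lineArr);
            break;
        case "Account Name":
            ApplyShiftingAccountName(r, lineArr);
            break;
        case "Hesap Adı":
            // Turkish "Account Name": the first occurrence is the subject, the second the target.
            if (string.IsNullOrEmpty(r.CustomStr1))
            {
                r.CustomStr1 = appendArrayElements(lineArr);
            }
            else
            {
                r.CustomStr2 = appendArrayElements(lineArr);
            }
            break;
        case "Caller User Name":
        case "Target User Name":
            r.CustomStr2 = appendArrayElements(lineArr);
            break;
        case "Domain":
        case "Account Domain":
        case "Client Domain":
        case "Group Domain":
        case "Etki Alanı":
        case "Hesap Etki Alanı":
            r.CustomStr5 = appendArrayElements(lineArr);
            break;
        case "Group Name":
        case "Object Type":
        case "Operation Type":
            r.CustomStr9 = appendArrayElements(lineArr);
            break;
        case "Caller Domain":
        case "Target Domain":
            r.CustomStr7 = appendArrayElements(lineArr);
            break;
        case "Source Network Address":
        case "Kaynak Ağ Adresi":
            r.CustomStr3 = appendArrayElements(lineArr);
            break;
        case "Client Address":
            // Last colon-separated token, untrimmed (see the same case under Network Information).
            r.CustomStr3 = lineArr[lineArr.Length - 1];
            break;
        case "Source Port":
        case "Kaynak Bağlantı Noktası":
            r.CustomInt4 = ParsePortField(lineArr);
            break;
        case "Authentication Package":
        case "Paket Adı (yalnızca NTLM)":
            r.CustomInt5 = AuthPackageCode(appendArrayElements(lineArr), true);
            break;
        case "Pre-Authentication Type":
        case "Kimlik Doğrulama Paketi":
            r.CustomInt5 = AuthPackageCode(appendArrayElements(lineArr), false);
            break;
        case "Caller Process ID":
        case "PID":
        case "İşlem Kimliği":
            r.CustomInt8 = ParseNumericField(lineArr);
            break;
        case "Logon Process Name":
        case "Logon Process":
        case "Process Name":
        case "Image File Name":
        case "Oturum Açma işlemi":
        case "Güvenlik Kimliği":
        case "İşlem Adı":
            r.CustomStr6 = appendArrayElements(lineArr);
            break;
        case "Duration":
            r.CustomInt2 = ParseNumericFieldInt(lineArr);
            break;
        case "Object Name":
        case "Share Name":
            r.CustomStr8 = appendArrayElements(lineArr);
            break;
        case "Handle ID":
            r.CustomInt7 = ParseNumericField(lineArr);
            break;
        case "Primary User Name":
            if (r.CustomStr1 == null)
            {
                r.CustomStr1 = appendArrayElements(lineArr);
            }
            break;
        case "Client User Name":
            if (r.CustomStr2 == null)
            {
                r.CustomStr2 = appendArrayElements(lineArr);
            }
            break;
        case "Oturum Açma Türü":
        case "Oturum Türü":
            {
                // NOTE(review): the Turkish logon type lands in CustomInt5 (the auth-package code),
                // not in CustomInt3 where the English "Logon Type" goes — looks unintended, kept as-is.
                string logonType = appendArrayElements(lineArr);
                r.CustomInt5 = string.IsNullOrEmpty(logonType)
                    ? -1
                    : int.Parse(logonType, System.Globalization.CultureInfo.InvariantCulture);
            }
            break;
        default:
            break;
    }
}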
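/// <summary>
/// Reads event records from an EVTX file or a live channel through the Windows Event Log API
/// (EvtQuery/EvtNext), optionally over a remote RPC session, renders each record's system
/// properties and message strings into an <c>EventRecordWrapper</c>, hands it to
/// <c>ParseSpecific</c>, and persists the last record number through the service registry.
/// </summary>
/// <param name="fileName">The file path or channel name to query; a backslash in <c>location</c>
/// selects file-path mode, otherwise channel mode.</param>
/// <returns><c>true</c> when the query ran to completion; <c>false</c> when the remote session,
/// the query or the render context could not be created, or an
/// <c>EventLogNotFoundException</c> was raised.</returns>
/// <exception cref="Exception">Thrown when another thread still holds <c>callable</c> at entry.</exception>
protected bool ReadLocal(string fileName)
{
    L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Started.");
    // Re-entrancy guard: a second caller waits for the running read to finish, then fails
    // loudly instead of reading the same source twice.
    if (!callable.WaitOne(0))
    {
        L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE");
        callable.WaitOne();
        try
        {
            throw new Exception("Parse already been processed by another thread while this call has made");
        }
        finally
        {
            callable.ReleaseMutex();
        }
    }
    try
    {
        L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Started with lastfile: " + lastFile);
        var eventLogLocation = fileName;
        // Resume after the last persisted record; a null query selects every record.
        var query = last_recordnum > 0 ? "*[System/EventRecordID > " + last_recordnum + "]" : null;
        var handle = IntPtr.Zero;
        var events = new[] { IntPtr.Zero };
        var hRenderContext = IntPtr.Zero;
        var hRenderContextUser = IntPtr.Zero;
        var pRenderedValues = IntPtr.Zero;
        var metaDict = new Dictionary<string, IntPtr>();
        var dwBufferUsed = 0;
        var dwPropertyCount = 0;
        var dwBufferSize = 0;
        var status = UnsafeNativeMethods.ERROR_SUCCESS;
        var session = IntPtr.Zero;
        try
        {
            // Remote credentials are encoded in "user" as "domain\server\user"; any other shape means local.
            var info = user == null ? null : user.Split('\\');
            if (info != null && info.Length == 3)
            {
                string domain = string.IsNullOrEmpty(info[0]) ? null : info[0];
                ip = string.IsNullOrEmpty(info[1]) ? null : info[1];
                string userName = string.IsNullOrEmpty(info[2]) ? null : info[2];
                L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Remote Logger: " + user);
                var login = new UnsafeNativeMethods.EvtRpcLogin()
                {
                    Domain = domain,
                    User = userName,
                    Password = CoTaskMemUnicodeSafeHandle.Zero,
                    Server = ip
                };
                // The SecureString is only a staging copy; the unmanaged buffer handed to
                // login.Password is what the RPC login reads.
                // NOTE(review): the lifetime of that buffer is defined by CoTaskMemUnicodeSafeHandle,
                // which is not visible here -- confirm it is zeroed and freed after EvtOpenSession.
                using (var secureString = new SecureString())
                {
                    if (!string.IsNullOrEmpty(password))
                    {
                        foreach (var ch in password)
                        {
                            secureString.AppendChar(ch);
                        }
                    }
                    login.Password.SetMemory(Marshal.SecureStringToCoTaskMemUnicode(secureString));
                }
                session = UnsafeNativeMethods.EvtOpenSession(UnsafeNativeMethods.EvtLoginClass.EvtRpcLogin, ref login, 0, 0);
                var sessionError = Marshal.GetLastWin32Error();
                if (session == IntPtr.Zero)
                {
                    // A null session would otherwise make EvtQuery silently read the local machine
                    // instead of the configured remote host.
                    L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Opening Remote Session: " + sessionError);
                    return false;
                }
                L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath: " + UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath);
            }
            int flags;
            if (location.Contains("\\"))
            {
                flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
                L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal --EvtQueryFilePath");
            }
            else
            {
                flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath;
                L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal --EvtQueryChannelPath");
            }
            L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- " + session + " - " + eventLogLocation + " - " + query + " - " + flags);
            handle = UnsafeNativeMethods.EvtQuery(session, eventLogLocation, query, flags);
            // Capture the Win32 error right away; any later call (including logging) may overwrite it.
            var code = Marshal.GetLastWin32Error();
            if (handle == IntPtr.Zero)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Opening Event File: " + code);
                return false;
            }
            hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextSystem);
            var renderContextError = Marshal.GetLastWin32Error();
            // The user-data context is only consulted when userData is set; it is still closed in the finally below.
            hRenderContextUser = UnsafeNativeMethods.EvtCreateRenderContext(0, null, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextUser);
            if (hRenderContext == IntPtr.Zero)
            {
                L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Creating Render Context Failed: " + renderContextError + ")");
                return false;
            }
            var buffer = new StringBuilder();
            var returned = 0;
            var rec = new EventRecordWrapper();
            isFileFinished = false;
            lastLine = "-";
            try
            {
                while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned))
                {
                    try
                    {
                        rec.Reset();
                        if (userData)
                        {
                            // Prefer the event's own user-data values as the description; every
                            // non-empty string value becomes one line.
                            if (GetRenderValues(hRenderContextUser, events[0], UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues, ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed, ref dwPropertyCount, ref status))
                            {
                                buffer.Length = 0;
                                for (var i = 0; i < dwPropertyCount; i++)
                                {
                                    var v = Marshal.PtrToStringAuto(ReadVariantAt(pRenderedValues, i).StringVal);
                                    if (v != null && (v = v.Trim()).Length > 0)
                                    {
                                        buffer.AppendLine(v);
                                    }
                                }
                                rec.Description = buffer.ToString();
                            }
                            buffer.Length = 0;
                        }
                        if (!GetRenderValues(hRenderContext, events[0], UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues, ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed, ref dwPropertyCount, ref status))
                        {
                            L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Getting Render Event Values Failed: " + status + ")");
                            continue;
                        }
                        // The first rendered system value is the publisher identifier handed to EvtOpenPublisherMetadata.
                        var meta = Marshal.PtrToStringAuto(ReadVariantAt(pRenderedValues, 0).StringVal);
                        if (meta == null)
                        {
                            L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Event has no meta data. Skipping");
                            continue;
                        }
                        rec.EventId = ReadVariantAt(pRenderedValues, (int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID).UShort;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "EventId: " + rec.EventId);
                        // Publisher metadata handles are cached per publisher for the life of this read
                        // and released together in the outer finally. A failed open leaves metaPtr at
                        // Zero, in which case the message lookups below fail and yield empty strings.
                        IntPtr metaPtr;
                        if (!metaDict.TryGetValue(meta, out metaPtr))
                        {
                            metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(session, meta, flags == (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath ? eventLogLocation : null, LangId, 0);
                            if (metaPtr != IntPtr.Zero)
                            {
                                metaDict[meta] = metaPtr;
                            }
                        }
                        if (!userData || string.IsNullOrEmpty(rec.Description))
                        {
                            rec.Description = string.Empty;
                            if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent, ref buffer, out dwBufferUsed, ref status))
                            {
                                buffer.Length = 0;
                                L.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status);
                            }
                            rec.Description = buffer.ToString();
                        }
                        if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageTask, ref buffer, out dwBufferUsed, ref status))
                        {
                            buffer.Length = 0;
                        }
                        rec.TaskDisplayName = buffer.ToString();
                        if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageLevel, ref buffer, out dwBufferUsed, ref status))
                        {
                            buffer.Length = 0;
                        }
                        rec.LevelDisplayName = buffer.ToString();
                        rec.MachineName = Marshal.PtrToStringAuto(ReadVariantAt(pRenderedValues, (int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer).StringVal);
                        ulong timeCreated = ReadVariantAt(pRenderedValues, (int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated).FileTime;
                        rec.TimeCreated = DateTime.FromFileTime((long)timeCreated);
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- TimeCreated: " + rec.TimeCreated);
                        rec.LogName = Marshal.PtrToStringAuto(ReadVariantAt(pRenderedValues, (int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel).StringVal);
                        rec.RecordId = ReadVariantAt(pRenderedValues, (int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId).ULong;
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords");
                        if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageKeyword, ref buffer, out dwBufferUsed, ref status))
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords FAILED:" + status);
                            buffer.Length = 0;
                        }
                        else
                        {
                            L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords SUCCESS:[" + buffer + "]");
                        }
                        // The keyword list comes back as NUL-separated names; an empty segment ends the list.
                        rec.KeywordsDisplayNames.Clear();
                        int s = 0, e = 0;
                        while (true)
                        {
                            while (e < buffer.Length && buffer[e] != '\0')
                            {
                                ++e;
                            }
                            if (e == s)
                            {
                                break;
                            }
                            rec.KeywordsDisplayNames.Add(buffer.ToString(s, e - s));
                            if (e == buffer.Length)
                            {
                                break;
                            }
                            s = ++e;
                        }
                        // DEBUG only: this writes the full rendered event text to the log file.
                        L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Description: " + rec.Description);
                        ParseSpecific(rec, eventLogLocation);
                        last_recordnum = (long)rec.RecordId;
                    }
                    finally
                    {
                        UnsafeNativeMethods.EvtClose(events[0]);
                        events[0] = IntPtr.Zero;
                    }
                }
            }
            finally
            {
                // Persist progress even when the loop aborts, so the next run resumes after the last parsed record.
                try
                {
                    var customServiceBase = GetInstanceService("Security Manager Remote Recorder");
                    L.Log(LogType.FILE, LogLevel.DEBUG, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Setting Registry.");
                    customServiceBase.SetReg(Id, last_recordnum.ToString(CultureInfo.InvariantCulture), "-", lastFile, "", LastRecordDate);
                    L.Log(LogType.FILE, LogLevel.DEBUG, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Registry Set.");
                }
                catch (Exception exception)
                {
                    L.Log(LogType.FILE, LogLevel.ERROR, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Setting Registry Error." + exception.Message);
                }
            }
            isFileFinished = true;
            return true;
        }
        finally
        {
            // Release every native handle opened above, including the user-data render
            // context and the remote session, which were previously leaked.
            CleanupEvtHandle(handle);
            CleanupEvtHandle(events[0]);
            CleanupEvtHandle(hRenderContext);
            CleanupEvtHandle(hRenderContextUser);
            CleanupEvtHandle(metaDict);
            CleanupEvtHandle(session);
        }
    }
    catch (EventLogNotFoundException ex)
    {
        L.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + ex.Message);
    }
    finally
    {
        callable.ReleaseMutex();
    }
    return false;
}

/// <summary>
/// Reads the <paramref name="index"/>-th <c>EvtVariant</c> from a rendered-values buffer.
/// </summary>
/// <param name="pRenderedValues">Base address of the array returned by <c>GetRenderValues</c>.</param>
/// <param name="index">Zero-based element index (a property id or loop counter).</param>
/// <returns>The marshalled variant at that position.</returns>
/// <remarks>
/// The offset is computed in 64-bit arithmetic; the previous <c>(Int32)pRenderedValues</c> cast
/// truncates (and can throw an <see cref="OverflowException"/>) on 64-bit processes.
/// </remarks>
private static UnsafeNativeMethods.EvtVariant ReadVariantAt(IntPtr pRenderedValues, int index)
{
    var offset = (long)index * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant));
    var address = new IntPtr(pRenderedValues.ToInt64() + offset);
    return (UnsafeNativeMethods.EvtVariant)Marshal.PtrToStructure(address, typeof(UnsafeNativeMethods.EvtVariant));
}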