/// <summary>
/// Parse a provider input definition
/// This function can retrieve provider from Name definition or Guid definition
///
/// A name definition is associated with a manifest based provider and function will
/// check if the provider is recorded on current workstation
///
/// If name is not found we will try to parse Guid definition.
/// A Guid definition must follow :
/// TYPE{GUID}
/// When
/// TYPE: Manifest | TL | WPP
/// GUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
///
/// </summary>
/// <param name="name">provider input definition</param>
/// <param name="provider">ProviderGuid</param>
/// <returns>true if parsed succesfully</returns>
public static bool TryParse(string name, out ProviderGuid provider)
{
try
{
provider = Parse(name);
return(true);
}
catch (Exception)
{
provider = null;
return(false);
}
}
/// <summary>
/// Try to build a forwarder
/// Handle all subexception
/// </summary>
/// <param name="providerGuid">provider input definition</param>
/// <param name="forwarder">result as provider</param>
/// <returns>true if built successfully</returns>
public static bool TryBuild(ProviderGuid providerGuid, out Forwarder forwarder)
{
try
{
var result = Build(providerGuid);
forwarder = result;
return(true);
}
catch (System.ApplicationException)
{
forwarder = null;
return(false);
}
}
/// <summary>
/// Build a correct forwarder with the matched Parser
/// Follow the factory model
/// </summary>
/// <param name="provider">ProviderGuid input provider</param>
/// <returns></returns>
public static Forwarder Build(ProviderGuid provider)
{
switch (provider.Type)
{
case ProviderGuid.ProviderType.Manifest:
var xml = RegisteredTraceEventParser.GetManifestForRegisteredProvider(provider.Guid);
XmlSerializer serializer = new XmlSerializer(typeof(Manifest.Manifest));
using (TextReader reader = new StringReader(xml))
{
var manifest = (Manifest.Manifest)serializer.Deserialize(reader);
return(new Forwarder(new ManifestParser(manifest)));
}
case ProviderGuid.ProviderType.TL:
return(new Forwarder(new TraceLoggingParser()));
case ProviderGuid.ProviderType.WPP:
return(new Forwarder(new NullParser()));
}
throw new NotImplementedException();
}
/// <summary>
/// This function build an ETW usertrace from
/// a configuration INI file and a selected IETWWriter
/// </summary>
/// <param name="config">configuration that come from an ini file</param>
/// <param name="writer">how to writer etw</param>
/// <returns></returns>
public static UserTrace BuildFromConfig(IniData config, IETWWriter writer)
{
var providers = new Dictionary <Guid, Provider>();
foreach (var providerConfig in config.Sections)
{
// try to parse filtering provider
var providerDeclaration = providerConfig.SectionName.Split(new string[] { "://" }, StringSplitOptions.RemoveEmptyEntries);
if (providerDeclaration.Length > 2)
{
continue;
}
string providerName = providerDeclaration[0];
// Try to parse provider name
ProviderGuid providerGuid = null;
if (!ProviderGuid.TryParse(providerName, out providerGuid))
{
continue;
}
Forwarder forwarder = null;
if (!Forwarder.TryBuild(providerGuid, out forwarder))
{
continue;
}
UInt16?eventId = null;
if (providerDeclaration.Length == 2)
{
UInt16 tmp = 0;
if (!UInt16.TryParse(providerDeclaration[1], out tmp))
{
continue;
}
eventId = tmp;
}
if (!providers.ContainsKey(providerGuid.Guid))
{
providers.Add(providerGuid.Guid, new Provider(providerGuid.Guid));
}
var provider = providers[providerGuid.Guid];
var predicate = Filter.AnyEvent();
if (eventId != null)
{
predicate = Filter.EventIdIs(eventId.Value);
}
var filter = new EventFilter(predicate);
foreach (var keyValue in providerConfig.Keys)
{
forwarder.AddFilter(keyValue.KeyName, keyValue.Value);
}
filter.OnEvent += (IEventRecord record) =>
{
try
{
forwarder.Forward(record, writer).Wait();
}
catch (System.AggregateException) { } // Some event ae not documented even for Microsoft
};
provider.AddFilter(filter);
}
if (providers.Count == 0)
{
throw new Exception("Unable to create a trace without provider");
}
UserTrace trace = new UserTrace(String.Format("Splunk-ETW-{0}", Guid.NewGuid().ToString()));
foreach (var provider in providers.Values)
{
trace.Enable(provider);
}
return(trace);
}