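/// <summary>
/// Populates the common Windows-event properties of this instance from a dynamic record
/// (any value convertible to <c>IDictionary&lt;string, object&gt;</c>) and stamps the
/// collector lineage with <paramref name="serviceName"/>.
/// </summary>
/// <param name="record">Parsed event record keyed by System-section property name.</param>
/// <param name="serviceName">Name of the collecting service, stored under <c>ServiceName</c> in <c>LogFileLineage</c>.</param>
/// <exception cref="FormatException">
/// Propagated from <see cref="Convert"/> when a numeric or date property is present but not parseable.
/// </exception>
private void SetCommonAttributes(dynamic record, string serviceName)
{
    IDictionary<string, object> dictionaryRecord = record;

    // Event ids and timestamps are machine-generated, so parse them culture-invariantly
    // instead of with whatever culture the collector process happens to run under.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;

    Provider = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Provider");
    EventId = Convert.ToInt32(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventId"), invariant);
    TimeCreated = Convert.ToDateTime(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "TimeCreated"), invariant);
    Computer = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Computer");
    EventRecordId = Convert.ToInt64(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventRecordId"), invariant);

    // Not every event carries EventData. Guard the lookup (as the single-argument overload does)
    // so a missing key does not throw half-way through populating the record.
    // NOTE(review): this overload keeps the raw value while the other overload serializes it to
    // JSON — confirm the two are meant to differ.
    object eventData;
    if (dictionaryRecord.TryGetValue("EventData", out eventData))
    {
        EventData = eventData;
    }

    // Newly added properties
    Version = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Version");
    Level = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Level");
    Task = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Task");
    Opcode = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Opcode");
    Security = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Security");
    Channel = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Channel");

    // Variant System properties (not on all Windows Events): only set when present, and
    // convert the value already fetched rather than looking it up a second time.
    string processId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ProcessID");
    if (!string.IsNullOrEmpty(processId))
    {
        ProcessId = Convert.ToInt32(processId, invariant);
    }

    string threadId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ThreadID");
    if (!string.IsNullOrEmpty(threadId))
    {
        ThreadId = Convert.ToInt32(threadId, invariant);
    }

    // Lineage: where and when this collector picked the event up. One timestamp is taken so the
    // wall-clock and unix-time entries describe the same instant.
    var collectorTimestamp = DateTime.UtcNow;
    LogFileLineage = new Dictionary<string, object>
    {
        ["UploadMachine"] = Environment.MachineName,
        ["CollectorTimeStamp"] = collectorTimestamp,
        ["CollectorUnixTimeStamp"] = collectorTimestamp.GetUnixTime(),
        ["ServiceName"] = serviceName,
    };
}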
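/// <summary>
/// Populates the common Windows-event properties of this instance from a dynamic record
/// (any value convertible to <c>IDictionary&lt;string, object&gt;</c>). <c>EventData</c>, when
/// present, is stored as indented JSON; <c>Correlation</c> is only set when it parses as a GUID.
/// </summary>
/// <param name="record">Parsed event record keyed by System-section property name.</param>
/// <exception cref="FormatException">
/// Propagated from <see cref="Convert"/> when a numeric or date property is present but not parseable.
/// </exception>
private void SetCommonAttributes(dynamic record)
{
    IDictionary<string, object> dictionaryRecord = record;

    // Event ids and timestamps are machine-generated, so parse them culture-invariantly
    // instead of with whatever culture the collector process happens to run under.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;

    Provider = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Provider");
    EventId = Convert.ToInt32(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventId"), invariant);
    TimeCreated = Convert.ToDateTime(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "TimeCreated"), invariant);
    Computer = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Computer");
    EventRecordId = Convert.ToInt64(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "EventRecordId"), invariant);

    // Not every event carries EventData; a single TryGetValue replaces ContainsKey + indexer.
    object eventData;
    if (dictionaryRecord.TryGetValue("EventData", out eventData))
    {
        EventData = JsonConvert.SerializeObject(eventData, Formatting.Indented);
    }

    // Newly added properties
    Version = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Version");
    Level = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Level");
    Task = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Task");
    Opcode = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Opcode");
    Security = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Security");
    Channel = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Channel");
    Keywords = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Keywords");

    // Correlation is optional and free-form in the source; keep the property untouched
    // unless the value is a well-formed GUID.
    Guid correlation;
    if (Guid.TryParse(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Correlation"), out correlation))
    {
        Correlation = correlation;
    }

    // Variant System properties (not on all Windows Events): only set when present, and
    // convert the value already fetched rather than looking it up a second time.
    string processId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ProcessID");
    if (!string.IsNullOrEmpty(processId))
    {
        ProcessId = Convert.ToInt32(processId, invariant);
    }

    string threadId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ThreadID");
    if (!string.IsNullOrEmpty(threadId))
    {
        ThreadId = Convert.ToInt32(threadId, invariant);
    }
}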
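/// <summary>
/// Converts a raw Windows event XML document into a <see cref="LogRecordSentinel"/>.
/// Explicit <paramref name="level"/>, <paramref name="task"/>, <paramref name="processId"/> and
/// <paramref name="threadId"/> arguments override the corresponding values from the event's
/// System section; leave them at their defaults to take the values from the event.
/// </summary>
/// <param name="eventXml">The event XML. Null or whitespace input yields a null result (see remarks).</param>
/// <param name="serviceName">Name of the collecting service, stored under <c>ServiceName</c> in <c>LogFileLineage</c>.</param>
/// <param name="level">Overrides System/Level when non-empty.</param>
/// <param name="task">Overrides System/Task when non-empty.</param>
/// <param name="opCode">Stored as <c>Opcode</c> verbatim; the System section is not consulted.</param>
/// <param name="processId">Overrides the process id from System/Execution when non-zero.</param>
/// <param name="threadId">Overrides the thread id from System/Execution when non-zero.</param>
/// <returns>The populated record, or null when the XML cannot be parsed or converted.</returns>
/// <remarks>
/// This method never throws: every failure, including the argument check, is written to
/// <see cref="Trace.TraceError(string)"/> and reported as a null return, so callers must
/// null-check the result.
/// </remarks>
public LogRecordSentinel ToLogRecordCdoc(
    string eventXml,
    string serviceName,
    string level = "",
    string task = "",
    string opCode = "",
    int processId = 0,
    int threadId = 0)
{
    try
    {
        if (string.IsNullOrWhiteSpace(eventXml))
        {
            // Deliberately inside the try: the catch below turns this into the same
            // trace-and-null result that every other failure of this method produces.
            throw new ArgumentNullException(nameof(eventXml));
        }

        // Event ids and timestamps are machine-generated, so parse them culture-invariantly.
        var invariant = System.Globalization.CultureInfo.InvariantCulture;

        // Repair known-bad XML first. XElement.Parse prohibits DTD processing by default, so a
        // DOCTYPE with external entities in a hostile event payload is rejected, not resolved.
        var sanitizedXmlString = XmlVerification.VerifyAndRepairXml(eventXml);
        var xe = XElement.Parse(sanitizedXmlString);

        var eventData = xe.Element(ElementNames.EventData);
        var userData = xe.Element(ElementNames.UserData);
        var systemPropertiesDictionary = CommonXmlFunctions.ConvertSystemPropertiesToDictionary(xe);

        // Event payload: UserData is read first and EventData, when present, replaces it rather
        // than merging with it. NOTE(review): an event carrying both loses its UserData here —
        // confirm that is intended before changing it.
        var namedProperties = new Dictionary<string, string>();
        if (userData != null)
        {
            namedProperties = CommonXmlFunctions.ParseUserData(userData)
                .ToDictionary(x => x.Key, x => x.Value.ToString());
        }
        if (eventData != null)
        {
            namedProperties = CommonXmlFunctions.ParseEventData(eventData)
                .ToDictionary(x => x.Key, x => x.Value.ToString());
        }
        var json = JsonConvert.SerializeObject(namedProperties, Formatting.Indented);

        // Lineage: where and when this collector picked the event up. One timestamp is taken so
        // the wall-clock and unix-time entries describe the same instant.
        var collectorTimestamp = DateTime.UtcNow;
        var logFileLineage = new Dictionary<string, object>
        {
            ["UploadMachine"] = Environment.MachineName,
            ["CollectorTimeStamp"] = collectorTimestamp,
            ["CollectorUnixTimeStamp"] = collectorTimestamp.GetUnixTime(),
            ["ServiceName"] = serviceName,
        };

        // System/Execution arrives as "<processId>:<threadId>". A missing or short value falls
        // back to 0 for whichever part is absent instead of indexing past the split array.
        var executionProcessThread = new string[0];
        if (systemPropertiesDictionary.ContainsKey("Execution"))
        {
            executionProcessThread = systemPropertiesDictionary["Execution"].ToString()
                .Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries);
        }
        int executionProcessId = executionProcessThread.Length > 0
            ? Convert.ToInt32(executionProcessThread[0], invariant)
            : 0;
        int executionThreadId = executionProcessThread.Length > 1
            ? Convert.ToInt32(executionProcessThread[1], invariant)
            : 0;

        return new LogRecordSentinel()
        {
            EventRecordId = Convert.ToInt64(systemPropertiesDictionary["EventRecordID"], invariant),
            TimeCreated = Convert.ToDateTime(systemPropertiesDictionary["TimeCreated"], invariant),
            Computer = systemPropertiesDictionary["Computer"].ToString(),
            // Explicit arguments win; defaults fall back to the event. Each id is tested on its
            // own — deciding ThreadId by processId dropped a caller-supplied threadId.
            ProcessId = processId == 0 ? executionProcessId : processId,
            ThreadId = threadId == 0 ? executionThreadId : threadId,
            Provider = systemPropertiesDictionary["Provider"].ToString(),
            EventId = Convert.ToInt32(systemPropertiesDictionary["EventID"], invariant),
            // Same override rule for the string arguments: an empty argument means "use the event".
            Level = string.IsNullOrEmpty(level) ? systemPropertiesDictionary["Level"].ToString() : level,
            Version = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Version"),
            Channel = systemPropertiesDictionary["Channel"].ToString(),
            Security = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Security"),
            Task = string.IsNullOrEmpty(task) ? systemPropertiesDictionary["Task"].ToString() : task,
            // NOTE(review): opCode is stored as given and never read from the System section;
            // confirm whether a fallback to the event's own Opcode is wanted.
            Opcode = opCode,
            EventData = json,
            LogFileLineage = logFileLineage
        };
    }
    catch (Exception ex)
    {
        // Best-effort conversion: one malformed event must not take down the collector, so
        // trace the full exception (parse errors included) and let the caller skip this record.
        Trace.TraceError($"WinLog.EventRecordConversion.{nameof(ToLogRecordCdoc)}() threw an exception: {ex}");
        return null;
    }
}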