예제 #1
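        /// <summary>
        /// Event Handler for the watcher.
        /// Double checks the Event ID (4656) and whether the access is related to
        /// the passwords.txt honeypot file we have set up; if so, writes to the log
        /// and sends a notification mail.
        /// </summary>
        /// <param name="sender">The watcher that raised the event (unused).</param>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null when the watcher
        /// reports a read error instead of a record.</param>
        private void logWatcher_EventRecordWritten(object sender,
                                                   EventRecordWrittenEventArgs e)
        {
            // A read error delivers no record; dereferencing it here would throw on
            // the watcher's callback thread, outside the try block below.
            EventRecord record = e == null ? null : e.EventRecord;
            if (record == null || record.Id != 4656)
            {
                return;
            }

            // FormatDescription() can return null when the provider's message
            // resources are unavailable; render it once and reuse it (the old code
            // rendered the same record three times).
            string description = record.FormatDescription();
            if (description == null || !description.Contains("passwords.txt"))
            {
                return;
            }

            try
            {
                log.WriteLine("Honeypot file accessed");
                log.WriteLine(description);
                log.WriteLine("****************************************");

                //Send Mail
                string email =
                    ((NetworkCredential)this.smtpClient.Credentials).UserName;
                // MailMessage is IDisposable (attachments / alternate views); release it.
                using (MailMessage mail = new MailMessage(email, email))
                {
                    mail.Subject =
                        "[Sentinel Notification] Honeypot file accessed.";
                    mail.Body       = description;
                    mail.Priority   = MailPriority.High;
                    mail.IsBodyHtml = false;
                    smtpClient.Send(mail);
                }
            }
            catch (Exception ex)
            {
                log.WriteLine(
                    "Unexpected Error OnEventWritten: " + ex.ToString());
            }
        }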
예제 #2
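 /// <summary>
 /// Watcher callback: scans the event's properties for a restart or power-off
 /// marker and sets <c>RestartDetected</c> / <c>PowerOffDetected</c> accordingly.
 /// Both flags are reset at the start of every call.
 /// </summary>
 /// <param name="obj">The watcher that raised the event (unused).</param>
 /// <param name="arg">Event data; <c>arg.EventRecord</c> is null when the watcher
 /// reports a read error instead of a record.</param>
 public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
 {
     RestartDetected  = false;
     PowerOffDetected = false;
     try
     {
         Logger.Debug("Logging event: " + arg);
         // Make sure there was no error reading the event.
         if (arg.EventRecord == null)
         {
             // EventException carries the read error, if any.
             Logger.Debug("Event read error: " + arg.EventException);
             return;
         }

         foreach (EventProperty x in ((EventLogRecord)arg.EventRecord).Properties)
         {
             // A property value may be null; the old ToString() call threw and
             // silently aborted the whole scan.
             var strValue = x.Value == null ? null : x.Value.ToString();
             Logger.Debug("Event value: " + strValue);
             if (strValue == null)
             {
                 continue;
             }
             if (RestartNames.Any(n => n.Equals(strValue, StringComparison.OrdinalIgnoreCase)))
             {
                 RestartDetected = true;
                 break;
             }
             if (PowerOffNames.Any(n => n.Equals(strValue, StringComparison.OrdinalIgnoreCase)))
             {
                 PowerOffDetected = true;
                 break;
             }
         }
     }
     catch (Exception ex)
     {
         // Never let an exception escape the watcher's callback thread, but record
         // it instead of dropping it on the floor.
         Logger.Debug("Error while reading event: " + ex);
     }
 }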
예제 #3
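 /// <summary>
 /// Watcher callback: looks for an IPv4 address in any property of the new event
 /// and raises <c>OnAttackDetected</c> with it. Any exception is written to the
 /// application event log so the watcher's callback thread never faults.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
 private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try {
         if (e == null || e.EventRecord == null)
         {
             return;
         }
         foreach (System.Diagnostics.Eventing.Reader.EventProperty prop in e.EventRecord.Properties)
         {
             // Property values may be null; skip rather than dereference them.
             if (prop.Value == null)
             {
                 continue;
             }
             // The dots must be escaped: an unescaped '.' matches any character, so a
             // plain digit run such as a record id or a port number matched too, and
             // IPAddress.TryParse accepts "1234567" as a numeric IPv4 form — a bogus
             // address was then reported as the attacker. Word boundaries keep the
             // quad from being cut out of a longer number. Match once instead of
             // IsMatch() followed by Match().
             Match ipAddress = Regex.Match(prop.Value.ToString(), @"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b");
             if (!ipAddress.Success)
             {
                 continue;
             }
             // Only a well-formed IPv4 dotted quad is reported (rejects e.g. 999.1.1.1).
             System.Net.IPAddress ip;
             if (!System.Net.IPAddress.TryParse(ipAddress.Value, out ip)
                 || ip.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork)
             {
                 continue;
             }
             NotificationEventArgs args = new NotificationEventArgs();
             args.CreateDate = e.EventRecord.TimeCreated.Value;
             args.EventId    = e.EventRecord.Id;
             args.IpAddress  = ipAddress.Value;
             OnAttackDetected(this, args);
         }
     } catch (Exception ex) {
         EventLog.WriteEntry("Cyberarms.Agents.FileMaker.FileMakerSecurityAgent", ex.Message);
     }
 }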
예제 #4
        /// <summary>
        /// Callback executed for every event reported to the subscription. Selects a
        /// few values out of the event XML with an <see cref="EventLogPropertySelector"/>
        /// and renders the description (sample code: the values are read but not used
        /// further).
        /// </summary>
        /// <param name="obj">The watcher that raised the event (unused).</param>
        /// <param name="arg">Event data; <c>arg.EventRecord</c> is null on a read error.</param>
        public static void EventLogEventRead(object obj,
                                             EventRecordWrittenEventArgs arg)
        {
            if (arg.EventRecord == null)
            {
                // Read error: nothing to select from (the sample leaves this branch empty).
                return;
            }

            // XPath references into the event XML: the creation time, the reporting
            // computer and the target user / domain of the security event.
            String[] xPathRefs =
            {
                "Event/System/TimeCreated/@SystemTime",
                "Event/System/Computer",
                "Event/EventData/Data[@Name=\"TargetUserName\"]",
                "Event/EventData/Data[@Name=\"TargetDomainName\"]",
            };

            // An array already is an IEnumerable<String>; build the selector from it.
            EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathRefs);
            IList <object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);

            // Read the event description (rendered message text).
            var description = arg.EventRecord.FormatDescription();
        }
예제 #5
파일: EventData.cs 프로젝트: phoenixyj/F2B
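        /// <summary>
        /// Expands a Windows event log record into the entry's processing data:
        /// the raw XML, the rendered description, every <c>Event/System</c> element
        /// (and its attributes) as <c>EventSystem.*</c>, and every
        /// <c>Event/EventData/Data</c> element as <c>EventData.&lt;Name&gt;</c>
        /// (or <c>EventData[i]</c> when unnamed, with the count in <c>EventData</c>).
        /// </summary>
        /// <param name="evtlog">The entry whose <c>LogData</c> should be an
        /// <see cref="EventRecordWrittenEventArgs"/>; other payloads are passed through.</param>
        /// <returns>Always <c>goto_next</c>.</returns>
        public override string Execute(EventEntry evtlog)
        {
            // 'as' accepts the exact type and its subclasses, and does not throw when
            // LogData is null (GetType() on a null payload did).
            EventRecordWrittenEventArgs evtarg = evtlog.LogData as EventRecordWrittenEventArgs;
            if (evtarg == null)
            {
                return goto_next;
            }

            // EventRecord is null when the watcher delivered a read error instead of
            // a record; there is nothing to expand then.
            EventRecord evtrec = evtarg.EventRecord;
            if (evtrec == null)
            {
                return goto_next;
            }

            string xmlString = evtrec.ToXml();

            evtlog.SetProcData("EventData.XML", xmlString);
            evtlog.SetProcData("EventData.Description", evtrec.FormatDescription());

            // process event XML data
            var doc        = XDocument.Parse(xmlString);
            var namespaces = new XmlNamespaceManager(new NameTable());
            var ns         = doc.Root.GetDefaultNamespace();

            namespaces.AddNamespace("ns", ns.NamespaceName);

            foreach (var element in doc.XPathSelectElements("/ns:Event/ns:System/*", namespaces))
            {
                if (!string.IsNullOrWhiteSpace(element.Value))
                {
                    evtlog.SetProcData("EventSystem." + element.Name.LocalName, element.Value);
                }
                // Attributes() is empty when there are none; no HasAttributes check needed.
                foreach (var attribute in element.Attributes())
                {
                    evtlog.SetProcData("EventSystem." + element.Name.LocalName + "." + attribute.Name, attribute.Value);
                }
            }

            int dataCnt = 0;

            // Data values (e.g. an attempted user name) originate from the party that
            // triggered the event and are stored verbatim; consumers must treat them
            // as untrusted input.
            foreach (var element in doc.XPathSelectElements("/ns:Event/ns:EventData/ns:Data", namespaces))
            {
                var name = element.Attribute("Name");
                if (name != null)
                {
                    evtlog.SetProcData("EventData." + name.Value, element.Value);
                }
                else
                {
                    // Unnamed Data elements are exposed positionally.
                    evtlog.SetProcData("EventData[" + dataCnt + "]", element.Value);
                    dataCnt++;
                }
            }

            if (dataCnt > 0)
            {
                evtlog.SetProcData("EventData", dataCnt);
            }

            return goto_next;
        }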
예제 #6
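        /// <summary>
        /// Invoked every time an entry is written to the watched event log: serializes
        /// the entry as XML, publishes it to <c>topic</c> and prints the new message's
        /// URL. Exceptions are printed rather than propagated, so the watcher's callback
        /// thread never faults.
        /// </summary>
        /// <param name="sender">The watcher that raised the event (unused).</param>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
        void WatcherEventRecordWritten(object sender, EventRecordWrittenEventArgs e)
        {
            try
            {
                if (e.EventRecord == null)
                {
                    // Read error instead of a record: nothing to publish.
                    Console.WriteLine("Event read error: " + e.EventException);
                    return;
                }

                // Serialize EventLog's entry as Xml.
                // Encode the bytes up front instead of through a StreamWriter: the
                // writer was never flushed before the Seek, so whatever was still in
                // its buffer was missing from the published message. UTF-8 is the XML
                // default and, unlike ASCII, does not turn non-ASCII characters in
                // event descriptions into '?'.
                var xml = e.EventRecord.ToXml();
                using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
                {
                    // Publish a new message
                    var urlToMessage = topic.PostMessage(stream, "application/xml");

                    // Prints new message's url
                    Utils.WriteOnScrollableFrame(urlToMessage);
                }
            }
            catch (Exception ex)
            {
                // Prints any exception
                Console.WriteLine(ex.ToString());
            }
        }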
 /// <summary>
 /// Watcher callback: renders the new record as XML and hands it to
 /// <c>ProcessXml</c>. A record that cannot be rendered is skipped; any other
 /// failure is logged at error level so the callback never throws.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="e">Event data; may be null or carry a null record on a read error.</param>
 private void EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try
     {
         EventRecord record = (e == null) ? null : e.EventRecord;
         if (record == null)
         {
             return;
         }

         string xml;
         try
         {
             xml = record.ToXml();
         }
         catch
         {
             // Best effort: a record that cannot be rendered is dropped silently.
             xml = null;
         }

         if (xml != null)
         {
             ProcessXml(xml);
         }
     }
     catch (Exception ex)
     {
         Log.Write(LogLevel.Error, ex.ToString());
     }
 }
예제 #8
 /// <summary>
 /// Watcher callback: renders the new record as XML and forwards it to
 /// <c>ProcessEventViewerXml</c>. Records that cannot be rendered are skipped;
 /// any other failure goes to <c>IPBanLog.Error</c> so the callback never throws.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="e">Event data; may be null or carry a null record on a read error.</param>
 private void EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try
     {
         if (e == null || e.EventRecord == null)
         {
             return;
         }

         string xml = null;
         try
         {
             xml = e.EventRecord.ToXml();
         }
         catch
         {
             // ignore: best-effort rendering, the record is simply skipped
         }
         if (xml == null)
         {
             return;
         }
         ProcessEventViewerXml(xml);
     }
     catch (Exception ex)
     {
         IPBanLog.Error(ex);
     }
 }
예제 #9
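        /// <summary>
        /// Event Handler for the watcher.
        /// Double checks the Event ID (4656) and whether the access is related to the
        /// passwords.txt honeypot file we have set up; if so, writes to the log file
        /// (under the configuration's log lock) and sends a notification mail.
        /// </summary>
        /// <param name="sender">The watcher that raised the event (unused).</param>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null when the watcher
        /// reports a read error instead of a record.</param>
        private void logWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
        {
            // A read error delivers no record; dereferencing it here would throw on
            // the watcher's callback thread, outside the try block below.
            EventRecord record = e == null ? null : e.EventRecord;
            if (record == null || record.Id != 4656)
            {
                return;
            }

            //Check if the audit event is for a file we setup (avoiding false positives).
            // FormatDescription() can return null when the provider's message
            // resources are unavailable; render it once and reuse it.
            string description = record.FormatDescription();
            if (description == null || !description.Contains("passwords.txt"))
            {
                return;
            }

            try
            {
                // NOTE(review): if SentinelConfiguration.Logfile is a string, locking on
                // it is fragile (interned strings are shared process-wide) — a private
                // lock object would be safer; confirm its type.
                lock (SentinelConfiguration.Logfile)
                {
                    //Write to logfile
                    log.WriteLine("Honeypot file accesssed");
                    log.WriteLine(description);
                    log.WriteLine("*******************************************");
                }

                //Send Mail
                string email = ((NetworkCredential)this.smtpClient.Credentials).UserName;
                // MailMessage is IDisposable (attachments / alternate views); release it.
                using (MailMessage mail = new MailMessage(email, email))
                {
                    mail.Subject    = "[Sentinel Notification] Honeypot file accessed.";
                    mail.Body       = description;
                    mail.Priority   = MailPriority.High;
                    mail.IsBodyHtml = false;

                    smtpClient.Send(mail);
                }
            }
            catch (Exception ex)
            {
                log.WriteLine("Unexpected Error during OnEventWritten: " + ex.ToString());
            }
        }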
예제 #10
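 /// <summary>
 /// Watcher callback: extracts the client IP address that the event text carries
 /// between <c>SEARCH_PATTERN_BEGIN</c> and <c>SEARCH_PATTERN_END</c>
 /// (format: <c>&lt;clientname&gt; [IP = 'x.x.x.x']</c>) and raises
 /// <c>OnAttackDetected</c> when it parses as an IPv4 or IPv6 address. Any
 /// exception is written to the application event log so the callback never faults.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
 private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try {
         if (e == null || e.EventRecord == null)
         {
             return;
         }
         foreach (System.Diagnostics.Eventing.Reader.EventProperty prop in e.EventRecord.Properties)
         {
             // Property values may be null; skip rather than dereference them.
             if (prop.Value == null)
             {
                 continue;
             }
             string orig = prop.Value.ToString();

             // extract ip address from event log entry
             // format: <clientname> [IP = 'x.x.x.x']
             // Ordinal search: the markers are fixed tokens, and the Contains() check
             // used before was ordinal while IndexOf(string) was culture-sensitive.
             int begin = orig.IndexOf(SEARCH_PATTERN_BEGIN, StringComparison.Ordinal);
             if (begin < 0)
             {
                 continue;
             }
             int start = begin + SEARCH_PATTERN_BEGIN.Length;
             // Look for the end marker after the start marker only; with a missing or
             // earlier end marker the old code computed a negative length and threw
             // (and logged) for every such event.
             int end = orig.IndexOf(SEARCH_PATTERN_END, start, StringComparison.Ordinal);
             if (end < 0)
             {
                 continue;
             }
             string ipAddress = orig.Substring(start, end - start);

             // Part of the event text (the client name) is supplied by the remote
             // party; only a value that parses as an address is reported.
             System.Net.IPAddress probe;
             if (!System.Net.IPAddress.TryParse(ipAddress, out probe))
             {
                 continue;
             }
             if (probe.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork
                 && probe.AddressFamily != System.Net.Sockets.AddressFamily.InterNetworkV6)
             {
                 continue;
             }

             NotificationEventArgs args = new NotificationEventArgs();
             args.CreateDate = e.EventRecord.TimeCreated.Value;
             args.EventId    = e.EventRecord.Id;
             args.IpAddress  = ipAddress;
             OnAttackDetected(this, args);
         }
     } catch (Exception ex) {
         EventLog.WriteEntry("Cyberarms.Agents.WebSecurity.WebSecurityAgent", ex.Message);
     }
 }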
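 /// <summary>
 /// Watcher callback: looks for an IPv4 dotted quad in any property of the new
 /// event and raises <c>OnAttackDetected</c> with it when it parses as an address.
 /// Any exception is written to the application event log so the callback never faults.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
 private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try {
         if (e == null || e.EventRecord == null)
         {
             return;
         }
         foreach (System.Diagnostics.Eventing.Reader.EventProperty prop in e.EventRecord.Properties)
         {
             // Property values may be null; skip rather than dereference them.
             if (prop.Value == null)
             {
                 continue;
             }
             // The dots must be escaped: an unescaped '.' matches any character, so a
             // plain digit run such as a record id or a port number matched too, and
             // IPAddress.TryParse accepts "1234567" as a numeric IPv4 form — a bogus
             // address was then reported as the attacker. Word boundaries keep the
             // quad from being cut out of a longer number. Match once instead of
             // IsMatch() followed by Match().
             Match ipAddress = Regex.Match(prop.Value.ToString(), @"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b");
             if (!ipAddress.Success)
             {
                 continue;
             }
             // Only a well-formed address is reported (rejects e.g. 999.1.1.1). The
             // family check is kept as before even though the pattern is IPv4-only.
             System.Net.IPAddress probe;
             if (!System.Net.IPAddress.TryParse(ipAddress.Value, out probe))
             {
                 continue;
             }
             if (probe.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork
                 && probe.AddressFamily != System.Net.Sockets.AddressFamily.InterNetworkV6)
             {
                 continue;
             }

             NotificationEventArgs args = new NotificationEventArgs();
             args.CreateDate = e.EventRecord.TimeCreated.Value;
             args.EventId    = e.EventRecord.Id;
             args.IpAddress  = ipAddress.Value;
             OnAttackDetected(this, args);
         }
     } catch (Exception ex) {
         EventLog.WriteEntry("Cyberarms.Agents.SqlServer.SqlFailedLoginWatcher", ex.Message);
     }
 }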
예제 #12
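        /// <summary>
        /// Watcher callback: copies the new record into a <c>LogEntry</c> (id, task as
        /// category, level mapped to an <see cref="EventLogEntryType"/>, creation time
        /// and the string form of every property) and appends it with <c>AddToLog</c>.
        /// Records without properties are ignored.
        /// </summary>
        /// <param name="obj">The watcher that raised the event (unused).</param>
        /// <param name="arg">Event data; <c>arg.EventRecord</c> is null on a read error.</param>
        private void OnLogEntry(object obj, EventRecordWrittenEventArgs arg)
        {
            EventRecord record = arg.EventRecord;
            if (record == null)
            {
                return;
            }
            IList<EventProperty> properties = record.Properties;
            if (properties == null || properties.Count == 0)
            {
                return;
            }

            try
            {
                LogEntry Entry = new LogEntry();
                Entry.eventID    = record.Id;
                Entry.categoryID = (short)record.Task;
                // Level is nullable; a missing level is treated as Information, the
                // same as any unmapped value (the old .Value access threw instead and
                // the record was lost).
                switch (record.Level ?? 4)
                {
                case 2: Entry.entryType = EventLogEntryType.Error; break;

                case 3: Entry.entryType = EventLogEntryType.Warning; break;

                case 4:
                default: Entry.entryType = EventLogEntryType.Information; break;
                }
                Entry.timeGenerated = record.TimeCreated.Value;
                string[] dataStr = new string[properties.Count];
                for (int i = 0; i < dataStr.Length; i++)
                {
                    // A property value may be null; the old ToString() call threw
                    // and dropped the whole record.
                    object value = properties[i].Value;
                    dataStr[i] = value == null ? string.Empty : value.ToString();
                }
                Entry.SetData(dataStr);

                AddToLog(Entry);
            }
            catch (Exception)
            {
                // Deliberately swallowed: an exception escaping the watcher's callback
                // thread would take the process down and there is no logger in scope
                // here. The guards above keep this path to genuine failures.
            }
        }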
 /// <summary>
 /// Watcher callback. A read error is forwarded to <c>_recordSubject.OnError</c>;
 /// otherwise the record's age (now minus <c>TimeCreated</c>) is stored in
 /// <c>_latency</c> and the record is passed to <c>ProcessRecord</c>. Failures are
 /// logged and counted as source errors so the callback never throws.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="args">Event data carrying either a record or an exception.</param>
 private void OnEventRecordWritten(object sender, EventRecordWrittenEventArgs args)
 {
     try
     {
         Exception readError = args.EventException;
         if (readError != null)
         {
             // NOTE(review): if _recordSubject is an Rx Subject, OnError terminates it
             // and later records are no longer observed — confirm that is intended.
             _recordSubject.OnError(readError);
             return;
         }

         EventRecord record = args.EventRecord;
         if (record == null)
         {
             return;
         }

         // DateTime.Now rather than UtcNow on purpose: TimeCreated appears to be
         // local time (the original compared it against Now as well).
         _latency = DateTime.Now - (record.TimeCreated ?? DateTime.Now);
         ProcessRecord(record);
     }
     catch (Exception recordEx)
     {
         _logger?.LogError($"EventLogSource id {this.Id} logging {_logName} EventLog with query {_query} has record error {recordEx}.");
         _metrics?.PublishCounter(this.Id, MetricsConstants.CATEGORY_SOURCE, CounterTypeEnum.Increment,
                                  MetricsConstants.EVENTLOG_SOURCE_EVENTS_ERROR, 1, MetricUnit.Count);
     }
 }
예제 #14
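        /// <summary>
        /// Forwards a new event log record to the syslog server as an RFC 5424 message
        /// over the shared TCP sender, creating the sender on first use. Calls are
        /// serialized on <c>monitor</c>; failures are printed rather than propagated.
        /// </summary>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
        static void SendMessage(EventRecordWrittenEventArgs e)
        {
            lock (monitor)
            {
                try {
                    if (e == null || e.EventRecord == null)
                    {
                        // Read error instead of a record: nothing to forward.
                        return;
                    }

                    // The message content is built by CreateSyslogMessage; the unused
                    // ToXml() that rendered the whole record on every event is gone.
                    ISyslogMessageSerializer serializer = (ISyslogMessageSerializer) new SyslogRfc5424MessageSerializer();
                    SyslogMessage msg1 = CreateSyslogMessage(e);

                    Console.WriteLine("New Event " + e.EventRecord.Id + "\n");
                    if (client == null)
                    {
                        client = (ISyslogMessageSender) new SyslogTcpSender(syslogServerHostname, port);
                    }
                    // NOTE(review): when Send fails because the connection dropped, the
                    // same client is reused next time; whether SyslogTcpSender reconnects
                    // is not visible here — confirm, or reset client to null in the catch.
                    client.Send(msg1, serializer);
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Eroare 10 " + ex.Message);
                }
            }
        }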
예제 #15
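 /// <summary>
 /// Watcher callback: reads the <c>IpAddress</c> field out of the event's
 /// <c>EventData</c> and raises <c>Negotiated</c> with the address, event id, log
 /// name, XML and creation time. Events without that field are ignored; other
 /// failures are recorded with <c>WriteEntry</c> so the callback never throws.
 /// </summary>
 /// <param name="sender">The watcher that raised the event (unused).</param>
 /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
 private void OnEventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try
     {
         if (e == null || e.EventRecord == null)
         {
             return;
         }

         string[] propertyQueries = new string[] { "Event/EventData/Data[@Name=\"IpAddress\"]" };
         EventLogPropertySelector propertySelector = new EventLogPropertySelector(propertyQueries);
         IList<object> values = ((EventLogRecord)e.EventRecord).GetPropertyValues(propertySelector);
         // Guard the selected value: the old code dereferenced it directly and a
         // record without an IpAddress field ended up logged as a NullReferenceException.
         object ipValue = values.Count > 0 ? values[0] : null;
         if (ipValue == null)
         {
             return;
         }

         // The address text is taken from the event as-is and is not validated
         // here; subscribers must treat it as untrusted input.
         NegotiationdEventArgs data = new NegotiationdEventArgs
         {
             IpAddress       = ipValue.ToString(),
             EventId         = e.EventRecord.Id,
             EventName       = e.EventRecord.LogName,
             EventMessageXml = e.EventRecord.ToXml(),
             CreateDate      = e.EventRecord.TimeCreated.Value
         };

         // Copy the delegate first so a subscriber that unsubscribes between the
         // null check and the call cannot cause a NullReferenceException.
         var handler = Negotiated;
         if (handler != null)
         {
             handler(this, data);
         }
     }
     catch (Exception exception)
     {
         WriteEntry(exception.Message);
     }
 }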
예제 #16
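        /// <summary>
        /// Triggered every time an event is written to a hooked log: records the entry
        /// in <c>Events</c> and appends a row (time, log, provider, id, pretty-printed
        /// XML) to <c>table</c>. The row is built and added on the UI thread via
        /// <c>table.Invoke</c>, because this callback runs on a watcher thread.
        /// </summary>
        /// <param name="sender">The watcher that raised the event (unused).</param>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
        private void OnEntryWritten(object sender, EventRecordWrittenEventArgs e)
        {
            EventRecord entry = e.EventRecord;
            if (entry == null)
            {
                // Read error instead of a record; nothing to show.
                return;
            }

            // NOTE(review): Events is mutated from the watcher thread; if it is bound
            // to the UI, this belongs inside the Invoke below — confirm.
            Events.Add(entry);

            // Beautify the XML (no UI access needed, so it stays off the UI thread).
            string prettyXml;
            XmlDocument xmlDoc = new XmlDocument();
            // The event XML never needs external resolution; disabling the resolver
            // rules out DTD / external entity fetches should a crafted document ever
            // reach this point.
            xmlDoc.XmlResolver = null;
            xmlDoc.LoadXml(entry.ToXml());
            using (StringWriter sw = new StringWriter())
            {
                xmlDoc.Save(sw);
                prettyXml = sw.ToString();
            }

            // Controls may only be touched from the thread that created them; the old
            // code cloned the template row here, on the watcher thread.
            table.Invoke((MethodInvoker) delegate {
                DataGridViewRow row = (DataGridViewRow)table.Rows[0].Clone();

                row.Cells[0].Value = entry.TimeCreated;
                row.Cells[1].Value = entry.LogName;
                row.Cells[2].Value = entry.ProviderName;
                row.Cells[3].Value = entry.Id;
                row.Cells[4].Value       = prettyXml;
                row.Cells[4].ToolTipText = prettyXml;

                // Add the new row with the event entry data to the table.
                table.Rows.Add(row);
            });
        }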
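        /// <summary>
        /// Watcher callback: forwards the event's rendered description to
        /// <c>remote.Warn</c>. This is an <c>async void</c> event handler, so an
        /// exception thrown after the await is unobservable and crashes the process;
        /// every failure is therefore caught and logged here.
        /// </summary>
        /// <param name="sender">The watcher that raised the event (unused).</param>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
        private async void OnEventDetectedAsync(object sender, EventRecordWrittenEventArgs e)
        {
            try
            {
                if (e.EventRecord == null)
                {
                    log.LogWarning("Event read error: {error}", e.EventException);
                    return;
                }

                // Render once and reuse it (the old code rendered the record twice).
                var message = e.EventRecord.FormatDescription();

                log.LogInformation("SENDING: {message}", message);

                await remote.Warn(message);
            }
            catch (Exception ex)
            {
                log.LogError(ex, "Failed to forward event notification");
            }
        }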
예제 #18
        /// <summary>
        ///     AppLocker event: when the record's id is one of <c>idAppLock</c>, fires
        ///     <c>OnAppLockMatchEvent</c> and shows the block popup with the rendered
        ///     description.
        /// </summary>
        /// <param name="sender">The watcher that raised the event (unused).</param>
        /// <param name="e">Event data; <c>e.EventRecord</c> is null on a read error.</param>
        private void OnApplockEventWritten(object sender, EventRecordWrittenEventArgs e)
        {
            EventRecord record = e.EventRecord;
            if (record == null)
            {
                return;
            }
            if (!idAppLock.Contains(record.Id))
            {
                return;
            }

            OnAppLockMatchEvent?.Invoke();
            ShowBlockPopup(record.FormatDescription());
        }
 /// <summary>
 /// Watcher callback (sample): pulls the rendered description and the XML form
 /// out of the new record. Neither value is used further here.
 /// </summary>
 /// <param name="obj">The watcher that raised the event (unused).</param>
 /// <param name="arg">Event data; <c>arg.EventRecord</c> is null on a read error.</param>
 public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
 {
     EventRecord record = arg.EventRecord;
     if (record == null)
     {
         // Read error instead of a record.
         return;
     }

     String renderedMessage = record.FormatDescription(); // Event information as rendered message text.
     String rawXml          = record.ToXml();             // The same event in XML form.
 }
        /// <summary>
        /// Callback executed for every event reported to the subscription: selects eight
        /// values from the event XML (system time, computer, record id, target user and
        /// domain, UserData user and address, event id), writes them to file and to the
        /// database, and in DEBUG builds echoes them to the console.
        /// </summary>
        /// <param name="obj">The watcher that raised the event (unused).</param>
        /// <param name="arg">Event data; <c>arg.EventRecord</c> is null on a read error.</param>
        public static void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
        {
            if (arg.EventRecord == null)
            {
#if (DEBUG)
                Console.WriteLine("The event instance was null.");
#endif
                return;
            }

            // XPath references into the event XML, in the order the values are used below.
            String[] xPathRefs =
            {
                "Event/System/TimeCreated/@SystemTime",
                "Event/System/Computer",
                "Event/System/EventRecordID",
                "Event/EventData/Data[@Name=\"TargetUserName\"]",
                "Event/EventData/Data[@Name=\"TargetDomainName\"]",
                "Event/UserData/EventXML/User",
                "Event/UserData/EventXML/Address",
                "Event/System/EventID",
            };

            // The array is already an IEnumerable<String>; build the selector from it.
            EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathRefs);
            IList <object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);

            // Fields absent from a record may come back as null entries. TargetUserName,
            // User and Address are supplied by the logging-on party; WriteToFile and
            // WriteToDb (not visible here) must treat them as untrusted input
            // (parameterized SQL, no format strings built from them).
            StreamWriterExtention.WriteToFile(logEventProps);
            DbOperationExtentions.WriteToDb(logEventProps);

#if (DEBUG)
            Console.WriteLine("U1 Time: {0}", logEventProps[0]);
            Console.WriteLine("Computer: {0}", logEventProps[1]);
            Console.WriteLine("EventRecordId: {0}", logEventProps[2]);
            Console.WriteLine("TargetUserName: {0}", logEventProps[3]);
            Console.WriteLine("TargetDomainName: {0}", logEventProps[4]);
            Console.WriteLine("User: {0}", logEventProps[5]);
            Console.WriteLine("IP: {0}", logEventProps[6]);
            Console.WriteLine("EventType: {0}", logEventProps[7]);

            Console.WriteLine("---------------------------------------");

            Console.WriteLine("Description: {0}", arg.EventRecord.FormatDescription());
#endif
        }
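        /// <summary>
        /// EventLogWatcher callback: filters the incoming record (suppressed IDs,
        /// optional regex on the message text) and forwards a formatted message to
        /// <see cref="EventRaised"/> subscribers. All failures are logged, never
        /// propagated, because an exception escaping a watcher callback would end
        /// the process.
        /// </summary>
        /// <param name="obj">Event source (unused).</param>
        /// <param name="arg">Carries the record, or a null record when the watcher hit an error.</param>
        public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
        {
            try
            {
                // A null record means the watcher reported an error instead of an event.
                if (arg.EventRecord == null)
                {
                    return;
                }

                // Drop IDs the configuration explicitly suppresses.
                if (supressedIDs != null && supressedIDs.Contains(arg.EventRecord.Id))
                {
                    return;
                }

                // Nothing to do without a subscriber; also skips the culture change below.
                if (EventRaised == null)
                {
                    return;
                }

                // FormatDescription() misbehaves under some cultures (the original author's
                // "MS bug"); pin en-US for this thread. NOTE(review): the culture is never
                // restored, so it leaks to whatever runs next on this pool thread.
                Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US");

                EventLogRecord r   = (EventLogRecord)arg.EventRecord;
                string         msg = r.FormatDescription();

                // Fallback when no message resource is available: locate the same record
                // through the legacy EventLog API, scanning at most the newest 200 entries.
                if (string.IsNullOrWhiteSpace(msg))
                {
                    using (var eln = new System.Diagnostics.EventLog(r.LogName, r.MachineName))
                    {
                        System.Diagnostics.EventLogEntryCollection eCollection = eln.Entries;
                        int cnt = eCollection.Count;
                        for (int i = cnt - 1; i >= Math.Max(0, cnt - 200); i--)
                        {
                            var xe = eCollection[i];
                            if (xe.Index == r.RecordId)
                            {
                                msg = xe.Message;
                                break;
                            }
                        }
                    }
                }

                // Optional keyword filter on the message. The text contains fields an
                // attacker can influence (account names, paths), so _rxFilter should be
                // built with a match timeout to avoid pathological backtracking.
                if (_rxFilter != null && !string.IsNullOrWhiteSpace(msg) && !_rxFilter.IsMatch(msg))
                {
                    return;
                }

                // Prefer the record's own timestamp; fall back to now if it carries none.
                // The ID is masked to 16 bits (original author's choice, presumably to
                // strip qualifier bits of legacy events).
                string fMsg = string.Format("{0}, EventID = {1}{2}{3}",
                                            arg.EventRecord.TimeCreated.HasValue ? arg.EventRecord.TimeCreated : DateTime.Now,
                                            r.Id & 0xFFFF,
                                            System.Environment.NewLine,
                                            msg);
                EventRaised.Invoke(this, new EventWatcherArgs(this.EventDescription.NagiosServiceName, this.EventDescription.MessageLevel,
                                                              fMsg));
            }
            catch (Exception ex)
            {
                Nagios.Net.Client.Log.WriteLog(ex.Message + "\n" + ex.StackTrace, true);
            }
        }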
        /// <summary>
        /// EventLogWatcher callback for firewall connection records: decodes the
        /// record's positional properties into a <c>Program.LogEntry</c> and hands it
        /// to the engine. Records that cannot be mapped to a known program are dropped;
        /// any decoding failure is logged and swallowed.
        /// </summary>
        /// <param name="obj">Event source (unused).</param>
        /// <param name="arg">Carries the record, or a null record when the watcher hit an error.</param>
        private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
        {
            EventRecord record = arg.EventRecord;
            if (record == null)
            {
                // Watcher reported an error rather than a record; nothing to decode.
                return;
            }
            try
            {
                // Positional layout assumed by this handler: 0 pid, 1 image path,
                // 2 direction, 3 source address, 4 source port, 5 destination address,
                // 6 destination port, 7 protocol. A shorter record throws and is caught below.
                var props = record.Properties;

                int    pid     = MiscFunc.parseInt(props[0].Value.ToString());
                string imgPath = props[1].Value.ToString();

                Actions verdict = Actions.Undefined;
                if (record.Id == (int)EventIDs.Blocked)
                {
                    verdict = Actions.Block;
                }
                else if (record.Id == (int)EventIDs.Allowed)
                {
                    verdict = Actions.Allow;
                }

                // Direction arrives as a resource-string reference, not as a number.
                Directions dir;
                switch (props[2].Value.ToString())
                {
                case "%%14592":
                    dir = Directions.Inbound;
                    break;
                case "%%14593":
                    dir = Directions.Outboun;
                    break;
                default:
                    dir = Directions.Unknown;
                    break;
                }

                string srcAddr = props[3].Value.ToString();
                int    srcPort = MiscFunc.parseInt(props[4].Value.ToString());
                string dstAddr = props[5].Value.ToString();
                int    dstPort = MiscFunc.parseInt(props[6].Value.ToString());
                int    proto   = MiscFunc.parseInt(props[7].Value.ToString());

                ProgramList.ID id = GetIDforEntry(imgPath, pid);
                if (id == null)
                {
                    return;
                }

                // NOTE(review): the entry is stamped with DateTime.Now (processing time),
                // not record.TimeCreated; the two differ if existing events are replayed.
                Program.LogEntry entry = new Program.LogEntry(id, verdict, dir, srcAddr, srcPort, dstAddr, dstPort, proto, pid, DateTime.Now);
                entry.Profile = GetCurrentProfiles();

                App.engine.LogActivity(entry);
            }
            catch (Exception err)
            {
                AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
            }
        }
        /// <summary>
        /// EventLogWatcher callback. A null record signals a watcher error: the
        /// watcher is flagged invalid and nothing else happens. Otherwise the record
        /// is passed to the configured output action.
        /// </summary>
        private void Watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
        {
            EventRecord record = e.EventRecord;
            if (record != null)
            {
                outputAction(record);
                return;
            }

            // NOTE(review): e.EventException carries the cause but is not surfaced here.
            InvalidState = true;
        }
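        /// <summary>
        /// EventLogWatcher callback for Security-log logon (4624) and logoff (4634)
        /// records: selects the relevant EventData fields by XPath and prints them.
        /// Other event IDs are ignored.
        /// </summary>
        /// <param name="source">Event source (unused).</param>
        /// <param name="evt">Carries the record, or a null record with <c>EventException</c> set.</param>
        void OnEntryWritten(object source, EventRecordWrittenEventArgs evt)
        {
            // Fix: a null record (watcher error) used to NullReference on e.Id; an
            // exception escaping a watcher callback terminates the process.
            EventLogRecord e = evt.EventRecord as EventLogRecord;
            if (e == null)
            {
                return;
            }

            using (var loginEventPropertySelector = new EventLogPropertySelector(new[]
            {
                // (The XPath expression evaluates to null if no Data element exists with the specified name,
                //  e.g. ElevatedToken on OS versions that do not emit it.)
                "Event/EventData/Data[@Name='TargetUserSid']",
                "Event/EventData/Data[@Name='TargetLogonId']",
                "Event/EventData/Data[@Name='LogonType']",
                "Event/EventData/Data[@Name='ElevatedToken']",
                "Event/EventData/Data[@Name='WorkstationName']",
                "Event/EventData/Data[@Name='ProcessName']",
                "Event/EventData/Data[@Name='IpAddress']",
                "Event/EventData/Data[@Name='IpPort']",
                "Event/EventData/Data[@Name='TargetUserName']"
            }))
            using (var logoffEventPropertySelector = new EventLogPropertySelector(new[]
            {
                "Event/EventData/Data[@Name='TargetUserSid']",
                "Event/EventData/Data[@Name='TargetLogonId']"
            }))
            {
                switch (e.Id)
                {
                case 4624:
                    var loginPropertyValues = e.GetPropertyValues(loginEventPropertySelector);
                    var sid             = loginPropertyValues[0];
                    var logonId         = loginPropertyValues[1];
                    var logonType       = loginPropertyValues[2];
                    var elevatedToken   = loginPropertyValues[3];
                    var workstationName = loginPropertyValues[4];
                    var processName     = loginPropertyValues[5];
                    var ipAddress       = loginPropertyValues[6];
                    var ipPort          = loginPropertyValues[7];
                    var userName        = loginPropertyValues[8];

                    // WorkstationName and TargetUserName are supplied by the remote party;
                    // they are printed raw here, so treat this output as untrusted text.
                    Console.WriteLine("got eventId={0} sid={1} logonId={2} logonType={3} token={4} workstation={5} process={6} ip={7} port={8} user={9}",
                                      e.Id, sid, logonId, logonType, elevatedToken, workstationName, processName, ipAddress, ipPort, userName);

                    break;

                case 4634:
                    var logoffPropertyValues = e.GetPropertyValues(logoffEventPropertySelector);
                    var sid1     = logoffPropertyValues[0];
                    var logoffId = logoffPropertyValues[1];

                    Console.WriteLine("got eventId={0} sid={1} logonId={2}",
                                      e.Id, sid1, logoffId);

                    break;
                }
            }
        }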
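 /// <summary>
 /// EventLogWatcher callback: serializes the record to XML and hands it to
 /// <c>ProcessXml</c>. Failures are logged, never propagated, because an
 /// exception escaping a watcher callback would terminate the process.
 /// </summary>
 private void EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
 {
     try
     {
         EventRecord rec = e.EventRecord;
         if (rec == null)
         {
             // Fix: a null record means the watcher hit an error. Previously this
             // surfaced as a NullReferenceException from rec.ToXml(), hiding the cause.
             if (e.EventException != null)
             {
                 Log.Write(LogLevel.Error, e.EventException.ToString());
             }
             return;
         }

         string xml = rec.ToXml();
         ProcessXml(xml);
     }
     catch (Exception ex)
     {
         Log.Write(LogLevel.Error, ex.ToString());
     }
 }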
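        /// <summary>
        /// EventLogWatcher callback for PnP records: when the description names the
        /// Lumia mass-storage device (VID_045E&amp;PID_9006), logs it, switches the
        /// current interface to <c>Lumia_BadMassStorage</c> and raises a device arrival.
        /// </summary>
        private void PnPEventWritten(Object obj, EventRecordWrittenEventArgs arg)
        {
            // Fix: arg.EventRecord is null when the watcher reports an error, and
            // FormatDescription() returns null when no message resource is available;
            // either would throw out of the callback and take the process down.
            EventRecord record = arg.EventRecord;
            if (record == null)
            {
                return;
            }

            string Description = record.FormatDescription();
            if (string.IsNullOrEmpty(Description))
            {
                return;
            }

            if (Description.IndexOf("VID_045E&PID_9006", 0, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                LogFile.Log("Event " + record.Id.ToString() + ": " + Description, LogType.FileOnly);
                LogFile.Log("Phone switched to Mass Storage mode, but the driver on the PC did not start correctly", LogType.FileAndConsole);
                CurrentInterface = PhoneInterfaces.Lumia_BadMassStorage;
                CurrentModel     = null;
                NewDeviceArrived(new ArrivalEventArgs((PhoneInterfaces)CurrentInterface, CurrentModel));
            }
        }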
        /// <summary>
        /// EventLogWatcher callback for firewall rule-change records: parses the
        /// record and raises <c>ChangeEvent</c> when parsing yields a result.
        /// </summary>
        private void OnRuleChanged(object obj, EventRecordWrittenEventArgs arg)
        {
            EventRecord record = arg.EventRecord;
            if (record == null)
            {
                return; // watcher error, no record to parse
            }

            RuleChangedEvent parsed = ReadFirewallEvent(record);
            if (parsed == null)
            {
                return; // not a record ReadFirewallEvent understands
            }

            ChangeEvent?.Invoke(this, parsed);
        }
예제 #28
0
        /// <summary>
        /// EventLogWatcher callback for firewall connection records: parses the
        /// record and raises the <c>FirewallEvent</c> event when parsing yields a result.
        /// </summary>
        private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
        {
            EventRecord record = arg.EventRecord;
            if (record == null)
            {
                return; // watcher error, no record to parse
            }

            FirewallEvent parsed = ReadFirewallEvent(record);
            if (parsed == null)
            {
                return; // not a record ReadFirewallEvent understands
            }

            FirewallEvent?.Invoke(this, parsed);
        }
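        /// <summary>
        /// EventLogWatcher callback: shows a desktop notification for records whose
        /// level is Error or numerically lower (more severe). Records without
        /// properties, and watcher errors (null record), are ignored.
        /// </summary>
        private void SystemErrorHandler(object sender, EventRecordWrittenEventArgs e)
        {
            // Fix: this runs on the watcher's thread, where an unhandled exception ends
            // the process. The old code dereferenced a possibly-null record and threw
            // ArgumentException (with nameof() passed as the *message*, not paramName)
            // for property-less records, so any such event could crash the host.
            EventRecord record = e.EventRecord;
            if (record == null || !record.Properties.Any())
            {
                return;
            }

            // Level is a nullable byte; a null level compares false and is skipped.
            // "<= Error" also admits any level below it (Critical, and 0 if emitted).
            var eventLevel = record.Level;
            if (eventLevel <= EventLevel.Error)
            {
                Notifier.ShowNotification(record.ProviderName, record.FormatDescription(), record.LogName);
            }
        }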
        /// <summary>
        /// EventLogWatcher callback. Hands the record (or the watcher's exception, when
        /// the record is null) to <c>ProcessEvent</c> while holding <c>m_locker</c>,
        /// retrying the lock until it is acquired. When event processing is disabled
        /// the record is dropped, with a trace line if debug tracing is enabled.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="arg">Record plus optional <c>EventException</c> from the watcher.</param>
        private void EventArrivedHandler(object sender, EventRecordWrittenEventArgs arg)
        {
            this.TraceEntryExit("Entering EventArrived handler", new object[0]);
            EventRecord eventRecord = arg.EventRecord;
            bool        flag        = false; // true once m_locker has been acquired

            // The loop exists only to retry the lock; every other path leaves via break.
            do
            {
                if (!this.m_isEventProcessingEnabled)
                {
                    if (!ExTraceGlobals.FailureItemTracer.IsTraceEnabled(TraceType.DebugTrace))
                    {
                        break;
                    }
                    try
                    {
                        // eventRecord is null when the watcher reported an error instead of a record.
                        this.Trace("Ignoring Record# {0} since event processing not enabled!!", new object[]
                        {
                            (eventRecord != null) ? eventRecord.RecordId.ToString() : "<null>"
                        });
                        break;
                    }
                    catch (EventLogException)
                    {
                        // Presumably reading RecordId can throw; the trace is abandoned, nothing else.
                        break;
                    }
                }
                try
                {
                    // Bounded wait per attempt so the watcher thread is never parked indefinitely.
                    // NOTE(review): there is no retry cap, so a lock held forever spins this loop forever.
                    flag = Monitor.TryEnter(this.m_locker, 1000);
                    if (flag)
                    {
                        this.ProcessEvent(eventRecord, arg.EventException);
                    }
                }
                finally
                {
                    if (flag)
                    {
                        Monitor.Exit(this.m_locker);
                    }
                    else
                    {
                        this.Trace("Unable to acquire lock in EventArrivedHandler - retrying", new object[0]);
                    }
                }
            }while (!flag);
            this.TraceEntryExit("Exiting EventArrived handler", new object[0]);
        }