/// Event Handler for the watcher
/// Double check Event ID and see if the access is related
/// to the passwords.txt file we have setup
private void logWatcher_EventRecordWritten(object sender,
EventRecordWrittenEventArgs e)
{
if (e.EventRecord.Id == 4656)
{
//Is this is for the file of interest
if (e.EventRecord.FormatDescription().Contains("passwords.txt"))
{
try
{
log.WriteLine("Honeypot file accessed");
log.WriteLine(e.EventRecord.FormatDescription());
log.WriteLine("****************************************");
//Send Mail
string email =
((NetworkCredential)this.smtpClient.Credentials).UserName;
MailMessage mail = new MailMessage(email, email);
mail.Subject =
"[Sentinel Notification] Honeypot file accessed.";
mail.Body = e.EventRecord.FormatDescription();
mail.Priority = MailPriority.High;
mail.IsBodyHtml = false;
smtpClient.Send(mail);
}
catch (Exception ex)
{
log.WriteLine(
"Unexpected Error OnEventWritten: " + ex.ToString());
}
}
}
}
public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
{
RestartDetected = false;
PowerOffDetected = false;
try
{
Logger.Debug("Logging event: " + arg);
// Make sure there was no error reading the event.
if (arg.EventRecord != null)
{
foreach (EventProperty x in ((EventLogRecord)arg.EventRecord).Properties)
{
var strValue = x.Value.ToString();
Logger.Debug("Event value: " + strValue);
if (RestartNames.Any(n => n.Equals(strValue, StringComparison.OrdinalIgnoreCase)))
{
RestartDetected = true;
break;
}
if (PowerOffNames.Any(n => n.Equals(strValue, StringComparison.OrdinalIgnoreCase)))
{
PowerOffDetected = true;
break;
}
}
}
}
catch (Exception)
{
}
}
private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try {
// (new System.Collections.Generic.Mscorlib_CollectionDebugView<System.Diagnostics.Eventing.Reader.EventProperty>(e.EventRecord.Properties)).Items[0]
foreach (System.Diagnostics.Eventing.Reader.EventProperty prop in e.EventRecord.Properties)
{
if (Regex.IsMatch(prop.Value.ToString(), "(?:[0-9]{1,3}.){3}[0-9]{1,3}"))
{
Match ipAddress = Regex.Match(prop.Value.ToString(), "(?:[0-9]{1,3}.){3}[0-9]{1,3}");
NotificationEventArgs args = new NotificationEventArgs();
args.CreateDate = e.EventRecord.TimeCreated.Value;
args.EventId = e.EventRecord.Id;
args.IpAddress = ipAddress.Value;
System.Net.IPAddress ip;
System.Net.IPAddress.TryParse(args.IpAddress, out ip);
if (ip != null && ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
{
OnAttackDetected(this, args);
}
}
//if (prop.Value.ToString().Contains("CLIENT:")) {
// string client = prop.Value.ToString();
// int start = client.IndexOf("CLIENT:") + 7;
// string ipAddress = client.Substring(start, client.LastIndexOf(']') - start).Trim();
// NotificationEventArgs args = new NotificationEventArgs();
// args.CreateDate = e.EventRecord.TimeCreated.Value;
// args.EventId = e.EventRecord.Id;
// args.IpAddress = ipAddress;
// OnAttackDetected(this, args);
//}
}
} catch (Exception ex) {
EventLog.WriteEntry("Cyberarms.Agents.FileMaker.FileMakerSecurityAgent", ex.Message);
}
}
// Callback method that gets executed when an event is
// reported to the subscription.
public static void EventLogEventRead(object obj,
EventRecordWrittenEventArgs arg)
{
// Make sure there was no error reading the event.
if (arg.EventRecord != null)
{
//////
// This section creates a list of XPath reference strings to select
// the properties that we want to display
// In this example, we will extract the User, TimeCreated, EventID and EventRecordID
//////
// Array of strings containing XPath references
String[] xPathRefs = new String[4];
xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[1] = "Event/System/Computer";
xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
// Place those strings in an IEnumberable object
IEnumerable <String> xPathEnum = xPathRefs;
// Create the property selection context using the XPath reference
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
IList <object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
// Read the event description
var description = arg.EventRecord.FormatDescription();
}
else
{
// Log the event
}
}
public override string Execute(EventEntry evtlog)
{
if (!(evtlog.LogData.GetType() == typeof(EventRecordWrittenEventArgs) ||
evtlog.LogData.GetType().IsSubclassOf(typeof(EventRecordWrittenEventArgs))))
{
return(goto_next);
}
EventRecordWrittenEventArgs evtarg = evtlog.LogData as EventRecordWrittenEventArgs;
EventRecord evtrec = evtarg.EventRecord;
string xmlString = evtrec.ToXml();
evtlog.SetProcData("EventData.XML", xmlString);
evtlog.SetProcData("EventData.Description", evtrec.FormatDescription());
// process event XML data
var doc = XDocument.Parse(xmlString);
var namespaces = new XmlNamespaceManager(new NameTable());
var ns = doc.Root.GetDefaultNamespace();
namespaces.AddNamespace("ns", ns.NamespaceName);
foreach (var element in doc.XPathSelectElements("/ns:Event/ns:System/*", namespaces))
{
if (!string.IsNullOrWhiteSpace(element.Value))
{
evtlog.SetProcData("EventSystem." + element.Name.LocalName, element.Value);
}
if (element.HasAttributes)
{
foreach (var attribute in element.Attributes())
{
evtlog.SetProcData("EventSystem." + element.Name.LocalName + "." + attribute.Name, attribute.Value);
}
}
}
int dataCnt = 0;
foreach (var element in doc.XPathSelectElements("/ns:Event/ns:EventData/ns:Data", namespaces))
{
var name = element.Attribute("Name");
if (name != null)
{
evtlog.SetProcData("EventData." + name.Value, element.Value);
}
else
{
evtlog.SetProcData("EventData[" + dataCnt + "]", element.Value);
dataCnt++;
}
}
if (dataCnt > 0)
{
evtlog.SetProcData("EventData", dataCnt);
}
return(goto_next);
}
void WatcherEventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
// This method is being invoked every time that a entry was written to the event log.
try
{
using (var stream = new MemoryStream())
{
// Serialize EventLog's entry as Xml
var writer = new StreamWriter(stream, Encoding.ASCII);
var xml = e.EventRecord.ToXml();
writer.Write(xml);
stream.Seek(0, SeekOrigin.Begin);
// Publish a new message
var urlToMessage = topic.PostMessage(stream, "application/xml");
// Prints new message's url
Utils.WriteOnScrollableFrame(urlToMessage);
}
}
catch (Exception ex)
{
// Prints any exception
Console.WriteLine(ex.ToString());
}
}
private void EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try
{
if (e != null && e.EventRecord != null)
{
EventRecord rec = e.EventRecord;
string xml = null;
try
{
xml = rec.ToXml();
}
catch
{
}
if (xml != null)
{
ProcessXml(xml);
}
}
}
catch (Exception ex)
{
Log.Write(LogLevel.Error, ex.ToString());
}
}
private void EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try
{
if (e != null && e.EventRecord != null)
{
EventRecord rec = e.EventRecord;
string xml = null;
try
{
xml = rec.ToXml();
}
catch
{
}
if (xml != null)
{
ProcessEventViewerXml(xml);
}
}
}
catch (Exception ex)
{
IPBanLog.Error(ex);
}
}
/// <summary>
/// Event Handler for the watcher
/// Double check Event ID and see if the access is related
/// to the passwords.txt file we have setup
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void logWatcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
if (e.EventRecord.Id == 4656)
{
//Check if the audit Evvent is for a file we setup (avoiding false positves)
if (e.EventRecord.FormatDescription().Contains("passwords.txt"))
{
try
{
lock (SentinelConfiguration.Logfile)
{
//Write to logfile
log.WriteLine("Honeypot file accesssed");
log.WriteLine(e.EventRecord.FormatDescription());
log.WriteLine("*******************************************");
}
//Send Mail
string email = ((NetworkCredential)this.smtpClient.Credentials).UserName;
MailMessage mail = new MailMessage(email, email);
mail.Subject = "[Sentinel Notification] Honeypot file accessed.";
mail.Body = e.EventRecord.FormatDescription();
mail.Priority = MailPriority.High;
mail.IsBodyHtml = false;
smtpClient.Send(mail);
}
catch (Exception ex)
{
log.WriteLine("Unexpected Error during OnEventWritten: " + ex.ToString());
}
}
}
}
private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try {
// (new System.Collections.Generic.Mscorlib_CollectionDebugView<System.Diagnostics.Eventing.Reader.EventProperty>(e.EventRecord.Properties)).Items[0]
foreach (System.Diagnostics.Eventing.Reader.EventProperty prop in e.EventRecord.Properties)
{
// extract ip address from event log entry
// format: <clientname> [IP = 'x.x.x.x']
if (prop.Value.ToString().Contains(SEARCH_PATTERN_BEGIN))
{
string orig = prop.Value.ToString();
int start = orig.IndexOf(SEARCH_PATTERN_BEGIN) + SEARCH_PATTERN_BEGIN.Length;
int length = orig.IndexOf(SEARCH_PATTERN_END) - start;
string ipAddress = orig.Substring(start, length);
NotificationEventArgs args = new NotificationEventArgs();
args.CreateDate = e.EventRecord.TimeCreated.Value;
args.EventId = e.EventRecord.Id;
args.IpAddress = ipAddress;
System.Net.IPAddress probe;
if (System.Net.IPAddress.TryParse(ipAddress, out probe))
{
if (probe.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork || probe.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6)
{
OnAttackDetected(this, args);
}
}
}
}
} catch (Exception ex) {
EventLog.WriteEntry("Cyberarms.Agents.WebSecurity.WebSecurityAgent", ex.Message);
}
}
private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try {
// (new System.Collections.Generic.Mscorlib_CollectionDebugView<System.Diagnostics.Eventing.Reader.EventProperty>(e.EventRecord.Properties)).Items[0]
foreach (System.Diagnostics.Eventing.Reader.EventProperty prop in e.EventRecord.Properties)
{
if (Regex.IsMatch(prop.Value.ToString(), "(?:[0-9]{1,3}.){3}[0-9]{1,3}"))
{
Match ipAddress = Regex.Match(prop.Value.ToString(), "(?:[0-9]{1,3}.){3}[0-9]{1,3}");
NotificationEventArgs args = new NotificationEventArgs();
args.CreateDate = e.EventRecord.TimeCreated.Value;
args.EventId = e.EventRecord.Id;
args.IpAddress = ipAddress.Value;
System.Net.IPAddress probe;
if (System.Net.IPAddress.TryParse(ipAddress.Value, out probe))
{
if (probe.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork || probe.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6)
{
OnAttackDetected(this, args);
}
}
}
}
} catch (Exception ex) {
EventLog.WriteEntry("Cyberarms.Agents.SqlServer.SqlFailedLoginWatcher", ex.Message);
}
}
private void OnLogEntry(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord == null || arg.EventRecord.Properties.Count == 0)
{
return;
}
try
{
LogEntry Entry = new LogEntry();
Entry.eventID = arg.EventRecord.Id;
Entry.categoryID = (short)arg.EventRecord.Task;
switch (arg.EventRecord.Level.Value)
{
case 2: Entry.entryType = EventLogEntryType.Error; break;
case 3: Entry.entryType = EventLogEntryType.Warning; break;
case 4:
default: Entry.entryType = EventLogEntryType.Information; break;
}
Entry.timeGenerated = arg.EventRecord.TimeCreated.Value;
string[] dataStr = new string[arg.EventRecord.Properties.Count];
for (int i = 0; i < arg.EventRecord.Properties.Count; i++)
{
dataStr[i] = arg.EventRecord.Properties[i].Value.ToString();
}
Entry.SetData(dataStr);
//Entry.binData =
AddToLog(Entry);
}
catch { }
}
private void OnEventRecordWritten(object sender, EventRecordWrittenEventArgs args)
{
try
{
if (args.EventException != null)
{
_recordSubject.OnError(args.EventException);
}
else
{
EventRecord eventRecord = args.EventRecord;
if (eventRecord != null)
{
_latency = DateTime.Now.Subtract(eventRecord.TimeCreated ?? DateTime.Now);
ProcessRecord(eventRecord);
}
}
}
catch (Exception recordEx)
{
_logger?.LogError($"EventLogSource id {this.Id} logging {_logName} EventLog with query {_query} has record error {recordEx}.");
_metrics?.PublishCounter(this.Id, MetricsConstants.CATEGORY_SOURCE, CounterTypeEnum.Increment,
MetricsConstants.EVENTLOG_SOURCE_EVENTS_ERROR, 1, MetricUnit.Count);
}
}
static void SendMessage(EventRecordWrittenEventArgs e)
{
lock (monitor)
{
try {
String message = e.EventRecord.ToXml();
ISyslogMessageSerializer serializer = (ISyslogMessageSerializer) new SyslogRfc5424MessageSerializer();
//: options.SyslogVersion == "3164"
// ? (ISyslogMessageSerializer)new SyslogRfc3164MessageSerializer()
// : (ISyslogMessageSerializer)new SyslogLocalMessageSerializer();
SyslogMessage msg1 = CreateSyslogMessage(e);
// System.Diagnostics.Trace.WriteLine(e.EventRecord.ToXml());
Console.WriteLine("New Event " + e.EventRecord.Id + "\n");
//msg1=
if (client == null)
{
client = (ISyslogMessageSender) new SyslogTcpSender(syslogServerHostname, port);
}
client.Send(msg1, serializer);
}
catch (Exception ex)
{
// monitor = "0";
Console.WriteLine("Eroare 10 " + ex.Message);
}
}
}
private void OnEventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try
{
string[] propertyQueries = new string[] { "Event/EventData/Data[@Name=\"IpAddress\"]" };
EventLogPropertySelector propertySelector = new EventLogPropertySelector(propertyQueries);
string str = ((EventLogRecord)e.EventRecord).GetPropertyValues(propertySelector)[0].ToString();
NegotiationdEventArgs data = new NegotiationdEventArgs
{
IpAddress = str,
EventId = e.EventRecord.Id,
EventName = e.EventRecord.LogName,
EventMessageXml = e.EventRecord.ToXml(),
CreateDate = e.EventRecord.TimeCreated.Value
};
if (Negotiated != null)
{
Negotiated(this, data);
}
}
catch (Exception exception)
{
WriteEntry(exception.Message);
}
}
// This function get triggered every time an event get writen to a hooked log.
private void OnEntryWritten(object sender, EventRecordWrittenEventArgs e)
{
EventRecord entry = e.EventRecord;
Events.Add(entry);
DataGridViewRow row = (DataGridViewRow)table.Rows[0].Clone();
row.Cells[0].Value = entry.TimeCreated;
row.Cells[1].Value = entry.LogName;
row.Cells[2].Value = entry.ProviderName;
row.Cells[3].Value = entry.Id;
// The following code beautify the XML.
XmlDocument xmlDoc = new XmlDocument();
xmlDoc.LoadXml(entry.ToXml());
StringWriter sw = new StringWriter();
xmlDoc.Save(sw);
row.Cells[4].Value = sw.ToString();
row.Cells[4].ToolTipText = sw.ToString();
// Add the new row with the event entry data to the table.
table.Invoke((MethodInvoker) delegate {
table.Rows.Add(row);
});
}
private async void OnEventDetectedAsync(object sender, EventRecordWrittenEventArgs e)
{
var message = e.EventRecord.FormatDescription();
log.LogInformation("SENDING: {message}", e.EventRecord.FormatDescription());
await remote.Warn(message);
}
/// <summary>
/// AppLocker event
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void OnApplockEventWritten(object sender, EventRecordWrittenEventArgs e)
{
if (e.EventRecord != null && idAppLock.Contains(e.EventRecord.Id))
{
OnAppLockMatchEvent?.Invoke();
ShowBlockPopup(e.EventRecord.FormatDescription());
}
}
public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord != null)
{
EventRecord eventInstance = arg.EventRecord;
String eventMessage = eventInstance.FormatDescription(); // You can get event information from FormatDescription API itself.
String eventMessageXMLFmt = eventInstance.ToXml(); // Getting event information in xml format
}
}
public static void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord != null)
{
//////
// This section creates a list of XPath reference strings to select
// the properties that we want to display
// In this example, we will extract the User, TimeCreated, EventID and EventRecordID
//////
// Array of strings containing XPath references
String[] xPathRefs = new String[8];
xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[1] = "Event/System/Computer";
xPathRefs[2] = "Event/System/EventRecordID";
xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
xPathRefs[4] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
xPathRefs[5] = "Event/UserData/EventXML/User";
xPathRefs[6] = "Event/UserData/EventXML/Address";
xPathRefs[7] = "Event/System/EventID";
IEnumerable <String> xPathEnum = xPathRefs;
// Create the property selection context using the XPath reference
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
IList <object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
StreamWriterExtention.WriteToFile(logEventProps);
DbOperationExtentions.WriteToDb(logEventProps);
#if (DEBUG)
{
Console.WriteLine("U1 Time: {0}", logEventProps[0]);
Console.WriteLine("Computer: {0}", logEventProps[1]);
Console.WriteLine("EventRecordId: {0}", logEventProps[2]);
Console.WriteLine("TargetUserName: {0}", logEventProps[3]);
Console.WriteLine("TargetDomainName: {0}", logEventProps[4]);
Console.WriteLine("User: {0}", logEventProps[5]);
Console.WriteLine("IP: {0}", logEventProps[6]);
Console.WriteLine("EventType: {0}", logEventProps[7]);
Console.WriteLine("---------------------------------------");
Console.WriteLine("Description: {0}", arg.EventRecord.FormatDescription());
}
#endif
}
else
{
#if (DEBUG)
{
Console.WriteLine("The event instance was null.");
}
#endif
}
}
public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
{
try
{
if (arg.EventRecord != null)
{
// check on keywords in the General Description and send message to the Nagios server
if (supressedIDs != null && supressedIDs.Contains(arg.EventRecord.Id))
{
return;
}
if (EventRaised != null)
{
Thread.CurrentThread.CurrentCulture = new CultureInfo("en-US"); // need to fix MS bug
EventLogRecord r = (EventLogRecord)arg.EventRecord;
string msg = r.FormatDescription();
string mPath = "";
if (string.IsNullOrWhiteSpace(msg))
{
using (var eln = new System.Diagnostics.EventLog(r.LogName, r.MachineName))
{
System.Diagnostics.EventLogEntryCollection eCollection = eln.Entries;
int cnt = eCollection.Count;
for (int i = cnt - 1; i >= Math.Max(0, cnt - 200); i--)
{
var xe = eCollection[i];
if (xe.Index == r.RecordId)
{
msg = xe.Message;
mPath = " s";
break;
}
}
}
}
if (_rxFilter != null && string.IsNullOrWhiteSpace(msg) == false && !_rxFilter.IsMatch(msg))
{
return;
}
string fMsg = string.Format("{0}, EventID = {1}{2}{3}", arg.EventRecord.TimeCreated.HasValue ? arg.EventRecord.TimeCreated : DateTime.Now, r.Id & 0xFFFF, System.Environment.NewLine, msg);
EventRaised.Invoke(this, new EventWatcherArgs(this.EventDescription.NagiosServiceName, this.EventDescription.MessageLevel,
fMsg));
}
}
}
catch (Exception ex)
{
Nagios.Net.Client.Log.WriteLog(ex.Message + "\n" + ex.StackTrace, true);
}
}
private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord == null)
{
return;
}
try
{
int processId = MiscFunc.parseInt(arg.EventRecord.Properties[0].Value.ToString());
string path = arg.EventRecord.Properties[1].Value.ToString();
Actions action = Actions.Undefined;
if (arg.EventRecord.Id == (int)EventIDs.Blocked)
{
action = Actions.Block;
}
else if (arg.EventRecord.Id == (int)EventIDs.Allowed)
{
action = Actions.Allow;
}
string direction_str = arg.EventRecord.Properties[2].Value.ToString();
Directions direction = Directions.Unknown;
if (direction_str == "%%14592")
{
direction = Directions.Inbound;
}
else if (direction_str == "%%14593")
{
direction = Directions.Outboun;
}
string src_ip = arg.EventRecord.Properties[3].Value.ToString();
int src_port = MiscFunc.parseInt(arg.EventRecord.Properties[4].Value.ToString());
string dest_ip = arg.EventRecord.Properties[5].Value.ToString();
int dest_port = MiscFunc.parseInt(arg.EventRecord.Properties[6].Value.ToString());
int protocol = MiscFunc.parseInt(arg.EventRecord.Properties[7].Value.ToString());
ProgramList.ID id = GetIDforEntry(path, processId);
if (id == null)
{
return;
}
Program.LogEntry entry = new Program.LogEntry(id, action, direction, src_ip, src_port, dest_ip, dest_port, protocol, processId, DateTime.Now);
entry.Profile = GetCurrentProfiles();
App.engine.LogActivity(entry);
}
catch (Exception err)
{
AppLog.Line("Error in {0}: {1}", MiscFunc.GetCurrentMethod(), err.Message);
}
}
private void Watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
if (e.EventRecord == null)
{
InvalidState = true;
return;
}
outputAction(e.EventRecord);
//eventLog.OnNext(e.EventRecord as EventLogRecord);
}
void OnEntryWritten(object source, EventRecordWrittenEventArgs evt)
{
EventLogRecord e = (EventLogRecord)evt.EventRecord;
using (var loginEventPropertySelector = new EventLogPropertySelector(new[]
{
// (The XPath expression evaluates to null if no Data element exists with the specified name.)
"Event/EventData/Data[@Name='TargetUserSid']",
"Event/EventData/Data[@Name='TargetLogonId']",
"Event/EventData/Data[@Name='LogonType']",
"Event/EventData/Data[@Name='ElevatedToken']",
"Event/EventData/Data[@Name='WorkstationName']",
"Event/EventData/Data[@Name='ProcessName']",
"Event/EventData/Data[@Name='IpAddress']",
"Event/EventData/Data[@Name='IpPort']",
"Event/EventData/Data[@Name='TargetUserName']"
}))
using (var logoffEventPropertySelector = new EventLogPropertySelector(new[]
{
"Event/EventData/Data[@Name='TargetUserSid']",
"Event/EventData/Data[@Name='TargetLogonId']"
}))
switch (e.Id)
{
case 4624:
var loginPropertyValues = ((EventLogRecord)e).GetPropertyValues(loginEventPropertySelector);
var sid = loginPropertyValues[0];
var logonId = loginPropertyValues[1];
var logonType = loginPropertyValues[2];
var elevatedToken = loginPropertyValues[3];
var workstationName = loginPropertyValues[4];
var processName = loginPropertyValues[5];
var ipAddress = loginPropertyValues[6];
var ipPort = loginPropertyValues[7];
var userName = loginPropertyValues[8];
Console.WriteLine("got eventId={0} sid={1} logonId={2} logonType={3} token={4} workstation={5} process={6} ip={7} port={8} user={9}",
e.Id, sid, logonId, logonType, elevatedToken, workstationName, processName, ipAddress, ipPort, userName);
break;
case 4634:
var logoffPropertyValues = ((EventLogRecord)e).GetPropertyValues(logoffEventPropertySelector);
var sid1 = logoffPropertyValues[0];
var logoffId = logoffPropertyValues[1];
Console.WriteLine("got eventId={0} sid={1} logonId={2}",
e.Id, sid1, logoffId);
break;
}
}
private void EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try
{
EventRecord rec = e.EventRecord;
string xml = rec.ToXml();
ProcessXml(xml);
}
catch (Exception ex)
{
Log.Write(LogLevel.Error, ex.ToString());
}
}
private void PnPEventWritten(Object obj, EventRecordWrittenEventArgs arg)
{
string Description = arg.EventRecord.FormatDescription();
if (Description.IndexOf("VID_045E&PID_9006", 0, StringComparison.OrdinalIgnoreCase) >= 0)
{
LogFile.Log("Event " + arg.EventRecord.Id.ToString() + ": " + Description, LogType.FileOnly);
LogFile.Log("Phone switched to Mass Storage mode, but the driver on the PC did not start correctly", LogType.FileAndConsole);
CurrentInterface = PhoneInterfaces.Lumia_BadMassStorage;
CurrentModel = null;
NewDeviceArrived(new ArrivalEventArgs((PhoneInterfaces)CurrentInterface, CurrentModel));
}
}
private void OnRuleChanged(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord == null)
{
return;
}
RuleChangedEvent args = ReadFirewallEvent(arg.EventRecord);
if (args != null)
{
ChangeEvent?.Invoke(this, args);
}
}
private void OnConnection(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord == null)
{
return;
}
FirewallEvent args = ReadFirewallEvent(arg.EventRecord);
if (args != null)
{
FirewallEvent?.Invoke(this, args);
}
}
private void SystemErrorHandler(object sender, EventRecordWrittenEventArgs e)
{
if (!e.EventRecord.Properties.Any())
{
throw new ArgumentException(nameof(e.EventRecord.Properties));
}
var eventLevel = e.EventRecord.Level;
if (eventLevel <= EventLevel.Error)
{
Notifier.ShowNotification(e.EventRecord.ProviderName, e.EventRecord.FormatDescription(), e.EventRecord.LogName);
}
}
private void EventArrivedHandler(object sender, EventRecordWrittenEventArgs arg)
{
this.TraceEntryExit("Entering EventArrived handler", new object[0]);
EventRecord eventRecord = arg.EventRecord;
bool flag = false;
do
{
if (!this.m_isEventProcessingEnabled)
{
if (!ExTraceGlobals.FailureItemTracer.IsTraceEnabled(TraceType.DebugTrace))
{
break;
}
try
{
this.Trace("Ignoring Record# {0} since event processing not enabled!!", new object[]
{
(eventRecord != null) ? eventRecord.RecordId.ToString() : "<null>"
});
break;
}
catch (EventLogException)
{
break;
}
}
try
{
flag = Monitor.TryEnter(this.m_locker, 1000);
if (flag)
{
this.ProcessEvent(eventRecord, arg.EventException);
}
}
finally
{
if (flag)
{
Monitor.Exit(this.m_locker);
}
else
{
this.Trace("Unable to acquire lock in EventArrivedHandler - retrying", new object[0]);
}
}
}while (!flag);
this.TraceEntryExit("Exiting EventArrived handler", new object[0]);
}
