/// <summary>
/// Reads every record of the sample file named by <c>FileName</c> through
/// <see cref="EvtxEnumerable.FromFiles"/> and checks the record count against
/// the known size of that sample.
/// </summary>
public void EvtxReader()
{
    var records = EvtxEnumerable.FromFiles(FileName);
    var actual = records.Count();

    // The .evtx sample holds 2041 records; the ETW capture of the same data
    // carries one extra event with system information, hence the fixed number.
    Assert.AreEqual(2041, actual);
}
/// <summary>
/// Console entry point: counts the records in <c>HTTP_Server.evtx</c> (resolved
/// relative to the current working directory), prints the count and waits for
/// Enter before exiting.
/// </summary>
static void Main()
{
    IEnumerable<EventRecord> records = EvtxEnumerable.FromFiles(@"HTTP_Server.evtx");
    int recordCount = records.Count();

    Console.WriteLine(recordCount);
    Console.ReadLine();
}
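/// <summary>
/// Sample: pulls the first ten process-creation events (Id 4688) from the live
/// Security log and prints the event property at index 5 of each one.
/// </summary>
/// <remarks>
/// <c>Filter</c> is a project-provided operator on <see cref="IEnumerable{T}"/>,
/// not a System.Linq method. Events with fewer than six properties are skipped
/// instead of throwing an <see cref="ArgumentOutOfRangeException"/>.
/// </remarks>
static void LinqOperators()
{
    const int ProcessCreationEventId = 4688;
    const int PropertyIndex = 5;

    IEnumerable<EventRecord> all = EvtxEnumerable.ReadLog("Security");
    var processStart = all.Filter(e => e.Id == ProcessCreationEventId).Take(10);

    foreach (var ps in processStart)
    {
        // NOTE(review): which field sits at index 5 depends on the 4688 event
        // template; the original did not name it, so it is not named here.
        if (ps.Properties == null || ps.Properties.Count <= PropertyIndex)
        {
            continue;
        }

        Console.WriteLine(ps.Properties[PropertyIndex].Value);
    }
}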
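/// <summary>
/// Converts every record of one .evtx file into upload items and pushes them to
/// Log Analytics in batches of <paramref name="batchCount"/> items, printing
/// throughput figures for the conversion and the upload phases.
/// </summary>
/// <param name="fileFullName">Full path of the .evtx file to read.</param>
/// <param name="cert">Client certificate handed to <c>UploadBatchToLogAnalytics</c> for every batch.</param>
/// <param name="creationMechanism">How the per-event XML is produced; forwarded to <c>AddEvent</c>.</param>
/// <param name="batchCount">Number of items per upload batch; must be positive.</param>
/// <exception cref="ArgumentNullException"><paramref name="fileFullName"/> or <paramref name="cert"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="batchCount"/> is not positive.</exception>
/// <remarks>
/// Side effect: assigns the static <c>ResourceId</c> from the configured workspace id before uploading.
/// Any failure during conversion or upload is written to <c>GlobalLog</c> with code 14008 and is not
/// rethrown, so a partially uploaded file is visible only through that log.
/// </remarks>
private static void UploadEntireFileInBatches(string fileFullName, X509Certificate2 cert, XmlCreationMechanism creationMechanism, int batchCount = 200)
{
    // Argument checks sit outside the try so the catch-all below cannot swallow them.
    if (fileFullName == null)
    {
        throw new ArgumentNullException(nameof(fileFullName));
    }

    if (cert == null)
    {
        throw new ArgumentNullException(nameof(cert));
    }

    if (batchCount <= 0)
    {
        throw new ArgumentOutOfRangeException(nameof(batchCount), batchCount, "Batch size must be positive.");
    }

    const int MaxParallelism = 8;
    var parallelOptions = new ParallelOptions { MaxDegreeOfParallelism = MaxParallelism };

    var payload = GetNewPayloadObject();
    // This overload always takes the batch-upload path; the flag only selects AddEvent's behaviour.
    var useEventIngest = false;

    // Set the ResourceId for upload
    ResourceId = payload.GetLogAnalyticsResourceId(SentinelApiConfig.WorkspaceId);

    var stopwatch = new Stopwatch();
    try
    {
        // Phase 1: read and convert.
        // NOTE(review): AddEvent is invoked from up to 8 threads at once; confirm that the
        // payload's AddEvent/DataItems are safe for concurrent writers.
        stopwatch.Start();
        var log = EvtxEnumerable.ReadEvtxFile(fileFullName);
        Parallel.ForEach(log, parallelOptions, eventRecord =>
        {
            payload.AddEvent(eventRecord, useEventIngest, creationMechanism);
        });
        stopwatch.Stop();

        Console.WriteLine($"\tRecordCount: {payload.DataItems.Count:N0}");
        var output = $"\tEPS for Conversion: {payload.DataItems.Count / stopwatch.Elapsed.TotalSeconds:N3}";
        Console.WriteLine(output);

        // Phase 2: split into upload chunks and push them concurrently.
        var splitLists = payload.SplitListIntoChunks<string>(batchCount);
        stopwatch.Restart();
        Parallel.ForEach(splitLists, parallelOptions, singleBatch =>
        {
            UploadBatchToLogAnalytics(payload.GetUploadBatch(singleBatch), cert);
        });
        stopwatch.Stop();

        Console.WriteLine($"\tEPS for Upload to MMA-API: {payload.DataItems.Count / stopwatch.Elapsed.TotalSeconds:N3}");
    }
    catch (Exception e)
    {
        // Best-effort: the caller is not told about the failure, it is only recorded in the global log.
        GlobalLog.WriteToStringBuilderLog(e.ToString(), 14008);
    }
}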
/// <summary>
/// Sample: a push-style (Rx) pipeline over the Security log. Each process-creation
/// event (Id 4688) is rendered to XML, converted to a dynamic object and then to a
/// CSV line, which is printed as it arrives.
/// </summary>
/// <remarks>
/// <c>Xml2Dynamic</c> and <c>Dynamic2Csv</c> are project helpers; their exact
/// return types are not visible here.
/// </remarks>
static void RxOperators()
{
    // This sample illustrates how Push LINQ works, using IObservable<T> as the
    // interface to compose pipelines.
    IObservable<EventRecord> all = EvtxEnumerable.ReadLog("Security").ToObservable();

    var processStart = all.Where(e => e.Id == 4688);
    var asXml = processStart.Select(e => e.ToXml());
    var asDynamic = asXml.Select(xml => Xml2Dynamic(xml));
    var asCsv = asDynamic.Select(d => Dynamic2Csv(d));

    asCsv.Subscribe(csv => Console.WriteLine(csv));
}
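/// <summary>
/// Exposes a Windows event log as a push stream of deserialized records.
/// </summary>
/// <param name="log">Name of the log to read (e.g. "Security"); passed to
/// <see cref="EvtxEnumerable.FromLogQuery"/> with both remaining arguments left null.</param>
/// <returns>An observable that, on subscription, replays every record of the log as the
/// dictionary produced by <c>Deserialize()</c> and then completes.</returns>
/// <remarks>
/// The subscribe callback enumerates the log synchronously on the subscriber's thread, and the
/// returned disposable is a no-op, so disposing mid-stream does not stop the loop. The companion
/// <c>FromFiles</c> overload behaves the same way.
/// </remarks>
public static IObservable<IDictionary<string, object>> FromLog(string log)
{
    var enumerable = EvtxEnumerable.FromLogQuery(log, null, null);
    var observable = Observable.Create<EventLogRecord>(x =>
    {
        foreach (var item in enumerable)
        {
            x.OnNext(item);
        }

        // Signal the end of the log, matching FromFiles; without this the stream never
        // terminates and subscribers waiting for completion hang.
        x.OnCompleted();
        return Disposable.Create(() => { });
    });
    return observable.Select(e => e.Deserialize());
}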
/// <summary>
/// Exposes one or more .evtx files as a push stream of deserialized records.
/// </summary>
/// <param name="logFiles">Paths of the files to read, forwarded to
/// <see cref="EvtxEnumerable.FromFiles"/>.</param>
/// <returns>An observable that, on subscription, emits every record of every file as the
/// dictionary produced by <c>Deserialize()</c>, then completes.</returns>
/// <remarks>
/// The files are enumerated synchronously on the subscriber's thread; the disposable returned
/// to Rx is a no-op, so disposing the subscription does not interrupt the enumeration.
/// </remarks>
public static IObservable<IDictionary<string, object>> FromFiles(params string[] logFiles)
{
    var source = EvtxEnumerable.FromFiles(logFiles);

    Func<IObserver<EventLogRecord>, IDisposable> subscribe = observer =>
    {
        foreach (var record in source)
        {
            observer.OnNext(record);
        }

        observer.OnCompleted();
        return Disposable.Create(() => { });
    };

    IObservable<EventLogRecord> records = Observable.Create<EventLogRecord>(subscribe);
    return records.Select(record => record.Deserialize());
}
/// <summary>
/// Sample: the same pull-style query written twice, once with extension-method
/// (fluent) syntax and once with comprehension syntax. Both take the first 1000
/// Security records, keep the process-creation events (Id 4688) and materialise
/// their XML; nothing is printed, the locals are meant to be inspected in a debugger.
/// </summary>
static void LinqToObjects()
{
    const int ProcessCreationEventId = 4688;

    // Pipeline built from extension-method calls.
    var source = EvtxEnumerable.ReadLog("Security").Take(1000);
    var matching = source.Where(e => e.Id == ProcessCreationEventId);
    IEnumerable<string> pipeline = matching.Select(e => e.ToXml()).ToArray();

    // The same query in comprehension syntax.
    IEnumerable<string> query =
        (from e in EvtxEnumerable.ReadLog("Security").Take(1000)
         where e.Id == ProcessCreationEventId
         select e.ToXml()).ToArray();

    // Set a breakpoint on the closing brace and inspect "pipeline" and "query".
}
/// <summary>
/// Sample: runs an Rx (push) rule inside a pull (<see cref="IEnumerable{T}"/>)
/// environment via the project's <c>ReplayRealTimeRule</c> operator, printing
/// every XML record that matches.
/// </summary>
static void PushInsidePull()
{
    // This sample shows an Rx pipeline running inside a pull environment.
    // It is a stepping stone towards a Cosmos Extractor that can host Rx rules.
    IEnumerable<string> xmlRecords = EvtxEnumerable.ReadLog("Security")
        .Take(1000)
        .Select(e => e.ToXml())
        .ToArray();

    // Mouse-hover on the .Where below to see that it is the push (real-time)
    // implementation. Note: this is a substring match over the whole XML text,
    // not a comparison of the event Id field.
    var matches = xmlRecords.ReplayRealTimeRule(
        source => source.Where(xml => xml.Contains("4688")));

    foreach (var xml in matches)
    {
        Console.WriteLine(xml);
    }
}
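/// <summary>
/// Converts every record of one .evtx file into upload items and pushes them to
/// Log Analytics in batches of <paramref name="batchCount"/> items, authenticating
/// with the static <c>AuthX509Certificate2</c>, and prints throughput figures for
/// the conversion and the upload phases.
/// </summary>
/// <param name="fileFullName">Full path of the .evtx file to read.</param>
/// <param name="creationMechanism">How the per-event XML is produced; forwarded to <c>AddEvent</c>.</param>
/// <param name="batchCount">Number of items per upload batch; must be positive.</param>
/// <exception cref="ArgumentNullException"><paramref name="fileFullName"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="batchCount"/> is not positive.</exception>
/// <exception cref="InvalidOperationException"><c>AuthX509Certificate2</c> has not been set.</exception>
/// <remarks>
/// Side effect: assigns the static <c>ResourceId</c> from the configured workspace id before uploading.
/// Any failure during conversion or upload is written to <c>GlobalLog</c> with code 14008 and is not
/// rethrown, so a partially uploaded file is visible only through that log.
/// </remarks>
private static void UploadEntireFileInBatches(string fileFullName, XmlCreationMechanism creationMechanism, int batchCount = 200)
{
    // Pre-flight checks sit outside the try so the catch-all below cannot swallow them,
    // and so a missing certificate is reported before any conversion work is done.
    if (fileFullName == null)
    {
        throw new ArgumentNullException(nameof(fileFullName));
    }

    if (batchCount <= 0)
    {
        throw new ArgumentOutOfRangeException(nameof(batchCount), batchCount, "Batch size must be positive.");
    }

    if (AuthX509Certificate2 == null)
    {
        throw new InvalidOperationException("AuthX509Certificate2 must be set before uploading.");
    }

    const int MaxParallelism = 8;
    ParallelOptions parallelOptions = new ParallelOptions { MaxDegreeOfParallelism = MaxParallelism };

    WindowsEventPayload payload = GetNewPayloadObject();
    // The Event.Ingest path is not wired up in this overload; only the batch upload below runs.
    bool useEventIngest = false;

    // Set the ResourceId for upload
    ResourceId = payload.GetLogAnalyticsResourceId(SentinelApiConfig.WorkspaceId);

    Stopwatch fileStopwatch = new Stopwatch();
    try
    {
        // Phase 1: read and convert.
        // NOTE(review): AddEvent is invoked from up to 8 threads at once; confirm that
        // WindowsEventPayload.AddEvent/DataItems are safe for concurrent writers.
        fileStopwatch.Start();
        var log = EvtxEnumerable.ReadEvtxFile(fileFullName);
        Parallel.ForEach(log, parallelOptions, eventRecord =>
        {
            payload.AddEvent(eventRecord, useEventIngest, creationMechanism);
        });
        fileStopwatch.Stop();

        if (useEventIngest)
        {
            // Reporting for the Event.Ingest uploader is not implemented yet; the draft is kept for reference.
            //Console.WriteLine($"\tRecordCount: {payload.Uploader.ItemCount:N0}");
            //Console.WriteLine(
            //    $"\tEPS for Conversion: {payload.Uploader.ItemCount / fileStopwatch.Elapsed.TotalSeconds:N3}");
            //// Wait for upload to complete, and report
            //payload.Uploader.OnCompleted();
            //uploaderStopwatch.Stop();
            //Console.WriteLine($"Upload Completed...");
            //Console.WriteLine($"\tEPS for Upload with Event.Ingest to MMA-API: {payload.Uploader.ItemCount / uploaderStopwatch.Elapsed.TotalSeconds:N3}");
            //Console.WriteLine($"\t Average for batch with Event.Ingest to MMA-API: {payload.BatchItemCount / payload.BatchTimeSpan.TotalSeconds:N3}");
        }
        else
        {
            Console.WriteLine($"\tRecordCount: {payload.DataItems.Count:N0}");
            string output = $"\tEPS for Conversion: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}";
            Console.WriteLine(output);
        }

        // Phase 2: split into upload chunks and push them concurrently.
        var splitLists = payload.SplitListIntoChunks<string>(batchCount);
        fileStopwatch.Restart();
        Parallel.ForEach(splitLists, parallelOptions, singleBatch =>
        {
            UploadBatchToLogAnalytics(payload.GetUploadBatch(singleBatch), AuthX509Certificate2);
        });
        fileStopwatch.Stop();

        Console.WriteLine($"\tEPS for Upload to MMA-API: {payload.DataItems.Count / fileStopwatch.Elapsed.TotalSeconds:N3}");
    }
    catch (Exception e)
    {
        // Best-effort: the caller is not told about the failure, it is only recorded in the global log.
        GlobalLog.WriteToStringBuilderLog(e.ToString(), 14008);
    }
}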