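/// <summary>
/// Loads Windows Filtering Platform events from the Security event log into
/// <c>_logEntries</c>, newest first, and advances <c>lastDate</c> so the next call
/// only reads entries written after the ones already loaded.
/// </summary>
/// <remarks>
/// Only events accepted by <c>FirewallHelper.isEventInstanceIdAccepted</c> are kept,
/// at most <c>MaxEventsToLoad</c> per call and in total. The log is walked from the
/// newest entry backwards and the walk stops at the first entry written at or before
/// <c>lastDate</c>, so entries written later within the same second as the previous
/// read are not picked up (EventLogEntry timestamps have one-second resolution).
/// <c>_logEntries</c> is kept ordered newest-first; trimming therefore drops from the end.
/// NOTE(review): opening the Security log needs the appropriate privilege; a failure to
/// open or enumerate it surfaces in the outer catch and is only logged. Path and message
/// fields come straight from event data and are chosen by the logged process, so the
/// helpers that derive icon/friendly path are assumed to tolerate arbitrary strings.
/// </remarks>
private void initEventLog() {
    // TODO: utilize EventLog#EnableRaisingEvents after initialization instead of timer
    //securityLog.EnableRaisingEvents = true;
    //securityLog.EntryWritten += (sender, args) => _logEntries.Add(createEventLogEntry(args.Entry));
    try {
        using (EventLog securityLog = new EventLog("security")) {
            int eventsStored = 0;
            // New entries are inserted at the front of _logEntries in the order they are
            // read (newest first), so the list stays newest-first across calls and the
            // trim below removes the oldest entries rather than the newest of an old batch.
            int insertAt = 0;
            // Newest TimeWritten seen in this pass; becomes the cut-off for the next call.
            DateTime lastDateNew = lastDate;
            int newestIndex = securityLog.Entries.Count - 1;

            // i >= 0: entry 0 is a valid (oldest) entry and must not be skipped.
            for (int i = newestIndex; i >= 0 && eventsStored < MaxEventsToLoad; i--) {
                EventLogEntry entry = securityLog.Entries[i];
                // Everything from here on was already loaded by a previous call.
                if (lastDate != DateTime.MinValue && entry.TimeWritten <= lastDate) {
                    break;
                }
                if (entry.TimeWritten > lastDateNew) {
                    lastDateNew = entry.TimeWritten;
                }
                // Note: instanceId == eventID
                if (!FirewallHelper.isEventInstanceIdAccepted(entry.InstanceId)) {
                    continue;
                }

                // The entry adjacent in time that is newer than this one: the one inserted
                // just before in this pass, or the newest already present before this pass.
                LogEntryViewModel newerNeighbour = insertAt > 0
                    ? _logEntries[insertAt - 1]
                    : (_logEntries.Count > 0 ? _logEntries[0] : null);

                try {
                    // Replacement string indices as consumed here: 0 = pid, 1 = application
                    // path, 2 = direction, 5 = target IP, 6 = target port, 7 = protocol,
                    // 8 = filter id.
                    int pid = int.Parse(getReplacementString(entry, 0), System.Globalization.CultureInfo.InvariantCulture);
                    string targetIp = getReplacementString(entry, 5);
                    string targetPort = getReplacementString(entry, 6);

                    // One connection attempt can raise several accepted events with the
                    // same pid/destination/second; list it once. Checked before building
                    // the view model to avoid the icon/path lookups for the duplicate.
                    if (isSameAttempt(newerNeighbour, pid, entry.TimeGenerated, targetIp, targetPort)) {
                        continue;
                    }

                    _logEntries.Insert(insertAt, buildLogEntry(entry, pid, targetIp, targetPort));
                    insertAt++;
                    eventsStored++;
                } catch (Exception ex) {
                    LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex);
                }
            }

            // Set the cut-off point for the next time this function gets called.
            // Done before the view/trim work so a UI hiccup cannot cause a full reload.
            lastDate = lastDateNew;

            ICollectionView dataView = CollectionViewSource.GetDefaultView(gridLog.ItemsSource);
            if (dataView != null && dataView.SortDescriptions.Count < 1) {
                dataView.SortDescriptions.Add(new SortDescription("Timestamp", ListSortDirection.Descending));
            }

            // Trim the list: the list is newest-first, so the oldest entries are at the end.
            while (_logEntries.Count > MaxEventsToLoad) {
                _logEntries.RemoveAt(_logEntries.Count - 1);
            }
        }
    } catch (Exception e) {
        LogHelper.Error("Unable to load the event log", e);
    }
}

/// <summary>
/// True when an already listed entry (<paramref name="neighbour"/>) describes the same
/// connection attempt: same pid, same destination and the same wall-clock second.
/// </summary>
/// <param name="neighbour">Adjacent listed entry, or null when there is none.</param>
/// <param name="pid">Process id of the candidate event.</param>
/// <param name="when">TimeGenerated of the candidate event.</param>
/// <param name="targetIp">Target IP replacement string of the candidate event.</param>
/// <param name="targetPort">Target port replacement string of the candidate event.</param>
private static bool isSameAttempt(LogEntryViewModel neighbour, int pid, DateTime when, string targetIp, string targetPort) {
    if (neighbour == null) {
        return false;
    }
    // Compare the full timestamp truncated to seconds, not just minute+second, so two
    // attempts an hour apart are never collapsed into one.
    bool sameSecond = neighbour.Timestamp.Ticks / TimeSpan.TicksPerSecond == when.Ticks / TimeSpan.TicksPerSecond;
    return neighbour.Pid == pid
        && sameSecond
        && neighbour.TargetIP == targetIp
        && neighbour.TargetPort == targetPort;
}

/// <summary>
/// Builds the view model for one accepted Security log entry.
/// </summary>
/// <param name="entry">The raw event log entry.</param>
/// <param name="pid">Already parsed process id (replacement string 0).</param>
/// <param name="targetIp">Replacement string 5.</param>
/// <param name="targetPort">Replacement string 6.</param>
/// <returns>A populated <see cref="LogEntryViewModel"/>.</returns>
/// <exception cref="FormatException">When the protocol replacement string is not an integer.</exception>
private LogEntryViewModel buildLogEntry(EventLogEntry entry, int pid, string targetIp, string targetPort) {
    string rawPath = getReplacementString(entry, 1);
    // "-" as application path is mapped to "System" (presumably kernel-originated traffic).
    bool isSystem = rawPath == "-";
    string friendlyPath = isSystem ? "System" : FileHelper.GetFriendlyPath(rawPath);
    // %%14593 is the only value treated as outbound; everything else is shown as "In".
    string direction = getReplacementString(entry, 2) == @"%%14593" ? "Out" : "In";
    // try to get the servicename from pid (works only if service is running)
    string serviceName = services.ContainsKey(pid) ? services[pid].Name : "-";

    var le = new LogEntryViewModel() {
        Pid = pid,
        Timestamp = entry.TimeGenerated,
        Icon = IconHelper.GetIcon(rawPath),
        Path = isSystem ? "System" : rawPath,
        FriendlyPath = friendlyPath,
        ServiceName = serviceName,
        FileName = System.IO.Path.GetFileName(friendlyPath),
        TargetIP = targetIp,
        TargetPort = targetPort,
        Protocol = FirewallHelper.getProtocolAsString(int.Parse(getReplacementString(entry, 7), System.Globalization.CultureInfo.InvariantCulture)),
        Direction = direction,
        FilterId = getReplacementString(entry, 8),
        Reason = FirewallHelper.getEventInstanceIdAsString(entry.InstanceId),
        Reason_Info = entry.Message,
    };
    // Ordinal: these are fixed internal tags, not user-language text.
    le.ReasonColor = le.Reason.StartsWith("Block", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Blue;
    le.DirectionColor = le.Direction.StartsWith("In", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Black;
    return le;
}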