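        /// <summary>
        /// Loads new firewall events from the Security event log into <c>_logEntries</c>.
        /// The log is scanned from its newest entry backwards; entries written at or before the
        /// previous cut-off (<c>lastDate</c>) are skipped, only instance ids accepted by
        /// <c>FirewallHelper</c> are kept, and at most <c>MaxEventsToLoad</c> entries are stored
        /// per call. New entries are inserted so that <c>_logEntries</c> stays in chronological
        /// (oldest first) order, which is what the trimming at the end relies on.
        /// </summary>
        /// <remarks>
        /// Entries that cannot be parsed are logged and skipped individually; any other failure
        /// (for example missing read access to the Security log) is logged and leaves the list
        /// untouched. The cut-off is advanced to the newest <c>TimeWritten</c> examined, so the
        /// next call only processes entries written after this scan.
        /// </remarks>
        private void initEventLog()
        {
            // small re-write because it got stuck going through all event logs when it found no matching event e.g. 5157
            try
            {
                using (EventLog securityLog = new EventLog("security"))
                {
                    // TODO: utilize EventLog#EnableRaisingEvents after initialization instead of timer
                    //securityLog.EnableRaisingEvents = true;
                    //securityLog.EntryWritten += (sender, args) => _logEntries.Add(createEventLogEntry(args.Entry));

                    int      newestIndex  = securityLog.Entries.Count - 1;
                    int      eventsStored = 0;
                    DateTime lastDateNew  = lastDate;

                    // The scan runs newest -> oldest. Inserting every stored entry at the position that
                    // was the end of the list before this scan keeps _logEntries oldest -> newest, so
                    // the trim below always drops the oldest events.
                    int insertAt = _logEntries.Count;

                    // Reference for the duplicate check: the newest entry already known, then the last one stored.
                    LogEntryViewModel lastEntry = _logEntries.LastOrDefault();

                    // Index 0 is the oldest record of the log and is a valid entry as well.
                    for (int i = newestIndex; i >= 0 && eventsStored < MaxEventsToLoad; i--)
                    {
                        EventLogEntry entry = securityLog.Entries[i];

                        // Everything at or before the cut-off was handled by an earlier call.
                        // NOTE: the comparison is inclusive, so an entry written later in the same
                        // second as the cut-off is not picked up by the next scan.
                        if (lastDate != DateTime.MinValue && entry.TimeWritten <= lastDate)
                        {
                            break;
                        }

                        // Advance the cut-off to the newest time examined so the next scan starts after it.
                        if (entry.TimeWritten > lastDateNew)
                        {
                            lastDateNew = entry.TimeWritten;
                        }

                        // Note: instanceId == eventID
                        if (!FirewallHelper.isEventInstanceIdAccepted(entry.InstanceId))
                        {
                            continue;
                        }

                        try
                        {
                            // Replacement strings are machine data taken from the event record; parse them culture-invariantly.
                            int    pid        = int.Parse(getReplacementString(entry, 0), System.Globalization.CultureInfo.InvariantCulture);
                            string targetIp   = getReplacementString(entry, 5);
                            string targetPort = getReplacementString(entry, 6);

                            // Collapse bursts: same process, same minute:second, same destination as the entry seen before.
                            bool isDuplicate = lastEntry != null &&
                                               lastEntry.Pid == pid &&
                                               lastEntry.Timestamp.Second == entry.TimeGenerated.Second &&
                                               lastEntry.Timestamp.Minute == entry.TimeGenerated.Minute &&
                                               lastEntry.TargetIP == targetIp &&
                                               lastEntry.TargetPort == targetPort;
                            if (isDuplicate)
                            {
                                continue;
                            }

                            LogEntryViewModel le = createLogEntryViewModel(entry, pid, targetIp, targetPort);
                            _logEntries.Insert(insertAt, le);
                            lastEntry = le;
                            eventsStored++;
                        }
                        catch (Exception ex)
                        {
                            LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex);
                        }
                    }

                    ICollectionView dataView = CollectionViewSource.GetDefaultView(gridLog.ItemsSource);
                    if (dataView.SortDescriptions.Count < 1)
                    {
                        dataView.SortDescriptions.Add(new SortDescription("Timestamp", ListSortDirection.Descending));
                    }

                    // Trim the list: it is kept chronological, so index 0 is always the oldest event.
                    while (_logEntries.Count > MaxEventsToLoad)
                    {
                        _logEntries.RemoveAt(0);
                    }

                    // Set the cut-off point for the next time this function gets called.
                    lastDate = lastDateNew;
                }
            }
            catch (Exception e)
            {
                LogHelper.Error("Unable to load the event log", e);
            }
        }

        /// <summary>
        /// Builds the view model for one accepted firewall event from its replacement strings.
        /// Index layout used here: 0 = process id, 1 = application path, 2 = direction,
        /// 5 = destination address, 6 = destination port, 7 = protocol, 8 = filter id.
        /// </summary>
        /// <param name="entry">Security log entry whose instance id was accepted by <c>FirewallHelper</c>.</param>
        /// <param name="pid">Process id already parsed from replacement string 0.</param>
        /// <param name="targetIp">Destination address (replacement string 5).</param>
        /// <param name="targetPort">Destination port (replacement string 6).</param>
        /// <returns>The populated entry, including the reason/direction colors used by the grid.</returns>
        /// <exception cref="FormatException">The protocol field is not an integer.</exception>
        /// <exception cref="OverflowException">The protocol field does not fit into an <see cref="int"/>.</exception>
        private LogEntryViewModel createLogEntryViewModel(EventLogEntry entry, int pid, string targetIp, string targetPort)
        {
            string application  = getReplacementString(entry, 1);
            bool   isSystem     = application == "-";
            string friendlyPath = isSystem ? "System" : FileHelper.GetFriendlyPath(application);
            string direction    = getReplacementString(entry, 2) == @"%%14593" ? "Out" : "In";
            int    protocol     = int.Parse(getReplacementString(entry, 7), System.Globalization.CultureInfo.InvariantCulture);

            // try to get the servicename from pid (works only if service is running)
            string serviceName = services.ContainsKey(pid) ? services[pid].Name : "-";

            var le = new LogEntryViewModel()
            {
                Pid          = pid,
                Timestamp    = entry.TimeGenerated,
                Icon         = IconHelper.GetIcon(application),
                Path         = isSystem ? "System" : application,
                FriendlyPath = friendlyPath,
                ServiceName  = serviceName,
                FileName     = System.IO.Path.GetFileName(friendlyPath),
                TargetIP     = targetIp,
                TargetPort   = targetPort,
                Protocol     = FirewallHelper.getProtocolAsString(protocol),
                Direction    = direction,
                FilterId     = getReplacementString(entry, 8),
                Reason       = FirewallHelper.getEventInstanceIdAsString(entry.InstanceId),
                Reason_Info  = entry.Message,
            };

            // Blocked events and inbound traffic are highlighted. Reason and direction are fixed,
            // non-linguistic strings, so an ordinal comparison is the correct one.
            le.ReasonColor    = le.Reason.StartsWith("Block", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Blue;
            le.DirectionColor = le.Direction.StartsWith("In", StringComparison.Ordinal) ? Brushes.OrangeRed : Brushes.Black;
            return le;
        }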