// Callback method that gets executed when an event is // reported to the subscription. public static void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg) { // Make sure there was no error reading the event. if (arg.EventRecord != null) { switch (dataType) { case DataType.Xml: var eventXml = XmlVerification.VerifyAndRepairXml(arg.EventRecord.ToXml()); SendXml(eventXml); break; case DataType.Dictionary: var eventDynamic = LogReader.ParseEvent(arg.EventRecord); SendDictionary(eventDynamic); break; default: throw new ArgumentOutOfRangeException(); } } }
// 7/10/2020 - Russell's new version private static void SafeWriteExtendedData(XmlWriter writer, EventRecord record) { try { var xml = record.ToXml(); var cleanXml = XmlVerification.VerifyAndRepairXml(xml); var xAllData = XElement.Parse(cleanXml); var xEventData = xAllData.Element(ElementNames.EventData); var xUserData = xAllData.Element(ElementNames.UserData); if (xEventData == null && xUserData == null) { return; } // If EventData has value, add as a Data attribute the TimeCreated and EventRecordId if (xEventData != null) { XName xDataName = XName.Get("Data", xEventData.Name.Namespace.NamespaceName); // 5/13/2020 - 'time-created controversy' Workaround/fix for DSRE team; we put original record.TimeCreated here xEventData.Add(new XElement(xDataName, new XAttribute("Name", "TimeCreated"), record.TimeCreated)); // Add event record Id and RecordId data; EventRecordId is in SysData xEventData.Add(new XElement(xDataName, new XAttribute("Name", "EventRecordId"), record.RecordId)); writer.WriteRaw(xEventData.ToString()); } // If UserData has value, add as a XElement the TimeCreated and EventRecordId if (xUserData != null) { var firstLevelElements = xUserData.Elements(); var secondLevelElements = firstLevelElements.Elements(); // If there are no secondary elements, add to the root elements var levelElements = secondLevelElements as XElement[] ?? secondLevelElements.ToArray(); if (!levelElements.Any()) { xUserData.Add(new XElement("TimeCreated", record.TimeCreated)); xUserData.Add(new XElement("EventRecordId", record.RecordId)); writer.WriteRaw(xUserData.ToString()); return; } // If there are secondary elements, add to these root elements if (levelElements.Any()) { foreach (var data in xUserData.Elements()) { // Simply add above the first element, and then break. foreach (XElement element in data.Elements()) { element.AddBeforeSelf(new XElement("TimeCreated", record.TimeCreated)); element.AddBeforeSelf(new XElement("EventRecordId", record.RecordId)); break; } } writer.WriteRaw(xUserData.ToString()); } } } catch (Exception ex) { SafeWriteError(writer, ex); } }
public LogRecordSentinel ToLogRecordCdoc( string eventXml, string serviceName, string level = "", string task = "", string opCode = "", int processId = 0, int threadId = 0) { try { if (string.IsNullOrWhiteSpace(eventXml)) { throw new ArgumentNullException(nameof(eventXml)); } var sanitizedXmlString = XmlVerification.VerifyAndRepairXml(eventXml); var xe = XElement.Parse(sanitizedXmlString); var eventData = xe.Element(ElementNames.EventData); var userData = xe.Element(ElementNames.UserData); var header = xe.Element(ElementNames.System); var recordId = long.Parse(header.Element(ElementNames.EventRecordId).Value); var systemPropertiesDictionary = CommonXmlFunctions.ConvertSystemPropertiesToDictionary(xe); var namedProperties = new Dictionary <string, string>(); var dataWithoutNames = new List <string>(); // Convert the EventData to named properties if (userData != null) { namedProperties = CommonXmlFunctions.ParseUserData(userData).ToDictionary(x => x.Key, x => x.Value.ToString()); } if (eventData != null) { var eventDataProperties = CommonXmlFunctions.ParseEventData(eventData); namedProperties = eventDataProperties.ToDictionary(x => x.Key, x => x.Value.ToString()); } string json; if (dataWithoutNames.Count > 0) { if (namedProperties.Count > 0) { throw new Exception("Event that has both unnamed and named data?"); } json = JsonConvert.SerializeObject(dataWithoutNames, Formatting.Indented); } else { json = JsonConvert.SerializeObject(namedProperties, Formatting.Indented); } var collectorTimestamp = DateTime.UtcNow; var logFileLineage = new Dictionary <string, object> { { "UploadMachine", Environment.MachineName }, { "CollectorTimeStamp", collectorTimestamp }, { "CollectorUnixTimeStamp", collectorTimestamp.GetUnixTime() }, { "ServiceName", serviceName } }; string[] executionProcessThread; if (systemPropertiesDictionary.ContainsKey("Execution")) { executionProcessThread = systemPropertiesDictionary["Execution"].ToString() .Split(new[] { ':' }, StringSplitOptions.RemoveEmptyEntries); } else { executionProcessThread = new string[] { "0", "0" }; } return(new LogRecordSentinel() { EventRecordId = Convert.ToInt64(systemPropertiesDictionary["EventRecordID"]), TimeCreated = Convert.ToDateTime(systemPropertiesDictionary["TimeCreated"]), Computer = systemPropertiesDictionary["Computer"].ToString(), ProcessId = processId.Equals(0) ? Convert.ToInt32(executionProcessThread[0]) : processId, ThreadId = processId.Equals(0) ? Convert.ToInt32(executionProcessThread[1]) : threadId, Provider = systemPropertiesDictionary["Provider"].ToString(), EventId = Convert.ToInt32(systemPropertiesDictionary["EventID"]), Level = !level.Equals(string.Empty) ? systemPropertiesDictionary["Level"].ToString() : level, Version = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Version"), Channel = systemPropertiesDictionary["Channel"].ToString(), Security = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Security"), Task = !task.Equals(string.Empty) ? systemPropertiesDictionary["Task"].ToString() : task, Opcode = opCode, EventData = json, LogFileLineage = logFileLineage }); } catch (Exception ex) { Trace.TraceError($"WinLog.EventRecordConversion.ToJsonLogRecord() threw an exception: {ex}"); return(null); } }