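public void Should_Parse_Logs()
        {
            // Smoke test: runs a Log Parser query against the System event log
            // and walks the whole result set. Nothing is asserted about the rows.
            try
            {
                LogQuery oLogQuery = new LogQuery();

                // Event Log input format, with its "direction" parameter set to "BW".
                EventLogInputFormat oEVTInputFormat = new EventLogInputFormat();
                oEVTInputFormat.direction = "BW";

                // Fixed query text: no external value is placed into it.
                string query = @"SELECT TOP 50 SourceName, EventID, Message FROM System";

                LogRecordSet oRecordSet = oLogQuery.Execute(query, oEVTInputFormat);
                try
                {
                    // Browse the recordset; rows are read past but not inspected.
                    while (!oRecordSet.atEnd())
                    {
                        //Console.WriteLine(oRecordSet.getRecord().toNativeString(","));
                        oRecordSet.moveNext();
                    }
                }
                finally
                {
                    // Close the recordset even when iteration throws, so the
                    // underlying handle is not left open.
                    oRecordSet.close();
                }
            }
            catch (System.Runtime.InteropServices.COMException exc)
            {
                // NOTE(review): the failure is only printed, so this test still
                // reports success when the query cannot run (for example when the
                // event log cannot be read). Confirm that is intended.
                Console.WriteLine("Unexpected error: " + exc.Message);
            }
        }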
예제 #2
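        /// <summary>
        /// Polls the Windows event log through Log Parser until cancellation is
        /// requested, turning each new record into a JSON object that is handed
        /// to <c>ProcessJson</c>. Calls <c>Finished</c> when the loop ends.
        /// </summary>
        /// <param name="ploc">
        /// Log Parser FROM target. Its <c>ToString()</c> value is inserted into the
        /// query text as-is.
        /// </param>
        private void EventWatcher(object ploc)
        {
            // NOTE(review): location is formatted straight into the query text below.
            // Presumably it comes from trusted configuration. Confirm, because the
            // queries here are built as plain text with no parameter binding.
            string location = ploc.ToString();

            LogManager.GetCurrentClassLogger().Info("WindowsEvent Input Listener Ready");

            // Instantiate the Event Log Input Format object
            var iFmt = new EventLogInputFormat()
            {
                binaryFormat  = _arguments.BinaryFormat.ToString(),
                direction     = _arguments.Direction.ToString(),
                formatMsg     = _arguments.FormatMsg,
                fullEventCode = _arguments.FullEventCode,
                fullText      = _arguments.FullText,
                msgErrorMode  = _arguments.MsgErrorMode.ToString(),
                stringsSep    = _arguments.StringsSep,
                resolveSIDs   = _arguments.ResolveSIDS
            };

            // Highest RecordNumber seen so far, keyed by event log name.
            // This lives only in memory and is seeded from max(RecordNumber) the first
            // time a log is seen, so events written before start-up, or while the
            // listener is not running, are never forwarded.
            // NOTE(review): if a log is cleared and its record numbers restart below
            // the stored value, "RecordNumber > N" would match nothing - confirm.
            Dictionary<string, Int64> logFileMaxRecords = new Dictionary<string, Int64>();

            while (!CancelToken.IsCancellationRequested)
            {
                try
                {
                    Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;

                    LogQuery oLogQuery = new LogQuery();

                    // Discover the event logs behind `location` and seed a high-water
                    // mark for any log not seen before.
                    var qfiles  = string.Format("SELECT Distinct [EventLog] FROM {0}", location);
                    var rsfiles = oLogQuery.Execute(qfiles, iFmt);
                    try
                    {
                        for (; !rsfiles.atEnd(); rsfiles.moveNext())
                        {
                            var    record  = rsfiles.getRecord();
                            string logName = record.getValue("EventLog") as string;
                            if (string.IsNullOrEmpty(logName))
                            {
                                // A non-string or empty value cannot be used as a
                                // dictionary key or as a FROM target; skip the row.
                                continue;
                            }

                            if (!logFileMaxRecords.ContainsKey(logName))
                            {
                                // logName is read back from the event log and is
                                // inserted into the query text unescaped.
                                var qcount = string.Format("SELECT max(RecordNumber) as MaxRecordNumber FROM {0}", logName);
                                var rcount = oLogQuery.Execute(qcount, iFmt);
                                try
                                {
                                    var qr  = rcount.getRecord();
                                    var lrn = (Int64)qr.getValueEx("MaxRecordNumber");
                                    logFileMaxRecords[logName] = lrn;
                                }
                                finally
                                {
                                    // This recordset was previously never closed.
                                    rcount.close();
                                }
                            }
                        }
                    }
                    finally
                    {
                        // This recordset was previously never closed.
                        rsfiles.close();
                    }

                    // Snapshot the keys because the dictionary is updated inside the loop.
                    foreach (string fileName in logFileMaxRecords.Keys.ToList())
                    {
                        var lastRecordNumber = logFileMaxRecords[fileName];

                        // NOTE(review): the query targets `location`, not `fileName`,
                        // while the high-water mark is stored per fileName. If
                        // `location` covers more than one log, record numbers from
                        // different logs would be mixed, which could duplicate or
                        // skip events - confirm the intended FROM target.
                        var query = string.Format("SELECT * FROM {0} where RecordNumber > {1}", location, lastRecordNumber);

                        var rs = oLogQuery.Execute(query, iFmt);
                        try
                        {
                            // Browse the recordset
                            for (; !rs.atEnd(); rs.moveNext())
                            {
                                var record = rs.getRecord();
                                var json   = new JObject();
                                foreach (var field in _arguments.Fields)
                                {
                                    object v = record.getValue(field.Name);

                                    // Guard against a null "Data" value: calling
                                    // ToString() on it threw before the high-water mark
                                    // advanced, so each later poll re-read the same
                                    // record and failed again, stalling collection for
                                    // this log.
                                    if (field.Name == "Data" && v != null)
                                    {
                                        v = ToPrintable(v.ToString());
                                    }
                                    json.Add(new JProperty(field.Name, v));
                                }

                                // Advance the high-water mark before handing the
                                // event on, as the original code did.
                                logFileMaxRecords[fileName] = (Int64)record.getValueEx("RecordNumber");

                                ProcessJson(json);
                                _receivedMessages++;
                            }
                        }
                        finally
                        {
                            // Close the recordset even when a record fails to convert.
                            rs.close();
                        }

                        // Kept from the original. NOTE(review): presumably forces
                        // release of the Log Parser COM wrappers - confirm.
                        rs = null;
                        GC.Collect();
                    }
                }
                catch (System.Threading.ThreadAbortException)
                {
                    // Cancel the abort so the thread can leave the loop and still
                    // reach Finished().
                    Thread.ResetAbort();
                    break;
                }
                catch (Exception ex)
                {
                    // Collection errors are logged and the loop retries on the next
                    // poll; a persistent error shows up only in this log.
                    LogManager.GetCurrentClassLogger().Error(ex);
                }

                try
                {
                    Thread.CurrentThread.Priority = ThreadPriority.Normal;
                    System.Threading.Thread.Sleep(_pollingIntervalInSeconds * 1000);
                }
                catch (System.Threading.ThreadAbortException)
                {
                    Thread.ResetAbort();
                    break;
                }
                catch (Exception ex)
                {
                    LogManager.GetCurrentClassLogger().Error(ex);
                }
            }

            Finished();
        }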