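private static void READ_WindowsEventLog_API(string Eventlog_FullName, long RecordID_From_Last_Read)
{
    // Reads the live Windows event log `Eventlog_FullName` and converts every record whose RecordId
    // is greater than `RecordID_From_Last_Read` into an EventLog_Entry queued on
    // Data_Store.contents_of_EventLog. A record that cannot be converted is logged (Warning) and
    // skipped; a log that cannot be opened or iterated at all is logged as a FailureAudit.
    //
    // Side effects:
    //   - MissingLogInFileDueToException is set to true when any record, or the whole log, could not
    //     be read, and to false otherwise. (The original reset it to false unconditionally at the
    //     end, which silently masked every per-record failure recorded inside the loop.)
    //   - When AppConfig arg 11 or 12 is present, Settings.IP_List_EVT_Logs and
    //     Settings.Hashs_From_EVT_Logs are de-duplicated in place.
    //
    // NOTE(review): the current record is read from the shared field Windows_EventLog_from_API,
    // which GET_EventLogEntry_From_API (not visible here) is assumed to populate; READ_EVTX_File
    // writes the same field, so the two readers must not run concurrently. It is also not clear from
    // here whether GET_EventLogEntry_From_API disposes the previous EventRecord — confirm.
    bool recordSkipped = false;
    try
    {
        EventLogQuery eventsQuery = new EventLogQuery(Eventlog_FullName, PathType.LogName);
        // EventLogReader owns a native log handle; the original never disposed it.
        using (EventLogReader EventLogtoReader = new EventLogReader(eventsQuery))
        {
            while (GET_EventLogEntry_From_API(EventLogtoReader) != null)
            {
                try
                {
                    // Only records past the stored high-water mark are forwarded.
                    // NOTE(review): RecordId restarts from a low value after the log is cleared, so
                    // after a clear every new record below the stored mark is silently skipped here;
                    // consider detecting a RecordId regression and treating it as a new baseline.
                    if (Windows_EventLog_from_API.RecordId.Value <= RecordID_From_Last_Read)
                    {
                        continue;
                    }

                    EventLog_Entry SWELF_Eventlog = new EventLog_Entry();

                    // These four are mandatory; if any is unavailable the record is skipped via the
                    // catch below (the original comment: "if this doesnt work we have issues that we cant fix").
                    SWELF_Eventlog.CreatedTime = Windows_EventLog_from_API.TimeCreated.Value;
                    SWELF_Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;
                    SWELF_Eventlog.EventID = Windows_EventLog_from_API.Id;
                    SWELF_Eventlog.LogName = Windows_EventLog_from_API.LogName;

                    try
                    {
                        SWELF_Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
                    }
                    catch (Exception)
                    {
                        SWELF_Eventlog.ComputerName = Settings.ComputerName;
                    }

                    // Severity: level display name, then opcode display name, then the raw level
                    // number. The display-name lookups need the provider's message resources and
                    // throw when they are missing.
                    try
                    {
                        SWELF_Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
                    }
                    catch (Exception)
                    {
                        try
                        {
                            SWELF_Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
                        }
                        catch (Exception)
                        {
                            SWELF_Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();
                        }
                    }

                    try
                    {
                        SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
                    }
                    catch (Exception)
                    {
                        SWELF_Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;
                    }

                    // EventData: optional key=value header (AppConfig arg 16) followed by the rendered
                    // description, or by the raw XML when no description can be rendered.
                    // FormatDescription() returns null when the provider's message resources are not
                    // installed and throws when the provider is unknown; the original reached the XML
                    // fallback for the null case only via a NullReferenceException on .ToLower().
                    bool withHeader = Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[16]);
                    string header = withHeader ? BUILD_EventData_Header(SWELF_Eventlog) : string.Empty;
                    string description;
                    try
                    {
                        description = Windows_EventLog_from_API.FormatDescription();
                    }
                    catch (Exception)
                    {
                        description = null;
                    }
                    if (description != null)
                    {
                        // Invariant lower-casing: this text is matched by machine, not shown to users.
                        SWELF_Eventlog.EventData = header + description.ToLowerInvariant();
                    }
                    else
                    {
                        SWELF_Eventlog.EventData = header + Windows_EventLog_from_API.ToXml();
                    }

                    try
                    {
                        SWELF_Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
                        if (string.IsNullOrEmpty(SWELF_Eventlog.GET_XML_of_Log))
                        {
                            SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml()";
                        }
                    }
                    catch (Exception)
                    {
                        SWELF_Eventlog.GET_XML_of_Log = "ERROR READING. Windows_EventLog_from_API.ToXml() Exception Thrown";
                    }

                    // Hash and IP extraction are best effort; a failure leaves the entry without them.
                    try
                    {
                        SWELF_Eventlog.GET_FileHash();
                    }
                    catch (Exception)
                    {
                        // unable to get file hashes from this record
                    }
                    try
                    {
                        SWELF_Eventlog.GET_IP_FromLogFile();
                    }
                    catch (Exception)
                    {
                        // unable to get IP values from this record
                    }

                    Data_Store.contents_of_EventLog.Enqueue(SWELF_Eventlog);
                }
                catch (Exception e)
                {
                    Error_Operation.Log_Error("INDEX_Record_FROM_API() Missing Event Log(s) Due To Exception with log format while reading in eventlogs.", "EventLog='" + Eventlog_FullName + "' " + e.Message, e.StackTrace, Error_Operation.LogSeverity.Warning);
                    recordSkipped = true;
                    MissingLogInFileDueToException = true;
                }
            }
        }

        try
        {
            if (Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[12]) || Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[11]))
            {
                // The original appended each list's distinct elements back onto the same list,
                // which doubled both lists on every call instead of de-duplicating them.
                var uniqueIPs = Settings.IP_List_EVT_Logs.Distinct().ToList();
                Settings.IP_List_EVT_Logs.Clear();
                Settings.IP_List_EVT_Logs.AddRange(uniqueIPs);

                var uniqueHashes = Settings.Hashs_From_EVT_Logs.Distinct().ToList();
                Settings.Hashs_From_EVT_Logs.Clear();
                Settings.Hashs_From_EVT_Logs.AddRange(uniqueHashes);
            }
        }
        catch (Exception e)
        {
            Error_Operation.Log_Error("Settings.IP_List_EVT_Logs.AddRange() OR Settings.Hashs_From_EVT_Logs.AddRange()", e.Message, e.StackTrace, Error_Operation.LogSeverity.Warning);
        }

        // Preserve a per-record failure instead of unconditionally clearing the flag.
        MissingLogInFileDueToException = recordSkipped;
    }
    catch (Exception e)
    {
        Error_Operation.Log_Error("READ_WindowsEventLog_API() Missing All Event Log(s) Due To Exception. ", "EventLog='" + Eventlog_FullName + "' " + e.Message + " " + Eventlog_FullName + " " + RecordID_From_Last_Read, e.StackTrace, Error_Operation.LogSeverity.FailureAudit);
        MissingLogInFileDueToException = true;
    }
}

// Builds the CRLF-separated key=value header prepended to EventData when AppConfig arg 16 is set.
// The header ends with a blank line; the event text follows it. Field formatting (DateTime and
// numeric ToString via string concatenation) is kept exactly as the original inline code did it.
//
// NOTE(review): the text that follows this header is supplied by the event provider and can
// contain attacker-influenced strings (user names, process names, message bodies). A value holding
// a CRLF followed by e.g. "EventID=" would look like a header field to any downstream parser that
// keys on these names — confirm the consumer only reads the header up to the first blank line.
private static string BUILD_EventData_Header(EventLog_Entry entry)
{
    return "CreationDate=" + entry.CreatedTime
        + "\r\nEventLog_Seq_Number=" + entry.EventLog_Seq_num
        + "\r\nEventID=" + entry.EventID
        + "\r\nSeverity=" + entry.Severity
        + "\r\nEventLogName=" + entry.LogName
        + "\r\n\r\n";
}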
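internal void READ_EVTX_File(string FilePath)
{
    // Reads every record of the saved event log file at `FilePath` (.evtx) and queues each as an
    // EventLog_Entry on Data_Store.EVTX_File_Logs. A record that cannot be converted is logged as a
    // FailureAudit and skipped; a file that cannot be opened throws to the caller (as before).
    //
    // NOTE(review): each record is stored in the shared field Windows_EventLog_from_API, the same
    // field READ_WindowsEventLog_API reads, so the two readers must not run concurrently.
    using (var reader = new EventLogReader(FilePath, PathType.FilePath))
    {
        while ((Windows_EventLog_from_API = reader.ReadEvent()) != null)
        {
            try
            {
                EventLog_Entry Eventlog = new EventLog_Entry();
                // Dispose each EventRecord once it has been copied into the entry.
                using (Windows_EventLog_from_API)
                {
                    // These three are mandatory; if any is unavailable the record is skipped via the
                    // catch below.
                    Eventlog.EventLog_Seq_num = Windows_EventLog_from_API.RecordId.Value;
                    Eventlog.EventID = Windows_EventLog_from_API.Id;
                    Eventlog.CreatedTime = Windows_EventLog_from_API.TimeCreated.Value;

                    // Same fallback READ_WindowsEventLog_API uses; the original dropped the whole
                    // record when MachineName was unavailable.
                    try
                    {
                        Eventlog.ComputerName = Windows_EventLog_from_API.MachineName;
                    }
                    catch (Exception)
                    {
                        Eventlog.ComputerName = Settings.ComputerName;
                    }

                    try
                    {
                        Eventlog.LogName = Windows_EventLog_from_API.LogName;
                    }
                    catch (Exception)
                    {
                        Eventlog.LogName = Settings.SWELF_EventLog_Name;
                    }

                    // Severity: level display name, then opcode display name, then the raw level
                    // number. The display-name lookups need the provider's message resources.
                    try
                    {
                        Eventlog.Severity = Windows_EventLog_from_API.LevelDisplayName;
                    }
                    catch (Exception)
                    {
                        try
                        {
                            Eventlog.Severity = Windows_EventLog_from_API.OpcodeDisplayName;
                        }
                        catch (Exception)
                        {
                            Eventlog.Severity = Windows_EventLog_from_API.Level.Value.ToString();
                        }
                    }

                    try
                    {
                        Eventlog.TaskDisplayName = Windows_EventLog_from_API.TaskDisplayName;
                    }
                    catch (Exception)
                    {
                        Eventlog.TaskDisplayName = Windows_EventLog_from_API.ProviderName;
                    }

                    // The original ran description, hash/IP extraction and XML in one try: a failure
                    // inside GET_FileHash() replaced EventData with the XML and skipped the IP
                    // extraction entirely. Each step now fails independently, as in
                    // READ_WindowsEventLog_API.
                    // FormatDescription() returns null when the provider's message resources are not
                    // installed and throws when the provider is unknown; both fall back to raw XML.
                    string description;
                    try
                    {
                        description = Windows_EventLog_from_API.FormatDescription();
                    }
                    catch (Exception)
                    {
                        description = null;
                    }
                    if (description != null)
                    {
                        // Invariant lower-casing: this text is matched by machine, not shown to users.
                        Eventlog.EventData = description.ToLowerInvariant();
                    }
                    else
                    {
                        Eventlog.EventData = Windows_EventLog_from_API.ToXml();
                    }

                    // Hash and IP extraction are best effort; a failure leaves the entry without them.
                    try
                    {
                        Eventlog.GET_FileHash();
                    }
                    catch (Exception)
                    {
                        // unable to get file hashes from this record
                    }
                    try
                    {
                        Eventlog.GET_IP_FromLogFile();
                    }
                    catch (Exception)
                    {
                        // unable to get IP values from this record
                    }

                    // If the XML itself cannot be produced the record is skipped via the catch below,
                    // which matches the original's behaviour (its fallback called ToXml() again).
                    Eventlog.GET_XML_of_Log = Windows_EventLog_from_API.ToXml();
                }
                Data_Store.EVTX_File_Logs.Enqueue(Eventlog);
            }
            catch (Exception e)
            {
                Error_Operation.Log_Error("READ_EVTX_File()", e.Message + "Event Log Missing due to improper format. Possible tampering or invalid format.", e.StackTrace, Error_Operation.LogSeverity.FailureAudit);
            }
        }
    }
}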