public dynamic CreateDynamic(EventRecord record) { var obj = new ExpandoObject(); IDictionary<string, object> underObject = obj; underObject["Source"] = "WindowsEventLog"; underObject["Devicename"] = record.MachineName.ToUpper(); underObject["EventTime"] = record.TimeCreated.Value.ToUniversalTime().ToString("o"); underObject["EventId"] = record.Id.ToString(); underObject["Level"] = record.Level.HasValue ? ((int)record.Level.Value).ToString() : string.Empty; underObject["User"] = record.UserId != null ? record.UserId.Translate(typeof(NTAccount)).ToString() : "N/A"; underObject["ProviderName"] = record.ProviderName; // if SQL Audit Event if (record.Id == 33205) { var entries = record.FormatDescription().Replace("Audit event: ", "").Split(new[] {'\n'}); foreach (var entry in entries) { var colon = entry.IndexOf(':'); if (colon != -1) { underObject.Add(entry.Substring(0, colon), entry.Substring(colon + 1, entry.Length - colon - 1)); } } } else { underObject["Description"] = record.FormatDescription(); var root = XElement.Parse(record.ToXml()); XNamespace x = "http://schemas.microsoft.com/win/2004/08/events/event"; var dataNodes = root.Descendants(x + "Data") .Where(e => e.HasAttributes && e.Attributes().Any(a => a.Name == "Name")); foreach (var node in dataNodes) { var key = node.Attributes().First(a => a.Name == "Name").Value; if (!underObject.ContainsKey(key)) { underObject.Add(key, node.Value); } } } return underObject; }
// ReadLocal public EventRecord DisplayEventAndLogInformation(EventRecord eventInstance, string fileName, EventLogReader logReader) { //EventRecord eventInstance = null; //for (eventInstance = logReader.ReadEvent(); null != eventInstance; eventInstance = logReader.ReadEvent()) //{ // #region Gerçek // //_eventId = eventInstance.Id; // //_eventType = eventInstance.TaskDisplayName; // //_description = eventInstance.FormatDescription(); // //_eventCategory = eventInstance.LevelDisplayName; // //_computerName = eventInstance.MachineName; // //DateTime dtCreate = Convert.ToDateTime(eventInstance.TimeCreated); // //_dateTimeCreate = dtCreate.ToString(DateFormat); // //DateTime dtNow = DateTime.Now; // //_dateTimeNow = dtNow.ToString(DateFormat); // #endregion //} eventInstance = logReader.ReadEvent(); return eventInstance; }
public static ApplicationError ParseEntry(EventRecord eventRecord) { try { var iisIdRegex = new Regex(@"/LM/W3SVC/(\d{1,9}).+", RegexOptions.IgnoreCase | RegexOptions.Compiled); // Entries kan forekomme uden et IIS id. var iisIdString = eventRecord.Properties[8].Value.ToString(); var iisIdMatch = iisIdRegex.Match(iisIdString); var iisIdResult = (iisIdMatch.Groups.Count > 1 && !string.IsNullOrEmpty(iisIdMatch.Groups[1].Value)) ? Convert.ToInt32(iisIdMatch.Groups[1].Value) : 0; if (iisIdResult == 0) return null; var fullMessage = eventRecord.Properties[18].Value.ToString(); var error = new ApplicationError { Id = (int)eventRecord.RecordId, SiteIisId = iisIdResult, DateTime = eventRecord.TimeCreated.Value.ToUniversalTime(), ExceptionType = eventRecord.Properties[17].Value.ToString(), Message = eventRecord.Properties[1].Value.ToString(), FullMessage = fullMessage.Replace(Environment.NewLine, "<br />").Trim(), ThreadInformation = eventRecord.Properties[29].Value.ToString().Replace(Environment.NewLine, "<br />").Trim(), Url = eventRecord.Properties[19].Value.ToString(), ClientIpAddress = eventRecord.Properties[21].Value.ToString() }; var indexOfBreak = fullMessage.IndexOf("\n ", System.StringComparison.InvariantCulture); var description = fullMessage.Substring(0, indexOfBreak); error.Description = description; return error; } catch (Exception ex) { EventLog.WriteEntry("Servant for IIS", "Error parsing entry: " + ex.Message + Environment.NewLine + ex.StackTrace + Environment.NewLine + Environment.NewLine + Environment.NewLine + "EventRecord: " + Environment.NewLine + eventRecord.ToXml()); return null; } }
private static bool HasEntryType(EventRecord eventRecord, EventLogEntryType entryType) { var keywords = (StandardEventKeywords)(eventRecord.Keywords ?? 0); var level = (StandardEventLevel)(eventRecord.Level ?? 0); bool isClassicEvent = keywords.HasFlag(StandardEventKeywords.EventLogClassic); switch (entryType) { case EventLogEntryType.Error: return isClassicEvent && level == StandardEventLevel.Error; case EventLogEntryType.Warning: return isClassicEvent && level == StandardEventLevel.Warning; case EventLogEntryType.Information: return isClassicEvent && level == StandardEventLevel.Informational; case EventLogEntryType.SuccessAudit: return keywords.HasFlag(StandardEventKeywords.AuditSuccess); case EventLogEntryType.FailureAudit: return keywords.HasFlag(StandardEventKeywords.AuditFailure); } return false; }
private log_entry_line to_log_entry(EventRecord rec, string log_name) { log_entry_line entry = new log_entry_line(); try { entry.add("Log", log_name); entry.add("EventID", "" + rec.Id); entry.add("level", event_level((StandardEventLevel) rec.Level)); entry.add("date", rec.TimeCreated.Value.ToString("dd-MM-yyyy")); entry.add("time", rec.TimeCreated.Value.ToString("HH:mm:ss.fff")); try { var task = rec.Task != 0 ? rec.TaskDisplayName : ""; entry.add("Category", task ?? ""); } catch { entry.add("Category", ""); } entry.add("Machine Name", rec.MachineName); entry.add("Source", "" + rec.ProviderName); entry.add("User Name", rec.UserId != null ? rec.UserId.Value : ""); /* 1.5.14+ this generates waaaay too many errors - just ignore for now try { var keywords = rec.KeywordsDisplayNames; entry.add("Keywords", keywords != null ? util.concatenate(keywords, ",") : ""); } catch { entry.add("Keywords", ""); }*/ // note: this throws a lot of exceptions; however, we don't have much of a choice here - just showing the raw properties is rather useless try { var desc = rec.FormatDescription(); entry.add("msg", desc ?? ""); } catch { try { string desc = util.concatenate( rec.Properties.Select(x => x.Value.ToString()), "\r\n"); entry.add("msg", desc); } catch { entry.add("msg", ""); } } } catch (Exception e) { logger.Fatal("can't convert EventRectord to entry " + e.Message); } return entry; }
internal EventRecordWrittenEventArgs(EventLogRecord record) { this.record = record; }
private static string SerializeEventRecord(EventRecord e) { string logstashEvent = string.Empty; using (StringWriter sw = new StringWriter(CultureInfo.InvariantCulture)) using (JsonTextWriter writer = new JsonTextWriter(sw)) { writer.WriteStartObject(); AddEventProperty(writer, "@version", 1); string normalisedDate = ((DateTime)e.TimeCreated).ToString("o", CultureInfo.InvariantCulture); AddEventProperty(writer, "@timestamp", normalisedDate); AddEventProperty(writer, "type", "eventlog"); try { AddEventProperty(writer, "SourceName", e.ProviderName); } catch {} try { AddEventProperty(writer, "EventIdentifier", e.Id); } catch {} try { AddEventProperty(writer, "ComputerName", e.MachineName); } catch {} try { AddEventProperty(writer, "@message", e.FormatDescription()); } catch {} try { AddEventProperty(writer, "TaskName", e.TaskDisplayName); } catch {} try { AddEventProperty(writer, "host", Environment.MachineName); } catch {} try { AddEventProperty(writer, "path", e.LogName); } catch {} try { AddEventProperty(writer, "LogFile", e.LogName); } catch {} try { AddEventProperty(writer, "SourceIdentifier", e.ProviderId); } catch {} try { AddEventProperty(writer, "Type", System.Enum.GetName(typeof(StandardEventLevel), e.Level)); } catch {} try { AddEventProperty(writer, "EventType", e.Level); } catch {} try { if (!IsNull(e.UserId)) { AddEventProperty(writer, "User", ResolveSIDtoUsername(e.UserId.Value)); } } catch {} try { AddEventProperty(writer, "RecordNumber", e.RecordId); } catch {} try { AddEventProperty(writer, "ActivityIdentifier", e.ActivityId); } catch {} try { AddEventProperty(writer, "RelatedActivityIdentifier", e.RelatedActivityId); } catch {} try { AddEventProperty(writer, "Opcode", e.Opcode); } catch {} try { AddEventProperty(writer, "OpcodeName", e.OpcodeDisplayName); } catch {} try { AddEventProperty(writer, "pid", e.ProcessId); } catch {} try { AddEventProperty(writer, "ThreadId", e.ThreadId); } catch {} try { SerializeEventProperties(writer, e.Properties); } catch {} try { AddEventProperty(writer, "Qualifiers", e.Qualifiers); } catch {} try { AddEventProperty(writer, "Task", e.Task); } catch {} try { AddEventProperty(writer, "EventVersion", e.Version); } catch {} writer.WriteEndObject(); logstashEvent = sw.ToString(); } return logstashEvent; }
private bool IsKnownRecord(Options options, EventRecord record) { AzureTableStorage table = new AzureTableStorage(options.TableStorageConnectionString, options.KnownLogsTableName); return table.IsKnownLog(record.LevelDisplayName, record.FormatDescription()); }
// ReadLocal public EventRecord DisplayEventAndLogInformation(EventRecord eventInstance, string fileName, EventLogReader logReader) { eventInstance = logReader.ReadEvent(); return eventInstance; }
private String FormatterEventRecord(EventRecord monER) { String Resultat = Environment.NewLine + "===" + Environment.NewLine ; Resultat = Resultat + "Quand:" + monER.TimeCreated.ToString() + Environment.NewLine ; Resultat = Resultat + monER.FormatDescription(); Resultat = Resultat + FormatterPropriete(monER.Properties); return Resultat ; }
/// <summary> /// Takes an event record, and writes the properties into a string builder. /// This assumes that the event is a .Net Runtime Provider EventID 1026, which only has one property /// that is a Crash Report for Visual Studio. /// </summary> /// <param name="events">StringBuilder to write the properties to.</param> /// <param name="eventLogEntry">EventRecord to extract properties from</param> private void WriteCrashReport(StringBuilder events, EventRecord eventLogEntry) { if (eventLogEntry == null) return; // We assume that this .Net Runtime Provider EventID 1026, which only has one property EventProperty eventProperty = eventLogEntry.Properties.FirstOrDefault(); if (eventProperty != null) { int stringBuildInitialLength = events.Length; if (eventLogEntry.TimeCreated.HasValue) { events.Append("Event Log Time: "); events.AppendLine(eventLogEntry.TimeCreated.Value.ToLocalTime().ToString()); } String crashReport = eventProperty.Value.ToString(); crashReport = crashReport.Replace(" at ", Environment.NewLine + " at "); crashReport = crashReport.Replace("Framework Version:", Environment.NewLine + "Framework Version:"); crashReport = crashReport.Replace("Description:", Environment.NewLine + "Description:"); crashReport = crashReport.Replace("Exception Info:", Environment.NewLine + "Exception Info:" + Environment.NewLine); crashReport = crashReport.Replace("Stack:", Environment.NewLine + "Stack:"); events.AppendLine(crashReport); } }
private log_entry_line to_log_entry(EventRecord rec, string log_name) { log_entry_line entry = new log_entry_line(); try { try { var task = rec.Task != 0 ? rec.TaskDisplayName : ""; entry.add("Category", task ?? ""); } catch { entry.add("Category", ""); } entry.add("Log", log_name); entry.add("Machine Name", rec.MachineName); entry.add("level", event_level((StandardEventLevel) rec.Level)); entry.add("EventID", "" + rec.Id); entry.add("Source", "" + rec.ProviderName); entry.add("date", rec.TimeCreated.Value.ToString("dd-MM-yyyy")); entry.add("time", rec.TimeCreated.Value.ToString("hh:mm:ss.fff")); entry.add("User Name", rec.UserId != null ? rec.UserId.Value : ""); try { var keywords = rec.KeywordsDisplayNames; entry.add("Keywords", keywords != null ? util.concatenate(keywords, ",") : ""); } catch { entry.add("Keywords", ""); } /* try { var desc = rec.FormatDescription(); entry.add("msg", desc ?? ""); } catch { entry.add("msg", ""); }*/ // 1.5.7+ seems FormatDescription() throws a lot of exceptions, prety sure there's a bug in .net // just make it easy try { string desc = util.concatenate( rec.Properties.Select(x => x.Value.ToString()), "\r\n"); entry.add("msg", desc); } catch { entry.add("msg", ""); } } catch (Exception e) { logger.Fatal("can't convert EventRectord to entry " + e.Message); } return entry; }