/// <summary> /// Creates event data associated with a specific provider with the specified event metadata. /// </summary> /// <param name="providerName">The name of the provider.</param> /// <param name="metadata">The event metadata.</param> public EventData(string providerName, EventMetadata metadata) { if (metadata != null) { Provider = string.IsNullOrEmpty(providerName) ? string.Empty : providerName; Id = new EventId(metadata.Id); Level = new EventLevelData(metadata.Level.DisplayName, metadata.Level.Value); Version = metadata.Version; Task = new EventTaskData(metadata.Task.Name, metadata.Task.DisplayName, metadata.Task.Value, metadata.Task.EventGuid); Opcode = new EventOpcodeData(metadata.Opcode.DisplayName, metadata.Opcode.Value); Keywords = EventKeywordData.GetKeywords(metadata.Keywords); LoggedTo = string.IsNullOrEmpty(metadata.LogLink.LogName) ? new EventLogData() : new EventLogData(metadata.LogLink.LogName); Message = metadata.Description ?? string.Empty; // only check the template for parameters if the event has an actual message string //Parameters = string.IsNullOrEmpty(metadata.Description) ? new OrderedDictionary() : GetEventParametersFromXmlTemplate(metadata.Template); Parameters = string.IsNullOrEmpty(metadata.Template) ? new OrderedDictionary() : GetEventParametersFromXmlTemplate(metadata.Template); // use the officially defined level information when it exists, otherwise we try to guess the level from Id.Severity which may or may not be accurate // previously, there was a question mark added to the end of the level name to denote this case but it was removed since it seems like a valid guess if (string.IsNullOrEmpty(Level.Name)) { Level = new EventLevelData(string.Format(CultureInfo.CurrentCulture, "{0}", Id.Severity), (int)Enum.Parse(typeof(NtSeverity), Id.Severity)); } // odd case but fairly common if (string.IsNullOrEmpty(metadata.Description) && !string.IsNullOrEmpty(metadata.Template)) { Logger.Debug(CultureInfo.CurrentCulture, "Event did not have a message but had message parameters defined. {0}", this); } // another odd case but seems to be normal for "Classic" events so log only the non-classic instances if (!string.IsNullOrEmpty(metadata.Description) && metadata.Description.Contains("%1") && string.IsNullOrEmpty(metadata.Template) && (Keywords.Count(keyword => keyword.Name.Equals("Classic")) == 0)) { Logger.Debug(CultureInfo.CurrentCulture, "Event had a message with a parameter but no message parameters were defined. {0}", this); } } else { Provider = string.Empty; Id = new EventId(); Level = new EventLevelData(); Version = 0; Task = new EventTaskData(); Opcode = new EventOpcodeData(); Keywords = new List <EventKeywordData>(); LoggedTo = new EventLogData(); Message = string.Empty; Parameters = new OrderedDictionary(); } }
/// <summary> /// Retrieves event provider data from the system based on event provider metadata. /// </summary> /// <returns></returns> public static IList <EventProviderData> GetProviders() { IList <EventProviderData> providers = new List <EventProviderData>(); using (EventLogSession session = new EventLogSession()) { foreach (string providerName in session.GetProviderNames()) { ProviderMetadata providerMetadata = null; try { providerMetadata = new ProviderMetadata(providerName); EventProviderData providerData = new EventProviderData(); providerData.Name = providerMetadata.Name ?? string.Empty; providerData.DisplayName = GetProviderDisplayName(providerMetadata) ?? string.Empty; providerData.Guid = providerMetadata.Id; providerData.FileName = GetHelpFileNameFromUri(providerMetadata.HelpLink) ?? string.Empty; providerData.MessageFile = providerMetadata.MessageFilePath ?? string.Empty; providerData.SubstitutionFile = providerMetadata.ParameterFilePath ?? string.Empty; providerData.ResourceFile = providerMetadata.ResourceFilePath ?? string.Empty; providerData.Levels = GetProviderEventLevels(providerMetadata); providerData.SendsEventsTo = providerMetadata.LogLinks.Select(link => new EventLogData(link.LogName)).ToList(); try { IList <EventData> events = new List <EventData>(); string provName = providerName; // prevents "Access to foreach variable in a closure" warning foreach (EventData eventData in providerMetadata.Events.Select(eventMetadata => new EventData(provName, eventMetadata)).Where(eventData => !events.Contains(eventData))) { events.Add(eventData); } providerData.Events = events; } catch (EventLogException ele) { providerData.Events = new List <EventData>(); Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception while accessing the event provider Events field: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace); } //something is weird with Windows-MsiServer try { providerData.Keywords = EventKeywordData.GetKeywords(providerMetadata.Keywords); } catch (EventLogException ele) { providerData.Keywords = new List <EventKeywordData>(); Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception while accessing the event provider Keywords field: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace); } //something is weird with Windows-MsiServer // Ntfs has 2 entries instead of 1 so make sure we don't add it twice if (!providers.Contains(providerData)) { providers.Add(providerData); } } catch (EventLogNotFoundException elnfe) { // Microsoft-Windows-TerminalServices-ServerUSBDevice = The system cannot find the file specified. // Microsoft-Windows-WPD-MTPClassDriver = The system cannot find the file specified // Microsoft-Windows-Sdbus-SQM = The system cannot find the files specified Logger.Error(elnfe, CultureInfo.CurrentCulture, "Event provider '{0}' not found during initial access of the provider while processing providers: {1}{2}{3}", providerName, elnfe.Message, Environment.NewLine, elnfe.StackTrace); } catch (UnauthorizedAccessException uae) { // thrown when running as a normal user and accessing these: // Microsoft-Windows-Security-Auditing // Microsoft-Windows-Eventlog Logger.Error(uae, CultureInfo.CurrentCulture, "Access denied to event provider '{0}' during initial access of the provider while processing providers: {1}{2}{3}", providerName, uae.Message, Environment.NewLine, uae.StackTrace); } catch (EventLogException ele) { // unfortunately vista x64 needs this generic catch statement Logger.Error(ele, CultureInfo.CurrentCulture, "Event provider '{0}' threw a generic event log exception during initial access of the provider while processing providers: {1}{2}{3}", providerName, ele.Message, Environment.NewLine, ele.StackTrace); } finally { providerMetadata?.Dispose(); } } } return(providers); }