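/// <summary>
/// Parses a single evtx file and writes every record that passes the
/// include/exclude event-id filter to whichever writers are open (CSV, XML, JSON).
/// A file that cannot be opened normally is re-read through the raw-access helper,
/// which requires administrator rights; a missing file is skipped with a warning.
/// </summary>
/// <param name="file">Path of the evtx file to process.</param>
private static void ProcessFile(string file)
{
    if (!File.Exists(file))
    {
        _logger.Warn($"'{file}' does not exist! Skipping");
        return;
    }

    _logger.Warn($"\r\nProcessing '{file}'...");

    // Null until a stream is obtained, so the finally block can close it
    // regardless of which path threw.
    Stream fileS = null;
    try
    {
        try
        {
            fileS = new FileStream(file, FileMode.Open, FileAccess.Read);
        }
        catch (Exception)
        {
            // Any open failure is treated as "file in use"; the raw read needs admin rights.
            if (!Helper.IsAdministrator())
            {
                _logger.Fatal("\r\nAdministrator privileges not found! Exiting!!\r\n");
                // Exits with 0, so a calling script cannot tell this fatal case from success.
                Environment.Exit(0);
            }

            _logger.Warn($"\r\n'{file}' is in use. Rerouting...");
            var rawFiles = Helper.GetFiles(new List<string> { file });
            fileS = rawFiles.First().FileStream;
        }

        try
        {
            var evt = new EventLog(fileS);

            if (_swJson != null)
            {
                // Process-wide serializer settings; set once per file instead of once per record.
                JsConfig.IncludeNullValues = true;
                JsConfig.DateHandler = DateHandler.ISO8601;
            }

            var seenRecords = 0;
            foreach (var eventRecord in evt.GetEventRecords())
            {
                // The include list wins when present; otherwise the exclude list applies.
                if (_includeIds.Count > 0)
                {
                    if (!_includeIds.Contains(eventRecord.EventId))
                    {
                        continue;
                    }
                }
                else if (_excludeIds.Count > 0 && _excludeIds.Contains(eventRecord.EventId))
                {
                    continue;
                }

                eventRecord.SourceFile = file;

                try
                {
                    _csvWriter?.WriteRecord(eventRecord);
                    _csvWriter?.NextRecord();

                    var xml = string.Empty;
                    if (_swXml != null)
                    {
                        xml = eventRecord.ConvertPayloadToXml();
                        _swXml.WriteLine(xml);
                    }

                    if (_swJson != null)
                    {
                        var jsOut = eventRecord.ToJson();
                        if (_fluentCommandLineParser.Object.FullJson)
                        {
                            if (xml.IsNullOrEmpty())
                            {
                                xml = eventRecord.ConvertPayloadToXml();
                            }

                            // The payload XML was written by whatever logged the event, so it is
                            // not trusted: disable external entity resolution before parsing it.
                            var xd = new XmlDocument { XmlResolver = null };
                            xd.LoadXml(xml);
                            jsOut = JsonConvert.SerializeXmlNode(xd);
                        }

                        _swJson.WriteLine(jsOut);
                    }

                    seenRecords += 1;
                }
                catch (Exception e)
                {
                    _logger.Error($"Error processing record #{eventRecord.RecordNumber}: {e.Message}");
                }
            }

            if (evt.ErrorRecords.Count > 0)
            {
                _errorFiles.Add(file, evt.ErrorRecords.Count);
            }

            _fileCount += 1;

            _logger.Info("");
            _logger.Fatal("Event log details");
            _logger.Info(evt);
            _logger.Info($"Records processed: {seenRecords:N0} Errors: {evt.ErrorRecords.Count:N0}");

            if (evt.ErrorRecords.Count > 0)
            {
                _logger.Warn("\r\nErrors");
                foreach (var evtErrorRecord in evt.ErrorRecords)
                {
                    _logger.Info($"Record #{evtErrorRecord.Key}: Error: {evtErrorRecord.Value}");
                }
            }

            if (_fluentCommandLineParser.Object.Metrics && evt.EventIdMetrics.Count > 0)
            {
                _logger.Fatal("\r\nMetrics");
                _logger.Warn("Event Id\tCount");
                foreach (var esEventIdMetric in evt.EventIdMetrics.OrderBy(t => t.Key))
                {
                    // Same include/exclude rule as the record loop, so the metrics match the output.
                    if (_includeIds.Count > 0)
                    {
                        if (!_includeIds.Contains((int)esEventIdMetric.Key))
                        {
                            continue;
                        }
                    }
                    else if (_excludeIds.Count > 0 && _excludeIds.Contains((int)esEventIdMetric.Key))
                    {
                        continue;
                    }

                    _logger.Info($"{esEventIdMetric.Key}\t\t{esEventIdMetric.Value:N0}");
                }
            }
        }
        catch (Exception e)
        {
            // The parser reports a non-evtx file only through its message text, so match on it.
            if (e.Message.Contains("Invalid signature! Expected 'ElfFile"))
            {
                _logger.Info($"'{file}' is not an evtx file! Message: {e.Message} Skipping...");
            }
            else
            {
                _logger.Error($"Error processing '{file}'! Message: {e.Message}");
            }
        }
    }
    finally
    {
        // Close on every exit path, not only after a normal run.
        fileS?.Close();
    }
}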
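/// <summary>
/// Parses a single evtx file (a live path or one under the VSS mount directory)
/// and writes every record that survives the event-id and date filters to the
/// open CSV, XML and JSON writers. With dedupe enabled, a file whose SHA-1 has
/// already been processed is skipped. A file that cannot be opened normally is
/// re-read through the raw-access helper, which requires administrator rights.
/// </summary>
/// <param name="file">Path of the evtx file to process.</param>
private static void ProcessFile(string file)
{
    if (!File.Exists(file))
    {
        _logger.Warn($"'{file}' does not exist! Skipping");
        return;
    }

    // Files under the VSS mount are reported everywhere with a short "VSS..." name.
    var isVss = file.StartsWith(VssDir);
    var displayName = isVss ? $"VSS{file.Replace($"{VssDir}\\", "")}" : file;

    if (isVss)
    {
        _logger.Warn($"\r\nProcessing '{displayName}'");
    }
    else
    {
        _logger.Warn($"\r\nProcessing '{displayName}'...");
    }

    // Null until a stream is obtained, so the finally block can close it on every
    // exit path (the dedupe early return previously left the handle open).
    Stream fileS = null;
    try
    {
        try
        {
            fileS = new FileStream(file, FileMode.Open, FileAccess.Read);
        }
        catch (Exception)
        {
            // Any open failure is treated as "file in use"; the raw read needs admin rights.
            if (!Helper.IsAdministrator())
            {
                _logger.Fatal("\r\nAdministrator privileges not found! Exiting!!\r\n");
                // Exits with 0, so a calling script cannot tell this fatal case from success.
                Environment.Exit(0);
            }

            _logger.Warn($"\r\n'{file}' is in use. Rerouting...");
            var rawFiles = Helper.GetFiles(new List<string> { file });
            fileS = rawFiles.First().FileStream;
        }

        try
        {
            if (_fluentCommandLineParser.Object.Dedupe)
            {
                var sha = Helper.GetSha1FromStream(fileS, 0);
                // Hashing advanced the stream; rewind so the parser reads the file from the start.
                fileS.Seek(0, SeekOrigin.Begin);
                if (_seenHashes.Contains(sha))
                {
                    _logger.Debug($"Skipping '{file}' as a file with SHA-1 '{sha}' has already been processed");
                    return;
                }

                _seenHashes.Add(sha);
            }

            var evt = new EventLog(fileS);
            var seenRecords = 0;
            foreach (var eventRecord in evt.GetEventRecords())
            {
                // The include list wins when present; otherwise the exclude list applies.
                if (_includeIds.Count > 0)
                {
                    if (!_includeIds.Contains(eventRecord.EventId))
                    {
                        _droppedEvents += 1;
                        continue;
                    }
                }
                else if (_excludeIds.Count > 0 && _excludeIds.Contains(eventRecord.EventId))
                {
                    _droppedEvents += 1;
                    continue;
                }

                if (_startDate.HasValue && eventRecord.TimeCreated < _startDate.Value)
                {
                    _logger.Debug($"Dropping record Id '{eventRecord.EventRecordId}' with timestamp '{eventRecord.TimeCreated.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}' as its too old.");
                    _droppedEvents += 1;
                    continue;
                }

                if (_endDate.HasValue && eventRecord.TimeCreated > _endDate.Value)
                {
                    _logger.Debug($"Dropping record Id '{eventRecord.EventRecordId}' with timestamp '{eventRecord.TimeCreated.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}' as its too new.");
                    _droppedEvents += 1;
                    continue;
                }

                eventRecord.SourceFile = displayName;

                try
                {
                    if (_fluentCommandLineParser.Object.PayloadAsJson)
                    {
                        // The payload XML was written by whatever logged the event, so it is
                        // not trusted: disable external entity resolution before parsing it.
                        var xdo = new XmlDocument { XmlResolver = null };
                        xdo.LoadXml(eventRecord.Payload);
                        eventRecord.Payload = JsonConvert.SerializeXmlNode(xdo);
                    }

                    _csvWriter?.WriteRecord(eventRecord);
                    _csvWriter?.NextRecord();

                    var xml = string.Empty;
                    if (_swXml != null)
                    {
                        xml = eventRecord.ConvertPayloadToXml();
                        _swXml.WriteLine(xml);
                    }

                    if (_swJson != null)
                    {
                        var jsOut = eventRecord.ToJson();
                        if (_fluentCommandLineParser.Object.FullJson)
                        {
                            if (xml.IsNullOrEmpty())
                            {
                                xml = eventRecord.ConvertPayloadToXml();
                            }

                            jsOut = GetPayloadAsJson(xml);
                        }

                        _swJson.WriteLine(jsOut);
                    }

                    seenRecords += 1;
                }
                catch (Exception e)
                {
                    _logger.Error($"Error processing record #{eventRecord.RecordNumber}: {e.Message}");
                    // Fixed key 21 is kept from the original; the indexer is used because a second
                    // Add with the same key would throw and abort processing of the whole file.
                    evt.ErrorRecords[21] = e.Message;
                }
            }

            if (evt.ErrorRecords.Count > 0)
            {
                _errorFiles.Add(displayName, evt.ErrorRecords.Count);
            }

            _fileCount += 1;

            _logger.Info("");
            _logger.Fatal("Event log details");
            _logger.Info(evt);
            _logger.Info($"Records included: {seenRecords:N0} Errors: {evt.ErrorRecords.Count:N0} Events dropped: {_droppedEvents:N0}");

            if (evt.ErrorRecords.Count > 0)
            {
                _logger.Warn("\r\nErrors");
                foreach (var evtErrorRecord in evt.ErrorRecords)
                {
                    _logger.Info($"Record #{evtErrorRecord.Key}: Error: {evtErrorRecord.Value}");
                }
            }

            if (_fluentCommandLineParser.Object.Metrics && evt.EventIdMetrics.Count > 0)
            {
                _logger.Fatal("\r\nMetrics (including dropped events)");
                _logger.Warn("Event Id\tCount");
                foreach (var esEventIdMetric in evt.EventIdMetrics.OrderBy(t => t.Key))
                {
                    // Same include/exclude rule as the record loop, so the metrics match the output.
                    if (_includeIds.Count > 0)
                    {
                        if (!_includeIds.Contains((int)esEventIdMetric.Key))
                        {
                            continue;
                        }
                    }
                    else if (_excludeIds.Count > 0 && _excludeIds.Contains((int)esEventIdMetric.Key))
                    {
                        continue;
                    }

                    _logger.Info($"{esEventIdMetric.Key}\t\t{esEventIdMetric.Value:N0}");
                }
            }
        }
        catch (Exception e)
        {
            // The parser reports a non-evtx file only through its message text, so match on it.
            if (e.Message.Contains("Invalid signature! Expected 'ElfFile"))
            {
                _logger.Info($"'{displayName}' is not an evtx file! Message: {e.Message} Skipping...");
            }
            else
            {
                _logger.Error($"Error processing '{displayName}'! Message: {e.Message}");
            }
        }
    }
    finally
    {
        // Close on every exit path, including the dedupe early return.
        fileS?.Close();
    }
}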
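/// <summary>
/// Parses a single evtx file and writes every record that passes the event-id
/// filter and the optional <c>_from</c>/<c>_to</c> time window to the CSV writer,
/// with the payload flattened from XML into a condensed JSON-like string. A file
/// that cannot be opened normally is re-read through the raw-access helper,
/// which requires administrator rights.
/// </summary>
/// <param name="file">Path of the evtx file to process.</param>
private static void ProcessFile(string file)
{
    if (!File.Exists(file))
    {
        _logger.Warn($"'{file}' does not exist! Skipping");
        return;
    }

    _logger.Warn($"\r\nProcessing '{file}'...");

    // Null until a stream is obtained, so the finally block can close it
    // regardless of which path threw.
    Stream fileS = null;
    try
    {
        try
        {
            fileS = new FileStream(file, FileMode.Open, FileAccess.Read);
        }
        catch (Exception)
        {
            // Any open failure is treated as "file in use"; the raw read needs admin rights.
            if (!Helper.IsAdministrator())
            {
                _logger.Fatal("\r\nAdministrator privileges not found! Exiting!!\r\n");
                // Exits with 0, so a calling script cannot tell this fatal case from success.
                Environment.Exit(0);
            }

            _logger.Warn($"\r\n'{file}' is in use. Rerouting...");
            var rawFiles = Helper.GetFiles(new List<string> { file });
            fileS = rawFiles.First().FileStream;
        }

        // An unset bound is left at DateTime.MinValue. The previous check compared
        // ToString() against a US-formatted literal, which under any other culture
        // made the unset _to look "set" and dropped every record.
        var hasFrom = _from != DateTime.MinValue;
        var hasTo = _to != DateTime.MinValue;

        try
        {
            var evt = new EventLog(fileS);
            var seenRecords = 0;
            foreach (var eventRecord in evt.GetEventRecords())
            {
                // The include list wins when present; otherwise the exclude list applies.
                if (_includeIds.Count > 0)
                {
                    if (!_includeIds.Contains(eventRecord.EventId))
                    {
                        continue;
                    }
                }
                else if (_excludeIds.Count > 0 && _excludeIds.Contains(eventRecord.EventId))
                {
                    continue;
                }

                // Records outside the requested window are not written.
                var created = eventRecord.TimeCreated.DateTime;
                if (hasFrom && created < _from)
                {
                    continue;
                }

                if (hasTo && created > _to)
                {
                    continue;
                }

                eventRecord.SourceFile = file;

                try
                {
                    // The payload XML was written by whatever logged the event, so it is
                    // not trusted: disable external entity resolution before parsing it.
                    var xdo = new XmlDocument { XmlResolver = null };
                    xdo.LoadXml(eventRecord.Payload);
                    var payOut = JsonConvert.SerializeXmlNode(xdo);

                    // Flattens the serialized JSON by plain substring replacement. This is
                    // structural markup removal, not a parser, so any of these substrings
                    // occurring inside an event data value is altered as well.
                    eventRecord.Payload = payOut
                        .Replace("\"#text\":", "")
                        .Replace("\"@Name\":", "")
                        .Replace("\",\"", ": ")
                        .Replace("\"\"}", "}")
                        .Replace("{\"\"", "")
                        .Replace("\"},{\"", ", ")
                        .Replace("{\"EventData\":{\"Data\":[{\"", "")
                        .Replace("\"}]}}", "")
                        .Replace("\":\"", ": ")
                        .Replace("\"}}}", "")
                        .Replace("\":{\"", ": ")
                        .Replace("{\"", "");

                    _csvWriter?.WriteRecord(eventRecord);
                    _csvWriter?.NextRecord();
                    seenRecords += 1;
                }
                catch (Exception e)
                {
                    _logger.Error($"Error processing record #{eventRecord.RecordNumber}: {e.Message}");
                }
            }

            _csvWriter?.Flush();
            _swCsv?.Flush();

            if (evt.ErrorRecords.Count > 0)
            {
                _errorFiles.Add(file, evt.ErrorRecords.Count);
            }

            _fileCount += 1;

            _logger.Info("");
            _logger.Fatal("Event log details");
            _logger.Info(evt);
            _logger.Info($"Records processed: {seenRecords:N0} Errors: {evt.ErrorRecords.Count:N0}");

            if (evt.ErrorRecords.Count > 0)
            {
                _logger.Warn("\r\nErrors");
                foreach (var evtErrorRecord in evt.ErrorRecords)
                {
                    _logger.Info($"Record #{evtErrorRecord.Key}: Error: {evtErrorRecord.Value}");
                }
            }

            if (_fluentCommandLineParser.Object.Metrics && evt.EventIdMetrics.Count > 0)
            {
                _logger.Fatal("\r\nMetrics");
                _logger.Warn("Event Id\tCount");
                foreach (var esEventIdMetric in evt.EventIdMetrics.OrderBy(t => t.Key))
                {
                    // Same include/exclude rule as the record loop, so the metrics match the output.
                    if (_includeIds.Count > 0)
                    {
                        if (!_includeIds.Contains((int)esEventIdMetric.Key))
                        {
                            continue;
                        }
                    }
                    else if (_excludeIds.Count > 0 && _excludeIds.Contains((int)esEventIdMetric.Key))
                    {
                        continue;
                    }

                    _logger.Info($"{esEventIdMetric.Key}\t\t{esEventIdMetric.Value:N0}");
                }
            }
        }
        catch (Exception e)
        {
            // The parser reports a non-evtx file only through its message text, so match on it.
            if (e.Message.Contains("Invalid signature! Expected 'ElfFile"))
            {
                _logger.Info($"'{file}' is not an evtx file! Message: {e.Message} Skipping...");
            }
            else
            {
                _logger.Error($"Error processing '{file}'! Message: {e.Message}");
            }
        }
    }
    finally
    {
        // Close on every exit path, not only after a normal run.
        fileS?.Close();
    }
}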
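/// <summary>
/// Parses a single evtx file and writes each record to the CSV writer (when one
/// is open), optionally echoing the record payload as XML to the log. Per-record
/// failures are logged and processing continues; a file that is not an evtx file
/// is skipped. An open failure (for example a file locked by another process) is
/// not caught here and propagates to the caller.
/// </summary>
/// <param name="file">Path of the evtx file to process.</param>
private static void ProcessFile(string file)
{
    if (!File.Exists(file))
    {
        _logger.Warn($"'{file}' does not exist! Skipping");
        return;
    }

    _logger.Warn($"\r\nProcessing '{file}'...");

    // Read-only open: FileMode.Open alone requests read/write access, which fails on
    // read-only media and is never needed to parse the log.
    using (var fs = new FileStream(file, FileMode.Open, FileAccess.Read))
    {
        try
        {
            var evt = new EventLog(fs);
            var seenRecords = 0;
            foreach (var eventRecord in evt.GetEventRecords())
            {
                eventRecord.SourceFile = file;
                try
                {
                    if (_fluentCommandLineParser.Object.ShowXml)
                    {
                        _logger.Info(eventRecord.ConvertPayloadToXml());
                    }

                    _csvWriter?.WriteRecord(eventRecord);
                    _csvWriter?.NextRecord();
                    seenRecords += 1;
                }
                catch (Exception e)
                {
                    _logger.Error($"Error processing record #{eventRecord.RecordNumber}: {e.Message}");
                }
            }

            if (evt.ErrorRecords.Count > 0)
            {
                _errorFiles.Add(file, evt.ErrorRecords.Count);
            }

            _fileCount += 1;

            _logger.Info("");
            _logger.Fatal("Event log details");
            _logger.Info(evt);
            _logger.Info($"Records processed: {seenRecords:N0} Errors: {evt.ErrorRecords.Count:N0}");

            if (evt.ErrorRecords.Count > 0)
            {
                _logger.Warn("\r\nErrors");
                foreach (var evtErrorRecord in evt.ErrorRecords)
                {
                    _logger.Info($"Record #{evtErrorRecord.Key}: Error: {evtErrorRecord.Value}");
                }
            }
        }
        catch (Exception e)
        {
            // The parser reports a non-evtx file only through its message text, so match on it.
            if (e.Message.Contains("Invalid signature! Expected 'ElfFile"))
            {
                _logger.Info($"'{file}' is not an evtx file! Message: {e.Message} Skipping...");
            }
            else
            {
                _logger.Error($"Error processing '{file}'! Message: {e.Message}");
            }
        }
    }
}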
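/// <summary>
/// Parses a single evtx file (a live path or one under the VSS mount directory)
/// and writes every record that survives the event-id and date filters to the
/// open CSV, XML and JSON writers, updating the console title with progress.
/// A file that cannot be opened normally is re-read through the raw-access
/// helper, which is Windows-only, requires administrator rights and does not
/// work across UNC paths.
/// </summary>
/// <param name="file">Path of the evtx file to process.</param>
/// <param name="dedupe">Skip the file when a file with the same SHA-1 was already processed.</param>
/// <param name="fj">Write the full payload as JSON instead of the record summary.</param>
/// <param name="met">Print per-event-id counts after the file is processed.</param>
private static void ProcessFile(string file, bool dedupe, bool fj, bool met)
{
    if (!File.Exists(file))
    {
        Log.Warning("{File} does not exist! Skipping", file);
        return;
    }

    // Files under the VSS mount are reported everywhere with a short "VSS..." name.
    // Path prefixes are compared ordinally; a culture-aware StartsWith can ignore characters.
    var isVss = file.StartsWith(VssDir, StringComparison.Ordinal);
    var displayName = isVss ? $"VSS{file.Replace($"{VssDir}\\", "")}" : file;

    Console.WriteLine();
    if (isVss)
    {
        Log.Information("Processing {Vss}", displayName);
    }
    else
    {
        Log.Information("Processing {File}...", displayName);
    }

    // Null until a stream is obtained, so the finally block can close it on every
    // exit path (the dedupe early return previously left the handle open).
    Stream fileS = null;
    try
    {
        try
        {
            fileS = new FileStream(file, FileMode.Open, FileAccess.Read);
        }
        catch (Exception)
        {
            // Any open failure is treated as "file in use" and rerouted to a raw read,
            // which has three preconditions checked in order below.
            if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
            {
                Console.WriteLine();
                Log.Fatal("Raw disk reads not supported on non-Windows platforms! Exiting!!");
                Console.WriteLine();
                // Exits with 0, so a calling script cannot tell this fatal case from success.
                Environment.Exit(0);
            }

            if (!Helper.IsAdministrator())
            {
                Console.WriteLine();
                Log.Fatal("Administrator privileges not found! Exiting!!");
                Console.WriteLine();
                Environment.Exit(0);
            }

            if (file.StartsWith("\\\\", StringComparison.Ordinal))
            {
                Log.Fatal("Raw access across UNC shares is not supported! Run locally on the system or extract logs via other means and try again. Exiting");
                Environment.Exit(0);
            }

            Console.WriteLine();
            Log.Warning("{File} is in use. Rerouting...", file);
            var rawFiles = Helper.GetRawFiles(new List<string> { file });
            fileS = rawFiles.First().FileStream;
        }

        try
        {
            if (dedupe)
            {
                var sha = Helper.GetSha1FromStream(fileS, 0);
                // Hashing advanced the stream; rewind so the parser reads the file from the start.
                fileS.Seek(0, SeekOrigin.Begin);
                if (SeenHashes.Contains(sha))
                {
                    Log.Debug("Skipping {File} as a file with SHA-1 {Sha} has already been processed", file, sha);
                    return;
                }

                SeenHashes.Add(sha);
            }

            // Parser-wide state carried between files; reset before each one.
            EventLog.LastSeenTicks = 0;
            var evt = new EventLog(fileS);

            Log.Information("Chunk count: {ChunkCount:N0}, Iterating records...", evt.ChunkCount);

            var seenRecords = 0;
            foreach (var eventRecord in evt.GetEventRecords())
            {
                if (seenRecords % 10 == 0)
                {
                    Console.Title = $"Processing chunk {eventRecord.ChunkNumber:N0} of {evt.ChunkCount} % complete: {(eventRecord.ChunkNumber / (double)evt.ChunkCount):P} Records found: {seenRecords:N0}";
                }

                // The include list wins when present; otherwise the exclude list applies.
                if (_includeIds.Count > 0)
                {
                    if (!_includeIds.Contains(eventRecord.EventId))
                    {
                        _droppedEvents += 1;
                        continue;
                    }
                }
                else if (_excludeIds.Count > 0 && _excludeIds.Contains(eventRecord.EventId))
                {
                    _droppedEvents += 1;
                    continue;
                }

                if (_startDate.HasValue && eventRecord.TimeCreated < _startDate.Value)
                {
                    Log.Debug("Dropping record Id {EventRecordId} with timestamp {TimeCreated} as its too old", eventRecord.EventRecordId, eventRecord.TimeCreated);
                    _droppedEvents += 1;
                    continue;
                }

                if (_endDate.HasValue && eventRecord.TimeCreated > _endDate.Value)
                {
                    Log.Debug("Dropping record Id {EventRecordId} with timestamp {TimeCreated} as its too new", eventRecord.EventRecordId, eventRecord.TimeCreated);
                    _droppedEvents += 1;
                    continue;
                }

                eventRecord.SourceFile = displayName;

                try
                {
                    // The payload XML was written by whatever logged the event, so it is
                    // not trusted: disable external entity resolution before parsing it.
                    var xdo = new XmlDocument { XmlResolver = null };
                    xdo.LoadXml(eventRecord.Payload);
                    eventRecord.Payload = JsonConvert.SerializeXmlNode(xdo);

                    _csvWriter?.WriteRecord(eventRecord);
                    _csvWriter?.NextRecord();

                    var xml = string.Empty;
                    if (_swXml != null)
                    {
                        xml = eventRecord.ConvertPayloadToXml();
                        _swXml.WriteLine(xml);
                    }

                    if (_swJson != null)
                    {
                        var jsOut = eventRecord.ToJson();
                        if (fj)
                        {
                            if (xml.IsNullOrEmpty())
                            {
                                xml = eventRecord.ConvertPayloadToXml();
                            }

                            jsOut = GetPayloadAsJson(xml);
                        }

                        _swJson.WriteLine(jsOut);
                    }

                    seenRecords += 1;
                }
                catch (Exception e)
                {
                    Log.Error("Error processing record #{RecordNumber}: {Message}", eventRecord.RecordNumber, e.Message);
                    // Fixed key 21 is kept from the original; the indexer is used because a second
                    // Add with the same key would throw and abort processing of the whole file.
                    evt.ErrorRecords[21] = e.Message;
                }
            }

            if (evt.ErrorRecords.Count > 0)
            {
                _errorFiles.Add(displayName, evt.ErrorRecords.Count);
            }

            _fileCount += 1;

            Console.WriteLine();
            Log.Information("Event log details");
            Log.Information("{Evt}", evt);
            Log.Information("Records included: {SeenRecords:N0} Errors: {ErrorRecordsCount:N0} Events dropped: {DroppedEvents:N0}", seenRecords, evt.ErrorRecords.Count, _droppedEvents);

            if (evt.ErrorRecords.Count > 0)
            {
                Console.WriteLine();
                Log.Information("Errors");
                foreach (var evtErrorRecord in evt.ErrorRecords)
                {
                    Log.Information("Record #{Key}: Error: {Value}", evtErrorRecord.Key, evtErrorRecord.Value);
                }
            }

            if (met && evt.EventIdMetrics.Count > 0)
            {
                Console.WriteLine();
                Log.Information("Metrics (including dropped events)");
                Log.Information("Event ID\tCount");
                foreach (var esEventIdMetric in evt.EventIdMetrics.OrderBy(t => t.Key))
                {
                    // Same include/exclude rule as the record loop, so the metrics match the output.
                    if (_includeIds.Count > 0)
                    {
                        if (!_includeIds.Contains((int)esEventIdMetric.Key))
                        {
                            continue;
                        }
                    }
                    else if (_excludeIds.Count > 0 && _excludeIds.Contains((int)esEventIdMetric.Key))
                    {
                        continue;
                    }

                    Log.Information("{Key}\t\t{Value:N0}", esEventIdMetric.Key, esEventIdMetric.Value);
                }
            }
        }
        catch (Exception e)
        {
            // The parser reports a non-evtx file only through its message text, so match on it.
            if (e.Message.Contains("Invalid signature! Expected 'ElfFile"))
            {
                Log.Information("{Fn} is not an evtx file! Message: {Message} Skipping...", displayName, e.Message);
            }
            else
            {
                Log.Error("Error processing {Fn}! Message: {Message}", displayName, e.Message);
            }
        }
    }
    finally
    {
        // Close on every exit path, including the dedupe early return.
        fileS?.Close();
    }
}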