//private static readonly string VssDir = @"C:\____vssMount"; private static void Main(string[] args) { ExceptionlessClient.Default.Startup("tYeWS6A5K5uItgpB44dnNy2qSb2xJxiQWRRGWebq"); SetupNLog(); _logger = LogManager.GetLogger("EvtxECmd"); _fluentCommandLineParser = new FluentCommandLineParser <ApplicationArguments> { IsCaseSensitive = false }; _fluentCommandLineParser.Setup(arg => arg.File) .As('f') .WithDescription("File to process. This or -d is required\r\n"); _fluentCommandLineParser.Setup(arg => arg.Directory) .As('d') .WithDescription("Directory to process that contains evtx files. This or -f is required"); _fluentCommandLineParser.Setup(arg => arg.CsvDirectory) .As("csv") .WithDescription( "Directory to save CSV formatted results to."); // This, --json, or --xml required _fluentCommandLineParser.Setup(arg => arg.CsvName) .As("csvf") .WithDescription( "File name to save CSV formatted results to. When present, overrides default name"); _fluentCommandLineParser.Setup(arg => arg.JsonDirectory) .As("json") .WithDescription( "Directory to save JSON formatted results to."); // This, --csv, or --xml required _fluentCommandLineParser.Setup(arg => arg.JsonName) .As("jsonf") .WithDescription( "File name to save JSON formatted results to. When present, overrides default name"); _fluentCommandLineParser.Setup(arg => arg.XmlDirectory) .As("xml") .WithDescription( "Directory to save XML formatted results to."); // This, --csv, or --json required _fluentCommandLineParser.Setup(arg => arg.XmlName) .As("xmlf") .WithDescription( "File name to save XML formatted results to. When present, overrides default name\r\n"); _fluentCommandLineParser.Setup(arg => arg.DateTimeFormat) .As("dt") .WithDescription( "The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff") .SetDefault("yyyy-MM-dd HH:mm:ss.fffffff"); _fluentCommandLineParser.Setup(arg => arg.IncludeIds) .As("inc") .WithDescription( "List of event IDs to process. All others are ignored. Overrides --exc Format is 4624,4625,5410") .SetDefault(string.Empty); _fluentCommandLineParser.Setup(arg => arg.ExcludeIds) .As("exc") .WithDescription( "List of event IDs to IGNORE. All others are included. Format is 4624,4625,5410") .SetDefault(string.Empty); _fluentCommandLineParser.Setup(arg => arg.StartDate) .As("sd") .WithDescription( "Start date for including events (UTC). Anything OLDER than this is dropped. Format should match --dt") .SetDefault(string.Empty); _fluentCommandLineParser.Setup(arg => arg.EndDate) .As("ed") .WithDescription( "End date for including events (UTC). Anything NEWER than this is dropped. Format should match --dt") .SetDefault(string.Empty); _fluentCommandLineParser.Setup(arg => arg.FullJson) .As("fj") .WithDescription( "When true, export all available data when using --json. Default is FALSE.") .SetDefault(false); _fluentCommandLineParser.Setup(arg => arg.PayloadAsJson) .As("pj") .WithDescription( "When true, include event *payload* as json. Default is TRUE.") .SetDefault(true); _fluentCommandLineParser.Setup(arg => arg.TimeDiscrepancyThreshold) .As("tdt") .WithDescription( "The number of seconds to use for time discrepancy detection. Default is 1 second") .SetDefault(1); _fluentCommandLineParser.Setup(arg => arg.Metrics) .As("met") .WithDescription( "When true, show metrics about processed event log. Default is TRUE.\r\n") .SetDefault(true); _fluentCommandLineParser.Setup(arg => arg.MapsDirectory) .As("maps") .WithDescription( "The path where event maps are located. Defaults to 'Maps' folder where program was executed\r\n ") .SetDefault(Path.Combine(BaseDirectory, "Maps")); /*_fluentCommandLineParser.Setup(arg => arg.Vss) * .As("vss") * .WithDescription( * "Process all Volume Shadow Copies that exist on drive specified by -f or -d . Default is FALSE") * .SetDefault(false);*/ _fluentCommandLineParser.Setup(arg => arg.Dedupe) .As("dedupe") .WithDescription( "Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE\r\n") .SetDefault(true); _fluentCommandLineParser.Setup(arg => arg.Sync) .As("sync") .WithDescription( "If true, the latest maps from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps are downloaded and local maps updated. Default is FALSE\r\n") .SetDefault(false); _fluentCommandLineParser.Setup(arg => arg.Debug) .As("debug") .WithDescription("Show debug information during processing").SetDefault(false); _fluentCommandLineParser.Setup(arg => arg.Trace) .As("trace") .WithDescription("Show trace information during processing\r\n").SetDefault(false); var header = $"EvtxECmd version {Assembly.GetExecutingAssembly().GetName().Version}" + "\n\nAuthor: Eric Zimmerman ([email protected])" + "\nhttps://github.com/EricZimmerman/evtx" + "\nLinux Port : Scott Dermott ([email protected])" + "\nhttps://github.com/ScottDermott/evtx"; var footer = @"Examples: EvtxECmd -f ""/Temp/Application.evtx"" --csv ""/temp/out"" --csvf MyOutputFile.csv" + "\r\n\t " + @" EvtxECmd -f ""/Temp/Application.evtx"" --csv ""/temp/out""" + "\r\n\t " + @" EvtxECmd -f ""/Temp/Application.evtx"" --json ""/temp/jsonout""" + "\r\n\t " + "\r\n\t" + " Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes\r\n"; _fluentCommandLineParser.SetupHelp("?", "help") .WithHeader(header) .Callback(text => _logger.Info(text + "\r\n" + footer)); var result = _fluentCommandLineParser.Parse(args); if (result.HelpCalled) { return; } if (result.HasErrors) { _logger.Error(""); _logger.Error(result.ErrorText); _fluentCommandLineParser.HelpOption.ShowHelp(_fluentCommandLineParser.Options); return; } if (_fluentCommandLineParser.Object.Sync) { try { _logger.Info(header); UpdateFromRepo(); } catch (Exception e) { _logger.Error(e, $"There was an error checking for updates: {e.Message}"); } Environment.Exit(0); } if (_fluentCommandLineParser.Object.File.IsNullOrEmpty() && _fluentCommandLineParser.Object.Directory.IsNullOrEmpty()) { _fluentCommandLineParser.HelpOption.ShowHelp(_fluentCommandLineParser.Options); _logger.Warn("-f or -d is required. Exiting"); return; } _logger.Info(header); _logger.Info(""); _logger.Info($"Command line: {string.Join(" ", Environment.GetCommandLineArgs().Skip(1))}\r\n"); /* if (IsAdministrator() == false) * { * _logger.Fatal("Warning: Administrator privileges not found!\r\n"); * }*/ if (_fluentCommandLineParser.Object.Debug) { LogManager.Configuration.LoggingRules.First().EnableLoggingForLevel(LogLevel.Debug); } if (_fluentCommandLineParser.Object.Trace) { LogManager.Configuration.LoggingRules.First().EnableLoggingForLevel(LogLevel.Trace); } LogManager.ReconfigExistingLoggers(); /* if (_fluentCommandLineParser.Object.Vss & (IsAdministrator() == false)) * { * _logger.Error("--vss is present, but administrator rights not found. Exiting\r\n"); * return; * }*/ var sw = new Stopwatch(); sw.Start(); var ts = DateTimeOffset.UtcNow; _errorFiles = new Dictionary <string, int>(); if (_fluentCommandLineParser.Object.JsonDirectory.IsNullOrEmpty() == false) { if (Directory.Exists(_fluentCommandLineParser.Object.JsonDirectory) == false) { _logger.Warn( $"Path to '{_fluentCommandLineParser.Object.JsonDirectory}' doesn't exist. Creating..."); try { Directory.CreateDirectory(_fluentCommandLineParser.Object.JsonDirectory); } catch (Exception) { _logger.Fatal( $"Unable to create directory '{_fluentCommandLineParser.Object.JsonDirectory}'. Does a file with the same name exist? Exiting"); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.json"; if (_fluentCommandLineParser.Object.JsonName.IsNullOrEmpty() == false) { outName = Path.GetFileName(_fluentCommandLineParser.Object.JsonName); } var outFile = Path.Combine(_fluentCommandLineParser.Object.JsonDirectory, outName); _logger.Warn($"json output will be saved to '{outFile}'\r\n"); try { _swJson = new StreamWriter(outFile, false, Encoding.UTF8); } catch (Exception) { _logger.Error($"Unable to open '{outFile}'! Is it in use? Exiting!\r\n"); Environment.Exit(0); } JsConfig.DateHandler = DateHandler.ISO8601; } if (_fluentCommandLineParser.Object.XmlDirectory.IsNullOrEmpty() == false) { if (Directory.Exists(_fluentCommandLineParser.Object.XmlDirectory) == false) { _logger.Warn( $"Path to '{_fluentCommandLineParser.Object.XmlDirectory}' doesn't exist. Creating..."); try { Directory.CreateDirectory(_fluentCommandLineParser.Object.XmlDirectory); } catch (Exception) { _logger.Fatal( $"Unable to create directory '{_fluentCommandLineParser.Object.XmlDirectory}'. Does a file with the same name exist? Exiting"); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.xml"; if (_fluentCommandLineParser.Object.XmlName.IsNullOrEmpty() == false) { outName = Path.GetFileName(_fluentCommandLineParser.Object.XmlName); } var outFile = Path.Combine(_fluentCommandLineParser.Object.XmlDirectory, outName); _logger.Warn($"XML output will be saved to '{outFile}'\r\n"); try { _swXml = new StreamWriter(outFile, false, Encoding.UTF8); } catch (Exception) { _logger.Error($"Unable to open '{outFile}'! Is it in use? Exiting!\r\n"); Environment.Exit(0); } } if (_fluentCommandLineParser.Object.StartDate.IsNullOrEmpty() == false) { if (DateTimeOffset.TryParse(_fluentCommandLineParser.Object.StartDate, null, DateTimeStyles.AssumeUniversal, out var dt)) { _startDate = dt; _logger.Info($"Setting Start date to '{_startDate.Value.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}'"); } else { _logger.Warn($"Could not parse '{_fluentCommandLineParser.Object.StartDate}' to a valud datetime! Events will not be filtered by Start date!"); } } if (_fluentCommandLineParser.Object.EndDate.IsNullOrEmpty() == false) { if (DateTimeOffset.TryParse(_fluentCommandLineParser.Object.EndDate, null, DateTimeStyles.AssumeUniversal, out var dt)) { _endDate = dt; _logger.Info($"Setting End date to '{_endDate.Value.ToUniversalTime().ToString(_fluentCommandLineParser.Object.DateTimeFormat)}'"); } else { _logger.Warn($"Could not parse '{_fluentCommandLineParser.Object.EndDate}' to a valud datetime! Events will not be filtered by End date!"); } } if (_startDate.HasValue || _endDate.HasValue) { _logger.Info(""); } if (_fluentCommandLineParser.Object.CsvDirectory.IsNullOrEmpty() == false) { if (Directory.Exists(_fluentCommandLineParser.Object.CsvDirectory) == false) { _logger.Warn( $"Path to '{_fluentCommandLineParser.Object.CsvDirectory}' doesn't exist. Creating..."); try { Directory.CreateDirectory(_fluentCommandLineParser.Object.CsvDirectory); } catch (Exception) { _logger.Fatal( $"Unable to create directory '{_fluentCommandLineParser.Object.CsvDirectory}'. Does a file with the same name exist? Exiting"); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.csv"; if (_fluentCommandLineParser.Object.CsvName.IsNullOrEmpty() == false) { outName = Path.GetFileName(_fluentCommandLineParser.Object.CsvName); } var outFile = Path.Combine(_fluentCommandLineParser.Object.CsvDirectory, outName); _logger.Warn($"CSV output will be saved to '{outFile}'\r\n"); try { _swCsv = new StreamWriter(outFile, false, Encoding.UTF8); _csvWriter = new CsvWriter(_swCsv, CultureInfo.InvariantCulture); } catch (Exception) { _logger.Error($"Unable to open '{outFile}'! Is it in use? Exiting!\r\n"); Environment.Exit(0); } var foo = _csvWriter.Configuration.AutoMap <EventRecord>(); if (_fluentCommandLineParser.Object.PayloadAsJson == false) { foo.Map(t => t.Payload).Ignore(); } else { foo.Map(t => t.Payload).Index(22); } foo.Map(t => t.RecordPosition).Ignore(); foo.Map(t => t.Size).Ignore(); foo.Map(t => t.Timestamp).Ignore(); foo.Map(t => t.RecordNumber).Index(0); foo.Map(t => t.EventRecordId).Index(1); foo.Map(t => t.TimeCreated).Index(2); foo.Map(t => t.TimeCreated).ConvertUsing(t => $"{t.TimeCreated.ToString(_fluentCommandLineParser.Object.DateTimeFormat)}"); foo.Map(t => t.EventId).Index(3); foo.Map(t => t.Level).Index(4); foo.Map(t => t.Provider).Index(5); foo.Map(t => t.Channel).Index(6); foo.Map(t => t.ProcessId).Index(7); foo.Map(t => t.ThreadId).Index(8); foo.Map(t => t.Computer).Index(9); foo.Map(t => t.UserId).Index(10); foo.Map(t => t.MapDescription).Index(11); foo.Map(t => t.UserName).Index(12); foo.Map(t => t.RemoteHost).Index(13); foo.Map(t => t.PayloadData1).Index(14); foo.Map(t => t.PayloadData2).Index(15); foo.Map(t => t.PayloadData3).Index(16); foo.Map(t => t.PayloadData4).Index(17); foo.Map(t => t.PayloadData5).Index(18); foo.Map(t => t.PayloadData6).Index(19); foo.Map(t => t.ExecutableInfo).Index(20); foo.Map(t => t.SourceFile).Index(21); _csvWriter.Configuration.RegisterClassMap(foo); _csvWriter.WriteHeader <EventRecord>(); _csvWriter.NextRecord(); } if (Directory.Exists(_fluentCommandLineParser.Object.MapsDirectory) == false) { _logger.Warn( $"Maps directory '{_fluentCommandLineParser.Object.MapsDirectory}' does not exist! Event ID maps will not be loaded!!"); } else { _logger.Info($"Loading maps from '{Path.GetFullPath(_fluentCommandLineParser.Object.MapsDirectory)}'"); var errors = EventLog.LoadMaps(Path.GetFullPath(_fluentCommandLineParser.Object.MapsDirectory)); if (errors) { return; } _logger.Info($"Maps loaded: {EventLog.EventLogMaps.Count:N0}"); } _includeIds = new HashSet <int>(); _excludeIds = new HashSet <int>(); if (_fluentCommandLineParser.Object.ExcludeIds.IsNullOrEmpty() == false) { var excSegs = _fluentCommandLineParser.Object.ExcludeIds.Split(','); foreach (var incSeg in excSegs) { if (int.TryParse(incSeg, out var goodId)) { _excludeIds.Add(goodId); } } } if (_fluentCommandLineParser.Object.IncludeIds.IsNullOrEmpty() == false) { _excludeIds.Clear(); var incSegs = _fluentCommandLineParser.Object.IncludeIds.Split(','); foreach (var incSeg in incSegs) { if (int.TryParse(incSeg, out var goodId)) { _includeIds.Add(goodId); } } } /*if (_fluentCommandLineParser.Object.Vss) * { * string driveLetter; * if (_fluentCommandLineParser.Object.File.IsEmpty() == false) * { * driveLetter = Path.GetPathRoot(Path.GetFullPath(_fluentCommandLineParser.Object.File)) * .Substring(0, 1); * } * else * { * driveLetter = Path.GetPathRoot(Path.GetFullPath(_fluentCommandLineParser.Object.Directory)) * .Substring(0, 1); * } * * * Helper.MountVss(driveLetter,VssDir); * Console.WriteLine(); * }*/ EventLog.TimeDiscrepancyThreshold = _fluentCommandLineParser.Object.TimeDiscrepancyThreshold; if (_fluentCommandLineParser.Object.File.IsNullOrEmpty() == false) { if (File.Exists(_fluentCommandLineParser.Object.File) == false) { _logger.Warn($"'{_fluentCommandLineParser.Object.File}' does not exist! Exiting"); return; } if (_swXml == null && _swJson == null && _swCsv == null) { //no need for maps _logger.Debug("Clearing map collection since no output specified"); EventLog.EventLogMaps.Clear(); } _fluentCommandLineParser.Object.Dedupe = false; ProcessFile(Path.GetFullPath(_fluentCommandLineParser.Object.File)); /*if (_fluentCommandLineParser.Object.Vss) * { * var vssDirs = Directory.GetDirectories(VssDir); * * var root = Path.GetPathRoot(Path.GetFullPath(_fluentCommandLineParser.Object.File)); * var stem = Path.GetFullPath(_fluentCommandLineParser.Object.File).Replace(root, ""); * * foreach (var vssDir in vssDirs) * { * var newPath = Path.Combine(vssDir, stem); * if (File.Exists(newPath)) * { * ProcessFile(newPath); * } * } * }*/ } else { _logger.Info($"Looking for event log files in '{_fluentCommandLineParser.Object.Directory}'"); _logger.Info(""); /* var f = new DirectoryEnumerationFilters * { * InclusionFilter = fsei => fsei.Extension.ToUpperInvariant() == ".EVTX", * RecursionFilter = entryInfo => !entryInfo.IsMountPoint && !entryInfo.IsSymbolicLink, * ErrorFilter = (errorCode, errorMessage, pathProcessed) => true * };*/ /* var dirEnumOptions = * DirectoryEnumerationOptions.Files | DirectoryEnumerationOptions.Recursive | * DirectoryEnumerationOptions.SkipReparsePoints | DirectoryEnumerationOptions.ContinueOnException | * DirectoryEnumerationOptions.BasicSearch;*/ var files2 = Directory.EnumerateFileSystemEntries(Path.GetFullPath(_fluentCommandLineParser.Object.Directory), "*.evtx"); if (_swXml == null && _swJson == null && _swCsv == null) { //no need for maps _logger.Debug("Clearing map collection since no output specified"); EventLog.EventLogMaps.Clear(); } foreach (var file in files2) { ProcessFile(file); } /*if (_fluentCommandLineParser.Object.Vss) * { * var vssDirs = Directory.GetDirectories(VssDir); * * Console.WriteLine(); * * foreach (var vssDir in vssDirs) * { * var root = Path.GetPathRoot(Path.GetFullPath(_fluentCommandLineParser.Object.Directory)); * var stem = Path.GetFullPath(_fluentCommandLineParser.Object.Directory).Replace(root, ""); * * var target = Path.Combine(vssDir, stem); * * _logger.Fatal($"\r\nSearching 'VSS{target.Replace($"{VssDir}\\","")}' for event logs..."); * * var vssFiles = Helper.GetFilesFromPath(target, true, "*.evtx"); * * foreach (var file in vssFiles) * { * ProcessFile(file); * } * } * * }*/ } _swCsv?.Flush(); _swCsv?.Close(); _swJson?.Flush(); _swJson?.Close(); _swXml?.Flush(); _swXml?.Close(); sw.Stop(); _logger.Info(""); var suff = string.Empty; if (_fileCount != 1) { suff = "s"; } _logger.Error( $"Processed {_fileCount:N0} file{suff} in {sw.Elapsed.TotalSeconds:N4} seconds\r\n"); if (_errorFiles.Count > 0) { _logger.Info(""); _logger.Error("Files with errors"); foreach (var errorFile in _errorFiles) { _logger.Info($"'{errorFile.Key}' error count: {errorFile.Value:N0}"); } _logger.Info(""); } /*if (_fluentCommandLineParser.Object.Vss) * { * if (Directory.Exists(VssDir)) * { * foreach (var directory in Directory.GetDirectories(VssDir)) * { * Directory.Delete(directory); * } * Directory.Delete(VssDir,true); * } * }*/ }
private static void Main(string[] args) { ExceptionlessClient.Default.Startup("tYeWS6A5K5uItgpB44dnNy2qSb2xJxiQWRRGWebq"); SetupNLog(); _logger = LogManager.GetLogger("EvtxECmd"); _fluentCommandLineParser = new FluentCommandLineParser <ApplicationArguments> { IsCaseSensitive = false }; _fluentCommandLineParser.Setup(arg => arg.File) .As('f') .WithDescription("File to process. This or -d is required\r\n"); _fluentCommandLineParser.Setup(arg => arg.Directory) .As('d') .WithDescription("Directory to process that contains evtx files. This or -f is required"); _fluentCommandLineParser.Setup(arg => arg.CsvDirectory) .As("csv") .WithDescription( "Directory to save CSV formatted results to."); // This, --json, or --xml required _fluentCommandLineParser.Setup(arg => arg.CsvName) .As("csvf") .WithDescription( "File name to save CSV formatted results to. When present, overrides default name"); _fluentCommandLineParser.Setup(arg => arg.JsonDirectory) .As("json") .WithDescription( "Directory to save JSON formatted results to."); // This, --csv, or --xml required _fluentCommandLineParser.Setup(arg => arg.JsonName) .As("jsonf") .WithDescription( "File name to save JSON formatted results to. When present, overrides default name"); _fluentCommandLineParser.Setup(arg => arg.XmlDirectory) .As("xml") .WithDescription( "Directory to save XML formatted results to."); // This, --csv, or --json required _fluentCommandLineParser.Setup(arg => arg.XmlName) .As("xmlf") .WithDescription( "File name to save XML formatted results to. When present, overrides default name\r\n"); _fluentCommandLineParser.Setup(arg => arg.DateTimeFormat) .As("dt") .WithDescription( "The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff") .SetDefault("yyyy-MM-dd HH:mm:ss.fffffff"); _fluentCommandLineParser.Setup(arg => arg.IncludeIds) .As("inc") .WithDescription( "List of event IDs to process. All others are ignored. Overrides --exc Format is 4624,4625,5410") .SetDefault(string.Empty); _fluentCommandLineParser.Setup(arg => arg.ExcludeIds) .As("exc") .WithDescription( "List of event IDs to IGNORE. All others are included. Format is 4624,4625,5410") .SetDefault(string.Empty); _fluentCommandLineParser.Setup(arg => arg.FullJson) .As("fj") .WithDescription( "When true, export all available data when using --json. Default is FALSE.") .SetDefault(false); _fluentCommandLineParser.Setup(arg => arg.Metrics) .As("met") .WithDescription( "When true, show metrics about processed event log. Default is TRUE.\r\n") .SetDefault(true); _fluentCommandLineParser.Setup(arg => arg.MapsDirectory) .As("maps") .WithDescription( "The path where event maps are located. Defaults to 'Maps' folder where program was executed\r\n ") .SetDefault(Path.Combine(BaseDirectory, "Maps")); _fluentCommandLineParser.Setup(arg => arg.Debug) .As("debug") .WithDescription("Show debug information during processing").SetDefault(false); _fluentCommandLineParser.Setup(arg => arg.Trace) .As("trace") .WithDescription("Show trace information during processing\r\n").SetDefault(false); var header = $"EvtxECmd version {Assembly.GetExecutingAssembly().GetName().Version}" + "\r\n\r\nAuthor: Eric Zimmerman ([email protected])" + "\r\nhttps://github.com/EricZimmerman/evtx"; var footer = @"Examples: EvtxECmd.exe -f ""C:\Temp\Application.evtx"" --csv ""c:\temp\out"" --csvf MyOutputFile.csv" + "\r\n\t " + @" EvtxECmd.exe -f ""C:\Temp\Application.evtx"" --csv ""c:\temp\out""" + "\r\n\t " + @" EvtxECmd.exe -f ""C:\Temp\Application.evtx"" --json ""c:\temp\jsonout""" + "\r\n\t " + "\r\n\t" + " Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes\r\n"; _fluentCommandLineParser.SetupHelp("?", "help") .WithHeader(header) .Callback(text => _logger.Info(text + "\r\n" + footer)); var result = _fluentCommandLineParser.Parse(args); if (result.HelpCalled) { return; } if (result.HasErrors) { _logger.Error(""); _logger.Error(result.ErrorText); _fluentCommandLineParser.HelpOption.ShowHelp(_fluentCommandLineParser.Options); return; } if (_fluentCommandLineParser.Object.File.IsNullOrEmpty() && _fluentCommandLineParser.Object.Directory.IsNullOrEmpty()) { _fluentCommandLineParser.HelpOption.ShowHelp(_fluentCommandLineParser.Options); _logger.Warn("-f or -d is required. Exiting"); return; } _logger.Info(header); _logger.Info(""); _logger.Info($"Command line: {string.Join(" ", Environment.GetCommandLineArgs().Skip(1))}\r\n"); if (IsAdministrator() == false) { _logger.Fatal("Warning: Administrator privileges not found!\r\n"); } if (_fluentCommandLineParser.Object.Debug) { LogManager.Configuration.LoggingRules.First().EnableLoggingForLevel(LogLevel.Debug); } if (_fluentCommandLineParser.Object.Trace) { LogManager.Configuration.LoggingRules.First().EnableLoggingForLevel(LogLevel.Trace); } LogManager.ReconfigExistingLoggers(); var sw = new Stopwatch(); sw.Start(); var ts = DateTimeOffset.UtcNow; _errorFiles = new Dictionary <string, int>(); if (_fluentCommandLineParser.Object.JsonDirectory.IsNullOrEmpty() == false) { if (Directory.Exists(_fluentCommandLineParser.Object.JsonDirectory) == false) { _logger.Warn( $"Path to '{_fluentCommandLineParser.Object.JsonDirectory}' doesn't exist. Creating..."); try { Directory.CreateDirectory(_fluentCommandLineParser.Object.JsonDirectory); } catch (Exception) { _logger.Fatal( $"Unable to create directory '{_fluentCommandLineParser.Object.JsonDirectory}'. Does a file with the same name exist? Exiting"); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.json"; if (_fluentCommandLineParser.Object.JsonName.IsNullOrEmpty() == false) { outName = Path.GetFileName(_fluentCommandLineParser.Object.JsonName); } var outFile = Path.Combine(_fluentCommandLineParser.Object.JsonDirectory, outName); _logger.Warn($"json output will be saved to '{outFile}'\r\n"); try { _swJson = new StreamWriter(outFile, false, Encoding.UTF8); } catch (Exception) { _logger.Error($"Unable to open '{outFile}'! Is it in use? Exiting!\r\n"); Environment.Exit(0); } } if (_fluentCommandLineParser.Object.XmlDirectory.IsNullOrEmpty() == false) { if (Directory.Exists(_fluentCommandLineParser.Object.XmlDirectory) == false) { _logger.Warn( $"Path to '{_fluentCommandLineParser.Object.XmlDirectory}' doesn't exist. Creating..."); try { Directory.CreateDirectory(_fluentCommandLineParser.Object.XmlDirectory); } catch (Exception) { _logger.Fatal( $"Unable to create directory '{_fluentCommandLineParser.Object.XmlDirectory}'. Does a file with the same name exist? Exiting"); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.xml"; if (_fluentCommandLineParser.Object.XmlName.IsNullOrEmpty() == false) { outName = Path.GetFileName(_fluentCommandLineParser.Object.XmlName); } var outFile = Path.Combine(_fluentCommandLineParser.Object.XmlDirectory, outName); _logger.Warn($"XML output will be saved to '{outFile}'\r\n"); try { _swXml = new StreamWriter(outFile, false, Encoding.UTF8); } catch (Exception) { _logger.Error($"Unable to open '{outFile}'! Is it in use? Exiting!\r\n"); Environment.Exit(0); } } if (_fluentCommandLineParser.Object.CsvDirectory.IsNullOrEmpty() == false) { if (Directory.Exists(_fluentCommandLineParser.Object.CsvDirectory) == false) { _logger.Warn( $"Path to '{_fluentCommandLineParser.Object.CsvDirectory}' doesn't exist. Creating..."); try { Directory.CreateDirectory(_fluentCommandLineParser.Object.CsvDirectory); } catch (Exception) { _logger.Fatal( $"Unable to create directory '{_fluentCommandLineParser.Object.CsvDirectory}'. Does a file with the same name exist? Exiting"); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.csv"; if (_fluentCommandLineParser.Object.CsvName.IsNullOrEmpty() == false) { outName = Path.GetFileName(_fluentCommandLineParser.Object.CsvName); } var outFile = Path.Combine(_fluentCommandLineParser.Object.CsvDirectory, outName); _logger.Warn($"CSV output will be saved to '{outFile}'\r\n"); try { _swCsv = new StreamWriter(outFile, false, Encoding.UTF8); _csvWriter = new CsvWriter(_swCsv); } catch (Exception) { _logger.Error($"Unable to open '{outFile}'! Is it in use? Exiting!\r\n"); Environment.Exit(0); } var foo = _csvWriter.Configuration.AutoMap <EventRecord>(); foo.Map(t => t.PayloadXml).Ignore(); foo.Map(t => t.RecordPosition).Ignore(); foo.Map(t => t.Size).Ignore(); foo.Map(t => t.Timestamp).Ignore(); foo.Map(t => t.RecordNumber).Index(0); foo.Map(t => t.TimeCreated).Index(1); foo.Map(t => t.TimeCreated).ConvertUsing(t => $"{t.TimeCreated.ToString(_fluentCommandLineParser.Object.DateTimeFormat)}"); foo.Map(t => t.EventId).Index(2); foo.Map(t => t.Level).Index(3); foo.Map(t => t.Provider).Index(4); foo.Map(t => t.Channel).Index(5); foo.Map(t => t.ProcessId).Index(6); foo.Map(t => t.ThreadId).Index(7); foo.Map(t => t.Computer).Index(8); foo.Map(t => t.UserId).Index(9); foo.Map(t => t.MapDescription).Index(10); foo.Map(t => t.UserName).Index(11); foo.Map(t => t.RemoteHost).Index(12); foo.Map(t => t.PayloadData1).Index(13); foo.Map(t => t.PayloadData2).Index(14); foo.Map(t => t.PayloadData3).Index(15); foo.Map(t => t.PayloadData4).Index(16); foo.Map(t => t.PayloadData5).Index(17); foo.Map(t => t.PayloadData6).Index(18); foo.Map(t => t.ExecutableInfo).Index(19); foo.Map(t => t.SourceFile).Index(20); _csvWriter.Configuration.RegisterClassMap(foo); _csvWriter.WriteHeader <EventRecord>(); _csvWriter.NextRecord(); } if (Directory.Exists(_fluentCommandLineParser.Object.MapsDirectory) == false) { _logger.Warn( $"Maps directory '{_fluentCommandLineParser.Object.MapsDirectory}' does not exist! Event ID maps will not be loaded!!"); } else { _logger.Debug($"Loading maps from '{Path.GetFullPath(_fluentCommandLineParser.Object.MapsDirectory)}'"); var errors = EventLog.LoadMaps(Path.GetFullPath(_fluentCommandLineParser.Object.MapsDirectory)); if (errors) { return; } _logger.Info($"Maps loaded: {EventLog.EventLogMaps.Count:N0}"); } _includeIds = new HashSet <int>(); _excludeIds = new HashSet <int>(); if (_fluentCommandLineParser.Object.ExcludeIds.IsNullOrEmpty() == false) { var excSegs = _fluentCommandLineParser.Object.ExcludeIds.Split(','); foreach (var incSeg in excSegs) { if (int.TryParse(incSeg, out var goodId)) { _excludeIds.Add(goodId); } } } if (_fluentCommandLineParser.Object.IncludeIds.IsNullOrEmpty() == false) { _excludeIds.Clear(); var incSegs = _fluentCommandLineParser.Object.IncludeIds.Split(','); foreach (var incSeg in incSegs) { if (int.TryParse(incSeg, out var goodId)) { _includeIds.Add(goodId); } } } if (_fluentCommandLineParser.Object.File.IsNullOrEmpty() == false) { if (File.Exists(_fluentCommandLineParser.Object.File) == false) { _logger.Warn($"'{_fluentCommandLineParser.Object.File}' does not exist! Exiting"); return; } ProcessFile(_fluentCommandLineParser.Object.File); } else { _logger.Info($"Looking for event log files in '{_fluentCommandLineParser.Object.Directory}'"); _logger.Info(""); var f = new DirectoryEnumerationFilters(); f.InclusionFilter = fsei => fsei.Extension.ToUpperInvariant() == ".EVTX"; f.RecursionFilter = entryInfo => !entryInfo.IsMountPoint && !entryInfo.IsSymbolicLink; f.ErrorFilter = (errorCode, errorMessage, pathProcessed) => true; var dirEnumOptions = DirectoryEnumerationOptions.Files | DirectoryEnumerationOptions.Recursive | DirectoryEnumerationOptions.SkipReparsePoints | DirectoryEnumerationOptions.ContinueOnException | DirectoryEnumerationOptions.BasicSearch; var files2 = Directory.EnumerateFileSystemEntries(Path.GetFullPath(_fluentCommandLineParser.Object.Directory), dirEnumOptions, f); foreach (var file in files2) { ProcessFile(file); } } _swCsv?.Flush(); _swCsv?.Close(); _swJson?.Flush(); _swJson?.Close(); _swXml?.Flush(); _swXml?.Close(); sw.Stop(); _logger.Info(""); var suff = string.Empty; if (_fileCount != 1) { suff = "s"; } _logger.Error( $"Processed {_fileCount:N0} file{suff} in {sw.Elapsed.TotalSeconds:N4} seconds\r\n"); if (_errorFiles.Count > 0) { _logger.Info(""); _logger.Error("Files with errors"); foreach (var errorFile in _errorFiles) { _logger.Info($"'{errorFile.Key}' error count: {errorFile.Value:N0}"); } _logger.Info(""); } }
private static void DoWork(string f, string d, string csv, string csvf, string json, string jsonf, string xml, string xmlf, string dt, string inc, string exc, string sd, string ed, bool fj, int tdt, bool met, string maps, bool vss, bool dedupe, bool sync, bool debug, bool trace) { var levelSwitch = new LoggingLevelSwitch(); _activeDateTimeFormat = dt; var formatter = new DateTimeOffsetFormatter(CultureInfo.CurrentCulture); var template = "{Message:lj}{NewLine}{Exception}"; if (debug) { levelSwitch.MinimumLevel = LogEventLevel.Debug; template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}"; } if (trace) { levelSwitch.MinimumLevel = LogEventLevel.Verbose; template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}"; } var conf = new LoggerConfiguration() .WriteTo.Console(outputTemplate: template, formatProvider: formatter) .MinimumLevel.ControlledBy(levelSwitch); Log.Logger = conf.CreateLogger(); if (sync) { try { Log.Information("{Header}", Header); UpdateFromRepo(); } catch (Exception e) { Log.Error(e, "There was an error checking for updates: {Message}", e.Message); } Environment.Exit(0); } if (f.IsNullOrEmpty() && d.IsNullOrEmpty()) { var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth); var hc = new HelpContext(helpBld, _rootCommand, Console.Out); helpBld.Write(hc); Log.Warning("-f or -d is required. Exiting"); Console.WriteLine(); return; } Log.Information("{Header}", Header); Console.WriteLine(); Log.Information("Command line: {Args}", string.Join(" ", Environment.GetCommandLineArgs().Skip(1))); Console.WriteLine(); if (IsAdministrator() == false) { Log.Warning("Warning: Administrator privileges not found!"); Console.WriteLine(); } if (vss & !RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { vss = false; Log.Warning("{Vss} not supported on non-Windows platforms. Disabling...", "--vss"); Console.WriteLine(); } if (vss & (IsAdministrator() == false)) { Log.Error("{Vss} is present, but administrator rights not found. Exiting", "--vss"); Console.WriteLine(); return; } var sw = new Stopwatch(); sw.Start(); var ts = DateTimeOffset.UtcNow; _errorFiles = new Dictionary <string, int>(); if (json.IsNullOrEmpty() == false) { if (Directory.Exists(json) == false) { Log.Information("Path to {Json} doesn't exist. Creating...", json); try { Directory.CreateDirectory(json); } catch (Exception ex) { Log.Fatal(ex, "Unable to create directory {Json}. Does a file with the same name exist? Exiting", json); Console.WriteLine(); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.json"; if (jsonf.IsNullOrEmpty() == false) { outName = Path.GetFileName(jsonf); } var outFile = Path.Combine(json, outName); Log.Information("json output will be saved to {OutFile}", outFile); Console.WriteLine(); try { _swJson = new StreamWriter(outFile, false, Encoding.UTF8); } catch (Exception ex) { Log.Error(ex, "Unable to open {OutFile}! Is it in use? Exiting!", outFile); Console.WriteLine(); Environment.Exit(0); } JsConfig.DateHandler = DateHandler.ISO8601; } if (xml.IsNullOrEmpty() == false) { if (Directory.Exists(xml) == false) { Log.Information("Path to {Xml} doesn't exist. Creating...", xml); try { Directory.CreateDirectory(xml); } catch (Exception ex) { Log.Fatal(ex, "Unable to create directory {Xml}. Does a file with the same name exist? Exiting", xml); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.xml"; if (xmlf.IsNullOrEmpty() == false) { outName = Path.GetFileName(xmlf); } var outFile = Path.Combine(xml, outName); Log.Information("XML output will be saved to {OutFile}", outFile); Console.WriteLine(); try { _swXml = new StreamWriter(outFile, false, Encoding.UTF8); } catch (Exception ex) { Log.Error(ex, "Unable to open {OutFile}! Is it in use? Exiting!", outFile); Console.WriteLine(); Environment.Exit(0); } } if (sd.IsNullOrEmpty() == false) { if (DateTimeOffset.TryParse(sd, null, DateTimeStyles.AssumeUniversal, out var dateTimeOffset)) { _startDate = dateTimeOffset; Log.Information("Setting Start date to {StartDate}", _startDate.Value); } else { Log.Warning("Could not parse {Sd} to a valid datetime! Events will not be filtered by Start date!", sd); } } if (ed.IsNullOrEmpty() == false) { if (DateTimeOffset.TryParse(ed, null, DateTimeStyles.AssumeUniversal, out var dateTimeOffset)) { _endDate = dateTimeOffset; Log.Information("Setting End date to {EndDate}", _endDate.Value); } else { Log.Warning("Could not parse {Ed} to a valid datetime! Events will not be filtered by End date!", ed); } } if (_startDate.HasValue || _endDate.HasValue) { Console.WriteLine(); } if (csv.IsNullOrEmpty() == false) { if (Directory.Exists(csv) == false) { Log.Information( "Path to {Csv} doesn't exist. Creating...", csv); try { Directory.CreateDirectory(csv); } catch (Exception ex) { Log.Fatal(ex, "Unable to create directory {Csv}. Does a file with the same name exist? Exiting", csv); return; } } var outName = $"{ts:yyyyMMddHHmmss}_EvtxECmd_Output.csv"; if (csvf.IsNullOrEmpty() == false) { outName = Path.GetFileName(csvf); } var outFile = Path.Combine(csv, outName); Log.Information("CSV output will be saved to {OutFile}", outFile); Console.WriteLine(); try { _swCsv = new StreamWriter(outFile, false, Encoding.UTF8); var opt = new CsvConfiguration(CultureInfo.InvariantCulture) { ShouldUseConstructorParameters = _ => false }; _csvWriter = new CsvWriter(_swCsv, opt); } catch (Exception ex) { Log.Error(ex, "Unable to open {OutFile}! Is it in use? Exiting!", outFile); Console.WriteLine(); Environment.Exit(0); } var foo = _csvWriter.Context.AutoMap <EventRecord>(); foo.Map(t => t.RecordPosition).Ignore(); foo.Map(t => t.Size).Ignore(); foo.Map(t => t.Timestamp).Ignore(); foo.Map(t => t.RecordNumber).Index(0); foo.Map(t => t.EventRecordId).Index(1); foo.Map(t => t.TimeCreated).Index(2); foo.Map(t => t.TimeCreated).Convert(t => $"{t.Value.TimeCreated.ToString(dt)}"); foo.Map(t => t.EventId).Index(3); foo.Map(t => t.Level).Index(4); foo.Map(t => t.Provider).Index(5); foo.Map(t => t.Channel).Index(6); foo.Map(t => t.ProcessId).Index(7); foo.Map(t => t.ThreadId).Index(8); foo.Map(t => t.Computer).Index(9); foo.Map(t => t.UserId).Index(10); foo.Map(t => t.MapDescription).Index(11); foo.Map(t => t.UserName).Index(12); foo.Map(t => t.RemoteHost).Index(13); foo.Map(t => t.PayloadData1).Index(14); foo.Map(t => t.PayloadData2).Index(15); foo.Map(t => t.PayloadData3).Index(16); foo.Map(t => t.PayloadData4).Index(17); foo.Map(t => t.PayloadData5).Index(18); foo.Map(t => t.PayloadData6).Index(19); foo.Map(t => t.ExecutableInfo).Index(20); foo.Map(t => t.HiddenRecord).Index(21); foo.Map(t => t.SourceFile).Index(22); foo.Map(t => t.Keywords).Index(23); foo.Map(t => t.Payload).Index(24); _csvWriter.Context.RegisterClassMap(foo); _csvWriter.WriteHeader <EventRecord>(); _csvWriter.NextRecord(); } if (Directory.Exists(maps) == false) { Log.Warning("Maps directory {Maps} does not exist! Event ID maps will not be loaded!!", maps); } else { Log.Debug("Loading maps from {Path}", Path.GetFullPath(maps)); var errors = EventLog.LoadMaps(Path.GetFullPath(maps)); if (errors) { return; } Log.Information("Maps loaded: {Count:N0}", EventLog.EventLogMaps.Count); } _includeIds = new HashSet <int>(); _excludeIds = new HashSet <int>(); if (exc.IsNullOrEmpty() == false) { var excSegs = exc.Split(','); foreach (var incSeg in excSegs) { if (int.TryParse(incSeg, out var goodId)) { _excludeIds.Add(goodId); } } } if (inc.IsNullOrEmpty() == false) { _excludeIds.Clear(); var incSegs = inc.Split(','); foreach (var incSeg in incSegs) { if (int.TryParse(incSeg, out var goodId)) { _includeIds.Add(goodId); } } } if (vss) { string driveLetter; if (f.IsEmpty() == false) { driveLetter = Path.GetPathRoot(Path.GetFullPath(f)) .Substring(0, 1); } else { driveLetter = Path.GetPathRoot(Path.GetFullPath(d)) .Substring(0, 1); } Helper.MountVss(driveLetter, VssDir); Console.WriteLine(); } EventLog.TimeDiscrepancyThreshold = tdt; if (f.IsNullOrEmpty() == false) { if (File.Exists(f) == false) { Log.Warning("\t{F} does not exist! Exiting", f); Console.WriteLine(); return; } if (_swXml == null && _swJson == null && _swCsv == null) { //no need for maps Log.Debug("Clearing map collection since no output specified"); EventLog.EventLogMaps.Clear(); } dedupe = false; ProcessFile(Path.GetFullPath(f), dedupe, fj, met); if (vss) { var vssDirs = Directory.GetDirectories(VssDir); var root = Path.GetPathRoot(Path.GetFullPath(f)); var stem = Path.GetFullPath(f).Replace(root, ""); foreach (var vssDir in vssDirs) { var newPath = Path.Combine(vssDir, stem); if (File.Exists(newPath)) { ProcessFile(newPath, dedupe, fj, met); } } } } else { if (Directory.Exists(d) == false) { Log.Warning("\t{D} does not exist! Exiting", d); Console.WriteLine(); return; } Log.Information("Looking for event log files in {D}", d); Console.WriteLine(); #if !NET6_0 var directoryEnumerationFilters = new DirectoryEnumerationFilters { InclusionFilter = fsei => fsei.Extension.ToUpperInvariant() == ".EVTX", RecursionFilter = entryInfo => !entryInfo.IsMountPoint && !entryInfo.IsSymbolicLink, ErrorFilter = (errorCode, errorMessage, pathProcessed) => true }; var dirEnumOptions = DirectoryEnumerationOptions.Files | DirectoryEnumerationOptions.Recursive | DirectoryEnumerationOptions.SkipReparsePoints | DirectoryEnumerationOptions.ContinueOnException | DirectoryEnumerationOptions.BasicSearch; var files2 = Directory.EnumerateFileSystemEntries(Path.GetFullPath(d), dirEnumOptions, directoryEnumerationFilters); #else var enumerationOptions = new EnumerationOptions { IgnoreInaccessible = true, MatchCasing = MatchCasing.CaseInsensitive, RecurseSubdirectories = true, AttributesToSkip = 0 }; var files2 = Directory.EnumerateFileSystemEntries(d, "*.evtx", enumerationOptions); #endif if (_swXml == null && _swJson == null && _swCsv == null) { //no need for maps Log.Debug("Clearing map collection since no output specified"); EventLog.EventLogMaps.Clear(); } foreach (var file in files2) { ProcessFile(file, dedupe, fj, met); } if (vss) { var vssDirs = Directory.GetDirectories(VssDir); Console.WriteLine(); foreach (var vssDir in vssDirs) { var root = Path.GetPathRoot(Path.GetFullPath(d)); var stem = Path.GetFullPath(d).Replace(root, ""); var target = Path.Combine(vssDir, stem); Console.WriteLine(); Log.Information("Searching {Vss} for event logs...", $"VSS{target.Replace($"{VssDir}\\", "")}"); var vssFiles = Helper.GetFilesFromPath(target, "*.evtx", true); foreach (var file in vssFiles) { ProcessFile(file, dedupe, fj, met); } } } } try { _swCsv?.Flush(); _swCsv?.Close(); _swJson?.Flush(); _swJson?.Close(); _swXml?.Flush(); _swXml?.Close(); } catch (Exception e) { Log.Error(e, "Error when flushing output files to disk! Error message: {Message}", e.Message); } sw.Stop(); Console.WriteLine(); if (_fileCount == 1) { Log.Information("Processed {FileCount:N0} file in {TotalSeconds:N4} seconds", _fileCount, sw.Elapsed.TotalSeconds); } else { Log.Information("Processed {FileCount:N0} files in {TotalSeconds:N4} seconds", _fileCount, sw.Elapsed.TotalSeconds); } Console.WriteLine(); if (_errorFiles.Count > 0) { Console.WriteLine(); Log.Information("Files with errors"); foreach (var errorFile in _errorFiles) { Log.Information("{Key} error count: {Value:N0}", errorFile.Key, errorFile.Value); } Console.WriteLine(); } if (vss) { if (Directory.Exists(VssDir)) { foreach (var directory in Directory.GetDirectories(VssDir)) { Directory.Delete(directory); } #if !NET6_0 Directory.Delete(VssDir, true, true); #else Directory.Delete(VssDir, true); #endif } } }