public WindowsEventPollingSource(string logName, string query, bool includeEventData, IPlugInContext context)
     : base(new ServiceDependency("EventLog"), context)
 {
     _logName          = logName;
     _query            = query;
     _includeEventData = includeEventData;
     customFilters     = context?.Configuration?["CustomFilters"]?.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries) ?? new string[0];
     if (customFilters.Length > 0)
     {
         var badFilters = string.Join(",", customFilters.Where(i => EventInfoFilters.GetFilter(i) == null));
         if (!string.IsNullOrWhiteSpace(badFilters))
         {
             throw new ConfigurationException($"Custom filter/s '{badFilters}' do not exist. Please check the filter names.");
         }
     }
     if (bool.TryParse(context?.Configuration?["BookmarkOnBufferFlush"] ?? "false", out bool bookmarkOnBufferFlush))
     {
         this.bookmarkOnBufferFlush = bookmarkOnBufferFlush;
     }
 }
Exemplo n.º 2
0
        public EventLogSource(string logName, string query, IPlugInContext context) : base(new ServiceDependency("EventLog"), context)
        {
            Guard.ArgumentNotNullOrEmpty(logName, nameof(logName));
            this.logName           = logName;
            this.query             = query;
            this.recordSubject     = new Subject <IEnvelope <EventInfo> >();
            this.bookmarkDirectory = Path.GetDirectoryName(this.GetBookmarkFilePath());
            if (!Directory.Exists(this.bookmarkDirectory))
            {
                Directory.CreateDirectory(this.bookmarkDirectory);
            }

            if (bool.TryParse(context?.Configuration?["BookmarkOnBufferFlush"] ?? "false", out bool bookmarkOnBufferFlush))
            {
                this.bookmarkOnBufferFlush = bookmarkOnBufferFlush;
            }

            if (string.IsNullOrWhiteSpace(query))
            {
                this.eventLogQuery = new EventLogQuery(this.logName, PathType.LogName);
            }
            else
            {
                this.eventLogQuery = new EventLogQuery(this.logName, PathType.LogName, this.query);
            }

            if (bool.TryParse(context?.Configuration?["IncludeEventData"], out bool incEventData))
            {
                this.includeEventData = incEventData;
            }

            this.customFilters = context?.Configuration?["CustomFilters"]?.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries) ?? new string[0];
            if (this.customFilters.Length > 0)
            {
                var badFilters = string.Join(",", this.customFilters.Where(i => EventInfoFilters.GetFilter(i) == null));
                if (!string.IsNullOrWhiteSpace(badFilters))
                {
                    throw new ConfigurationException($"Custom filter/s '{badFilters}' do not exist. Please check the filter names.");
                }
            }
        }
        private void SendEventRecord(EventRecord eventRecord)
        {
            if (InitialPosition == InitialPositionEnum.Timestamp &&
                eventRecord.TimeCreated.HasValue &&
                InitialPositionTimestamp > eventRecord.TimeCreated.Value.ToUniversalTime())
            {
                return; //Don't send if timetamp initial position is in the future
            }

            EventRecordEnvelope envelope;

            if (_options.CustomFilters.Length > 0)
            {
                // Create new envelope with event data for filtering
                envelope = new EventRecordEnvelope(eventRecord, true, _options.BookmarkOnBufferFlush
                    ? new IntegerPositionRecordBookmark(Id, Id, eventRecord.RecordId ?? 0)
                    : null);

                //Don't send if any filter return false
                if (_options.CustomFilters.Any(name => !EventInfoFilters.GetFilter(name)(eventRecord)))
                {
                    return;
                }

                //Strip off Event Data if not configured
                if (!_options.IncludeEventData)
                {
                    envelope.Data.EventData = null;
                }
            }
            else
            {
                envelope = new EventRecordEnvelope(eventRecord, _options.IncludeEventData, _options.BookmarkOnBufferFlush
                    ? new IntegerPositionRecordBookmark(Id, Id, eventRecord.RecordId ?? 0)
                    : null);
            }

            _recordSubject.OnNext(envelope);
            _metrics?.PublishCounter(Id, MetricsConstants.CATEGORY_SOURCE, CounterTypeEnum.Increment,
                                     MetricsConstants.EVENTLOG_SOURCE_EVENTS_READ, 1, MetricUnit.Count);
        }
        private void SendEventRecord(EventRecord eventRecord)
        {
            if (InitialPosition == InitialPositionEnum.Timestamp &&
                InitialPositionTimestamp.HasValue &&
                eventRecord.TimeCreated.HasValue &&
                InitialPositionTimestamp.Value > eventRecord.TimeCreated.Value.ToUniversalTime())
            {
                return; //Don't send if timetamp initial position is in the future
            }

            if (customFilters.Any(name => !EventInfoFilters.GetFilter(name)(eventRecord)))
            {
                //Don't send if any filter return false
                return;
            }

            var envelope = new RawEventRecordEnvelope(eventRecord, _includeEventData, 0);

            _recordSubject.OnNext(envelope);
            _metrics?.PublishCounter(Id, MetricsConstants.CATEGORY_SOURCE, CounterTypeEnum.Increment,
                                     MetricsConstants.EVENTLOG_SOURCE_EVENTS_READ, 1, MetricUnit.Count);
        }
Exemplo n.º 5
0
        private void SendEventRecord(EventRecord eventRecord)
        {
            if (this.InitialPosition == InitialPositionEnum.Timestamp &&
                this.InitialPositionTimestamp.HasValue &&
                eventRecord.TimeCreated.HasValue &&
                this.InitialPositionTimestamp.Value > eventRecord.TimeCreated.Value.ToUniversalTime())
            {
                return; //Don't send if timetamp initial position is in the future
            }

            EventRecordEnvelope envelope;

            if (this.customFilters.Length > 0)
            {
                envelope = new EventRecordEnvelope(eventRecord, true, this.bookmarkId); //Need event data for filtering

                //Don't send if any filter return false
                if (this.customFilters.Any(name => !EventInfoFilters.GetFilter(name)(envelope.Data)))
                {
                    return;
                }

                //Strip off Event Data if not configured
                if (!this.includeEventData)
                {
                    envelope.Data.EventData = null;
                }
            }
            else
            {
                envelope = new EventRecordEnvelope(eventRecord, this.includeEventData, this.bookmarkId);
            }

            this.recordSubject.OnNext(envelope);
            this._metrics?.PublishCounter(this.Id, MetricsConstants.CATEGORY_SOURCE, CounterTypeEnum.Increment,
                                          MetricsConstants.EVENTLOG_SOURCE_EVENTS_READ, 1, MetricUnit.Count);
        }
Exemplo n.º 6
0
        public EventLogSource(string logName, string query, IPlugInContext context) : base(new ServiceDependency("EventLog"), context)
        {
            Guard.ArgumentNotNullOrEmpty(logName, nameof(logName));
            _logName = logName;
            _query   = query;

            if (string.IsNullOrEmpty(query))
            {
                _eventLogQuery = new EventLogQuery(logName, PathType.LogName);
            }
            else
            {
                _eventLogQuery = new EventLogQuery(logName, PathType.LogName, query);
            }

            string includeEventData = context?.Configuration?["IncludeEventData"];

            if (!string.IsNullOrWhiteSpace(includeEventData))
            {
                _includeEventData = Convert.ToBoolean(includeEventData);
            }

            string customFilters = context?.Configuration?["CustomFilters"];

            if (!string.IsNullOrWhiteSpace(customFilters))
            {
                _customFilters = customFilters.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
                foreach (var filter in _customFilters)
                {
                    if (EventInfoFilters.GetFilter(filter) == null)
                    {
                        throw new ConfigurationException($"Custom filter {filter} does not exist. Please check the filter name.");
                    }
                }
            }
        }
Exemplo n.º 7
0
        private void ParseWindowsEventLogSourceOptions(IConfiguration config, WindowsEventLogSourceOptions options)
        {
            if (config["CustomFilters"] is not null)
            {
                options.CustomFilters = config["CustomFilters"].Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
                var badFilters = string.Join(",", options.CustomFilters.Where(i => EventInfoFilters.GetFilter(i) == null));
                if (!string.IsNullOrWhiteSpace(badFilters))
                {
                    throw new ConfigurationException($"Custom filter/s '{badFilters}' do not exist. Please check the filter names.");
                }
            }

            if (bool.TryParse(config["IncludeEventData"], out var ied))
            {
                options.IncludeEventData = ied;
            }

            if (bool.TryParse(config["BookmarkOnBufferFlush"], out var bookmarkOnBufferFlush))
            {
                options.BookmarkOnBufferFlush = bookmarkOnBufferFlush;
            }

            LoadInitialPositionSettings(config, options);
        }
        /// <summary>
        /// Handles the incoming <see cref="EventRecord"/>
        /// </summary>
        /// <returns>True iff the reader should continue reading new records.</returns>
        private bool OnEventRecord(EventRecord eventRecord, long?prevRecordId, CancellationToken cancellationToken)
        {
            try
            {
                if (prevRecordId == eventRecord.RecordId)
                {
                    //This code deduplicate the events with the same RecordId
                    _logger.LogInformation("WindowsEventPollingSource Id {0} skipped duplicated log: {1}.", Id, eventRecord.ToXml());
                }

                if (InitialPosition == InitialPositionEnum.Timestamp &&
                    eventRecord.TimeCreated.HasValue &&
                    InitialPositionTimestamp > eventRecord.TimeCreated.Value.ToUniversalTime())
                {
                    //Don't send if timetamp initial position is in the future
                    return(true);
                }

                if (_options.CustomFilters.Length > 0 && _options.CustomFilters.Any(name => !EventInfoFilters.GetFilter(name)(eventRecord)))
                {
                    //Don't send if any filter return false
                    return(true);
                }

                var task = _eventChannel.Writer.WriteAsync(eventRecord, cancellationToken);
                if (!task.IsCompleted)
                {
                    // wait only if writing to buffer does not finish synchronously
                    task.AsTask().GetAwaiter().GetResult();
                }
            }
            catch (EventLogException ele)
            {
                if (ele.Message.Contains("The handle is invalid", StringComparison.OrdinalIgnoreCase))
                {
                    return(false);
                }
                else
                {
                    ProcessRecordError(ele);
                }
            }
            catch (Exception ex)
            {
                ProcessRecordError(ex);
            }
            return(true);
        }