private void OnEventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try
{
string[] propertyQueries = new string[] { "Event/EventData/Data[@Name=\"IpAddress\"]" };
EventLogPropertySelector propertySelector = new EventLogPropertySelector(propertyQueries);
string str = ((EventLogRecord)e.EventRecord).GetPropertyValues(propertySelector)[0].ToString();
NegotiationdEventArgs data = new NegotiationdEventArgs
{
IpAddress = str,
EventId = e.EventRecord.Id,
EventName = e.EventRecord.LogName,
EventMessageXml = e.EventRecord.ToXml(),
CreateDate = e.EventRecord.TimeCreated.Value
};
if (Negotiated != null)
{
Negotiated(this, data);
}
}
catch (Exception exception)
{
WriteEntry(exception.Message);
}
}
public void GetPropertyValues_MatchProviderIdUsingProviderMetadata_Success()
{
Dictionary <string, Guid> providerNameAndIds = new Dictionary <string, Guid>();
string logName = "Application";
string queryString = "*[System/Level=4]";
var xPathEnum = new List <string>()
{
"Event/System/EventID", "Event/System/Provider/@Name"
};
var logPropertyContext = new EventLogPropertySelector(xPathEnum);
var eventsQuery = new EventLogQuery(logName, PathType.LogName, queryString);
try
{
using (var logReader = new EventLogReader(eventsQuery))
{
for (EventLogRecord eventRecord = (EventLogRecord)logReader.ReadEvent();
eventRecord != null;
eventRecord = (EventLogRecord)logReader.ReadEvent())
{
IList <object> logEventProps;
logEventProps = eventRecord.GetPropertyValues(logPropertyContext);
int eventId;
Assert.True(int.TryParse(string.Format("{0}", logEventProps[0]), out eventId));
string providerName = (string)logEventProps[1];
if (!providerNameAndIds.ContainsKey(providerName) && eventRecord.ProviderId.HasValue)
{
providerNameAndIds.Add(providerName, eventRecord.ProviderId.Value);
}
}
}
}
catch (EventLogNotFoundException) { }
if (providerNameAndIds.Count > 0)
{
using (var session = new EventLogSession())
{
foreach (var nameAndId in providerNameAndIds)
{
ProviderMetadata providerMetadata = null;
try
{
providerMetadata = new ProviderMetadata(nameAndId.Key);
Assert.Equal(providerMetadata.Id, nameAndId.Value);
}
catch (EventLogException)
{
continue;
}
finally
{
providerMetadata?.Dispose();
}
}
}
}
}
public static void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord != null)
{
//////
// This section creates a list of XPath reference strings to select
// the properties that we want to display
// In this example, we will extract the User, TimeCreated, EventID and EventRecordID
//////
// Array of strings containing XPath references
String[] xPathRefs = new String[8];
xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[1] = "Event/System/Computer";
xPathRefs[2] = "Event/System/EventRecordID";
xPathRefs[3] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
xPathRefs[4] = "Event/EventData/Data[@Name=\"TargetDomainName\"]";
xPathRefs[5] = "Event/UserData/EventXML/User";
xPathRefs[6] = "Event/UserData/EventXML/Address";
xPathRefs[7] = "Event/System/EventID";
IEnumerable <String> xPathEnum = xPathRefs;
// Create the property selection context using the XPath reference
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
IList <object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
StreamWriterExtention.WriteToFile(logEventProps);
DbOperationExtentions.WriteToDb(logEventProps);
#if (DEBUG)
{
Console.WriteLine("U1 Time: {0}", logEventProps[0]);
Console.WriteLine("Computer: {0}", logEventProps[1]);
Console.WriteLine("EventRecordId: {0}", logEventProps[2]);
Console.WriteLine("TargetUserName: {0}", logEventProps[3]);
Console.WriteLine("TargetDomainName: {0}", logEventProps[4]);
Console.WriteLine("User: {0}", logEventProps[5]);
Console.WriteLine("IP: {0}", logEventProps[6]);
Console.WriteLine("EventType: {0}", logEventProps[7]);
Console.WriteLine("---------------------------------------");
Console.WriteLine("Description: {0}", arg.EventRecord.FormatDescription());
}
#endif
}
else
{
#if (DEBUG)
{
Console.WriteLine("The event instance was null.");
}
#endif
}
}
public void Ctor_NonEmptyPropertyQuery_Success()
{
IDictionary <string, string> dictionary = new SortedDictionary <string, string>()
{
["key"] = "value"
};
var selector = new EventLogPropertySelector(dictionary.Keys);
Assert.NotNull(selector);
selector.Dispose();
}
void OnEntryWritten(object source, EventRecordWrittenEventArgs evt)
{
EventLogRecord e = (EventLogRecord)evt.EventRecord;
using (var loginEventPropertySelector = new EventLogPropertySelector(new[]
{
// (The XPath expression evaluates to null if no Data element exists with the specified name.)
"Event/EventData/Data[@Name='TargetUserSid']",
"Event/EventData/Data[@Name='TargetLogonId']",
"Event/EventData/Data[@Name='LogonType']",
"Event/EventData/Data[@Name='ElevatedToken']",
"Event/EventData/Data[@Name='WorkstationName']",
"Event/EventData/Data[@Name='ProcessName']",
"Event/EventData/Data[@Name='IpAddress']",
"Event/EventData/Data[@Name='IpPort']",
"Event/EventData/Data[@Name='TargetUserName']"
}))
using (var logoffEventPropertySelector = new EventLogPropertySelector(new[]
{
"Event/EventData/Data[@Name='TargetUserSid']",
"Event/EventData/Data[@Name='TargetLogonId']"
}))
switch (e.Id)
{
case 4624:
var loginPropertyValues = ((EventLogRecord)e).GetPropertyValues(loginEventPropertySelector);
var sid = loginPropertyValues[0];
var logonId = loginPropertyValues[1];
var logonType = loginPropertyValues[2];
var elevatedToken = loginPropertyValues[3];
var workstationName = loginPropertyValues[4];
var processName = loginPropertyValues[5];
var ipAddress = loginPropertyValues[6];
var ipPort = loginPropertyValues[7];
var userName = loginPropertyValues[8];
Console.WriteLine("got eventId={0} sid={1} logonId={2} logonType={3} token={4} workstation={5} process={6} ip={7} port={8} user={9}",
e.Id, sid, logonId, logonType, elevatedToken, workstationName, processName, ipAddress, ipPort, userName);
break;
case 4634:
var logoffPropertyValues = ((EventLogRecord)e).GetPropertyValues(logoffEventPropertySelector);
var sid1 = logoffPropertyValues[0];
var logoffId = logoffPropertyValues[1];
Console.WriteLine("got eventId={0} sid={1} logonId={2}",
e.Id, sid1, logoffId);
break;
}
}
public static void ReadEventLogData()
{
string queryString =
"<QueryList>" +
" <Query Id='0' Path='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'>" +
" <Select Path='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'>*[System[(EventID=21 or EventID=23 or EventID=24 or EventID=25)]]</Select>" +
" </Query>" +
"</QueryList>";
try
{
EventLogQuery eventsQuery = new EventLogQuery("System", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);
//create an array of strings for xpath enum.
String[] xPathRefs = new String[4];
xPathRefs[0] = "Event/UserData/EventXML/User";
xPathRefs[1] = "Event/UserData/EventXML/Address";
xPathRefs[2] = "Event/System/EventRecordID";
xPathRefs[3] = "Event/System/EventID";
//Sample to read different way to map.
//xPathRefs[2] = "Event/EventData/Data[@Name='MainPathBootTime']";
//xPathRefs[3] = "Event/EventData/Data[@Name='BootPostBootTime']";
IEnumerable <String> xPathEnum = xPathRefs;
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
for (EventRecord eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
IList <object> logEventProps;
logEventProps = ((EventLogRecord)eventDetail).GetPropertyValues(logPropertyContext);
string user = logEventProps[0].ToString();
string ip = logEventProps[1] != null ? logEventProps[1].ToString() : "";
int eventRecordID = logEventProps[2] != null?Convert.ToInt32(logEventProps[2]) : 0;
int eventTypeId = logEventProps[3] != null?Convert.ToInt32(logEventProps[3]) : 0;
}
}
catch (EventLogNotFoundException e)
{
#if (DEBUG)
{
Console.WriteLine("Error while reading the event logs");
}
#endif
}
}
public List <IEvent> ReadEventLogData()
{
List <IEvent> coll = new List <IEvent>();
string queryString =
"<QueryList>" +
" <Query Id='0' Path='Microsoft-Windows-Diagnostics-Performance/Operational'>" +
" <Select Path='Microsoft-Windows-Diagnostics-Performance/Operational'>*[System[(EventID=100)]]</Select>" +
" </Query>" +
"</QueryList>";
try
{
EventLogQuery eventsQuery = new EventLogQuery("System", PathType.LogName, queryString);
EventLogReader logReader = new EventLogReader(eventsQuery);
//create an array of strings for xpath enum.
String[] xPathRefs = new String[4];
xPathRefs[0] = "Event/EventData/Data[@Name='BootEndTime']";
xPathRefs[1] = "Event/EventData/Data[@Name='BootTime']";
xPathRefs[2] = "Event/EventData/Data[@Name='MainPathBootTime']";
xPathRefs[3] = "Event/EventData/Data[@Name='BootPostBootTime']";
IEnumerable <String> xPathEnum = xPathRefs;
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
for (EventRecord eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
IList <object> logEventProps;
// Cast the EventRecord into an EventLogRecord to retrieve property values.
// This will fetch the event properties we requested through the
// context created by the EventLogPropertySelector
logEventProps = ((EventLogRecord)eventDetail).GetPropertyValues(logPropertyContext);
if (eventDetail.Id == 100)
{
int boot = Convert.ToInt32(logEventProps[1]);
int mainPath = Convert.ToInt32(logEventProps[2]);
int postBoot = Convert.ToInt32(logEventProps[3]);
DateTime date = (DateTime)logEventProps[0];
coll.Add(new StartupEvent(date, boot, mainPath, postBoot, (int)eventDetail.Level));
}
}
}
catch (EventLogNotFoundException e)
{
Console.WriteLine("Error while reading the event logs");
}
return(coll);
}
private void watcher_EventRecordWritten(object sender, EventRecordWrittenEventArgs e)
{
try {
string[] xPathProperties = new string[1] {
@"Event/EventData/Data[@Name=""IpAddress""]"
};
EventLogPropertySelector props = new EventLogPropertySelector(xPathProperties);
string ipAddress = ((EventLogRecord)e.EventRecord).GetPropertyValues(props)[0].ToString();
NotificationEventArgs args = new NotificationEventArgs();
args.CreateDate = e.EventRecord.TimeCreated.Value;
args.EventId = e.EventRecord.Id;
args.IpAddress = ipAddress;
OnAttackDetected(this, args);
} catch (Exception ex) {
EventLog.WriteEntry("Cyberarms.IntrusionDetection.Base.Plugins.WindowsSecurityBase", ex.Message);
}
}
public void EventLogEventRead(object obj, EventRecordWrittenEventArgs arg)
{
if (arg.EventRecord != null)
{
EventRecord eventInstance = arg.EventRecord;
//String eventMessage = eventInstance.FormatDescription(); // You can get event information from FormatDescription API itself.
//String eventMessageXMLFmt = eventInstance.ToXml(); // Getting event information in xml format
String[] xPathRefs = new String[9];
xPathRefs[0] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[1] = "Event/System/Computer";
xPathRefs[2] = "Event/EventData/Data[@Name=\"TargetUserName\"]";
IEnumerable <String> xPathEnum = xPathRefs;
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
IList <object> logEventProps = ((EventLogRecord)arg.EventRecord).GetPropertyValues(logPropertyContext);
Log("Time: ", logEventProps[0]);
Log("Computer: ", logEventProps[1]);
}
}
public void TestEventLogReader()
{
string eventLogQuery = @"<QueryList>
<Query Id=""0"" Path=""Security"">
<Select Path=""Security"">
*[System[(EventID=4625) and
TimeCreated[timediff(@SystemTime) <= 86400000]]]
</Select>
</Query>
</QueryList>";
EventLogQuery query = new EventLogQuery("Security", PathType.LogName,
String.Format(eventLogQuery));
EventLogReader rdr = new EventLogReader(query);
EventRecord eventRecord = rdr.ReadEvent();
if (eventRecord != null)
{
foreach (string s in eventRecord.KeywordsDisplayNames)
{
System.Diagnostics.Debug.Print(s);
}
}
string[] xPathProperties = new string[1] {
@"Event/EventData/Data[@Name=""IpAddress""]"
};
EventLogPropertySelector props = new EventLogPropertySelector(xPathProperties);
System.Diagnostics.Debug.Print(((EventLogRecord)eventRecord).GetPropertyValues(props)[0].ToString());
System.Diagnostics.Debug.Print(eventRecord.Properties[0].Value.ToString());
}
private void Worker()
{
if (_listener is null)
{
return;
}
var logRecords = new List <LogRecord>();
var cfg = new Config(_configFile);
LogMessage("Starting new observation loop.");
LogMessage($"Last logged IMAP session: {cfg.LastObservationSession}");
LogMessage($"Last logged IMAP time: {cfg.LastObservationTime}");
LogMessage($"Searching for matching events: {cfg.CheckEventLog}");
LogMessage($"Max days to retain logs: {cfg.MaxDaysToRetainLogs}");
LogMessage(
"Log directory: " +
(string.IsNullOrWhiteSpace(cfg.LogDirectory) ? "(auto discovered)" : cfg.LogDirectory));
// support both daily and hourly log files.
var rexLogFile = new Regex(@"^imap4(\d{8}|\d{10})(?:-\d+)?\.log$", RegexOptions.IgnoreCase);
bool QuitNow() => _listener?.CancellationToken.IsCancellationRequested ?? true;
try
{
while (!QuitNow())
{
logRecords.Clear();
var minLogDate = cfg.LastObservationTime ?? DateTime.Now.AddMinutes(-cfg.MaxAgeInMinutesToReport);
var minLogSess = cfg.LastObservationSession ?? 0;
var fnMinTime = long.Parse(minLogDate.ToUniversalTime().ToString("yyyyMMddHH"));
// search the log directories for new log entries.
foreach (var filename in AvailableLogFiles(cfg))
{
if (QuitNow())
{
return;
}
var match = rexLogFile.Match(Path.GetFileName(filename) ?? "");
if (!match.Success)
{
continue;
}
var tss = match.Groups[1].Value;
if (tss.Length == 8)
{
tss += "24";
}
var ts = long.Parse(tss);
if (ts < fnMinTime)
{
continue;
}
logRecords.AddRange(ParseLog(filename));
logRecords.RemoveAll(
(r) => (r.LogDate < minLogDate && !r.LogDate.CloseTo(minLogDate)) ||
(r.LogDate.CloseTo(minLogDate) && r.SessionID <= minLogSess) ||
!r.IsLoginFailure);
}
if (QuitNow())
{
return;
}
if (!logRecords.Any())
{
continue;
}
// check the event log for user names if configured to do so.
var identified = 0;
if (cfg.CheckEventLog)
{
var ts = minLogDate.AddSeconds(-5)
.ToUniversalTime()
.ToString("yyyy-MM-dd'T'HH:mm:ss'.000Z'");
var evQuery = $"*[System[(EventID=4625) and (TimeCreated[@SystemTime>='{ts}'])]]";
var evLog = new EventLogQuery("Security", PathType.LogName, evQuery);
var selector = new EventLogPropertySelector(
new[]
{
"Event/EventData/Data[@Name='ProcessName']",
"Event/EventData/Data[@Name='TargetUserName']"
});
using (var evReader = new EventLogReader(evLog))
{
var ev = evReader.ReadEvent();
while (ev != null)
{
if (QuitNow())
{
return;
}
if (ev is EventLogRecord er && er.TimeCreated.HasValue)
{
var props = er.GetPropertyValues(selector).Select(x => x?.ToString() ?? "")
.ToArray();
if (!string.IsNullOrWhiteSpace(props[1]) &&
props[0].EndsWith(
"Microsoft.Exchange.Imap4.exe", StringComparison.OrdinalIgnoreCase)
)
{
var evTime = er.TimeCreated.GetValueOrDefault();
var logEntry = logRecords
.Where(r => r.LogDate.CloseTo(evTime, 2.0))
.OrderBy(r => Math.Abs(r.LogDate.Subtract(evTime).TotalSeconds))
.FirstOrDefault();
if (logEntry != null && logEntry.User == "imap-user")
{
identified++;
logEntry.User = props[1];
}
}
}
ev = evReader.ReadEvent();
}
}
}
if (logRecords.Count == 1)
{
LogMessage(
identified > 0
? "Found 1 login attempt and identified the user."
: "Found 1 login attempt and did not identify the user.");
}
else
{
LogMessage(
$"Found {logRecords.Count} login attempts and identified the user in {identified} of them.");
}
// report the observations to the listener.
foreach (var record in logRecords)
{
if (QuitNow())
{
return;
}
_listener.RecordObservation(record.ToObservation());
if (record.SessionID > cfg.LastObservationSession.GetValueOrDefault())
{
cfg.LastObservationSession = record.SessionID;
}
if (record.LogDate > cfg.LastObservationTime.GetValueOrDefault())
{
cfg.LastObservationTime = record.LogDate;
}
}
// update the configuration.
File.WriteAllText(_configFile, cfg.ToString());
// purge older log files.
minLogDate = DateTime.Today.AddDays(-cfg.MaxDaysToRetainLogs);
fnMinTime = long.Parse(minLogDate.ToUniversalTime().ToString("yyyyMMdd'24'"));
foreach (var filename in AvailableLogFiles(cfg))
{
var match = rexLogFile.Match(Path.GetFileName(filename) ?? "");
if (!match.Success)
{
continue;
}
var tss = match.Groups[1].Value;
if (tss.Length == 8)
{
tss += "24";
}
var ts = long.Parse(tss);
if (ts >= fnMinTime)
{
continue;
}
try
{
File.Delete(filename);
}
catch (Exception e) when(
e is IOException ||
e is ArgumentException ||
e is NotSupportedException ||
e is UnauthorizedAccessException
)
{
// ignore
}
}
// wait a minute before the next pass.
var timeout = DateTime.Now.AddMinutes(1);
while (DateTime.Now < timeout && !QuitNow())
{
Thread.Sleep(10);
}
}
}
finally
{
try
{
File.WriteAllText(_configFile, cfg.ToString());
}
catch (Exception e) when(
e is ArgumentException ||
e is IOException ||
e is UnauthorizedAccessException ||
e is NotSupportedException ||
e is SecurityException
)
{
// Ignore.
}
LogMessage("Stopping observation loop.");
}
}
public static IReadOnlyList <SecurityEvent> ReadAll()
{
var events = new List <SecurityEvent>();
// To investigate as a separate report:
// 4625 An account failed to log on.
// 4648 A logon was attempted using explicit credentials.
// 4672 Special privileges assigned to new logon.
// 4675 SIDs were filtered.
// 4797 Sometimes "An attempt was made to query the existence of a blank password for an account."
// Logoff events without logon events
var query = new EventLogQuery(
"Security",
PathType.LogName,
@"*[(((System[EventID=4624] and EventData[Data[@Name='LogonType']!=5]) or System[EventID=4634])
and EventData[
Data[@Name='TargetUserSid']!='S-1-0-0'
and Data[@Name='TargetUserSid']!='S-1-5-7'
and Data[@Name='TargetUserSid']!='S-1-5-18'
and Data[@Name='TargetDomainName']!='Font Driver Host'
and Data[@Name='TargetDomainName']!='Window Manager'])
or System[EventID=4647 or EventID=4608]]");
using (var loginEventPropertySelector = new EventLogPropertySelector(new[]
{
"Event/EventData/Data[@Name='TargetLogonId']",
"Event/EventData/Data[@Name='TargetLinkedLogonId']",
"Event/EventData/Data[@Name='TargetUserSid']",
"Event/EventData/Data[@Name='TargetUserName']",
"Event/EventData/Data[@Name='TargetDomainName']",
"Event/EventData/Data[@Name='LogonType']",
"Event/EventData/Data[@Name='ElevatedToken']",
"Event/EventData/Data[@Name='WorkstationName']",
"Event/EventData/Data[@Name='ProcessName']",
"Event/EventData/Data[@Name='IpAddress']",
"Event/EventData/Data[@Name='IpPort']"
}))
using (var logoffEventPropertySelector = new EventLogPropertySelector(new[]
{
"Event/EventData/Data[@Name='TargetLogonId']",
"Event/EventData/Data[@Name='TargetUserSid']"
}))
using (var reader = new EventLogReader(query))
{
while (reader.ReadEvent() is { } ev)
{
switch (ev.Id)
{
case 4608:
events.Add(new StartupEvent(ev.TimeCreated.Value));
break;
case 4624:
var loginPropertyValues = ((EventLogRecord)ev).GetPropertyValues(loginEventPropertySelector);
events.Add(new LogonEvent(
ev.TimeCreated.Value,
logonId: (ulong)loginPropertyValues[0],
linkedLogonId: (ulong)loginPropertyValues[1],
user: (SecurityIdentifier)loginPropertyValues[2],
userName: (string)loginPropertyValues[3],
domainName: (string)loginPropertyValues[4],
logonType: (LogonType)(uint)loginPropertyValues[5],
elevatedToken: loginPropertyValues[6] is "%%1842",
workstationName: GetXPathString(loginPropertyValues[7]),
processName: GetXPathString(loginPropertyValues[8]),
ipAddress: GetXPathString(loginPropertyValues[9]),
ipPort: GetXPathString(loginPropertyValues[10])));
break;
case 4634:
case 4647:
var logoffPropertyValues = ((EventLogRecord)ev).GetPropertyValues(logoffEventPropertySelector);
events.Add(new LogoffEvent(
ev.TimeCreated.Value,
logonId: (ulong)logoffPropertyValues[0],
user: (SecurityIdentifier)logoffPropertyValues[1]));
break;
}
}
}
return(events);
}
static void Main(string[] args)
{
String logName = "Application";
String queryString = "*[System/Level=2]";
UdpClient _udpClient;
String host = "192.168.1.28";
UTF8Encoding _encoding = new UTF8Encoding();
EventLogQuery eventsQuery = new EventLogQuery(logName,
PathType.LogName, queryString);
EventLogReader logReader;
Console.WriteLine("Querying the Application channel event log for all events...");
try
{
// Query the log
logReader = new EventLogReader(eventsQuery);
}
catch (EventLogNotFoundException e)
{
Console.WriteLine("Failed to query the log!");
Console.WriteLine(e);
return;
}
//////
// This section creates a list of XPath reference strings to select
// the properties that we want to display
// In this example, we will extract the User, TimeCreated, EventID and EventRecordID
//////
// Array of strings containing XPath references
String[] xPathRefs = new String[4];
xPathRefs[0] = "Event/System/Security/@UserID";
xPathRefs[1] = "Event/System/TimeCreated/@SystemTime";
xPathRefs[2] = "Event/System/EventID";
xPathRefs[3] = "Event/System/EventRecordID";
// Place those strings in an IEnumberable object
IEnumerable <String> xPathEnum = xPathRefs;
// Create the property selection context using the XPath reference
EventLogPropertySelector logPropertyContext = new EventLogPropertySelector(xPathEnum);
_udpClient = new UdpClient();
_udpClient.Connect(host, 5140);
int numberOfEvents = 0;
// For each event returned from the query
for (EventRecord eventInstance = logReader.ReadEvent();
eventInstance != null;
eventInstance = logReader.ReadEvent())
{
IList <object> logEventProps;
try
{
// Cast the EventRecord into an EventLogRecord to retrieve property values.
// This will fetch the event properties we requested through the
// context created by the EventLogPropertySelector
logEventProps = ((EventLogRecord)eventInstance).GetPropertyValues(logPropertyContext);
Console.WriteLine("Event {0} :", ++numberOfEvents);
Console.WriteLine("User: {0}", logEventProps[0]);
Console.WriteLine("TimeCreated: {0}", logEventProps[1]);
Console.WriteLine("EventID: {0}", logEventProps[2]);
Console.WriteLine("EventRecordID : {0}", logEventProps[3]);
// Event properties can also be retrived through the event instance
Console.WriteLine("Event Description:" + eventInstance.FormatDescription());
Console.WriteLine("MachineName: " + eventInstance.MachineName);
Console.WriteLine("=================== START ====================");
Console.WriteLine(eventInstance.ToXml());
Console.WriteLine("==============================================");
String xmlString = eventInstance.ToXml();
byte[] data = _encoding.GetBytes(xmlString);
_udpClient.Send(data, data.Length);
}
catch (Exception e)
{
Console.WriteLine("Couldn't render event!");
Console.WriteLine("Exception: Event {0} may not have an XML representation \n\n", ++numberOfEvents);
Console.WriteLine(e);
}
}
}
public EventLogInput(InputElement input, SelectorElement selector, EventQueue equeue)
: base(input, selector, equeue)
{
Log.Info("input[" + InputName + "]/selector[" + SelectorName
+ "] creating EventLogInput");
// Event log query with suppressed events logged by this service
StringBuilder qstr = new StringBuilder();
qstr.Append("<QueryList>");
qstr.Append("<Query>");
qstr.Append(selector.Query.Value);
qstr.Append("<Suppress Path=\"Application\">*[System/Provider/@Name=\"F2B\"]</Suppress>");
qstr.Append("</Query>");
qstr.Append("</QueryList>");
EventLogSession session = null;
if (input.Server != string.Empty)
{
SecureString pw = new SecureString();
Array.ForEach(input.Password.ToCharArray(), pw.AppendChar);
session = new EventLogSession(input.Server, input.Domain,
input.Username, pw,
SessionAuthentication.Default);
pw.Dispose();
}
EventLogQuery query = new EventLogQuery(null, PathType.LogName, qstr.ToString());
if (session != null)
{
query.Session = session;
}
// create event watcher (must be enable later)
watcher = new EventLogWatcher(query);
watcher.EventRecordWritten +=
new EventHandler <EventRecordWrittenEventArgs>(
(s, a) => EventRead(s, a));
// event data parsers (e.g. XPath + regex to extract event data)
// (it is important to preserve order - it is later used as array index)
evtregexs = new List <EventLogParserData>();
List <string> xPathRefs = new List <string>();
foreach (RegexElement item in selector.Regexes)
{
if (string.IsNullOrEmpty(item.XPath))
{
Log.Warn("Invalid input[" + InputName + "]/selector[" + SelectorName
+ "] event regexp \"" + item.Id + "\" attribute xpath empty");
continue;
}
if (!xPathRefs.Contains(item.XPath))
{
xPathRefs.Add(item.XPath);
}
try
{
int index = xPathRefs.IndexOf(item.XPath);
EventLogParserData eli = new EventLogParserData(item.Id, item.Type, item.XPath, index, item.Value);
evtregexs.Add(eli);
}
catch (ArgumentException ex)
{
Log.Error("Invalid input[" + InputName + "]/selector[" + SelectorName
+ "] event regexp failed: " + ex.Message);
throw;
}
}
evtsel = null;
if (xPathRefs.Count > 0)
{
evtsel = new EventLogPropertySelector(xPathRefs);
}
// user defined event properties
evtdata_before = new List <EventDataElement>();
evtdata_match = new List <KeyValuePair <string, EventDataElement> >();
evtdata_after = new List <EventDataElement>();
foreach (EventDataElement item in selector.EventData)
{
if (item.Apply == "before")
{
evtdata_before.Add(item);
}
else if (item.Apply == "after")
{
evtdata_after.Add(item);
}
else if (item.Apply.StartsWith("match."))
{
string key = item.Apply.Substring("match.".Length);
evtdata_match.Add(new KeyValuePair <string, EventDataElement>(key, item));
}
else
{
Log.Warn("Invalid input[" + InputName + "]/selector[" + SelectorName
+ "] event data \"" + item.Name + "\" attribute apply \""
+ item.Apply + "\": ignoring this item");
}
}
}
