public EventValue(string hostname, long timestamp, int nLevel, string title, string message, long id, string source) { Level = EventValue.levelToString(nLevel); Timestamp = timestamp; Title = title; Message = message; HostName = hostname; Id = id; Source = source; }
public override bool Equals(object obj) { if (obj == null || obj.GetType() != this.GetType()) { return(false); } EventValue that = (EventValue)obj; return(this.Id == that.Id); }
public EventValue(string hostname, long timestamp, int nLevel, string title, string message, long id) { Level = EventValue.levelToString(nLevel); Timestamp = timestamp; Title = title; Message = message; HostName = hostname; Id = id; PluginName = "WindowsEvent"; PluginInstanceName = ""; TypeName = ""; TypeInstanceName = ""; }
public IList<CollectableValue> Read() { // Only collect events and event metric every nth interval if (_intervalCounter++ % _intervalMultiplier != 0) return new List<CollectableValue>(); IList<CollectableValue> collectableValues = new List<CollectableValue>(); long totalEvents = 0; long collectionTime = (long)(Util.toEpoch(DateTime.UtcNow)); List<long> recordIds = new List<long>(); foreach (EventQuery eventQuery in _events) { List<EventRecord> records = GetEventRecords(eventQuery.minLevel, eventQuery.maxLevel, eventQuery.log, eventQuery.source); // Filter the events - event ID must be in target range, description must match regex and we mustn't have already read this event record ID in another query Regex filterExp = new Regex(eventQuery.filterExp, RegexOptions.None); List<EventRecord> filteredRecords = records.FindAll(delegate(EventRecord record) { return !recordIds.Contains((long)record.RecordId) && record.Id >= eventQuery.minEventId && record.Id <= eventQuery.maxEventId && filterExp.IsMatch(record.FormatDescription()); }); // Add these record IDs to dedupe list so we don't capture them again in a later query filteredRecords.ForEach(delegate(EventRecord record) { recordIds.Add((long)record.RecordId); }); if (filteredRecords.Count <= eventQuery.maxPerCycle) { foreach (EventRecord record in filteredRecords) { // Timestamp from record is machine time, not GMT long timestamp = (long)(Util.toEpoch(record.TimeCreated.Value.ToUniversalTime())); long id = (long)record.RecordId; string message = record.FormatDescription(); EventValue newevent = new EventValue(_hostName, timestamp, record.Level.Value, eventQuery.title, message, id); collectableValues.Add(newevent); totalEvents++; } } else { // Too many events - summarise by counting events by application,level and code Dictionary<string, int> detailMap = new Dictionary<string, int>(); int minLevel = 999; // used to get the most severe event in the period for the summary level filteredRecords.ForEach(delegate(EventRecord record) { string key = string.Format("{0} in {1} ({2})", record.LevelDisplayName, record.ProviderName, record.Id); if (record.Level.Value < minLevel) minLevel = record.Level.Value; if (detailMap.ContainsKey(key)) { detailMap[key] = detailMap[key] + 1; } else { detailMap.Add(key, 1); } }); List<KeyValuePair<string, int>> detailList = new List<KeyValuePair<string, int>>(); foreach (string key in detailMap.Keys) { detailList.Add(new KeyValuePair<string, int>(key, detailMap[key])); } detailList.Sort(delegate(KeyValuePair<string, int> pair1, KeyValuePair<string, int> pair2) { return -pair1.Value.CompareTo(pair2.Value); }); string[] messageLines = new string[detailList.Count]; int ix = 0; foreach (KeyValuePair<string, int> pair in detailList) { messageLines[ix++] = pair.Value + " x " + pair.Key; } string title = string.Format("{0} ({1} events)", eventQuery.title, filteredRecords.Count); EventValue newevent = new EventValue(_hostName, collectionTime, minLevel, title, String.Join(", ", messageLines), 0); collectableValues.Add(newevent); totalEvents += filteredRecords.Count; } } // Add event count metric MetricValue eventCountMetric = new MetricValue { HostName = _hostName, PluginName = "windows_events", PluginInstanceName = "", TypeName = "count", TypeInstanceName = "event_count", Values = new double[] { totalEvents }, FriendlyNames = new string[] { "Windows Event Count" }, Epoch = collectionTime }; collectableValues.Add(eventCountMetric); return collectableValues; }