private void ParseAuditOperations2(ref Rec rec, AuditInfo audit, StringBuilder buffer, StringBuilder domainBuffer, StringBuilder userBuffer, ref int sentItems)
{
try
{
if (string.IsNullOrEmpty(rec.Description))
return;
using (var reader = new StringReader(rec.Description))
{
string line;
var state = -1;
var mask = 0;
var values = new string[9];
while (true)
{
using (Benchmark("ParseAuditOperations2 ReadLine"))
{
line = reader.ReadLine();
}
if (line == null)
break;
Match m;
switch (state)
{
case -1:
m = RegLine.Match(line);
if (m.Success)
{
state = m.Groups[1].Success ? 2 : 3;
/*
for (state = 1; state < m.Groups.Count && !m.Groups[state].Success; ++state)
{
}
if (state == m.Groups.Count)
state = -1;
else
++state;
* */
}
break;
default:
m = ((Regex)RegExps[state][0]).Match(line);
if (m.Success)
{
//WriteLine(line);
var i = 1;
var ms = 1;
while (i < m.Groups.Count)
{
if (m.Groups[i].Success)
{
values[i / 2] = m.Groups[i + 1].Value;
mask |= ms;
break;
}
i += 2;
ms <<= 1;
}
if (mask == ((int)RegExps[state][1]))
{
var username = string.IsNullOrEmpty(values[1]) || string.IsNullOrEmpty(values[2])
? UserWithDomain(values[0], buffer, domainBuffer, userBuffer)
: values[1] + "\\" + values[2];
AuditLogonEnv2 env;
lock (_handles2)
{
if (!_handles2.TryGetValue(values[3], out env))
{
env = new AuditLogonEnv2(values[3]);
_handles2[env.LogonId] = env;
}
}
if (state == 3)
{
using (Benchmark("ParseAuditOperations2 DeleteHandle2"))
{
AuditDeleteHandle2(ref rec, env, username, values[0], values[4],
values[5],
ref sentItems);
}
}
else if (audit.ObjectType == "File")
{
//Console.WriteLine(rec.Description);
//var ln = Console.ReadLine();
//if (ln.Equals("d"))
// DEBUG_BREAK = true;
//else if (ln.Equals("q"))
// DEBUG_BREAK = false;
using (Benchmark("ParseAuditOperations2 AuditObjectRequestHandle2"))
{
AuditObjectRequestHandle2(ref rec, env, values[3], username, values[0],
values[5], values[6],
values[8], values[4], values[7], ref sentItems);
}
}
return;
}
}
break;
}
}
}
}
catch (Exception e)
{
L.Log(LogType.FILE, LogLevel.ERROR, "Error while parsing audit operations:" + e);
}
}
public EventLogFileAuditRecorder()
{
_handles2["00000"] = new AuditLogonEnv2("00000");
_handles2["00000"].ProcessLastAudit["-----"] = new AuditHandle2("12313", "-----", "test");
cleanupTimer = new Timer { AutoReset = false, Interval = 60000 };
cleanupTimer.Elapsed += new ElapsedEventHandler(cleanupTimer_Elapsed);
cleanupTimer.Start();
enc = Encoding.UTF8;
}
private void AuditObjectRequestHandle2(ref Rec rec, AuditLogonEnv2 env, string logonId, string username,
string userSid, string handleId, string processId, string processName,
string objectName, string accessMask, ref int sentItems)
{
if (!string.IsNullOrEmpty(objectName))
{
var kernel = RegKernelPath.Match(objectName);
if (kernel.Success)
objectName = QueryDosPath(kernel.Groups[1].Value, kernel.Groups[2].Value);
}
var access = (AccessMask)GetPid(accessMask);
//if ((access & NewFileDirMask) == NewFileDirMask)
//{
// SendData(ref rec, "NEW", (access & AccessMask.AppendOrAddSubDir) == AccessMask.None ? "Directory" : "File",
// objectName, userSid, username, processName,
// GetPid(processId), accessMask, string.Empty);
// sentItems++;
// return;
//}
AuditHandle2 handle;
lock (env)
{
if ((access & AccessMask.Synchronize) == AccessMask.Synchronize)
{
if (env.ProcessLastAudit.TryGetValue(processId, out handle))
env.ProcessLastAudit.Remove(processId);
else
handle = null;
if ((access & (AccessMask.WriteOrAddFile | AccessMask.AppendOrAddSubDir)) != AccessMask.None)
{
if (handle != null)
{
if (handle.Name == objectName)
{
//handle.AccessType |= access;
env.ProcessLastAudit[processId] = handle;
++sentItems;
return;
}
if (handle.Name.StartsWith(objectName))
{
if (handle.Name.Length > objectName.Length)
{
if (objectName[objectName.Length - 1] == Path.DirectorySeparatorChar ||
handle.Name[objectName.Length] == Path.DirectorySeparatorChar)
{
SendData(ref rec, "RENAME",
(access & AccessMask.AppendOrAddSubDir) ==
AccessMask.None
? "Directory"
: "File",
handle.Name, userSid, username, processName,
GetPid(processId), accessMask, objectName);
sentItems++;
return;
}
}
}
SendData(ref rec, "MOVE", string.Empty, handle.Name, userSid, username, processName,
GetPid(processId), accessMask, objectName);
sentItems++;
}
else
{
SendData(ref rec, "NEW",
(access & AccessMask.AppendOrAddSubDir) == AccessMask.None
? "Directory"
: "File",
objectName, userSid, username, processName,
GetPid(processId), accessMask, string.Empty);
sentItems++;
}
}
else if ((access & AccessMask.Delete) == AccessMask.Delete)
{
if (handle == null)
handle = new AuditHandle2(handleId, processId, processName);
handle.AccessType = access;
handle.LogonId = logonId;
handle.Name = objectName;
handle.Owner = user;
handle.OwnerSid = userSid;
env.ProcessLastAudit[processId] = handle;
++sentItems;
}
}
else if ((access & AccessMask.Delete) == AccessMask.Delete)
{
env.ProcessLastAudit.Remove(processId);
SendData(ref rec, "DELETED", string.Empty,
objectName, userSid, username, processName,
GetPid(processId), accessMask, string.Empty);
sentItems++;
}
}
}
private void AuditDeleteHandle2(ref Rec rec, AuditLogonEnv2 env, string user, string userSid,
string handleId, string processId, ref int sentItems)
{
AuditHandle2 handle;
lock (env)
{
if (env.ProcessLastAudit.TryGetValue(processId, out handle) && handle.HandleId == handleId)
{
env.ProcessLastAudit.Remove(processId);
SendData(ref rec, "DELETED", string.Empty, handle.Name, userSid, user, handle.ProcessName,
GetPid(processId), string.Format("{0:X}", handle.AccessType), string.Empty);
sentItems++;
}
}
}
