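/// <summary>
/// Writes one error record straight to the SWELF event log, bypassing the error-log file and the
/// configured reporting level (ErrorLogging_Level() is still refreshed first).
/// </summary>
/// <param name="MethodInCode">Name of the reporting method; embedded in the record as MethodInCode=.</param>
/// <param name="msg">Free-text message; embedded verbatim (a newline inside it splits the record for any line-oriented consumer).</param>
/// <param name="LogSeverity">Selects the EventLog_SWELF writer and the Severity= label; unrecognised values are written as verbose.</param>
/// <param name="eventID">Event id handed to the event-log writer; defaults to 0.</param>
private static void WRITE_Errors_To_EventLog(string MethodInCode, string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
    ErrorLogging_Level();
    // Capture the timestamp once so the inner record and the outer envelope carry the same time
    // (previously DateTime.Now was evaluated separately for each, so the two could differ).
    string timestamp = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format);
    var severity = Severity_Levels[(int)LogSeverity];
    string err_msg = "DateTime=" + timestamp + " SourceComputer=" + Settings.ComputerName + " Severity=" + severity + " MethodInCode=" + MethodInCode + " Message=" + msg + "\n";
    // err_msg already ends in "\n" and the envelope appends another; kept so existing consumers see the same layout.
    string envelope = "DateTime=" + timestamp + " SWELF Immediate" + " Severity=" + severity + " Message=" + err_msg + "\n";
    switch (LogSeverity)
    {
        case LogSeverity.Informataion:
            EventLog_SWELF.WRITE_Info_EventLog(envelope, eventID);
            break;
        case LogSeverity.Verbose:
            EventLog_SWELF.WRITE_Verbose_EventLog(envelope, eventID);
            break;
        case LogSeverity.Warning:
            EventLog_SWELF.WRITE_Warning_EventLog(envelope, eventID);
            break;
        case LogSeverity.FailureAudit:
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(envelope, eventID);
            break;
        case LogSeverity.Critical:
            EventLog_SWELF.WRITE_ERROR_EventLog(envelope, eventID);
            break;
        default:
            // Unknown severity values fall back to the verbose writer, as before.
            EventLog_SWELF.WRITE_Verbose_EventLog(envelope, eventID);
            break;
    }
}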
/// <summary>
/// Forwards every file-based log entry collected by Read_Local_Files to the configured log forwarders
/// and, when a send succeeded and the delete-after-send argument is configured, truncates that file.
/// Does nothing when the forwarder host list contains 127.0.0.1 or an empty host name.
/// Any failure (typically the network target being unavailable) is reported through
/// Settings.Log_Storage_Location_Unavailable and the remaining entries are left for the next run.
/// </summary>
private static void Start_Send_File_Based_Logs()
{
    bool sent = false;
    try
    {
        if (!Settings.Log_Forwarders_HostNames.Any(s => string.Equals(s, "127.0.0.1", StringComparison.OrdinalIgnoreCase))
            && !Settings.Log_Forwarders_HostNames.Any(s => string.IsNullOrEmpty(s)))
        {
            for (int i = 0; i < Read_Local_Files.FileContents_From_FileReads.Count; ++i)
            {
                var entry = Read_Local_Files.FileContents_From_FileReads.ElementAt(i);
                EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(entry);
                sent = Log_Network_Forwarder.SEND_Logs(entry);
                // NOTE(review): the existence check is on the error-log location, not on the file being
                // truncated, and SWELF_AppConfig_Args[15] is presumably the delete-after-send switch — confirm both.
                if (sent
                    && File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location)
                    && Settings.AppConfig_File_Args.ContainsKey(Settings.SWELF_AppConfig_Args[15]))
                {
                    // Truncate by deleting and recreating the file empty.
                    File.Delete(entry);
                    File.Create(entry).Close();
                }
            }
        }
    }
    catch (Exception e)
    {
        // Network resource unavailable: do not send, retry on the next run. Nothing is queued in-process;
        // the files are simply re-read next time.
        Settings.Log_Storage_Location_Unavailable(" Start_Send_File_Based_Logs() " + e.Message.ToString());
    }
}
/// <summary>
/// Reads the Windows event log <paramref name="Eventlog_FullName"/> from the record id SWELF stopped at on the
/// previous run, then stores the log's last record id in Settings.EventLog_w_PlaceKeeper as the new place keeper.
/// When the oldest record still in the log is newer than the place keeper, the records in between are gone
/// (log cycled, overwritten or cleared between runs) and a FailureAudit alert is raised so the gap is visible.
/// </summary>
/// <param name="Eventlog_FullName">Full name of the event log to read.</param>
/// <param name="PlaceKeeper_EventRecordID">Record id SWELF left off at; values &lt;= 1 mean unknown / first run.</param>
internal void READ_EventLog(string Eventlog_FullName, long PlaceKeeper_EventRecordID = 1)
{
    long EVTlog_PlaceHolder = PlaceKeeper_EventRecordID;
    try
    {
        if (EVTlog_PlaceHolder <= 1)
        {
            // No usable place keeper passed in: fall back to the persisted one (a missing key throws).
            EVTlog_PlaceHolder = Settings.EventLog_w_PlaceKeeper[Eventlog_FullName];
        }
    }
    catch (Exception e)
    {
        // Nothing persisted for this log: start from the beginning.
        EVTlog_PlaceHolder = 1;
    }
    if (Settings.CHECK_If_EventLog_Exsits(Eventlog_FullName))
    {
        // NOTE(review): the value resolved into EVTlog_PlaceHolder above is not used from here on — the
        // EventLog_File is opened with, and every branch below compares, the raw PlaceKeeper_EventRecordID
        // parameter. If the persisted fallback was meant to take effect, EVTlog_PlaceHolder is the value to use — confirm.
        EventLog_Log_API = new EventLog_File(Eventlog_FullName, PlaceKeeper_EventRecordID);
        long First_EventID = EventLog_Log_API.First_EventLogID_From_Check;
        long Last_EventID = EventLog_Log_API.Last_EventLogID_From_Check;
        if (PlaceKeeper_EventRecordID > First_EventID && PlaceKeeper_EventRecordID < Last_EventID)
        {
            // Normal operation: the place keeper lies inside the log. Read from it and advance to the last record.
            EVTlog_PlaceHolder = PlaceKeeper_EventRecordID;
            READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API);
            Settings.EventLog_w_PlaceKeeper[Eventlog_FullName] = Last_EventID;
        }
        else if (Last_EventID == PlaceKeeper_EventRecordID)
        {
            // No records were added since the last run; nothing to read and the place keeper is unchanged.
            EVTlog_PlaceHolder = PlaceKeeper_EventRecordID;
        }
        else if (PlaceKeeper_EventRecordID <= 1)
        {
            // First run (or an explicit reset): read from the oldest record and say so in the SWELF event log.
            EVTlog_PlaceHolder = First_EventID;
            READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API);
            EventLog_SWELF.WRITE_Warning_EventLog("Logging as EventLog Source 1st run for Eventlog named '" + Eventlog_FullName + "' on machine named '" + Settings.ComputerName + "' due to PlaceKeeper_EventRecordID<=1");
            Settings.EventLog_w_PlaceKeeper[Eventlog_FullName] = Last_EventID;
        }
        else if (First_EventID > PlaceKeeper_EventRecordID)
        {
            // The oldest record is newer than where SWELF left off: (First_EventID - PlaceKeeper_EventRecordID)
            // records were lost between runs. Read what is left and raise a FailureAudit naming the gap — a
            // cleared or cycled log is itself worth alerting on.
            EVTlog_PlaceHolder = First_EventID;
            READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API);
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("Missed " + (First_EventID - PlaceKeeper_EventRecordID) + " logs from '" + Eventlog_FullName + "' on machine '" + Settings.ComputerName + "' the first eventlog id was older than where app left off. 
Possible log file cycle/overwrite between runs. First event log id number in the log is " + First_EventID + " SWELF left off from last run at " + PlaceKeeper_EventRecordID);
            // NOTE(review): this branch keys the place keeper with ToLower() while every other branch uses the
            // raw name; with a case-sensitive dictionary that creates a second entry and the next run still reads
            // the old value under the original key — confirm which key form is canonical.
            Settings.EventLog_w_PlaceKeeper[Eventlog_FullName.ToLower()] = Last_EventID;
        }
        else
        {
            // Unknown state (e.g. place keeper beyond the last record id): treat as a first run and warn.
            EVTlog_PlaceHolder = First_EventID;
            READ_WindowsEventLog_API(Eventlog_FullName, EVTlog_PlaceHolder, EventLog_Log_API);
            EventLog_SWELF.WRITE_Warning_EventLog("ERROR: App unable to determine app reading state in event log. App starting over. App not told to reset. '" + Eventlog_FullName + "' '" + Settings.ComputerName + "'. unknown/catch condition assume 1st run");
            Settings.EventLog_w_PlaceKeeper[Eventlog_FullName] = Last_EventID;
        }
    }
    else
    {
        // The log does not exist on this machine; record that at Information level and move on.
        Error_Operation.Log_Error("READ_EventLog() if (Settings.FIND_EventLog_Exsits())", Eventlog_FullName + " EventLog does not exist.", "", Error_Operation.LogSeverity.Informataion);
    }
}
/// <summary>
/// Last-resort shutdown: records an unsalvageable error in the SWELF event log, flushes the stored errors
/// to disk and to the central location, then terminates the process with <paramref name="error_code"/>.
/// Never returns.
/// </summary>
/// <param name="error_code">Process exit code.</param>
/// <param name="ErrorMethod">Method in which the fatal error occurred.</param>
/// <param name="Message">Error message.</param>
/// <param name="StackInfo">Stack information to include in the alert.</param>
internal static void Stop(int error_code, string ErrorMethod, string Message, string StackInfo)
{
    // string.Join treats null parts as empty, exactly like the + concatenation it stands in for.
    string alert = string.Join(" ", new[] { "ALERT: SWELF MAIN UNSALVAGEABLE ERROR:", ErrorMethod, Message, StackInfo });
    EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(alert, Error_Operation.EventID.SWELF_MAIN_APP_ERROR);
    // Flush everything that is still only in memory before the process goes away.
    Error_Operation.WRITE_Stored_Errors();
    Error_Operation.SEND_Errors_To_Central_Location();
    Environment.Exit(error_code);
}
/// <summary>
/// Integrity check for one SWELF configuration file: compares the file named by <paramref name="Settings_FilePath"/>
/// with the copy held in the registry and, on mismatch, raises a FailureAudit in the SWELF event log and rebuilds
/// the file. A path that is not one of the known config files is reported through LOG_SEC_CHECK_Fail.
/// The registry copy is the reference, so this detects file tampering only where the registry key cannot be
/// written by the same principal that can write the file — worth confirming the key's ACL.
/// </summary>
/// <param name="Settings_FilePath">Path of the config file to verify; expected to equal one of the Settings.GET_*_Path values.</param>
internal static void CHECK_Reg_vs_File_Config(string Settings_FilePath)
{
    if (Settings.GET_AppConfigFile_Path == Settings_FilePath)//Appconfig
    {
        // Only this branch and the search-terms branch actually compare the file with the registry.
        if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.ConsoleAppConfig_Contents) == false)
        {
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The app config file(ConsoleAppConfig.conf) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
            // NOTE(review): when the registry key exists the file is reset to defaults, but when it does NOT exist
            // the file is rebuilt from READ_SWELF_Reg_Key of that same absent key and the decrypted file is then
            // written into the registry — the condition reads as inverted; confirm the intended branch order.
            if (Reg_Operation.CHECK_SWELF_Reg_Key_Exists(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents))
            {
                File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
                File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
            }
            else
            {
                File_Operation.DELETE_AND_CREATE_File(Settings.GET_AppConfigFile_Path);
                File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, Reg_Operation.READ_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents));
                // The value stored here is presumably the decrypted file contents, so the registry key's ACL is
                // what protects that config from being read or altered — confirm.
                Reg_Operation.ADD_or_CHANGE_SWELF_Reg_Key(Reg_Operation.REG_KEY.ConsoleAppConfig_Contents, Crypto_Operation.Decrypt_File_Contents(Settings.GET_AppConfigFile_Path));
            }
        }
    }
    else if (Settings.GET_EventLogID_PlaceHolder_Path == Settings_FilePath)//EventLog ID
    {
        // NOTE(review): no CHECK_File_vs_Reg_Contents call in this branch (nor in the white-list and plugin
        // branches below): the mismatch alert and the rebuild run unconditionally whenever this path is passed
        // in — confirm that callers only reach this after a mismatch was already detected.
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The file that tracks the event id of an eventlog config file (Eventlog_with_PlaceKeeper.txt) did not match what was stored in the registry on this machine. 
Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_EventLogID_PlaceHolder_Path);
        // NOTE(review): the place-keeper file was just deleted, but what is recreated is Settings.AppConfigFile_FileName
        // with the ConsoleAppConfig defaults — looks like a copy/paste slip; confirm which file and contents are intended.
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Config_File_Location, Settings.AppConfigFile_FileName, File_Operation.GET_Default_ConsoleAppConfig_File_Contents);
    }
    else if (Settings.GET_SearchTermsFile_Path == Settings_FilePath)//Search SearchFile
    {
        if (CHECK_File_vs_Reg_Contents(Settings_FilePath, Reg_Operation.REG_KEY.SearchTerms_File_Contents) == false)
        {
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Search term file (Searchs.txt) config file did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
            File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_Path);
            // NOTE(review): the rebuilt search-terms file receives GET_Default_Eventlog_with_PlaceKeeper_File_Contents
            // rather than a search-terms default — appears swapped with the EventLog ID branch above; confirm.
            File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Eventlog_with_PlaceKeeper_File_Contents);
        }
    }
    else if (Settings.GET_WhiteList_SearchTermsFile_Path == Settings_FilePath)//Search WHitelist
    {
        // Unconditional alert + reset to the default white list (see the note on the EventLog ID branch).
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The white list search terms file (WhiteList_Searchs.txt) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_Path);
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Search_File_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
    }
    else if (Settings.GET_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLUGIN Search
    {
        // Unconditional alert + reset to the default plugin list. This file names the PowerShell scripts the
        // plugin runner executes, so resetting it on mismatch is the conservative choice.
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (Search.txt in the Plugins Folder) did not match what was stored in the registry on this machine. 
Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_SearchTermsFile_PLUGIN_Path);
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.SearchTermsFileName_FileName, File_Operation.GET_Default_Powershell_Plugins_File_Contents);
    }
    else if (Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path == Settings_FilePath)//PLugin WHitelist
    {
        // Unconditional alert + reset to the default white list.
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("CHECK_Reg_vs_File_Config() The Plugin config file (WhiteList_Searchs.txt in the Plugins Folder) did not match what was stored in the registry on this machine. Config File was " + Settings_FilePath);
        File_Operation.DELETE_AND_CREATE_File(Settings.GET_WhiteList_SearchTermsFile_PLUGIN_Path);
        File_Operation.CREATE_NEW_Files_And_Dirs(Settings.Plugin_Files_Location, Settings.Search_WhiteList_FileName, File_Operation.GET_Default_Whitelist_File_Contents);
    }
    else
    {
        // A path that is not one of the managed config files is a security-check failure, not a no-op.
        LOG_SEC_CHECK_Fail("CHECK_Reg_vs_File_Config() File Path:" + Settings_FilePath + " did not match encrypted config file path");
    }
}
/// <summary>
/// Writes each queued search match in Settings.SWELF_Events_Of_Interest_Matching_EventLogs to the SWELF
/// event log. A failure on one entry is logged as a warning and the remaining entries are still written.
/// </summary>
private static void Start_Write_To_SWELF_EventLogs()
{
    for (int i = 0; i < Settings.SWELF_Events_Of_Interest_Matching_EventLogs.Count; ++i)
    {
        var match = Settings.SWELF_Events_Of_Interest_Matching_EventLogs.ElementAt(i);
        try
        {
            EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(match);
        }
        catch (Exception e)
        {
            // One bad entry must not stop the rest; record it and carry on with the next one.
            Error_Operation.Log_Error("Start_Write_To_SWELF_EventLogs()", "An EventLog " + match.GET_XML_of_Log + " errored on write to SWELF Eventlog with the following error " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
        }
    }
}
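/// <summary>
/// Records an error in the SWELF error-log file and in the SWELF event log, subject to the configured
/// reporting level: nothing is written when <paramref name="LogSeverity"/> is above Logging_Level_To_Report.
/// The error-log file is created if missing and its size is checked after the append.
/// </summary>
/// <param name="MethodInCode">Name of the reporting method; embedded in the record as MethodInCode=.</param>
/// <param name="msg">Free-text message; embedded verbatim (a newline inside it splits the record in the error-log file).</param>
/// <param name="LogSeverity">Severity; gates the write and selects the EventLog_SWELF writer. Unrecognised values are written as verbose.</param>
/// <param name="eventID">Event id handed to the event-log writer; defaults to 0.</param>
internal static void WRITE_Errors_To_Log(string MethodInCode, string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
    ErrorLogging_Level();
    if (Logging_Level_To_Report < (int)LogSeverity)
    {
        // Below the configured reporting level: nothing to record.
        return;
    }
    // Capture the timestamp once so the file record and the event-log envelope carry the same time
    // (previously DateTime.Now was evaluated separately for each, so the two could differ).
    string timestamp = DateTime.Now.ToString(Settings.SWELF_Date_Time_Format);
    var severity = Severity_Levels[(int)LogSeverity];
    string err_msg = "DateTime=" + timestamp + " SourceComputer=" + Settings.ComputerName + " Severity=" + severity + " MethodInCode=" + MethodInCode + " Message=" + msg + "\n";
    if (!File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
    {
        // File.AppendAllText would also create the file, but CHECK_if_File_Exists may do more than a plain
        // File.Exists, so the explicit create is kept.
        File.Create(Settings.GET_ErrorLog_Location).Close();
    }
    File.AppendAllText(Settings.GET_ErrorLog_Location, err_msg);
    // err_msg already ends in "\n" and the envelope appends another; kept so existing consumers see the same layout.
    string envelope = "DateTime=" + timestamp + " SWELF Immediate" + " Severity=" + severity + " Message=" + err_msg + "\n";
    switch (LogSeverity)
    {
        case LogSeverity.Informataion:
            EventLog_SWELF.WRITE_Info_EventLog(envelope, eventID);
            break;
        case LogSeverity.Verbose:
            EventLog_SWELF.WRITE_Verbose_EventLog(envelope, eventID);
            break;
        case LogSeverity.Warning:
            EventLog_SWELF.WRITE_Warning_EventLog(envelope, eventID);
            break;
        case LogSeverity.FailureAudit:
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(envelope, eventID);
            break;
        case LogSeverity.Critical:
            EventLog_SWELF.WRITE_ERROR_EventLog(envelope, eventID);
            break;
        default:
            // Unknown severity values fall back to the verbose writer, as before.
            EventLog_SWELF.WRITE_Verbose_EventLog(envelope, eventID);
            break;
    }
    File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
}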
/// <summary>
/// Runs every configured PowerShell plugin line (script path ~ search term ~ arguments, split on
/// Settings.SplitChar_SearchCommandSplit[0]), wraps the script output in an EventLog_Entry and, when the output
/// contains the search term (case-insensitive), queues it, writes it to the SWELF event log and forwards it over
/// the network. Settings.PS_PluginDone is set when finished, on the failure path too.
/// </summary>
private static void Start_Run_Plugins()
{
    try
    {
        // Each distinct plugin line is executed once per run.
        Settings.Plugin_Search_Terms_Unparsed = Settings.Plugin_Search_Terms_Unparsed.Distinct().ToList();
        for (int x = 0; x < Settings.Plugin_Search_Terms_Unparsed.Count; ++x)
        {
            EventLog_Entry PSLog = new EventLog_Entry();
            PSLog.ComputerName = Settings.ComputerName;
            PSLog.EventID = Convert.ToInt32(Error_Operation.EventID.Powershell_Plugin);
            PSLog.LogName = "SWELF PowerShell Plugin Output";
            PSLog.Severity = "Information";
            PSLog.CreatedTime = DateTime.Now;
            PSLog.TaskDisplayName = "SWELF Powershell Plugin Output";
            PSLog.SearchRule = "SWELF_Powershell_Plugin=" + Settings.Plugin_Search_Terms_Unparsed.ElementAt(x);
            PSLog.UserID = Environment.UserName;
            // Field 0 is the script path and field 2 its arguments; field 1 is the term matched below. Both come
            // straight from the plugin config file, so that file's integrity (the registry-vs-file config check)
            // is what bounds which scripts this process will execute.
            // NOTE(review): a line with fewer than three fields throws here (ElementAt out of range) and lands in
            // the outer catch, which abandons every remaining plugin for this run — confirm that is intended.
            PSLog.EventData = Powershell_Plugin.Run_PS_Script(Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(0), Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(2));
            // Culture-sensitive ToLower() on both sides; the term was already lower-cased when the config was read.
            if (PSLog.EventData.ToLower().Contains(Settings.Plugin_Search_Terms_Unparsed.ElementAt(x).Split(Settings.SplitChar_SearchCommandSplit[0]).ElementAt(1).ToLower()))
            {
                Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs.Enqueue(PSLog);
                try
                {
                    // NOTE(review): ElementAt(0) is the oldest queued entry, not PSLog, and SEND_Logs is handed the
                    // whole queue; with more than one match per run the first entry is re-written and earlier
                    // entries re-sent — confirm whether PSLog alone was meant here.
                    EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs.ElementAt(0));
                    Log_Network_Forwarder.SEND_Logs(Settings.PS_Plugin_SWELF_Events_Of_Interest_Matching_EventLogs);
                }
                catch (Exception e)
                {
                    // NOTE(review): EventLog_w_PlaceKeeper_List is indexed by the plugin index x; if it is shorter
                    // than the plugin list this throws inside the catch. Plugin_Search_Terms_Unparsed.ElementAt(x)
                    // looks like the intended value — confirm.
                    Error_Operation.Log_Error("Network_Forwarder.SEND_Logs(), EventLog_SWELF.WRITE_EventLog_From_SWELF_Search(), or Start_Run_Plugins()", Settings.EventLog_w_PlaceKeeper_List.ElementAt(x) + " HostEventLogAgent_Eventlog.WRITE_EventLog " + e.Message.ToString(), e.StackTrace.ToString(), Error_Operation.LogSeverity.Warning);
                }
            }
        }
        Settings.PS_PluginDone = true;
        // NOTE(review): forced collection after the plugin run; normally unnecessary in production code.
        GC.Collect();
    }
    catch (Exception e)
    {
        // NOTE(review): the other Log_Error calls in this file pass (method, message, stack, severity); here the
        // stack trace and message are in each other's positions — confirm.
        Error_Operation.Log_Error("Powershell_Plugin.Run_PS_Script() ", e.StackTrace.ToString(), e.Message.ToString(), Error_Operation.LogSeverity.Warning);
        Error_Operation.SEND_Errors_To_Central_Location();
        Settings.PS_PluginDone = true;
    }
}
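/// <summary>
/// Parses the PowerShell plugin search-term file contents into Plugin_Search_Terms_Unparsed: one entry per
/// non-empty, non-comment line, with carriage returns stripped and the text lower-cased invariantly.
/// On any parse failure the error is written to the SWELF event log and a default plugin file is (re)created.
/// </summary>
/// <param name="Contents">Raw contents of the plugin search-term file; null or garbage ends up on the failure path.</param>
private static void READ_Powershell_SearchTerms(string Contents)
{
    try
    {
        string commentPrefix = CommentCharConfigs.ToString();
        string[] configLines = Contents.Split(SplitNewLine, StringSplitOptions.RemoveEmptyEntries);
        foreach (string line in configLines)
        {
            // Ordinal comparison: the comment marker is a literal character, not linguistic text.
            if (line.StartsWith(commentPrefix, StringComparison.Ordinal) || String.IsNullOrWhiteSpace(line))
            {
                continue;
            }
            // Invariant lower-casing: the current culture's rules (e.g. tr-TR dotless i) would alter a script path
            // or search term, so the stored line must not depend on the machine's culture settings.
            Plugin_Search_Terms_Unparsed.Add(line.Replace("\r", String.Empty).ToLowerInvariant());
        }
    }
    catch (Exception e)
    {
        EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog("READ_Powershell_SearchTerms() " + e.Message.ToString());
        File_Operation.CREATE_NEW_Files_And_Dirs(Plugin_Search_Location, SearchTermsFileName_FileName, "#File Path to Powershell Script~ SearchTerm~ Powershell Script Arguments");
    }
}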
/// <summary>
/// Appends a pre-formatted error record to the SWELF error-log file (creating the file if needed), checks the
/// file's size, then writes the same record to the SWELF event log with the writer that matches
/// <paramref name="LogSeverity"/>.
/// </summary>
/// <param name="msg">Fully formatted record; written verbatim to both destinations.</param>
/// <param name="LogSeverity">Selects the event-log writer; unrecognised values are written as verbose.</param>
/// <param name="eventID">Event id handed to the event-log writer; defaults to 0.</param>
private static void WRITE_Errors_To_Log(string msg, LogSeverity LogSeverity, EventID eventID = 0)
{
    if (!File_Operation.CHECK_if_File_Exists(Settings.GET_ErrorLog_Location))
    {
        File.Create(Settings.GET_ErrorLog_Location).Close();
    }
    File.AppendAllText(Settings.GET_ErrorLog_Location, msg);
    File_Operation.CHECK_File_Size(Settings.GET_ErrorLog_Location);
    switch (LogSeverity)
    {
        case LogSeverity.Informataion:
            EventLog_SWELF.WRITE_Info_EventLog(msg, eventID);
            break;
        case LogSeverity.Verbose:
            EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
            break;
        case LogSeverity.Warning:
            EventLog_SWELF.WRITE_Warning_EventLog(msg, eventID);
            break;
        case LogSeverity.FailureAudit:
            EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(msg, eventID);
            break;
        case LogSeverity.Critical:
            EventLog_SWELF.WRITE_ERROR_EventLog(msg, eventID);
            break;
        default:
            // Unknown severity values go to the verbose writer.
            EventLog_SWELF.WRITE_Verbose_EventLog(msg, eventID);
            break;
    }
}
/// <summary>
/// Last-resort shutdown: records an unsalvageable error in the SWELF event log, logs it through
/// Error_Operation.Log_Error at severity <paramref name="Ls"/>, then terminates the process with
/// <paramref name="error_code"/>. Never returns.
/// </summary>
/// <param name="error_code">Process exit code.</param>
/// <param name="ErrorMethod">Method in which the fatal error occurred.</param>
/// <param name="Message">Error message.</param>
/// <param name="StackInfo">Stack information to include.</param>
/// <param name="Ls">Severity used for the Log_Error record.</param>
internal static void Stop(int error_code, string ErrorMethod, string Message, string StackInfo, Error_Operation.LogSeverity Ls)
{
    // string.Join treats null parts as empty, exactly like the + concatenation it stands in for.
    string alert = string.Join(" ", new[] { "ALERT: SWELF MAIN UNSALVAGEABLE ERROR:", ErrorMethod, Message, StackInfo });
    EventLog_SWELF.WRITE_FailureAudit_Error_To_EventLog(alert, Error_Operation.EventID.SWELF_MAIN_APP_ERROR);
    // The method tag has no separator between the exit code and the method name; kept as-is.
    Error_Operation.Log_Error("STOP(" + error_code + ErrorMethod + ")", Message, StackInfo, Ls);
    // NOTE(review): unlike the four-argument Stop overload, nothing flushes stored errors or sends them to the
    // central location before exit; if Log_Error only stores the record in memory it is lost here — confirm.
    Environment.Exit(error_code);
}