public dynamic CreateDynamic(EventRecord record)
        {
            var obj = new ExpandoObject();
            IDictionary<string, object> underObject = obj;
            underObject["Source"] = "WindowsEventLog";
            underObject["Devicename"] = record.MachineName.ToUpper();
            underObject["EventTime"] = record.TimeCreated.Value.ToUniversalTime().ToString("o");
            underObject["EventId"] = record.Id.ToString();
            underObject["Level"] = record.Level.HasValue ? ((int)record.Level.Value).ToString() : string.Empty;
            underObject["User"] = record.UserId != null ? record.UserId.Translate(typeof(NTAccount)).ToString() : "N/A";
            underObject["ProviderName"] = record.ProviderName;

            // if SQL Audit Event
            if (record.Id == 33205)
            {
                var entries = record.FormatDescription().Replace("Audit event: ", "").Split(new[] {'\n'});
                foreach (var entry in entries)
                {
                    var colon = entry.IndexOf(':');
                    if (colon != -1)
                    {
                        underObject.Add(entry.Substring(0, colon), entry.Substring(colon + 1, entry.Length - colon - 1));
                    }
                }
            }
            else
            {
                underObject["Description"] = record.FormatDescription();
                var root = XElement.Parse(record.ToXml());
                XNamespace x = "http://schemas.microsoft.com/win/2004/08/events/event";
                var dataNodes = root.Descendants(x + "Data")
                                    .Where(e => e.HasAttributes && e.Attributes().Any(a => a.Name == "Name"));
                foreach (var node in dataNodes)
                {
                    var key = node.Attributes().First(a => a.Name == "Name").Value;
                    if (!underObject.ContainsKey(key))
                    {
                        underObject.Add(key, node.Value);
                    }
                }
            }

            return underObject;
        }
Пример #2
0
 // ReadLocal
 public EventRecord DisplayEventAndLogInformation(EventRecord eventInstance, string fileName, EventLogReader logReader)
 {
     //EventRecord eventInstance = null;
     //for (eventInstance = logReader.ReadEvent(); null != eventInstance; eventInstance = logReader.ReadEvent())
     //{
     //    #region Gerçek
     //    //_eventId = eventInstance.Id;
     //    //_eventType = eventInstance.TaskDisplayName;
     //    //_description = eventInstance.FormatDescription();
     //    //_eventCategory = eventInstance.LevelDisplayName;
     //    //_computerName = eventInstance.MachineName;
     //    //DateTime dtCreate = Convert.ToDateTime(eventInstance.TimeCreated);
     //    //_dateTimeCreate = dtCreate.ToString(DateFormat);
     //    //DateTime dtNow = DateTime.Now;
     //    //_dateTimeNow = dtNow.ToString(DateFormat);
     //    #endregion
     //}
     eventInstance = logReader.ReadEvent();
     return eventInstance;
 }
Пример #3
0
        public static ApplicationError ParseEntry(EventRecord eventRecord)
        {
            try
            {
                var iisIdRegex = new Regex(@"/LM/W3SVC/(\d{1,9}).+", RegexOptions.IgnoreCase | RegexOptions.Compiled);
                // Entries kan forekomme uden et IIS id.
                var iisIdString = eventRecord.Properties[8].Value.ToString();
                var iisIdMatch = iisIdRegex.Match(iisIdString);
                var iisIdResult = (iisIdMatch.Groups.Count > 1 && !string.IsNullOrEmpty(iisIdMatch.Groups[1].Value)) ? Convert.ToInt32(iisIdMatch.Groups[1].Value) : 0;

                if (iisIdResult == 0)
                    return null;
                var fullMessage = eventRecord.Properties[18].Value.ToString();
                var error = new ApplicationError
                {
                    Id = (int)eventRecord.RecordId,
                    SiteIisId = iisIdResult,
                    DateTime = eventRecord.TimeCreated.Value.ToUniversalTime(),
                    ExceptionType = eventRecord.Properties[17].Value.ToString(),
                    Message = eventRecord.Properties[1].Value.ToString(),
                    FullMessage = fullMessage.Replace(Environment.NewLine, "<br />").Trim(),
                    ThreadInformation = eventRecord.Properties[29].Value.ToString().Replace(Environment.NewLine, "<br />").Trim(),
                    Url = eventRecord.Properties[19].Value.ToString(),
                    ClientIpAddress = eventRecord.Properties[21].Value.ToString()
                };

                var indexOfBreak = fullMessage.IndexOf("\n   ", System.StringComparison.InvariantCulture);
                var description = fullMessage.Substring(0, indexOfBreak);
                
                error.Description = description;

                return error;
            }
            catch (Exception ex)
            {
                EventLog.WriteEntry("Servant for IIS", "Error parsing entry: " + ex.Message + Environment.NewLine + ex.StackTrace + Environment.NewLine + Environment.NewLine + Environment.NewLine + "EventRecord: " + Environment.NewLine + eventRecord.ToXml());
                return null;
            }
        }
Пример #4
0
 private static bool HasEntryType(EventRecord eventRecord, EventLogEntryType entryType)
 {
     var keywords = (StandardEventKeywords)(eventRecord.Keywords ?? 0);
     var level = (StandardEventLevel)(eventRecord.Level ?? 0);
     bool isClassicEvent = keywords.HasFlag(StandardEventKeywords.EventLogClassic);
     switch (entryType)
     {
         case EventLogEntryType.Error:
             return isClassicEvent && level == StandardEventLevel.Error;
         case EventLogEntryType.Warning:
             return isClassicEvent && level == StandardEventLevel.Warning;
         case EventLogEntryType.Information:
             return isClassicEvent && level == StandardEventLevel.Informational;
         case EventLogEntryType.SuccessAudit:
             return keywords.HasFlag(StandardEventKeywords.AuditSuccess);
         case EventLogEntryType.FailureAudit:
             return keywords.HasFlag(StandardEventKeywords.AuditFailure);
     }
     return false;
 }
Пример #5
0
        private log_entry_line to_log_entry(EventRecord rec, string log_name) {
            log_entry_line entry = new log_entry_line();
            try {
                entry.add("Log", log_name);
                entry.add("EventID", "" + rec.Id);

                entry.add("level", event_level((StandardEventLevel) rec.Level));
                entry.add("date", rec.TimeCreated.Value.ToString("dd-MM-yyyy"));
                entry.add("time", rec.TimeCreated.Value.ToString("HH:mm:ss.fff"));

                try {
                    var task = rec.Task != 0 ? rec.TaskDisplayName : "";
                    entry.add("Category", task ?? "");
                } catch {
                    entry.add("Category", "");
                }

                entry.add("Machine Name", rec.MachineName);
                entry.add("Source", "" + rec.ProviderName);
                entry.add("User Name", rec.UserId != null ? rec.UserId.Value : "");
                /* 1.5.14+ this generates waaaay too many errors - just ignore for now
                try {
                    var keywords = rec.KeywordsDisplayNames;
                    entry.add("Keywords", keywords != null ? util.concatenate(keywords, ",") : "");
                } catch {
                    entry.add("Keywords", "");
                }*/


                // note: this throws a lot of exceptions; however, we don't have much of a choice here - just showing the raw properties is rather useless
                try {
                    var desc = rec.FormatDescription();
                    entry.add("msg", desc ?? "");
                } catch {
                    try {
                        string desc = util.concatenate( rec.Properties.Select(x => x.Value.ToString()), "\r\n");
                        entry.add("msg", desc);
                    } catch {
                        entry.add("msg", "");
                    }
                }

            } catch (Exception e) {
                logger.Fatal("can't convert EventRectord to entry " + e.Message);
            }
            return entry;
        }
 internal EventRecordWrittenEventArgs(EventLogRecord record) { this.record = record; }
 internal EventRecordWrittenEventArgs(EventLogRecord record)
 {
     this.record = record;
 }
        private static string SerializeEventRecord(EventRecord e)
        {
            string logstashEvent = string.Empty;

            using (StringWriter sw = new StringWriter(CultureInfo.InvariantCulture))
            using (JsonTextWriter writer = new JsonTextWriter(sw))
            {
                writer.WriteStartObject();
                AddEventProperty(writer, "@version", 1);
                string normalisedDate = ((DateTime)e.TimeCreated).ToString("o", CultureInfo.InvariantCulture);

                AddEventProperty(writer, "@timestamp", normalisedDate);
                AddEventProperty(writer, "type", "eventlog");
                try
                {
                  AddEventProperty(writer, "SourceName", e.ProviderName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "EventIdentifier", e.Id);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "ComputerName", e.MachineName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "@message", e.FormatDescription());
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "TaskName", e.TaskDisplayName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "host", Environment.MachineName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "path", e.LogName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "LogFile", e.LogName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "SourceIdentifier", e.ProviderId);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "Type", System.Enum.GetName(typeof(StandardEventLevel), e.Level));
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "EventType", e.Level);
                }
                catch {}
                try
                {
                  if (!IsNull(e.UserId))
                  {
                      AddEventProperty(writer, "User", ResolveSIDtoUsername(e.UserId.Value));
                  }
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "RecordNumber", e.RecordId);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "ActivityIdentifier", e.ActivityId);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "RelatedActivityIdentifier", e.RelatedActivityId);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "Opcode", e.Opcode);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "OpcodeName", e.OpcodeDisplayName);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "pid", e.ProcessId);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "ThreadId", e.ThreadId);
                }
                catch {}
                try
                {
                  SerializeEventProperties(writer, e.Properties);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "Qualifiers", e.Qualifiers);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "Task", e.Task);
                }
                catch {}
                try
                {
                  AddEventProperty(writer, "EventVersion", e.Version);
                }
                catch {}

                writer.WriteEndObject();
                logstashEvent = sw.ToString();
            }

            return logstashEvent;
        }
Пример #9
0
 private bool IsKnownRecord(Options options, EventRecord record)
 {
     AzureTableStorage table = new AzureTableStorage(options.TableStorageConnectionString, options.KnownLogsTableName);
     return table.IsKnownLog(record.LevelDisplayName, record.FormatDescription());
 }
 // ReadLocal
 public EventRecord DisplayEventAndLogInformation(EventRecord eventInstance, string fileName, EventLogReader logReader)
 {
     eventInstance = logReader.ReadEvent();
     return eventInstance;
 }
Пример #11
0
        private String FormatterEventRecord(EventRecord monER)
        {
            String Resultat = Environment.NewLine + "===" +
                    Environment.NewLine  ;
                Resultat = Resultat + "Quand:" +
                    monER.TimeCreated.ToString() + Environment.NewLine  ;
                Resultat = Resultat + monER.FormatDescription();

            Resultat = Resultat +
                    FormatterPropriete(monER.Properties);
                return Resultat ;
        }
Пример #12
0
        /// <summary>
        /// Takes an event record, and writes the properties into a string builder.
        /// This assumes that the event is a .Net Runtime Provider EventID 1026, which only has one property
        /// that is a Crash Report for Visual Studio.
        /// </summary>
        /// <param name="events">StringBuilder to write the properties to.</param>
        /// <param name="eventLogEntry">EventRecord to extract properties from</param>
        private void WriteCrashReport(StringBuilder events, EventRecord eventLogEntry)
        {
            if (eventLogEntry == null)
                return;

            // We assume that this .Net Runtime Provider EventID 1026, which only has one property
            EventProperty eventProperty = eventLogEntry.Properties.FirstOrDefault();
            if (eventProperty != null)
            {
                int stringBuildInitialLength = events.Length;

                if (eventLogEntry.TimeCreated.HasValue)
                {
                    events.Append("Event Log Time: ");
                    events.AppendLine(eventLogEntry.TimeCreated.Value.ToLocalTime().ToString());
                }
                
                String crashReport = eventProperty.Value.ToString();
                
                crashReport = crashReport.Replace(" at ",               Environment.NewLine + " at ");
                crashReport = crashReport.Replace("Framework Version:", Environment.NewLine + "Framework Version:");
                crashReport = crashReport.Replace("Description:",       Environment.NewLine + "Description:");
                crashReport = crashReport.Replace("Exception Info:",    Environment.NewLine + "Exception Info:" + Environment.NewLine);
                crashReport = crashReport.Replace("Stack:",             Environment.NewLine + "Stack:");

                events.AppendLine(crashReport);
            }
        }
Пример #13
0
        private log_entry_line to_log_entry(EventRecord rec, string log_name) {
            log_entry_line entry = new log_entry_line();
            try {
                try {
                    var task = rec.Task != 0 ? rec.TaskDisplayName : "";
                    entry.add("Category", task ?? "");
                } catch {
                    entry.add("Category", "");
                }
                entry.add("Log", log_name);
                entry.add("Machine Name", rec.MachineName);
                entry.add("level", event_level((StandardEventLevel) rec.Level));
                entry.add("EventID", "" + rec.Id);
                entry.add("Source", "" + rec.ProviderName);
                entry.add("date", rec.TimeCreated.Value.ToString("dd-MM-yyyy"));
                entry.add("time", rec.TimeCreated.Value.ToString("hh:mm:ss.fff"));
                entry.add("User Name", rec.UserId != null ? rec.UserId.Value : "");
                try {
                    var keywords = rec.KeywordsDisplayNames;
                    entry.add("Keywords", keywords != null ? util.concatenate(keywords, ",") : "");
                } catch {
                    entry.add("Keywords", "");
                }

                /*
                try {
                    var desc = rec.FormatDescription();
                    entry.add("msg", desc ?? "");
                } catch {
                    entry.add("msg", "");
                }*/
                // 1.5.7+ seems FormatDescription() throws a lot of exceptions, prety sure there's a bug in .net 
                //        just make it easy
                try {
                    string desc = util.concatenate( rec.Properties.Select(x => x.Value.ToString()), "\r\n");
                    entry.add("msg", desc);
                } catch {
                    entry.add("msg", "");
                }


            } catch (Exception e) {
                logger.Fatal("can't convert EventRectord to entry " + e.Message);
            }
            return entry;
        }