protected override EventLogEntry GetEntry(int index)
{
string logDir = FindLogStore(CoreEventLog.Log);
// our file names are one-based
string file = Path.Combine(logDir, (index + 1).ToString(
CultureInfo.InvariantCulture) + ".log");
using (TextReader tr = File.OpenText(file))
{
int eventIndex = int.Parse(Path.GetFileNameWithoutExtension(file),
CultureInfo.InvariantCulture);
uint instanceID = uint.Parse(tr.ReadLine().Substring(12),
CultureInfo.InvariantCulture);
EventLogEntryType type = (EventLogEntryType)
Enum.Parse(typeof(EventLogEntryType), tr.ReadLine().Substring(11));
string source = tr.ReadLine().Substring(8);
string category = tr.ReadLine().Substring(10);
short categoryNumber = short.Parse(category, CultureInfo.InvariantCulture);
string categoryName = "(" + category + ")";
DateTime timeGenerated = DateTime.ParseExact(tr.ReadLine().Substring(15),
DateFormat, CultureInfo.InvariantCulture);
DateTime timeWritten = File.GetLastWriteTime(file);
int stringNums = int.Parse(tr.ReadLine().Substring(20));
ArrayList replacementTemp = new ArrayList();
StringBuilder sb = new StringBuilder();
while (replacementTemp.Count < stringNums)
{
char c = (char)tr.Read();
if (c == '\0')
{
replacementTemp.Add(sb.ToString());
sb.Length = 0;
}
else
{
sb.Append(c);
}
}
string [] replacementStrings = new string [replacementTemp.Count];
replacementTemp.CopyTo(replacementStrings, 0);
string message = FormatMessage(source, instanceID, replacementStrings);
int eventID = EventLog.GetEventID(instanceID);
byte [] bin = Convert.FromBase64String(tr.ReadToEnd());
return(new EventLogEntry(categoryName, categoryNumber, eventIndex,
eventID, source, message, null, Environment.MachineName,
type, timeGenerated, timeWritten, bin, replacementStrings,
instanceID));
}
}
protected override EventLogEntry GetEntry(int index)
{
// http://msdn.microsoft.com/library/en-us/eventlog/base/readeventlog.asp
// http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp
// http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
index += OldestEventLogEntry;
int bytesRead = 0;
int minBufferNeeded = 0;
byte [] buffer = new byte [0x7ffff]; // according to MSDN this is the max size of the buffer
ReadEventLog(index, buffer, ref bytesRead, ref minBufferNeeded);
MemoryStream ms = new MemoryStream(buffer);
BinaryReader br = new BinaryReader(ms);
// skip first 8 bytes
br.ReadBytes(8);
int recordNumber = br.ReadInt32(); // 8
int timeGeneratedSeconds = br.ReadInt32(); // 12
int timeWrittenSeconds = br.ReadInt32(); // 16
uint instanceID = br.ReadUInt32();
int eventID = EventLog.GetEventID(instanceID);
short eventType = br.ReadInt16(); // 24
short numStrings = br.ReadInt16();; // 26
short categoryNumber = br.ReadInt16();; // 28
// skip reservedFlags
br.ReadInt16(); // 30
// skip closingRecordNumber
br.ReadInt32(); // 32
int stringOffset = br.ReadInt32(); // 36
int userSidLength = br.ReadInt32(); // 40
int userSidOffset = br.ReadInt32(); // 44
int dataLength = br.ReadInt32(); // 48
int dataOffset = br.ReadInt32(); // 52
DateTime timeGenerated = new DateTime(1970, 1, 1).AddSeconds(
timeGeneratedSeconds);
DateTime timeWritten = new DateTime(1970, 1, 1).AddSeconds(
timeWrittenSeconds);
StringBuilder sb = new StringBuilder();
while (br.PeekChar() != '\0')
{
sb.Append(br.ReadChar());
}
br.ReadChar(); // skip the null-char
string sourceName = sb.ToString();
sb.Length = 0;
while (br.PeekChar() != '\0')
{
sb.Append(br.ReadChar());
}
br.ReadChar(); // skip the null-char
string machineName = sb.ToString();
sb.Length = 0;
while (br.PeekChar() != '\0')
{
sb.Append(br.ReadChar());
}
br.ReadChar(); // skip the null-char
string userName = null;
if (userSidLength != 0)
{
// TODO: lazy init ?
ms.Position = userSidOffset;
byte [] sid = br.ReadBytes(userSidLength);
userName = LookupAccountSid(machineName, sid);
}
ms.Position = stringOffset;
string [] replacementStrings = new string [numStrings];
for (int i = 0; i < numStrings; i++)
{
sb.Length = 0;
while (br.PeekChar() != '\0')
{
sb.Append(br.ReadChar());
}
br.ReadChar(); // skip the null-char
replacementStrings [i] = sb.ToString();
}
byte [] data = new byte [dataLength];
ms.Position = dataOffset;
br.Read(data, 0, dataLength);
// TODO: lazy fetch ??
string message = this.FormatMessage(sourceName, instanceID, replacementStrings);
string category = FormatCategory(sourceName, categoryNumber);
return(new EventLogEntry(category, (short)categoryNumber, recordNumber,
eventID, sourceName, message, userName, machineName,
(EventLogEntryType)eventType, timeGenerated, timeWritten,
data, replacementStrings, instanceID));
}
