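protected override EventLogEntry GetEntry(int index)
{
	// Entries are stored one per file in the log's store directory. File
	// names are one-based, so entry `index` lives in "<index + 1>.log".
	string logDir = FindLogStore(CoreEventLog.Log);
	string file = Path.Combine(logDir,
		(index + 1).ToString(CultureInfo.InvariantCulture) + ".log");

	using (TextReader tr = File.OpenText(file)) {
		// The entry index is re-derived from the file name rather than
		// taken from `index`, so it always matches what is on disk.
		int eventIndex = int.Parse(Path.GetFileNameWithoutExtension(file),
			CultureInfo.InvariantCulture);

		// Header: one "Label: value" line per field. Each width below is the
		// length of the label that precedes the value (presumably
		// "InstanceID: ", "EntryType: ", "Source: ", "Category: ",
		// "TimeGenerated: ", "ReplacementStrings: " — confirm against the
		// writer side).
		uint instanceID = uint.Parse(ReadField(tr, 12, file),
			CultureInfo.InvariantCulture);
		EventLogEntryType type = (EventLogEntryType) Enum.Parse(
			typeof(EventLogEntryType), ReadField(tr, 11, file));
		string source = ReadField(tr, 8, file);
		string category = ReadField(tr, 10, file);
		short categoryNumber = short.Parse(category, CultureInfo.InvariantCulture);
		string categoryName = "(" + category + ")";
		DateTime timeGenerated = DateTime.ParseExact(ReadField(tr, 15, file),
			DateFormat, CultureInfo.InvariantCulture);
		// The store does not record the write time; the file's own
		// modification time stands in for it.
		DateTime timeWritten = File.GetLastWriteTime(file);
		// Parsed with the invariant culture like every other numeric field
		// (the count was previously the only one parsed with the current
		// culture).
		int stringNums = int.Parse(ReadField(tr, 20, file),
			CultureInfo.InvariantCulture);
		if (stringNums < 0) {
			throw new InvalidDataException("Malformed event log entry '" +
				file + "': negative replacement string count.");
		}

		// The replacement strings follow the header, each terminated by
		// '\0'. TextReader.Read() returns -1 at end of stream; it is checked
		// explicitly here so a truncated file throws instead of looping
		// forever (a cast to char turns -1 into '\uffff', never '\0').
		string [] replacementStrings = new string [stringNums];
		StringBuilder sb = new StringBuilder();
		for (int i = 0; i < stringNums; i++) {
			sb.Length = 0;
			int c;
			while ((c = tr.Read()) != '\0') {
				if (c == -1) {
					throw new InvalidDataException("Malformed event log entry '" +
						file + "': unexpected end of file in replacement strings.");
				}
				sb.Append((char) c);
			}
			replacementStrings [i] = sb.ToString();
		}

		string message = FormatMessage(source, instanceID, replacementStrings);
		int eventID = EventLog.GetEventID(instanceID);
		// Everything after the replacement strings is the entry's binary
		// data, base64-encoded.
		byte [] bin = Convert.FromBase64String(tr.ReadToEnd());
		return new EventLogEntry(categoryName, categoryNumber, eventIndex,
			eventID, source, message, null, Environment.MachineName, type,
			timeGenerated, timeWritten, bin, replacementStrings, instanceID);
	}
}

// Reads the next header line of `file` and returns it with its
// `prefixLength`-character label removed. Throws InvalidDataException when
// the file ends early or the line is shorter than the label, instead of the
// NullReferenceException / ArgumentOutOfRangeException a bare
// ReadLine().Substring() would produce.
private static string ReadField(TextReader tr, int prefixLength, string file)
{
	string line = tr.ReadLine();
	if (line == null || line.Length < prefixLength) {
		throw new InvalidDataException("Malformed event log entry '" + file +
			"': header line missing or too short.");
	}
	return line.Substring(prefixLength);
}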
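protected override EventLogEntry GetEntry(int index)
{
	// http://msdn.microsoft.com/library/en-us/eventlog/base/readeventlog.asp
	// http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp
	// http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
	//
	// Reads one record (at `index`, relative to the oldest record) into a
	// buffer and decodes its fixed header, the null-terminated names that
	// follow it, and the SID / replacement string / data areas located by
	// the offsets stored in the header.
	index += OldestEventLogEntry;
	int bytesRead = 0;
	int minBufferNeeded = 0;
	byte [] buffer = new byte [0x7ffff]; // according to MSDN this is the max size of the buffer
	ReadEventLog(index, buffer, ref bytesRead, ref minBufferNeeded);

	using (MemoryStream ms = new MemoryStream(buffer))
	using (BinaryReader br = new BinaryReader(ms)) {
		// Fixed header. The trailing comment is the byte offset of the
		// field within the record.
		br.ReadBytes(8);                            // skip first 8 bytes
		int recordNumber = br.ReadInt32();          // 8
		int timeGeneratedSeconds = br.ReadInt32();  // 12
		int timeWrittenSeconds = br.ReadInt32();    // 16
		uint instanceID = br.ReadUInt32();          // 20
		int eventID = EventLog.GetEventID(instanceID);
		short eventType = br.ReadInt16();           // 24
		short numStrings = br.ReadInt16();          // 26
		short categoryNumber = br.ReadInt16();      // 28
		br.ReadInt16();                             // 30, reservedFlags (skipped)
		br.ReadInt32();                             // 32, closingRecordNumber (skipped)
		int stringOffset = br.ReadInt32();          // 36
		int userSidLength = br.ReadInt32();         // 40
		int userSidOffset = br.ReadInt32();         // 44
		int dataLength = br.ReadInt32();            // 48
		int dataOffset = br.ReadInt32();            // 52

		// The lengths are used to size arrays below; reject a corrupt
		// record up front rather than surfacing an OverflowException from
		// the array allocation.
		if (numStrings < 0 || userSidLength < 0 || dataLength < 0) {
			throw new InvalidDataException(
				"Malformed event log record: negative length field.");
		}

		// Both timestamps are stored as seconds since 1970-01-01.
		// NOTE(review): the result carries DateTimeKind.Unspecified and no
		// UTC/local conversion is applied here — confirm that is what
		// callers expect.
		DateTime epoch = new DateTime(1970, 1, 1);
		DateTime timeGenerated = epoch.AddSeconds(timeGeneratedSeconds);
		DateTime timeWritten = epoch.AddSeconds(timeWrittenSeconds);

		// Null-terminated names follow the fixed header. The third one is
		// read only to advance past it; it is not used.
		// NOTE(review): characters are decoded with BinaryReader's default
		// encoding — confirm this matches the variant ReadEventLog wraps.
		string sourceName = ReadNullTerminated(br);
		string machineName = ReadNullTerminated(br);
		ReadNullTerminated(br);

		string userName = null;
		if (userSidLength != 0) {
			// TODO: lazy init ?
			ms.Position = userSidOffset;
			byte [] sid = br.ReadBytes(userSidLength);
			if (sid.Length != userSidLength) {
				throw new InvalidDataException(
					"Malformed event log record: SID extends past the record.");
			}
			userName = LookupAccountSid(machineName, sid);
		}

		ms.Position = stringOffset;
		string [] replacementStrings = new string [numStrings];
		for (int i = 0; i < numStrings; i++) {
			replacementStrings [i] = ReadNullTerminated(br);
		}

		// TODO: lazy fetch ??
		// Read() may return fewer bytes than requested when the offset or
		// length point past the buffer; previously that left the tail of
		// `data` silently zero-filled.
		byte [] data = new byte [dataLength];
		ms.Position = dataOffset;
		int got = br.Read(data, 0, dataLength);
		if (got != dataLength) {
			throw new InvalidDataException(
				"Malformed event log record: data extends past the record.");
		}

		string message = this.FormatMessage(sourceName, instanceID, replacementStrings);
		string category = FormatCategory(sourceName, categoryNumber);
		return new EventLogEntry(category, categoryNumber, recordNumber,
			eventID, sourceName, message, userName, machineName,
			(EventLogEntryType) eventType, timeGenerated, timeWritten, data,
			replacementStrings, instanceID);
	}
}

// Reads characters from `br` up to the next '\0' and consumes the
// terminator. PeekChar() returns -1 at end of stream, so a record that ends
// before the terminator surfaces as EndOfStreamException from ReadChar().
private static string ReadNullTerminated(BinaryReader br)
{
	StringBuilder sb = new StringBuilder();
	while (br.PeekChar() != '\0') {
		sb.Append(br.ReadChar());
	}
	br.ReadChar(); // skip the null-char
	return sb.ToString();
}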