public ISource CreateInstance(string entry, IPlugInContext context) { var config = context.Configuration; if (!OperatingSystem.IsWindows()) { throw new PlatformNotSupportedException($"Source type '{entry}' is only supported on Windows"); } switch (entry.ToLowerInvariant()) { case WINDOWS_EVENT_LOG_POLLING_SOURCE: var pollingOptions = new WindowsEventLogPollingSourceOptions(); ParseWindowsEventLogSourceOptions(config, pollingOptions); ParseEventLogPollingSourceOptions(config, pollingOptions); var weps = new WindowsEventPollingSource(config[ConfigConstants.ID], config["LogName"], config["Query"], context.BookmarkManager, pollingOptions, context); return(weps); case WINDOWS_EVENT_LOG_SOURCE: var eventOpts = new WindowsEventLogSourceOptions(); ParseWindowsEventLogSourceOptions(config, eventOpts); var source = new EventLogSource(config[ConfigConstants.ID], config["LogName"], config["Query"], context.BookmarkManager, eventOpts, context); return(source); case WINDOWS_PERFORMANCE_COUNTER_SOURCE: var performanceCounterSource = new PerformanceCounterSource(context); return(performanceCounterSource); case WINDOWS_ETW_EVENT_SOURCE: var providerName = config["ProviderName"]; var traceLevelString = DefaultMissingConfig(config["TraceLevel"], "Verbose"); var matchAnyKeywordString = DefaultMissingConfig(config["MatchAnyKeyword"], ulong.MaxValue.ToString()); if (string.IsNullOrWhiteSpace(providerName)) { throw new Exception($"A provider name must be specified for the WindowsEtwEventSource."); } TraceEventLevel traceLevel; ulong matchAnyKeyword; if (!Enum.TryParse <TraceEventLevel>(traceLevelString, out traceLevel)) { var validNames = string.Join(", ", Enum.GetNames(typeof(TraceEventLevel))); throw new Exception($"{traceLevelString} is not a valid trace level value ({validNames}) for the WindowsEtwEventSource."); } matchAnyKeyword = ParseMatchAnyKeyword(matchAnyKeywordString); var eventSource = new EtwEventSource(providerName, traceLevel, matchAnyKeyword, context); return(eventSource); default: throw new Exception($"Source type {entry} not recognized."); } }
public EventLogSource(string id, string logName, string query, IBookmarkManager bookmarkManager, WindowsEventLogSourceOptions options, IPlugInContext context) : base(id, logName, query, bookmarkManager, context) { Id = id; _options = options; _eventLogQuery = string.IsNullOrWhiteSpace(query) ? new EventLogQuery(_logName, PathType.LogName) : new EventLogQuery(_logName, PathType.LogName, _query); InitialPosition = options.InitialPosition; InitialPositionTimestamp = options.InitialPositionTimestamp; }
private void LoadInitialPositionSettings(IConfiguration config, WindowsEventLogSourceOptions options) { var initialPositionConfig = config["InitialPosition"]; if (!string.IsNullOrEmpty(initialPositionConfig)) { switch (initialPositionConfig.ToLower()) { case "eos": options.InitialPosition = InitialPositionEnum.EOS; break; case "0": options.InitialPosition = InitialPositionEnum.BOS; break; case "bookmark": options.InitialPosition = InitialPositionEnum.Bookmark; break; case "timestamp": options.InitialPosition = InitialPositionEnum.Timestamp; string initialPositionTimeStamp = config["InitialPositionTimestamp"]; if (string.IsNullOrWhiteSpace(initialPositionTimeStamp)) { throw new Exception("Missing initial position timestamp."); } try { var timeZone = Utility.ParseTimeZoneKind(config["TimeZoneKind"]); var timestamp = DateTime.Parse(initialPositionTimeStamp, null, System.Globalization.DateTimeStyles.RoundtripKind); options.InitialPositionTimestamp = timeZone == DateTimeKind.Utc ? DateTime.SpecifyKind(timestamp, DateTimeKind.Utc) : DateTime.SpecifyKind(timestamp, DateTimeKind.Local).ToUniversalTime(); } catch { throw new Exception($"Invalid InitialPositionTimestamp {initialPositionTimeStamp}"); } break; default: throw new Exception($"Invalid InitialPosition {initialPositionConfig}"); } } }
private void ParseWindowsEventLogSourceOptions(IConfiguration config, WindowsEventLogSourceOptions options) { if (config["CustomFilters"] is not null) { options.CustomFilters = config["CustomFilters"].Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries); var badFilters = string.Join(",", options.CustomFilters.Where(i => EventInfoFilters.GetFilter(i) == null)); if (!string.IsNullOrWhiteSpace(badFilters)) { throw new ConfigurationException($"Custom filter/s '{badFilters}' do not exist. Please check the filter names."); } } if (bool.TryParse(config["IncludeEventData"], out var ied)) { options.IncludeEventData = ied; } if (bool.TryParse(config["BookmarkOnBufferFlush"], out var bookmarkOnBufferFlush)) { options.BookmarkOnBufferFlush = bookmarkOnBufferFlush; } LoadInitialPositionSettings(config, options); }