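/// <summary>
/// Reads the EVTX file named by <c>FileName</c> through the Windows Event Log API
/// (EvtQuery / EvtNext), renders each record's system properties and display strings
/// into an <see cref="EventRecordWrapper"/>, hands the record to <c>ParseSpecific</c>,
/// and advances <c>Position</c> (persisted through <c>SetRegistry</c>) to the record id
/// just consumed. Only records whose EventRecordID is greater than <c>Position</c> are
/// requested, so a restart resumes where the previous run stopped.
/// </summary>
/// <returns>
/// <c>true</c> when EvtNext stopped yielding records (the file is treated as finished);
/// <c>false</c> when the query or the render context could not be opened, or when an
/// <see cref="EventLogNotFoundException"/> was raised.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Thrown, after the in-progress read has released <c>callable</c>, when a second caller
/// enters while another thread is still reading.
/// </exception>
/// <remarks>
/// Offsets into the native render buffer are computed with 64-bit pointer arithmetic
/// (<see cref="ReadSystemProperty"/>); the earlier <c>(Int32)pRenderedValues</c> cast
/// truncated the pointer and would throw or mis-address in an x64 process.
/// </remarks>
protected override bool ReadLocal()
{
    // Single-reader gate: a concurrent caller waits for the running read to finish and
    // then fails loudly instead of silently re-reading the file from the same Position.
    if (!callable.WaitOne(0))
    {
        Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE");
        callable.WaitOne();
        try
        {
            throw new InvalidOperationException("Parse already been processed by another thread while this call has made");
        }
        finally
        {
            callable.ReleaseMutex();
        }
    }

    try
    {
        Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- Started with lastfile: " + lastFile);

        string eventLogLocation = FileName;
        // XPath filter that resumes after the last persisted record; null selects every record.
        string query = Position > 0 ? "*[System/EventRecordID > " + Position + "]" : null;

        IntPtr handle = IntPtr.Zero;
        var events = new IntPtr[] { IntPtr.Zero };
        IntPtr hRenderContext = IntPtr.Zero;
        // Render buffer; GetRenderValues (not visible here) allocates / grows it through the ref parameter.
        IntPtr pRenderedValues = IntPtr.Zero;
        // Publisher metadata handles keyed by provider name, so each provider is opened once per read.
        var metaDict = new Dictionary<string, IntPtr>();
        int dwBufferUsed = 0;
        int dwPropertyCount = 0;
        int dwBufferSize = 0;
        int status = UnsafeNativeMethods.ERROR_SUCCESS;

        try
        {
            handle = UnsafeNativeMethods.EvtQuery(IntPtr.Zero, eventLogLocation, query, (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath);
            if (handle == IntPtr.Zero)
            {
                // Capture the Win32 error before anything else can overwrite it.
                int openError = Marshal.GetLastWin32Error();
                Log.Log(LogType.FILE, LogLevel.ERROR, "Parser In ReadLocal -- Error Opening Event File: " + openError);
                return false;
            }

            hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextSystem);
            if (hRenderContext == IntPtr.Zero)
            {
                int contextError = Marshal.GetLastWin32Error();
                Log.Log(LogType.FILE, LogLevel.ERROR, "Parser In ReadLocal -- Error Creating Render Context Failed: " + contextError + ")");
                return false;
            }

            var sb = new StringBuilder();
            int returned = 0;
            var rec = new EventRecordWrapper();
            isFileFinished = false;
            lastLine = "-";

            // One record per EvtNext call. EvtNext returns false both at end-of-file and on a
            // genuine failure; the two are not distinguished here (GetLastWin32Error would tell).
            // events[0] is closed in the per-record finally even when a `continue` skips the record.
            while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned))
            {
                try
                {
                    if (!GetRenderValues(hRenderContext, events[0], UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues, ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed, ref dwPropertyCount, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Parser In ReadLocal -- Error Getting Render Event Values Failed: " + status + ")");
                        continue;
                    }

                    // Slot 0 of the system render context is the provider (publisher) name.
                    string meta = Marshal.PtrToStringAuto(((UnsafeNativeMethods.EvtVariant)Marshal.PtrToStructure(pRenderedValues, typeof(UnsafeNativeMethods.EvtVariant))).StringVal);
                    if (meta == null)
                    {
                        Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- Event has no meta data. Skipping");
                        continue;
                    }

                    rec.Reset();
                    rec.EventId = ReadSystemProperty(pRenderedValues, UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID).UShort;

                    IntPtr metaPtr;
                    if (!metaDict.TryGetValue(meta, out metaPtr))
                    {
                        metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(IntPtr.Zero, meta, null, 0, 0);
                        if (metaPtr == IntPtr.Zero)
                        {
                            int metaError = Marshal.GetLastWin32Error();
                            Log.Log(LogType.FILE, LogLevel.ERROR, "Parser In ReadLocal -- Error Getting Meta Data Failed: Meta(" + meta + ") Status(" + metaError + ")");
                            continue;
                        }
                        metaDict[meta] = metaPtr;
                    }

                    // Display strings are formatted from the publisher's message tables; a failure
                    // on any of them drops the record rather than emitting a partial one.
                    if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent, ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status);
                        continue;
                    }
                    rec.Description = sb.ToString();

                    if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageTask, ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get TaskDisplayName failed: " + status);
                        continue;
                    }
                    rec.TaskDisplayName = sb.ToString();

                    if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageLevel, ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get LevelDisplayName failed: " + status);
                        continue;
                    }
                    rec.LevelDisplayName = sb.ToString();

                    rec.MachineName = Marshal.PtrToStringAuto(ReadSystemProperty(pRenderedValues, UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer).StringVal);

                    ulong timeCreated = ReadSystemProperty(pRenderedValues, UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated).FileTime;
                    rec.TimeCreated = DateTime.FromFileTime((long)timeCreated);

                    rec.LogName = Marshal.PtrToStringAuto(ReadSystemProperty(pRenderedValues, UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel).StringVal);
                    rec.RecordId = ReadSystemProperty(pRenderedValues, UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId).ULong;

                    if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageKeyword, ref sb, out dwBufferUsed, ref status))
                    {
                        Log.Log(LogType.FILE, LogLevel.ERROR, "Get Keywrod DisplayNames failed:" + status);
                        continue;
                    }

                    // The keyword buffer is a sequence of NUL-separated strings; collection stops at
                    // the first empty segment (which is how the native double-NUL terminator shows up).
                    rec.KeywordsDisplayNames.Clear();
                    int segmentStart = 0, segmentEnd = 0;
                    do
                    {
                        while (segmentEnd < sb.Length && sb[segmentEnd] != '\0')
                        {
                            ++segmentEnd;
                        }
                        if (segmentEnd == segmentStart)
                        {
                            break;
                        }
                        rec.KeywordsDisplayNames.Add(sb.ToString(segmentStart, segmentEnd - segmentStart));
                        if (segmentEnd == sb.Length)
                        {
                            break;
                        }
                        segmentStart = ++segmentEnd;
                    } while (true);

                    ParseSpecific(rec, eventLogLocation);
                    // Persist progress per record so a crash mid-file resumes at the next record.
                    Position = (long)rec.RecordId;
                    SetRegistry();
                }
                finally
                {
                    UnsafeNativeMethods.EvtClose(events[0]);
                    events[0] = IntPtr.Zero;
                }
            }

            isFileFinished = true;
            return true;
        }
        finally
        {
            CleanupEvtHandle(handle);
            CleanupEvtHandle(events[0]);
            CleanupEvtHandle(hRenderContext);
            CleanupEvtHandle(metaDict);
            // NOTE(review): pRenderedValues is not released here. If GetRenderValues hands out
            // HGlobal memory that it does not free on its final call, this leaks one buffer per
            // ReadLocal invocation -- confirm ownership in GetRenderValues before adding a free.
        }
    }
    catch (EventLogNotFoundException e)
    {
        Log.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + e.Message);
    }
    finally
    {
        callable.ReleaseMutex();
    }
    return false;
}

/// <summary>
/// Marshals the EVT_VARIANT at index <paramref name="id"/> of a buffer rendered with the
/// system render context. The buffer is a contiguous array of EVT_VARIANT structures, so
/// the slot address is base + id * sizeof(EVT_VARIANT).
/// </summary>
/// <param name="pRenderedValues">Base of the rendered EVT_VARIANT array.</param>
/// <param name="id">System property whose slot is read.</param>
/// <returns>The marshalled variant for that slot.</returns>
private static UnsafeNativeMethods.EvtVariant ReadSystemProperty(IntPtr pRenderedValues, UnsafeNativeMethods.EvtSystemPropertyId id)
{
    // 64-bit arithmetic: truncating the base pointer to Int32 throws or mis-addresses on x64.
    long offset = (long)(int)id * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant));
    var slot = new IntPtr(pRenderedValues.ToInt64() + offset);
    return (UnsafeNativeMethods.EvtVariant)Marshal.PtrToStructure(slot, typeof(UnsafeNativeMethods.EvtVariant));
}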
// protected bool ReadLocal(string fileName) { L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Started."); if (!callable.WaitOne(0)) { L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE"); callable.WaitOne(); try { throw new Exception("Parse already been processed by another thread while this call has made"); } finally { callable.ReleaseMutex(); } } try { L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Started with lastfile: " + lastFile); var eventLogLocation = fileName; var query = last_recordnum > 0 ? "*[System/EventRecordID > " + last_recordnum + "]" : null; var handle = IntPtr.Zero; var events = new[] { IntPtr.Zero }; var hRenderContext = IntPtr.Zero; var pRenderedValues = IntPtr.Zero; var hRenderContextEvtData = IntPtr.Zero; var metaDict = new Dictionary<string, IntPtr>(); var dwBufferUsed = 0; var dwPropertyCount = 0; var dwBufferSize = 0; var status = UnsafeNativeMethods.ERROR_SUCCESS; var session = IntPtr.Zero; try { var info = user == null ? null : user.Split('\\'); if (info != null && info.Length == 3) { string domain = string.IsNullOrEmpty(info[0]) ? null : info[0]; ip = string.IsNullOrEmpty(info[1]) ? null : info[1]; string userName = string.IsNullOrEmpty(info[2]) ? 
null : info[2]; L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Remote Logger: " + user); var login = new UnsafeNativeMethods.EvtRpcLogin() { Domain = domain, User = userName, Password = CoTaskMemUnicodeSafeHandle.Zero, Server = ip }; var secureString = new SecureString(); if (!string.IsNullOrEmpty(password)) { foreach (var ch in password) { secureString.AppendChar(ch); } } login.Password.SetMemory(Marshal.SecureStringToCoTaskMemUnicode(secureString)); session = UnsafeNativeMethods.EvtOpenSession(UnsafeNativeMethods.EvtLoginClass.EvtRpcLogin, ref login, 0, 0); L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath: " + UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath); } /* flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath; L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath: " + UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath); } else { */ int flags; if (location.Contains("\\")) { flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath; L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal --EvtQueryFilePath"); } else { flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath; L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal --EvtQueryChannelPath"); } L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- " + session + " - " + eventLogLocation + " - " + query + " - " + flags); handle = UnsafeNativeMethods.EvtQuery(session, eventLogLocation, query, flags); var code = Marshal.GetLastWin32Error(); Console.WriteLine("Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Opening Event File: " + code); if (handle == IntPtr.Zero) { L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Opening Event File: " + 
Marshal.GetLastWin32Error()); return false; } hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null, UnsafeNativeMethods .EvtRenderContextFlags .EvtRenderContextSystem); var hRenderContextUser = UnsafeNativeMethods.EvtCreateRenderContext(0, null, UnsafeNativeMethods .EvtRenderContextFlags .EvtRenderContextUser); if (hRenderContext == IntPtr.Zero) { L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Creating Render Context Failed: " + Marshal.GetLastWin32Error() + ")"); return false; } var buffer = new StringBuilder(); var lineBuffer = new StringBuilder(); var tmpBuffer = new StringBuilder(); var domainBuffer = new StringBuilder(); var usernameBuffer = new StringBuilder(); var returned = 0; var rec = new EventRecordWrapper(); isFileFinished = false; lastLine = "-"; try { while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned)) { try { rec.Reset(); if (userData) { if (GetRenderValues(hRenderContextUser, events[0], UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues, ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed, ref dwPropertyCount, ref status)) { buffer.Remove(0, buffer.Length); for (var i = 0; i < dwPropertyCount; i++) { var v = Marshal.PtrToStringAuto( ((UnsafeNativeMethods.EvtVariant) (Marshal.PtrToStructure( new IntPtr((Int32)pRenderedValues + i * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))), typeof(UnsafeNativeMethods.EvtVariant)))) .StringVal); if (v != null && (v = v.Trim()).Length > 0) buffer.AppendLine(v); } rec.Description = buffer.ToString(); } buffer.Remove(0, buffer.Length); } if (!GetRenderValues(hRenderContext, events[0], UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues, ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed, ref dwPropertyCount, ref status)) { L.Log(LogType.FILE, LogLevel.ERROR, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Getting Render Event Values Failed: " + status + ")"); continue; } var meta = 
Marshal.PtrToStringAuto( ((UnsafeNativeMethods.EvtVariant) (Marshal.PtrToStructure(pRenderedValues, typeof(UnsafeNativeMethods.EvtVariant)))) .StringVal); if (meta == null) { L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Event has no meta data. Skipping"); continue; } rec.EventId = ((UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure( new IntPtr((Int32)pRenderedValues + ((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID) * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))), typeof(UnsafeNativeMethods.EvtVariant))).UShort; L.Log(LogType.FILE, LogLevel.DEBUG, "EventId: " + rec.EventId); IntPtr metaPtr; if (!metaDict.TryGetValue(meta, out metaPtr)) { metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(session, meta, flags == (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath ? eventLogLocation : null, LangId, 0); if (metaPtr != IntPtr.Zero) metaDict[meta] = metaPtr; } if (!userData || string.IsNullOrEmpty(rec.Description)) { rec.Description = string.Empty; if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags .EvtFormatMessageEvent, ref buffer, out dwBufferUsed, ref status)) { buffer.Remove(0, buffer.Length); L.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status); } rec.Description = buffer.ToString(); } if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageTask, ref buffer, out dwBufferUsed, ref status)) { buffer.Remove(0, buffer.Length); } rec.TaskDisplayName = buffer.ToString(); if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageLevel, ref buffer, out dwBufferUsed, ref status)) { buffer.Remove(0, buffer.Length); } rec.LevelDisplayName = buffer.ToString(); rec.MachineName = Marshal.PtrToStringAuto( ((UnsafeNativeMethods.EvtVariant) (Marshal.PtrToStructure( new IntPtr((Int32)pRenderedValues + ((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer) * 
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))), typeof(UnsafeNativeMethods.EvtVariant)))) .StringVal); ulong timeCreated = ((UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure( new IntPtr((Int32)pRenderedValues + ((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated) * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))), typeof(UnsafeNativeMethods.EvtVariant))).FileTime; rec.TimeCreated = DateTime.FromFileTime((long)timeCreated); L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- TimeCreated: " + rec.TimeCreated); rec.LogName = Marshal.PtrToStringAuto( ((UnsafeNativeMethods.EvtVariant) (Marshal.PtrToStructure( new IntPtr((Int32)pRenderedValues + ((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel) * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))), typeof(UnsafeNativeMethods.EvtVariant)))) .StringVal); rec.RecordId = ((UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure( new IntPtr((Int32)pRenderedValues + ((int) UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId) * Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))), typeof(UnsafeNativeMethods.EvtVariant))).ULong; L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords"); if (!GetMessageString(metaPtr, events[0], UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageKeyword, ref buffer, out dwBufferUsed, ref status)) { L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords FAILED:" + status); buffer.Remove(0, buffer.Length); } else L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords SUCCESS:[" + buffer + "]"); rec.KeywordsDisplayNames.Clear(); int s = 0, e = 0; do { while (e < buffer.Length && buffer[e] != '\0') ++e; if (e == s) { break; } if (e == buffer.Length) { rec.KeywordsDisplayNames.Add(buffer.ToString(s, e - s)); break; } rec.KeywordsDisplayNames.Add(buffer.ToString(s, e 
- s)); s = ++e; } while (true); L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Description: " + rec.Description); ParseSpecific(rec, eventLogLocation); last_recordnum = (long)rec.RecordId; //SetRegistry(); } finally { UnsafeNativeMethods.EvtClose(events[0]); events[0] = IntPtr.Zero; } } } finally { try { var customServiceBase = GetInstanceService("Security Manager Remote Recorder"); L.Log(LogType.FILE, LogLevel.DEBUG, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Setting Registry."); customServiceBase.SetReg(Id, last_recordnum.ToString(CultureInfo.InvariantCulture), "-", lastFile, "", LastRecordDate); L.Log(LogType.FILE, LogLevel.DEBUG, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Registry Set."); } catch (Exception exception) { L.Log(LogType.FILE, LogLevel.ERROR, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Setting Registry Error." + exception.Message); } } isFileFinished = true; return true; } finally { CleanupEvtHandle(handle); CleanupEvtHandle(events[0]); CleanupEvtHandle(hRenderContext); CleanupEvtHandle(hRenderContextEvtData); CleanupEvtHandle(metaDict); } } catch (EventLogNotFoundException e) { L.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + e.Message); } finally { callable.ReleaseMutex(); } return false; }