protected override bool ReadLocal()
{
if (!callable.WaitOne(0))
{
Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE");
callable.WaitOne();
try
{
throw new Exception("Parse already been processed by another thread while this call has made");
}
finally
{
callable.ReleaseMutex();
}
}
try
{
//if (!string.IsNullOrEmpty(FileName) || !File.Exists(FileName))
//{
// return true;
//}
Log.Log(LogType.FILE, LogLevel.INFORM, "Parser In ReadLocal -- Started with lastfile: " + lastFile);
string eventLogLocation = FileName;
string query = Position > 0 ? "*[System/EventRecordID > " + Position + "]" : null;
IntPtr handle = IntPtr.Zero;
var events = new IntPtr[] { IntPtr.Zero };
IntPtr hRenderContext = IntPtr.Zero;
IntPtr pRenderedValues = IntPtr.Zero;
var metaDict = new Dictionary<string, IntPtr>();
int dwBufferUsed = 0;
int dwPropertyCount = 0;
int dwBufferSize = 0;
int status = UnsafeNativeMethods.ERROR_SUCCESS;
try
{
handle = UnsafeNativeMethods.EvtQuery(IntPtr.Zero, eventLogLocation,
query,
(int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath);
if (handle == IntPtr.Zero)
{
Log.Log(LogType.FILE, LogLevel.ERROR,
"Parser In ReadLocal -- Error Opening Event File: " + Marshal.GetLastWin32Error());
return false;
}
hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null,
UnsafeNativeMethods
.EvtRenderContextFlags
.EvtRenderContextSystem);
if (hRenderContext == IntPtr.Zero)
{
Log.Log(LogType.FILE, LogLevel.ERROR,
"Parser In ReadLocal -- Error Creating Render Context Failed: " +
Marshal.GetLastWin32Error() + ")");
return false;
}
var sb = new StringBuilder();
int returned = 0;
var rec = new EventRecordWrapper();
isFileFinished = false;
lastLine = "-";
while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned))
{
try
{
if (!GetRenderValues(hRenderContext, events[0],
UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues,
ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed,
ref dwPropertyCount, ref status))
{
Log.Log(LogType.FILE, LogLevel.ERROR,
"Parser In ReadLocal -- Error Getting Render Event Values Failed: " + status +
")");
continue;
}
string meta =
Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(pRenderedValues, typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
if (meta == null)
{
Log.Log(LogType.FILE, LogLevel.INFORM,
"Parser In ReadLocal -- Event has no meta data. Skipping");
continue;
}
rec.Reset();
rec.EventId =
((UnsafeNativeMethods.EvtVariant)
Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))).UShort;
IntPtr metaPtr;
if (!metaDict.TryGetValue(meta, out metaPtr))
{
metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(IntPtr.Zero, meta, null, 0, 0);
if (metaPtr == IntPtr.Zero)
{
Log.Log(LogType.FILE, LogLevel.ERROR,
"Parser In ReadLocal -- Error Getting Meta Data Failed: Meta(" + meta +
") Status(" + Marshal.GetLastWin32Error() + ")");
continue;
}
metaDict[meta] = metaPtr;
}
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent,
ref sb,
out dwBufferUsed, ref status))
{
Log.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status);
continue;
}
rec.Description = sb.ToString();
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageTask, ref sb,
out dwBufferUsed, ref status))
{
Log.Log(LogType.FILE, LogLevel.ERROR, "Get TaskDisplayName failed: " + status);
continue;
}
rec.TaskDisplayName = sb.ToString();
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageLevel,
ref sb,
out dwBufferUsed, ref status))
{
Log.Log(LogType.FILE, LogLevel.ERROR, "Get LevelDisplayName failed: " + status);
continue;
}
rec.LevelDisplayName = sb.ToString();
rec.MachineName =
Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
ulong timeCreated =
((UnsafeNativeMethods.EvtVariant)
Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))).FileTime;
rec.TimeCreated = DateTime.FromFileTime((long)timeCreated);
rec.LogName =
Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
rec.RecordId =
((UnsafeNativeMethods.EvtVariant)
Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))).ULong;
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageKeyword,
ref sb,
out dwBufferUsed, ref status))
{
Log.Log(LogType.FILE, LogLevel.ERROR, "Get Keywrod DisplayNames failed:" + status);
continue;
}
rec.KeywordsDisplayNames.Clear();
int s = 0, e = 0;
do
{
while (e < sb.Length && sb[e] != '\0')
++e;
if (e == s)
{
break;
}
if (e == sb.Length)
{
rec.KeywordsDisplayNames.Add(sb.ToString(s, e - s));
break;
}
rec.KeywordsDisplayNames.Add(sb.ToString(s, e - s));
s = ++e;
} while (true);
ParseSpecific(rec, eventLogLocation);
Position = (long)rec.RecordId;
SetRegistry();
}
finally
{
UnsafeNativeMethods.EvtClose(events[0]);
events[0] = IntPtr.Zero;
}
}
isFileFinished = true;
return true;
}
finally
{
CleanupEvtHandle(handle);
CleanupEvtHandle(events[0]);
CleanupEvtHandle(hRenderContext);
CleanupEvtHandle(metaDict);
}
}
catch (EventLogNotFoundException e)
{
Log.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + e.Message);
}
finally
{
callable.ReleaseMutex();
}
return false;
}
//
protected bool ReadLocal(string fileName)
{
L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Started.");
if (!callable.WaitOne(0))
{
L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- CALLED MULTIPLE TIMES STILL IN USE");
callable.WaitOne();
try
{
throw new Exception("Parse already been processed by another thread while this call has made");
}
finally
{
callable.ReleaseMutex();
}
}
try
{
L.Log(LogType.FILE, LogLevel.INFORM, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Started with lastfile: " + lastFile);
var eventLogLocation = fileName;
var query = last_recordnum > 0 ? "*[System/EventRecordID > " + last_recordnum + "]" : null;
var handle = IntPtr.Zero;
var events = new[] { IntPtr.Zero };
var hRenderContext = IntPtr.Zero;
var pRenderedValues = IntPtr.Zero;
var hRenderContextEvtData = IntPtr.Zero;
var metaDict = new Dictionary<string, IntPtr>();
var dwBufferUsed = 0;
var dwPropertyCount = 0;
var dwBufferSize = 0;
var status = UnsafeNativeMethods.ERROR_SUCCESS;
var session = IntPtr.Zero;
try
{
var info = user == null ? null : user.Split('\\');
if (info != null && info.Length == 3)
{
string domain = string.IsNullOrEmpty(info[0]) ? null : info[0];
ip = string.IsNullOrEmpty(info[1]) ? null : info[1];
string userName = string.IsNullOrEmpty(info[2]) ? null : info[2];
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Remote Logger: " + user);
var login = new UnsafeNativeMethods.EvtRpcLogin()
{
Domain = domain,
User = userName,
Password = CoTaskMemUnicodeSafeHandle.Zero,
Server = ip
};
var secureString = new SecureString();
if (!string.IsNullOrEmpty(password))
{
foreach (var ch in password)
{
secureString.AppendChar(ch);
}
}
login.Password.SetMemory(Marshal.SecureStringToCoTaskMemUnicode(secureString));
session = UnsafeNativeMethods.EvtOpenSession(UnsafeNativeMethods.EvtLoginClass.EvtRpcLogin, ref login, 0, 0);
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath: " + UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath);
}
/*
flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath: " + UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath);
}
else
{
*/
int flags;
if (location.Contains("\\"))
{
flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal --EvtQueryFilePath");
}
else
{
flags = (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath;
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal --EvtQueryChannelPath");
}
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- " + session + " - " + eventLogLocation + " - " + query + " - " + flags);
handle = UnsafeNativeMethods.EvtQuery(session, eventLogLocation, query, flags);
var code = Marshal.GetLastWin32Error();
Console.WriteLine("Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Opening Event File: " + code);
if (handle == IntPtr.Zero)
{
L.Log(LogType.FILE, LogLevel.ERROR,
"Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Opening Event File: " + Marshal.GetLastWin32Error());
return false;
}
hRenderContext = UnsafeNativeMethods.EvtCreateRenderContext(0, null,
UnsafeNativeMethods
.EvtRenderContextFlags
.EvtRenderContextSystem);
var hRenderContextUser = UnsafeNativeMethods.EvtCreateRenderContext(0, null,
UnsafeNativeMethods
.EvtRenderContextFlags
.EvtRenderContextUser);
if (hRenderContext == IntPtr.Zero)
{
L.Log(LogType.FILE, LogLevel.ERROR,
"Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Creating Render Context Failed: " +
Marshal.GetLastWin32Error() + ")");
return false;
}
var buffer = new StringBuilder();
var lineBuffer = new StringBuilder();
var tmpBuffer = new StringBuilder();
var domainBuffer = new StringBuilder();
var usernameBuffer = new StringBuilder();
var returned = 0;
var rec = new EventRecordWrapper();
isFileFinished = false;
lastLine = "-";
try
{
while (UnsafeNativeMethods.EvtNext(handle, 1, events, int.MaxValue, 0, ref returned))
{
try
{
rec.Reset();
if (userData)
{
if (GetRenderValues(hRenderContextUser, events[0],
UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues,
ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed,
ref dwPropertyCount, ref status))
{
buffer.Remove(0, buffer.Length);
for (var i = 0; i < dwPropertyCount; i++)
{
var v = Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
i *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
if (v != null && (v = v.Trim()).Length > 0)
buffer.AppendLine(v);
}
rec.Description = buffer.ToString();
}
buffer.Remove(0, buffer.Length);
}
if (!GetRenderValues(hRenderContext, events[0],
UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues,
ref dwBufferSize, ref pRenderedValues, ref dwBufferUsed,
ref dwPropertyCount, ref status))
{
L.Log(LogType.FILE, LogLevel.ERROR,
"Nt2008EventLogFileV_2Recorder In ReadLocal -- Error Getting Render Event Values Failed: " +
status +
")");
continue;
}
var meta =
Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(pRenderedValues,
typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
if (meta == null)
{
L.Log(LogType.FILE, LogLevel.INFORM,
"Nt2008EventLogFileV_2Recorder In ReadLocal -- Event has no meta data. Skipping");
continue;
}
rec.EventId =
((UnsafeNativeMethods.EvtVariant)
Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventID) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))).UShort;
L.Log(LogType.FILE, LogLevel.DEBUG, "EventId: " + rec.EventId);
IntPtr metaPtr;
if (!metaDict.TryGetValue(meta, out metaPtr))
{
metaPtr = UnsafeNativeMethods.EvtOpenPublisherMetadata(session,
meta, flags == (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath ? eventLogLocation : null, LangId, 0);
if (metaPtr != IntPtr.Zero)
metaDict[meta] = metaPtr;
}
if (!userData || string.IsNullOrEmpty(rec.Description))
{
rec.Description = string.Empty;
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags
.EvtFormatMessageEvent,
ref buffer,
out dwBufferUsed, ref status))
{
buffer.Remove(0, buffer.Length);
L.Log(LogType.FILE, LogLevel.ERROR, "Get Description failed:" + status);
}
rec.Description = buffer.ToString();
}
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageTask,
ref buffer,
out dwBufferUsed, ref status))
{
buffer.Remove(0, buffer.Length);
}
rec.TaskDisplayName = buffer.ToString();
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageLevel,
ref buffer,
out dwBufferUsed, ref status))
{
buffer.Remove(0, buffer.Length);
}
rec.LevelDisplayName = buffer.ToString();
rec.MachineName =
Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemComputer) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
ulong timeCreated =
((UnsafeNativeMethods.EvtVariant)
Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemTimeCreated) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))).FileTime;
rec.TimeCreated = DateTime.FromFileTime((long)timeCreated);
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- TimeCreated: " + rec.TimeCreated);
rec.LogName =
Marshal.PtrToStringAuto(
((UnsafeNativeMethods.EvtVariant)
(Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemChannel) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))))
.StringVal);
rec.RecordId =
((UnsafeNativeMethods.EvtVariant)
Marshal.PtrToStructure(
new IntPtr((Int32)pRenderedValues +
((int)
UnsafeNativeMethods.EvtSystemPropertyId.EvtSystemEventRecordId) *
Marshal.SizeOf(typeof(UnsafeNativeMethods.EvtVariant))),
typeof(UnsafeNativeMethods.EvtVariant))).ULong;
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords");
if (!GetMessageString(metaPtr, events[0],
UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageKeyword,
ref buffer,
out dwBufferUsed, ref status))
{
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords FAILED:" + status);
buffer.Remove(0, buffer.Length);
}
else
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Getting Keywords SUCCESS:[" + buffer + "]");
rec.KeywordsDisplayNames.Clear();
int s = 0, e = 0;
do
{
while (e < buffer.Length && buffer[e] != '\0')
++e;
if (e == s)
{
break;
}
if (e == buffer.Length)
{
rec.KeywordsDisplayNames.Add(buffer.ToString(s, e - s));
break;
}
rec.KeywordsDisplayNames.Add(buffer.ToString(s, e - s));
s = ++e;
} while (true);
L.Log(LogType.FILE, LogLevel.DEBUG, "Nt2008EventLogFileV_2Recorder In ReadLocal -- Description: " + rec.Description);
ParseSpecific(rec, eventLogLocation);
last_recordnum = (long)rec.RecordId;
//SetRegistry();
}
finally
{
UnsafeNativeMethods.EvtClose(events[0]);
events[0] = IntPtr.Zero;
}
}
}
finally
{
try
{
var customServiceBase = GetInstanceService("Security Manager Remote Recorder");
L.Log(LogType.FILE, LogLevel.DEBUG, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Setting Registry.");
customServiceBase.SetReg(Id, last_recordnum.ToString(CultureInfo.InvariantCulture), "-", lastFile, "", LastRecordDate);
L.Log(LogType.FILE, LogLevel.DEBUG, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Registry Set.");
}
catch (Exception exception)
{
L.Log(LogType.FILE, LogLevel.ERROR, " Nt2008EventLogFileV_2Recorder In ReadLocal -->> Setting Registry Error." + exception.Message);
}
}
isFileFinished = true;
return true;
}
finally
{
CleanupEvtHandle(handle);
CleanupEvtHandle(events[0]);
CleanupEvtHandle(hRenderContext);
CleanupEvtHandle(hRenderContextEvtData);
CleanupEvtHandle(metaDict);
}
}
catch (EventLogNotFoundException e)
{
L.Log(LogType.FILE, LogLevel.ERROR, "EVTX Parser in ReadLocal ERROR." + e.Message);
}
finally
{
callable.ReleaseMutex();
}
return false;
}