/* Start the event logging for each el */
int startEL(char *app, os_el *el)
{
DWORD NumberOfRecords = 0;
/* Open the event log */
el->h = OpenEventLog(NULL, app);
if (!el->h) {
merror(EVTLOG_OPEN, ARGV0, app);
return (-1);
}
el->name = app;
if (GetOldestEventLogRecord(el->h, &el->record) == 0) {
/* Unable to read oldest event log record */
merror(EVTLOG_GETLAST, ARGV0, app);
CloseEventLog(el->h);
el->h = NULL;
return (-1);
}
if (GetNumberOfEventLogRecords(el->h, &NumberOfRecords) == 0) {
merror(EVTLOG_GETLAST, ARGV0, app);
CloseEventLog(el->h);
el->h = NULL;
return (-1);
}
if (NumberOfRecords <= 0) {
return (0);
}
return ((int)NumberOfRecords);
}
BOOL
ClearEvents(VOID)
{
HANDLE hEventLog;
WCHAR szFileName[MAX_PATH];
WCHAR szMessage[MAX_LOADSTRING];
ZeroMemory(szFileName, sizeof(szFileName));
ZeroMemory(szMessage, sizeof(szMessage));
LoadStringW(hInst, IDS_CLEAREVENTS_MSG, szMessage, MAX_LOADSTRING);
sfn.lpstrFile = szFileName;
sfn.nMaxFile = MAX_PATH;
switch (MessageBoxW(hwndMainWindow, szMessage, szTitle, MB_YESNOCANCEL | MB_ICONINFORMATION))
{
case IDCANCEL:
{
return FALSE;
}
case IDNO:
{
sfn.lpstrFile = NULL;
break;
}
case IDYES:
{
if (!GetSaveFileNameW(&sfn))
{
return FALSE;
}
break;
}
}
hEventLog = OpenEventLogW(lpComputerName, lpSourceLogName);
if (!hEventLog)
{
ShowLastWin32Error();
return FALSE;
}
if (!ClearEventLogW(hEventLog, sfn.lpstrFile))
{
ShowLastWin32Error();
CloseEventLog(hEventLog);
return FALSE;
}
CloseEventLog(hEventLog);
return TRUE;
}
static void test_oldest(void)
{
HANDLE handle;
BOOL ret;
DWORD oldest;
const char backup[] = "backup.evt";
SetLastError(0xdeadbeef);
ret = GetOldestEventLogRecord(NULL, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
oldest = 0xdeadbeef;
ret = GetOldestEventLogRecord(NULL, &oldest);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
ok(oldest == 0xdeadbeef, "Expected oldest to stay unchanged\n");
handle = OpenEventLogA(NULL, "Application");
SetLastError(0xdeadbeef);
ret = GetOldestEventLogRecord(handle, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
oldest = 0xdeadbeef;
ret = GetOldestEventLogRecord(handle, &oldest);
ok(ret, "Expected success\n");
ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
CloseEventLog(handle);
/* Make a backup eventlog to work with */
if (create_backup(backup))
{
handle = OpenBackupEventLogA(NULL, backup);
todo_wine
ok(handle != NULL, "Expected a handle\n");
/* Does GetOldestEventLogRecord work with backup eventlogs? */
oldest = 0xdeadbeef;
ret = GetOldestEventLogRecord(handle, &oldest);
todo_wine
{
ok(ret, "Expected success\n");
ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
}
CloseEventLog(handle);
DeleteFileA(backup);
}
}
static void test_open_close(void)
{
HANDLE handle;
BOOL ret;
SetLastError(0xdeadbeef);
ret = CloseEventLog(NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE ||
GetLastError() == ERROR_NOACCESS, /* W2K */
"Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
handle = OpenEventLogA(NULL, NULL);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
handle = OpenEventLogA("IDontExist", NULL);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
handle = OpenEventLogA("IDontExist", "deadbeef");
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
"Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
/* This one opens the Application log */
handle = OpenEventLogA(NULL, "deadbeef");
ok(handle != NULL, "Expected a handle\n");
ret = CloseEventLog(handle);
ok(ret, "Expected success\n");
/* Close a second time */
SetLastError(0xdeadbeef);
ret = CloseEventLog(handle);
todo_wine
{
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
}
/* Empty servername should be read as local server */
handle = OpenEventLogA("", "Application");
ok(handle != NULL, "Expected a handle\n");
CloseEventLog(handle);
handle = OpenEventLogA(NULL, "Application");
ok(handle != NULL, "Expected a handle\n");
CloseEventLog(handle);
}
VOID
SaveProtocol(VOID)
{
HANDLE hEventLog;
WCHAR szFileName[MAX_PATH];
ZeroMemory(szFileName, sizeof(szFileName));
sfn.lpstrFile = szFileName;
sfn.nMaxFile = MAX_PATH;
if (!GetSaveFileNameW(&sfn))
{
return;
}
hEventLog = OpenEventLogW(lpComputerName, lpSourceLogName);
if (!hEventLog)
{
ShowLastWin32Error();
return;
}
if (!BackupEventLogW(hEventLog, szFileName))
{
ShowLastWin32Error();
}
CloseEventLog(hEventLog);
}
/* close event logger */
static int zbx_close_eventlog(HANDLE eventlog_handle)
{
if (NULL != eventlog_handle)
CloseEventLog(eventlog_handle);
return SUCCEED;
}
static void test_info(void)
{
HANDLE handle;
BOOL ret;
DWORD needed;
BYTE buffer[2 * sizeof(EVENTLOG_FULL_INFORMATION)];
EVENTLOG_FULL_INFORMATION *efi = (void *)buffer;
if (!pGetEventLogInformation)
{
/* NT4 */
win_skip("GetEventLogInformation is not available\n");
return;
}
SetLastError(0xdeadbeef);
ret = pGetEventLogInformation(NULL, 1, NULL, 0, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_LEVEL, "Expected ERROR_INVALID_LEVEL, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = pGetEventLogInformation(NULL, EVENTLOG_FULL_INFO, NULL, 0, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
handle = OpenEventLogA(NULL, "Application");
SetLastError(0xdeadbeef);
ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, &needed);
ok(!ret, "Expected failure\n");
ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
needed = 0xdeadbeef;
efi->dwFull = 0xdeadbeef;
ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, &needed);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
ok(efi->dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");
/* Not that we care, but on success last error is set to ERROR_IO_PENDING */
efi->dwFull = 0xdeadbeef;
needed = sizeof(buffer);
ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, needed, &needed);
ok(ret, "Expected success\n");
ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
ok(efi->dwFull == 0 || efi->dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi->dwFull);
CloseEventLog(handle);
}
BOOL My_CloseEventLog()
{
HANDLE hEventLog=NULL;
BOOL returnVal_Real = NULL;
BOOL returnVal_Intercepted = NULL;
DWORD error_Real = 0;
DWORD error_Intercepted = 0;
__try{
disableInterception();
returnVal_Real = CloseEventLog (hEventLog);
error_Real = GetLastError();
enableInterception();
returnVal_Intercepted = CloseEventLog (hEventLog);
error_Intercepted = GetLastError();
}__except(puts("in filter"), 1){puts("exception caught");}
return ((returnVal_Real == returnVal_Intercepted) && (error_Real == error_Intercepted));
}
//---------------------------------------------------------------------
// OpenEventLog/CloseEventLogを対にするクラス
//---------------------------------------------------------------------
//---------------------------------------------------------------------
// イベントログを開く
//---------------------------------------------------------------------
BOOL kjm::eventlog::OpenEventLog( LPCTSTR lpUNCServerName, LPCTSTR lpSourceName ) {
// すでに開いているかもしれないので、閉じる
CloseEventLog();
m_unc_server_name = ( lpUNCServerName ) ? lpUNCServerName : "";
m_source_name = ( lpSourceName ) ? lpSourceName : "";
m_hEventLog = ::OpenEventLog( lpUNCServerName, lpSourceName );
return ( m_hEventLog ) ? TRUE : FALSE;
}
static void test_clear(void)
{
HANDLE handle;
BOOL ret;
const char backup[] = "backup.evt";
const char backup2[] = "backup2.evt";
SetLastError(0xdeadbeef);
ret = ClearEventLogA(NULL, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
/* Make a backup eventlog to work with */
if (!create_backup(backup))
return;
SetLastError(0xdeadbeef);
ret = ClearEventLogA(NULL, backup);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
handle = OpenBackupEventLogA(NULL, backup);
todo_wine
ok(handle != NULL, "Expected a handle\n");
/* A real eventlog would fail with ERROR_ALREADY_EXISTS */
SetLastError(0xdeadbeef);
ret = ClearEventLogA(handle, backup);
ok(!ret, "Expected failure\n");
/* The eventlog service runs under an account that doesn't have the necessary
* permissions on the users home directory on a default Vista+ system.
*/
ok(GetLastError() == ERROR_INVALID_HANDLE ||
GetLastError() == ERROR_ACCESS_DENIED, /* Vista+ */
"Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
/* Show that ClearEventLog only works for real eventlogs. */
SetLastError(0xdeadbeef);
ret = ClearEventLogA(handle, backup2);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
ok(GetFileAttributesA(backup2) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
SetLastError(0xdeadbeef);
ret = ClearEventLogA(handle, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
CloseEventLog(handle);
todo_wine
ok(DeleteFileA(backup), "Could not delete the backup file\n");
}
static BOOL create_backup(const char *filename)
{
HANDLE handle;
DWORD rc, attribs;
DeleteFileA(filename);
handle = OpenEventLogA(NULL, "Application");
rc = BackupEventLogA(handle, filename);
if (!rc && GetLastError() == ERROR_PRIVILEGE_NOT_HELD)
{
skip("insufficient privileges to backup the eventlog\n");
CloseEventLog(handle);
return FALSE;
}
ok(rc, "BackupEventLogA failed, le=%u\n", GetLastError());
CloseEventLog(handle);
attribs = GetFileAttributesA(filename);
todo_wine
ok(attribs != INVALID_FILE_ATTRIBUTES, "Expected a backup file attribs=%#x le=%u\n", attribs, GetLastError());
return TRUE;
}
/*
* Closes the specified event log.
*
* TLVs:
*
* req: TLV_TYPE_EVENT_HANDLE - The event log handle
*/
DWORD request_sys_eventlog_close(Remote * remote, Packet * packet)
{
Packet * response = packet_create_response(packet);
DWORD result = ERROR_SUCCESS;
HANDLE hEvent = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
if(CloseEventLog(hEvent) == 0) {
result = GetLastError();
}
packet_transmit_response(result, remote, response);
return ERROR_SUCCESS;
}
void logInfo(const char *functionName, const char *text) {
#ifndef WIN32
syslog(LOG_INFO, "SoftHSM: %s: %s", functionName, text);
#else
HANDLE hEventLog = OpenEventLog(NULL, "SoftHSM");
if(hEventLog) {
char msg[1024];
char* msgs[1];
snprintf(msg, sizeof(msg), "%s: %s", functionName, text);
msgs[0] = msg;
ReportEvent(hEventLog, EVENTLOG_INFORMATION_TYPE, 0, 0, NULL, 1, 0, (const char **)msgs, NULL);
CloseEventLog(hEventLog);
}
#endif
}
/* open event logger and return number of records */
static int zbx_open_eventlog(LPCTSTR wsource, HANDLE *eventlog_handle, zbx_uint64_t *FirstID,
zbx_uint64_t *LastID)
{
const char *__function_name = "zbx_open_eventlog";
wchar_t reg_path[MAX_PATH];
HKEY hk = NULL;
DWORD dwNumRecords, dwOldestRecord;
int ret = FAIL;
zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __function_name);
*eventlog_handle = NULL;
/* Get path to eventlog */
StringCchPrintf(reg_path, MAX_PATH, EVENTLOG_REG_PATH TEXT("%s"), wsource);
if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hk))
goto out;
RegCloseKey(hk);
if (NULL == (*eventlog_handle = OpenEventLog(NULL, wsource))) /* open log file */
goto out;
if (0 == GetNumberOfEventLogRecords(*eventlog_handle, &dwNumRecords) ||
0 == GetOldestEventLogRecord(*eventlog_handle, &dwOldestRecord))
{
CloseEventLog(*eventlog_handle);
*eventlog_handle = NULL;
goto out;
}
*FirstID = dwOldestRecord;
*LastID = dwOldestRecord + dwNumRecords - 1;
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s FirstID:" ZBX_FS_UI64 " LastID:" ZBX_FS_UI64 " numIDs:%lu",
__function_name, zbx_result_string(ret), *FirstID, *LastID, dwNumRecords);
ret = SUCCEED;
out:
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s", __function_name, zbx_result_string(ret));
return ret;
}
void
snmp_disable_syslog_entry(netsnmp_log_handler *logh)
{
if (!logh || !logh->enabled || logh->type != NETSNMP_LOGHANDLER_SYSLOG)
return;
#ifdef WIN32
if (logh->magic) {
HANDLE eventlog_h = (HANDLE)logh->magic;
CloseEventLog(eventlog_h);
logh->magic = NULL;
}
#else
closelog();
logh->imagic = 0;
#endif
netsnmp_disable_this_loghandler(logh);
}
int mqtt3_log_close(struct mqtt3_config *config)
{
if(log_destinations & MQTT3_LOG_SYSLOG){
#ifndef WIN32
closelog();
#else
CloseEventLog(syslog_h);
#endif
}
if(log_destinations & MQTT3_LOG_FILE){
if(config->log_fptr){
fclose(config->log_fptr);
config->log_fptr = NULL;
}
}
/* FIXME - do something for all destinations! */
return MOSQ_ERR_SUCCESS;
}
static void test_backup(void)
{
HANDLE handle;
BOOL ret;
const char backup[] = "backup.evt";
const char backup2[] = "backup2.evt";
SetLastError(0xdeadbeef);
ret = BackupEventLogA(NULL, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = BackupEventLogA(NULL, backup);
ok(!ret, "Expected failure\n");
ok(GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
handle = OpenEventLogA(NULL, "Application");
SetLastError(0xdeadbeef);
ret = BackupEventLogA(handle, NULL);
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
ret = BackupEventLogA(handle, backup);
if (!ret && GetLastError() == ERROR_PRIVILEGE_NOT_HELD)
{
skip("insufficient privileges for backup tests\n");
CloseEventLog(handle);
return;
}
ok(ret, "Expected success\n");
todo_wine
ok(GetFileAttributesA(backup) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
/* Try to overwrite */
SetLastError(0xdeadbeef);
ret = BackupEventLogA(handle, backup);
todo_wine
{
ok(!ret, "Expected failure\n");
ok(GetLastError() == ERROR_ALREADY_EXISTS, "Expected ERROR_ALREADY_EXISTS, got %d\n", GetLastError());
}
CloseEventLog(handle);
/* Can we make a backup of a backup? */
handle = OpenBackupEventLogA(NULL, backup);
todo_wine
ok(handle != NULL, "Expected a handle\n");
ret = BackupEventLogA(handle, backup2);
todo_wine
{
ok(ret, "Expected success\n");
ok(GetFileAttributesA(backup2) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
}
CloseEventLog(handle);
DeleteFileA(backup);
DeleteFileA(backup2);
}
int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPSTR lpCmdLine, int nCmdShow) {
int rc;
WNDCLASSEX wc;
MSG msg;
const char *class_name = "brickd_logviewer";
(void)hPrevInstance;
(void)lpCmdLine;
_hinstance = hInstance;
_event_log = OpenEventLog(NULL, "Brick Daemon");
if (_event_log == NULL) {
rc = GetLastError();
report_error("Could not open event log: %s (%d)",
get_error_name(rc), rc);
return 0;
}
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = window_proc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = hInstance;
wc.hIcon = NULL;
wc.hCursor = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
wc.lpszMenuName = NULL;
wc.lpszClassName = class_name;
wc.hIconSm = NULL;
if (!RegisterClassEx(&wc)) {
rc = GetLastError();
report_error("Could not register window class: %s (%d)",
get_error_name(rc), rc);
CloseEventLog(_event_log);
return 0;
}
_hwnd = CreateWindowEx(WS_EX_APPWINDOW | WS_EX_CLIENTEDGE,
class_name,
_title,
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT,
1000, 700,
NULL,
NULL,
hInstance,
NULL);
if (_hwnd == NULL) {
rc = GetLastError();
report_error("Could not create window: %s (%d)",
get_error_name(rc), rc);
CloseEventLog(_event_log);
return 0;
}
SendMessage(_hwnd, WM_SETICON, ICON_BIG,
(LPARAM)LoadIcon(hInstance, MAKEINTRESOURCE(IDI_ICON)));
create_menu();
if (init_common_controls() < 0 ||
create_status_bar() < 0 ||
create_event_list_view() < 0 ||
create_debug_list_view() < 0) {
CloseEventLog(_event_log);
return 0;
}
set_current_list_view(_event_list_view);
ShowWindow(_hwnd, nCmdShow);
UpdateWindow(_hwnd);
if (CreateThread(NULL, 0, read_named_pipe, NULL, 0, NULL) == NULL) {
rc = GetLastError();
report_error("Could not create named pipe thread: %s (%d)",
get_error_name(rc), rc);
}
read_event_log();
SetTimer(_hwnd, 1, 200, (TIMERPROC)NULL);
while ((rc = GetMessage(&msg, NULL, 0, 0)) != 0) {
if (rc < 0) {
rc = GetLastError();
report_error("Could not get window message: %s (%d)",
get_error_name(rc), rc);
break;
} else {
TranslateMessage(&msg);
DispatchMessage(&msg);
}
}
free(_record_buffer);
CloseEventLog(_event_log);
return msg.wParam;
}
BOOL
QueryEventMessages(LPWSTR lpMachineName,
LPWSTR lpLogName)
{
HWND hwndDlg = NULL;
HANDLE hEventLog;
EVENTLOGRECORD *pevlr;
DWORD dwRead, dwNeeded, dwThisRecord, dwTotalRecords = 0, dwCurrentRecord = 0, dwRecordsToRead = 0, dwFlags, dwMaxLength;
size_t cchRemaining;
LPWSTR lpSourceName;
LPWSTR lpComputerName;
LPSTR lpData;
BOOL bResult = TRUE; /* Read succeeded. */
WCHAR szWindowTitle[MAX_PATH];
WCHAR szStatusText[MAX_PATH];
WCHAR szLocalDate[MAX_PATH];
WCHAR szLocalTime[MAX_PATH];
WCHAR szEventID[MAX_PATH];
WCHAR szEventTypeText[MAX_LOADSTRING];
WCHAR szCategoryID[MAX_PATH];
WCHAR szUsername[MAX_PATH];
WCHAR szEventText[EVENT_MESSAGE_FILE_BUFFER];
WCHAR szCategory[MAX_PATH];
WCHAR szData[MAX_PATH];
PWCHAR lpTitleTemplateEnd;
SYSTEMTIME time;
LVITEMW lviEventItem;
dwFlags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ;
/* Open the event log. */
hEventLog = OpenEventLogW(lpMachineName,
lpLogName);
if (hEventLog == NULL)
{
ShowLastWin32Error();
return FALSE;
}
lpSourceLogName = lpLogName;
lpComputerName = lpMachineName;
/* Disable listview redraw */
SendMessage(hwndListView, WM_SETREDRAW, FALSE, 0);
/* Clear the list view */
(void)ListView_DeleteAllItems (hwndListView);
FreeRecords();
GetOldestEventLogRecord(hEventLog, &dwThisRecord);
/* Get the total number of event log records. */
GetNumberOfEventLogRecords (hEventLog , &dwTotalRecords);
g_TotalRecords = dwTotalRecords;
if (dwTotalRecords > 0)
{
EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_ENABLED);
EnableMenuItem(hMainMenu, IDM_SAVE_PROTOCOL, MF_BYCOMMAND | MF_ENABLED);
}
else
{
EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_GRAYED);
EnableMenuItem(hMainMenu, IDM_SAVE_PROTOCOL, MF_BYCOMMAND | MF_GRAYED);
}
g_RecordPtrs = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwTotalRecords * sizeof(PVOID));
/* If we have at least 1000 records show the waiting dialog */
if (dwTotalRecords > 1000)
{
CloseHandle(CreateThread(NULL,
0,
ShowStatusMessageThread,
(LPVOID)&hwndDlg,
0,
NULL));
}
while (dwCurrentRecord < dwTotalRecords)
{
pevlr = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
g_RecordPtrs[dwCurrentRecord] = pevlr;
bResult = ReadEventLog(hEventLog, // Event log handle
dwFlags, // Sequential read
0, // Ignored for sequential read
pevlr, // Pointer to buffer
sizeof(EVENTLOGRECORD), // Size of buffer
&dwRead, // Number of bytes read
&dwNeeded); // Bytes in the next record
if((!bResult) && (GetLastError () == ERROR_INSUFFICIENT_BUFFER))
{
HeapFree(GetProcessHeap(), 0, pevlr);
pevlr = HeapAlloc(GetProcessHeap(), 0, dwNeeded);
g_RecordPtrs[dwCurrentRecord] = pevlr;
ReadEventLogW(hEventLog, // event log handle
dwFlags, // read flags
0, // offset; default is 0
pevlr, // pointer to buffer
dwNeeded, // size of buffer
&dwRead, // number of bytes read
&dwNeeded); // bytes in next record
}
while (dwRead > 0)
{
LoadStringW(hInst, IDS_NOT_AVAILABLE, szUsername, MAX_PATH);
LoadStringW(hInst, IDS_NOT_AVAILABLE, szEventText, MAX_PATH);
LoadStringW(hInst, IDS_NONE, szCategory, MAX_PATH);
// Get the event source name.
lpSourceName = (LPWSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD));
// Get the computer name
lpComputerName = (LPWSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD) + (wcslen(lpSourceName) + 1) * sizeof(WCHAR));
// This ist the data section of the current event
lpData = (LPSTR)((LPBYTE)pevlr + pevlr->DataOffset);
// Compute the event type
EventTimeToSystemTime(pevlr->TimeWritten, &time);
// Get the username that generated the event
GetEventUserName(pevlr, szUsername);
GetDateFormatW(LOCALE_USER_DEFAULT, DATE_SHORTDATE, &time, NULL, szLocalDate, MAX_PATH);
GetTimeFormatW(LOCALE_USER_DEFAULT, 0, &time, NULL, szLocalTime, MAX_PATH);
GetEventType(pevlr->EventType, szEventTypeText);
GetEventCategory(lpLogName, lpSourceName, pevlr, szCategory);
StringCbPrintfW(szEventID, sizeof(szEventID), L"%u", (pevlr->EventID & 0xFFFF));
StringCbPrintfW(szCategoryID, sizeof(szCategoryID), L"%u", pevlr->EventCategory);
lviEventItem.mask = LVIF_IMAGE | LVIF_TEXT | LVIF_PARAM;
lviEventItem.iItem = 0;
lviEventItem.iSubItem = 0;
lviEventItem.lParam = (LPARAM)pevlr;
lviEventItem.pszText = szEventTypeText;
switch (pevlr->EventType)
{
case EVENTLOG_ERROR_TYPE:
lviEventItem.iImage = 2;
break;
case EVENTLOG_AUDIT_FAILURE:
lviEventItem.iImage = 2;
break;
case EVENTLOG_WARNING_TYPE:
lviEventItem.iImage = 1;
break;
case EVENTLOG_INFORMATION_TYPE:
lviEventItem.iImage = 0;
break;
case EVENTLOG_AUDIT_SUCCESS:
lviEventItem.iImage = 0;
break;
case EVENTLOG_SUCCESS:
lviEventItem.iImage = 0;
break;
}
lviEventItem.iItem = ListView_InsertItem(hwndListView, &lviEventItem);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 1, szLocalDate);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 2, szLocalTime);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 3, lpSourceName);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 4, szCategory);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 5, szEventID);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 6, szUsername); //User
ListView_SetItemText(hwndListView, lviEventItem.iItem, 7, lpComputerName); //Computer
MultiByteToWideChar(CP_ACP,
0,
lpData,
pevlr->DataLength,
szData,
MAX_PATH);
ListView_SetItemText(hwndListView, lviEventItem.iItem, 8, szData); //Event Text
dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)((LPBYTE) pevlr + pevlr->Length);
}
dwRecordsToRead--;
dwCurrentRecord++;
}
// All events loaded
if(hwndDlg)
EndDialog(hwndDlg, 0);
StringCchPrintfExW(szWindowTitle,
sizeof(szWindowTitle) / sizeof(WCHAR),
&lpTitleTemplateEnd,
&cchRemaining,
0,
szTitleTemplate, szTitle, lpLogName); /* i = number of characters written */
/* lpComputerName can be NULL here if no records was read */
dwMaxLength = (DWORD)cchRemaining;
if (!lpComputerName)
GetComputerNameW(lpTitleTemplateEnd, &dwMaxLength);
else
StringCchCopyW(lpTitleTemplateEnd, dwMaxLength, lpComputerName);
StringCbPrintfW(szStatusText, sizeof(szStatusText), szStatusBarTemplate, lpLogName, dwTotalRecords);
// Update the status bar
SendMessageW(hwndStatus, SB_SETTEXT, (WPARAM)0, (LPARAM)szStatusText);
// Set the window title
SetWindowTextW(hwndMainWindow, szWindowTitle);
// Resume list view redraw
SendMessageW(hwndListView, WM_SETREDRAW, TRUE, 0);
// Close the event log.
CloseEventLog(hEventLog);
return TRUE;
}
static void test_readwrite(void)
{
HANDLE handle;
PSID user;
DWORD sidsize, count;
BOOL ret, sidavailable;
BOOL on_vista = FALSE; /* Used to indicate Vista, W2K8 or Win7 */
DWORD i;
char *localcomputer = NULL;
DWORD size;
if (pCreateWellKnownSid)
{
sidsize = SECURITY_MAX_SID_SIZE;
user = HeapAlloc(GetProcessHeap(), 0, sidsize);
SetLastError(0xdeadbeef);
pCreateWellKnownSid(WinInteractiveSid, NULL, user, &sidsize);
sidavailable = TRUE;
}
else
{
win_skip("Skipping some SID related tests\n");
sidavailable = FALSE;
user = NULL;
}
/* Write an event with an incorrect event type. This will fail on Windows 7
* but succeed on all others, hence it's not part of the struct.
*/
handle = OpenEventLogA(NULL, eventlogname);
if (!handle)
{
/* Intermittently seen on NT4 when tests are run immediately after boot */
win_skip("Could not get a handle to the eventlog\n");
goto cleanup;
}
count = 0xdeadbeef;
GetNumberOfEventLogRecords(handle, &count);
if (count != 0)
{
/* Needed for W2K3 without a service pack */
win_skip("We most likely opened the Application eventlog\n");
CloseEventLog(handle);
Sleep(2000);
handle = OpenEventLogA(NULL, eventlogname);
count = 0xdeadbeef;
GetNumberOfEventLogRecords(handle, &count);
if (count != 0)
{
win_skip("We didn't open our new eventlog\n");
CloseEventLog(handle);
goto cleanup;
}
}
SetLastError(0xdeadbeef);
ret = ReportEventA(handle, 0x20, 0, 0, NULL, 0, 0, NULL, NULL);
if (!ret && GetLastError() == ERROR_CRC)
{
win_skip("Win7 fails when using incorrect event types\n");
ret = ReportEventA(handle, 0, 0, 0, NULL, 0, 0, NULL, NULL);
ok(ret, "Expected success : %d\n", GetLastError());
}
else
{
void *buf;
DWORD read, needed = 0;
EVENTLOGRECORD *record;
ok(ret, "Expected success : %d\n", GetLastError());
/* Needed to catch earlier Vista (with no ServicePack for example) */
buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
if (!(ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed)) &&
GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, needed, &read, &needed);
}
if (ret)
{
record = (EVENTLOGRECORD *)buf;
/* Vista and W2K8 return EVENTLOG_SUCCESS, Windows versions before return
* the written eventtype (0x20 in this case).
*/
if (record->EventType == EVENTLOG_SUCCESS)
on_vista = TRUE;
}
HeapFree(GetProcessHeap(), 0, buf);
}
/* This will clear the eventlog. The record numbering for new
* events however differs on Vista SP1+. Before Vista the first
* event would be numbered 1, on Vista SP1+ it's higher as we already
* had at least one event (more in case of multiple test runs without
* a reboot).
*/
ClearEventLogA(handle, NULL);
CloseEventLog(handle);
/* Write a bunch of events while using different event sources */
for (i = 0; i < sizeof(read_write)/sizeof(read_write[0]); i++)
{
DWORD oldest;
BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
/* We don't need to use RegisterEventSource to report events */
if (i % 2)
handle = OpenEventLogA(NULL, read_write[i].evt_src);
else
handle = RegisterEventSourceA(NULL, read_write[i].evt_src);
ok(handle != NULL, "Expected a handle\n");
SetLastError(0xdeadbeef);
ret = ReportEventA(handle, read_write[i].evt_type, read_write[i].evt_cat,
read_write[i].evt_id, run_sidtests ? user : NULL,
read_write[i].evt_numstrings, 0, read_write[i].evt_strings, NULL);
ok(ret, "Expected ReportEvent success : %d\n", GetLastError());
count = 0xdeadbeef;
SetLastError(0xdeadbeef);
ret = GetNumberOfEventLogRecords(handle, &count);
ok(ret, "Expected GetNumberOfEventLogRecords success : %d\n", GetLastError());
todo_wine
ok(count == (i + 1), "Expected %d records, got %d\n", i + 1, count);
oldest = 0xdeadbeef;
ret = GetOldestEventLogRecord(handle, &oldest);
ok(ret, "Expected GetOldestEventLogRecord success : %d\n", GetLastError());
todo_wine
ok(oldest == 1 ||
(oldest > 1 && oldest != 0xdeadbeef), /* Vista SP1+, W2K8 and Win7 */
"Expected oldest to be 1 or higher, got %d\n", oldest);
if (oldest > 1 && oldest != 0xdeadbeef)
on_vista = TRUE;
SetLastError(0xdeadbeef);
if (i % 2)
ret = CloseEventLog(handle);
else
ret = DeregisterEventSource(handle);
ok(ret, "Expected success : %d\n", GetLastError());
}
handle = OpenEventLogA(NULL, eventlogname);
count = 0xdeadbeef;
ret = GetNumberOfEventLogRecords(handle, &count);
ok(ret, "Expected success\n");
todo_wine
ok(count == i, "Expected %d records, got %d\n", i, count);
CloseEventLog(handle);
if (count == 0)
{
skip("No events were written to the eventlog\n");
goto cleanup;
}
/* Report only once */
if (on_vista)
skip("There is no DWORD alignment enforced for UserSid on Vista, W2K8 or Win7\n");
if (on_vista && pGetComputerNameExA)
{
/* New Vista+ behavior */
size = 0;
SetLastError(0xdeadbeef);
pGetComputerNameExA(ComputerNameDnsFullyQualified, NULL, &size);
localcomputer = HeapAlloc(GetProcessHeap(), 0, size);
pGetComputerNameExA(ComputerNameDnsFullyQualified, localcomputer, &size);
}
else
{
size = MAX_COMPUTERNAME_LENGTH + 1;
localcomputer = HeapAlloc(GetProcessHeap(), 0, size);
GetComputerNameA(localcomputer, &size);
}
/* Read all events from our created eventlog, one by one */
handle = OpenEventLogA(NULL, eventlogname);
ok(handle != NULL, "Failed to open Event Log, got %d\n", GetLastError());
i = 0;
for (;;)
{
void *buf;
DWORD read, needed;
EVENTLOGRECORD *record;
char *sourcename, *computername;
int k;
char *ptr;
BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
if (!ret && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
HeapFree(GetProcessHeap(), 0, buf);
ok(GetLastError() == ERROR_HANDLE_EOF, "record %d, got %d\n", i, GetLastError());
break;
}
buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, needed, &read, &needed);
ok(ret, "Expected success: %d\n", GetLastError());
record = (EVENTLOGRECORD *)buf;
ok(record->Length == read,
"Expected %d, got %d\n", read, record->Length);
ok(record->Reserved == 0x654c664c,
"Expected 0x654c664c, got %d\n", record->Reserved);
ok(record->RecordNumber == i + 1 ||
(on_vista && (record->RecordNumber > i + 1)),
"Expected %d or higher, got %d\n", i + 1, record->RecordNumber);
ok(record->EventID == read_write[i].evt_id,
"Expected %d, got %d\n", read_write[i].evt_id, record->EventID);
ok(record->EventType == read_write[i].evt_type,
"Expected %d, got %d\n", read_write[i].evt_type, record->EventType);
ok(record->NumStrings == read_write[i].evt_numstrings,
"Expected %d, got %d\n", read_write[i].evt_numstrings, record->NumStrings);
ok(record->EventCategory == read_write[i].evt_cat,
"Expected %d, got %d\n", read_write[i].evt_cat, record->EventCategory);
sourcename = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD));
ok(!lstrcmpA(sourcename, read_write[i].evt_src), "Expected '%s', got '%s'\n",
read_write[i].evt_src, sourcename);
computername = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1);
ok(!lstrcmpiA(computername, localcomputer), "Expected '%s', got '%s'\n",
localcomputer, computername);
/* Before Vista, UserSid was aligned on a DWORD boundary. Next to that if
* no padding was actually required a 0 DWORD was still used for padding. No
* application should be relying on the padding as we are working with offsets
* anyway.
*/
if (!on_vista)
{
DWORD calculated_sidoffset = sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1 + lstrlenA(computername) + 1;
/* We are already DWORD aligned, there should still be some padding */
if ((((UINT_PTR)buf + calculated_sidoffset) % sizeof(DWORD)) == 0)
ok(*(DWORD *)((BYTE *)buf + calculated_sidoffset) == 0, "Expected 0\n");
ok((((UINT_PTR)buf + record->UserSidOffset) % sizeof(DWORD)) == 0, "Expected DWORD alignment\n");
}
if (run_sidtests)
{
ok(record->UserSidLength == sidsize, "Expected %d, got %d\n", sidsize, record->UserSidLength);
}
else
{
ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n");
ok(record->UserSidLength == 0, "Expected 0, got %d\n", record->UserSidLength);
}
ok(record->DataLength == 0, "Expected 0, got %d\n", record->DataLength);
ptr = (char *)((BYTE *)buf + record->StringOffset);
for (k = 0; k < record->NumStrings; k++)
{
ok(!lstrcmpA(ptr, two_strings[k]), "Expected '%s', got '%s'\n", two_strings[k], ptr);
ptr += lstrlenA(ptr) + 1;
}
ok(record->Length == *(DWORD *)((BYTE *)buf + record->Length - sizeof(DWORD)),
"Expected the closing DWORD to contain the length of the record\n");
HeapFree(GetProcessHeap(), 0, buf);
i++;
}
CloseEventLog(handle);
/* Test clearing a real eventlog */
handle = OpenEventLogA(NULL, eventlogname);
ok(handle != NULL, "Failed to open Event Log, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ClearEventLogA(handle, NULL);
ok(ret, "Expected success\n");
count = 0xdeadbeef;
ret = GetNumberOfEventLogRecords(handle, &count);
ok(ret, "Expected success\n");
ok(count == 0, "Expected an empty eventlog, got %d records\n", count);
CloseEventLog(handle);
cleanup:
HeapFree(GetProcessHeap(), 0, localcomputer);
HeapFree(GetProcessHeap(), 0, user);
}
/*--------------------------[ FindFirstReadPos ]--------------------------
* Find approx start position in the event log to start finding entries from - dont want to start sequentially from the beginning
*
* Returns:
* 0 empty event log, or error ; just go from the beginnning
* value record offset
*----------------------------------------------------------------------------*/
DWORD FindFirstReadPos(char *name,uint32 lastrun) {
DWORD minPos=0;
DWORD maxPos;
DWORD probe;
int status;
//char buffer[2048];
uint32 bytes;
uint32 next;
//EVENTLOGRECORD *record = (EVENTLOGRECORD *)&buffer;
HANDLE hLog;
if ((hLog = OpenEventLog(NULL, name)) == NULL)
return 0;
//Find min
status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,0, &bytes, &next);
if (status==0) {
CloseEventLog(hLog);
return 0;
}
minPos=record->RecordNumber;
CloseEventLog(hLog);
if ((hLog = OpenEventLog(NULL, name)) == NULL)
return 0;
//Find min
status=ernoReadEventLog(hLog, EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ,0, &bytes, &next);
if (status==0) {
CloseEventLog(hLog);
return 0;
}
maxPos=record->RecordNumber;
CloseEventLog(hLog);
probe=(DWORD)(minPos+0.9*(maxPos-minPos));
while(true) {
if ((maxPos-minPos)<200) {
return minPos;
}
if ((hLog = OpenEventLog(NULL, name)) == NULL)
return 0;
status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,probe, &bytes, &next);
CloseEventLog(hLog);
if (status==0) {
return minPos;
}
if ( (record->TimeWritten >= lastrun)) {
maxPos=record->RecordNumber;
} else {
minPos=record->RecordNumber;
}
probe=(DWORD)((minPos+maxPos)/2);
}
return 0;
}
/*--------------------------[ eventlog_read_events ]--------------------------
* Read messages from the event log
*
* Returns:
* success (0)
* error (-1)
*----------------------------------------------------------------------------*/
int eventlog_read_events(eventlog_data* eventlog, uint32 *lastrun,uint32 *thisrun){
//char buffer[EVENTLOG_BUFFER_LEN];
uint32 bytes;
uint32 next;
// EVENTLOGRECORD *record = (EVENTLOGRECORD *)eventBuffer;
HANDLE hLog;
int status;
DWORD recordCounter=1; //used to indicate where to read next from eventlog. It does *not* neccessarily mean that post is to be added;eventlog->Recordoffset takes care of that.
DWORD startPos;
ntsl_event *event;
char *source;
char *computer;
char *strings;
struct tm _time,*time;
bool ThisIsInitialLoop=true;
__try {
time=&_time;
LabelForResettedEventLog:
if ( (lastrun == NULL) || (thisrun == NULL) || (service_halting()) )
return(-1);
if ((hLog = OpenEventLog(NULL, eventlog->name)) == NULL) {
//ntsl_log_error(NTSL_ERROR_EVENT_LOG_ACCESS, eventlog->name);
DEBUGSERVICE(Message,"Failed to open event log %s. Error: %s", eventlog->name,GetLastError());
return(-1);
}
DEBUGPARSE(Header,"Reading %s event log starting at offset %u.", eventlog->name,eventlog->recordOffset);
//find start position
if (eventlog->recordOffset==0) {
startPos=FindFirstReadPos(eventlog->name,*lastrun);
if (startPos==0) { //no help
status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,0, &bytes, &next);
} else {
status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,startPos, &bytes, &next);
}
if ((status==0)&& (GetLastError() != ERROR_INSUFFICIENT_BUFFER)) { //totally empty eventlog, or error; eject
CloseEventLog(hLog);
return(0);
}
eventlog->recordOffset=record->RecordNumber;
eventlog->verificationTime=record->TimeGenerated;
recordCounter=eventlog->recordOffset;
} else {
recordCounter=max(eventlog->recordOffset,0); //-1 so that a valid entry is read unless the enventlog has been wiped.
}
//big loop
while ((status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,recordCounter, &bytes, &next))){
DEBUGPARSE(Message,"Read %u bytes at position %u with return status %d.",bytes,recordCounter, status);
if ((ThisIsInitialLoop)&&(eventlog->verificationTime!=record->TimeGenerated)) { //same id as before, but new time! Start from scratch since eventlog has been rotated/deleted
DEBUGPARSE(Message,"Verification time mismatch! EventLog cleared? starting from the beginning.");
eventlog->recordOffset=0;
ThisIsInitialLoop=false;
CloseEventLog(hLog);
goto LabelForResettedEventLog; //erno only solution to a complete rewrite...(?)
}
ThisIsInitialLoop=false; //Read successful, hence set to false for the future
if (service_halting())
return(-1);
while (bytes > 0) {
/* If this event happened between the last time we ran, and the current
time, and it is one we are interested in, then fill in an ntsl_event
structure, and pass it to the engine to log. */
//If match with registry list of filtered event id's, ignore.
//record->EventID &=0x0000FFFF; Dum, dum idé. Utan unika, högre delarena blir matchningen mellan id och dll'ens id inte unika--> problem.
if ( (record->TimeWritten >= (uint32)*lastrun) &&
(record->TimeWritten < (uint32)*thisrun) &&
(eventlog_check_event(eventlog, record->EventType)) &&
(thisEventIsFilteredOut(record->EventID)==false)) {
source = (LPSTR) ((LPBYTE) record + sizeof(EVENTLOGRECORD));
computer = source + strlen(source) + 1;
strings = (LPSTR) ((LPBYTE) record + record->StringOffset);
__time64_t _TimeGenerated=record->TimeGenerated;
localtime_s(time,&_TimeGenerated);
//DEBUGPARSE(Message,"Nasta startposition %u. Record %u adderades. lastrun: %u thisrun: %u TimeWritten: %u",eventlog->recordOffset,record->RecordNumber,(uint32)*lastrun,(uint32)*thisrun,record->TimeWritten);
if ( (event = (ntsl_event*)malloc0(sizeof(ntsl_event))) == NULL){
ntsl_log_error(NTSL_ERROR_EVENT_MALLOC);
return(-1);
}
event->msg[0] = 0;
//erno2005
strcpy_s(event->facilityName,sizeof(event->facilityName),eventlog->name);
event->time1970format=record->TimeGenerated;
strftime(event->date, NTSL_DATE_LEN, "%b %d %H:%M:%S", time);
if (event->date[4] == '0') // Unix style formatting
event->date[4] = ' ';
strcpy_s(event->host, eventlog_lcase(computer));
strcpy_s(event->source, eventlog_lcase(source));
eventlog_set_event_type(event, record->EventType);
eventlog_set_event_priority(event, record->EventType, eventlog);
eventlog_set_event_msg(event, eventlog->name, record->EventID, strings, record->NumStrings);
eventlog_set_user(event, ((LPBYTE) record + record->UserSidOffset), record->UserSidLength);
DEBUGPARSE(Message,"Sending parsed record %u to output: %s",record->RecordNumber, event->msg);
engine_process_event(event);
event = NULL;
} else {
//DEBUGPARSE(Message,"Next start position %u. Record %u ignored. lastrun: %u thisrun: %u TimeWritten: %u",eventlog->recordOffset,record->RecordNumber,(uint32)*lastrun,(uint32)*thisrun,record->TimeWritten);
}
bytes -= record->Length;
//DEBUGPARSE(Message,"Bytes remaining in buffer to read is %u.",bytes);
if (record->TimeWritten < (uint32)*thisrun) {
eventlog->recordOffset=record->RecordNumber;
eventlog->verificationTime=record->TimeGenerated;
}
record = (EVENTLOGRECORD *) ((LPBYTE) record + record->Length);
recordCounter++;
} //End loop parse received messages in buffer
DEBUGPARSE(EndHeader,"");
//record = (EVENTLOGRECORD *)eventBuffer;
} //end big while loop
if ((status==0)&&(ThisIsInitialLoop)) { //this only happens if an entry has been removed, i.e. deleted from eventLog. Start from scratch.
DEBUGPARSE(Message,"Id not found! EventLog cleared? starting from the beginning.");
eventlog->recordOffset=0;
ThisIsInitialLoop=false;
CloseEventLog(hLog);
goto LabelForResettedEventLog; //erno only solution to a complete rewrite...(?)
}
}
__except( CreateMiniDump( GetExceptionInformation() ), EXCEPTION_EXECUTE_HANDLER ) {
logger(Error,"Exception when reading events from %s! Will reattempt reading. Current or previous event text is:%s", eventlog->name, event->msg);
Sleep(3000);
}
/* イベントログの読み取り */
void ReadLog(void)
{
DWORD BufSize;
DWORD ReadBytes;
DWORD NextSize;
BOOL bResult;
DWORD i;
char *cp;
char *pSourceName;
char *pComputerName;
HANDLE hEventLog = NULL;
EVENTLOGRECORD *pBuf = NULL;
char **Args = NULL;
/* イベントログのオープン */
hEventLog = OpenEventLog(NULL, "Application");
if(hEventLog == NULL) {
printf("event log can not open.\n");
goto Exit;
}
for(;;) {
/* イベントログのサイズ取得 */
BufSize = 1;
pBuf = (EVENTLOGRECORD *)GlobalAlloc(GMEM_FIXED, BufSize);
bResult = ReadEventLog(
hEventLog,
EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
0,
pBuf,
BufSize,
&ReadBytes,
&NextSize);
if(!bResult && GetLastError() != ERROR_INSUFFICIENT_BUFFER) break;
GlobalFree(pBuf);
pBuf = NULL;
/* バッファ割り当て */
BufSize = NextSize;
pBuf = (EVENTLOGRECORD *)GlobalAlloc(GMEM_FIXED, BufSize);
/* イベントログの読み取り */
bResult = ReadEventLog(
hEventLog,
EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
0,
pBuf,
BufSize,
&ReadBytes,
&NextSize);
if(!bResult) break;
eventlog_record rec( pBuf );
/* 読み取ったイベントの表示 */
printf("レコード番号: %d\n", rec.RecordNumber() );
time_t t = rec.TimeGenerated();
printf("生成時刻: %s", ctime( &t ) );
t = rec.TimeWritten();
printf("書き込み時刻: %s", ctime( &t ) );
printf("イベントID: %08x\n", rec.EventID() );
printf( "イベントの種別: %s\n", rec.EventTypeText().c_str() );
cp = (char *)pBuf;
cp += sizeof(EVENTLOGRECORD);
pSourceName = cp;
cp += strlen(cp)+1;
pComputerName = cp;
cp += strlen(cp)+1;
printf("ソース名: %s\n", rec.SourceName().c_str() );
printf("コンピュータ名: %s\n", rec.ComputerName().c_str() );
/* カテゴリの表示 */
printf("二次カテゴリ: ", pBuf->EventCategory);
DispMessage(pSourceName, "CategoryMessageFile", NULL, pBuf->EventCategory);
/* メッセージの表示 */
Args = GetArgs(pBuf);
printf("メッセージ: ");
DispMessage(pSourceName, "EventMessageFile", (const char **)Args, pBuf->EventID);
if(Args != NULL) {
GlobalFree(Args);
Args = NULL;
}
/* 固有データの表示 */
if(pBuf->DataLength > 0) {
printf("固有データ: ");
for(i=0; i<pBuf->DataLength; i++) printf("%02x ", *(((unsigned char *)pBuf)+(pBuf->DataOffset)+i));
printf("\n");
}
printf("\n");
/* バッファ解放 */
GlobalFree(pBuf);
pBuf = NULL;
}
Exit: /* 後処理 */
if(pBuf != NULL) GlobalFree(pBuf);
if(Args != NULL) GlobalFree(Args);
if(hEventLog != NULL) CloseEventLog(hEventLog);
}
/* close event logger */
static void zbx_close_eventlog(HANDLE eventlog_handle)
{
if (NULL != eventlog_handle)
CloseEventLog(eventlog_handle);
}
/* Close eventlog */
static void EventlogClose(int log)
{
/* Close log */
CloseEventLog(EventlogList[log].handle);
EventlogList[log].handle = NULL;
}
LogChannelSyslog::~LogChannelSyslog()
{
stop();
CloseEventLog( (HANDLE) m_sysdata );
}
/** void readel(os_el *el)
* Reads the event log.
*/
void readel(os_el *el, int printit)
{
DWORD _evtid = 65535;
DWORD nstr;
DWORD user_size;
DWORD domain_size;
DWORD read, needed;
int size_left;
int str_size;
int id;
char mbuffer[BUFFER_SIZE +1];
LPSTR sstr = NULL;
char *tmp_str = NULL;
char *category;
char *source;
char *computer_name;
char *descriptive_msg;
char el_user[OS_FLSIZE +1];
char el_domain[OS_FLSIZE +1];
char el_string[OS_MAXSTR +1];
char final_msg[OS_MAXSTR +1];
LPSTR el_sstring[OS_FLSIZE +1];
/* Er must point to the mbuffer */
el->er = (EVENTLOGRECORD *) &mbuffer;
/* Zeroing the values */
el_string[OS_MAXSTR] = '\0';
el_user[OS_FLSIZE] = '\0';
el_domain[OS_FLSIZE] = '\0';
final_msg[OS_MAXSTR] = '\0';
el_sstring[0] = NULL;
el_sstring[OS_FLSIZE] = NULL;
/* Event log is not open */
if(!el->h)
{
return;
}
/* Reading the event log */
while(ReadEventLog(el->h,
EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
0,
el->er, BUFFER_SIZE -1, &read, &needed))
{
if(!printit)
{
/* Setting er to the beginning of the buffer */
el->er = (EVENTLOGRECORD *)&mbuffer;
continue;
}
while(read > 0)
{
/* We need to initialize every variable before the loop */
category = el_getCategory(el->er->EventType);
source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
computer_name = source + strlen(source) + 1;
descriptive_msg = NULL;
/* Getting event id. */
id = (int)el->er->EventID & _evtid;
/* Initialing domain/user size */
user_size = 255; domain_size = 255;
el_domain[0] = '\0';
el_user[0] = '\0';
/* We must have some description */
if(el->er->NumStrings)
{
size_left = OS_MAXSTR - OS_SIZE_1024;
sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
el_string[0] = '\0';
for (nstr = 0;nstr < el->er->NumStrings;nstr++)
{
str_size = strlen(sstr);
if(size_left > 1)
{
strncat(el_string, sstr, size_left);
}
tmp_str = strchr(el_string, '\0');
if(tmp_str)
{
*tmp_str = ' ';
tmp_str++; *tmp_str = '\0';
}
else
{
merror("%s: Invalid application string (size+)",
ARGV0);
}
size_left-=str_size + 2;
if(nstr <= 92)
{
el_sstring[nstr] = (LPSTR)sstr;
el_sstring[nstr +1] = NULL;
}
sstr = strchr( (LPSTR)sstr, '\0');
if(sstr)
sstr++;
else
break;
}
/* Get a more descriptive message (if available) */
if(isVista && strcmp(el->name, "Security") == 0)
{
descriptive_msg = el_vista_getMessage(id, el_sstring);
}
else
{
descriptive_msg = el_getMessage(el->er,
el->name,
source,
el_sstring);
}
if(descriptive_msg != NULL)
{
/* Remove any \n or \r */
/* Replace tabs from the argument field to spaces.
* So whenever we have option:\tvalue\t, it will
* become option: value\t
*/
tmp_str = descriptive_msg;
while(*tmp_str != '\0')
{
if(*tmp_str == '\n')
*tmp_str = ' ';
else if(*tmp_str == '\r')
*tmp_str = ' ';
else if((*tmp_str == ':') && (tmp_str[1] == '\t'))
{
tmp_str[1] = ' ';
tmp_str++;
}
tmp_str++;
}
}
}
else
{
strncpy(el_string, "(no message)", 128);
}
/* Getting username */
if(el->er->UserSidLength)
{
SID_NAME_USE account_type;
if(!LookupAccountSid(NULL,
(SID *)((LPSTR)el->er +
el->er->UserSidOffset),
el_user,
&user_size,
el_domain,
&domain_size,
&account_type))
{
strncpy(el_user, "(no user)", 255);
strncpy(el_domain, "no domain", 255);
}
}
else if(isVista && strcmp(el->name, "Security") == 0)
{
int uid_array_id = -1;
switch(id)
{
case 4624:
uid_array_id = 5;
break;
case 4634:
uid_array_id = 1;
break;
case 4647:
uid_array_id = 1;
break;
case 4769:
uid_array_id = 0;
break;
}
if((uid_array_id >= 0) &&
el_sstring[uid_array_id] &&
el_sstring[uid_array_id +1])
{
strncpy(el_user, el_sstring[uid_array_id], OS_FLSIZE);
strncpy(el_domain, el_sstring[uid_array_id +1], OS_FLSIZE);
}
else
{
strncpy(el_user, "(no user)", 255);
strncpy(el_domain, "no domain", 255);
}
}
else
{
strncpy(el_user, "(no user)", 255);
strncpy(el_domain, "no domain", 255);
}
if(printit)
{
DWORD _evtid = 65535;
int id = (int)el->er->EventID & _evtid;
final_msg[OS_MAXSTR - OS_LOG_HEADER] = '\0';
final_msg[OS_MAXSTR - OS_LOG_HEADER -1] = '\0';
snprintf(final_msg, OS_MAXSTR - OS_LOG_HEADER -1,
"WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
el->name,
category,
id,
source,
el_user,
el_domain,
computer_name,
descriptive_msg != NULL?descriptive_msg:el_string);
if(SendMSG(logr_queue, final_msg, "WinEvtLog",
LOCALFILE_MQ) < 0)
{
merror(QUEUE_SEND, ARGV0);
}
}
if(descriptive_msg != NULL)
{
LocalFree(descriptive_msg);
}
/* Changing the point to the er */
read -= el->er->Length;
el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
}
/* Setting er to the beginning of the buffer */
el->er = (EVENTLOGRECORD *)&mbuffer;
}
id = GetLastError();
if(id == ERROR_HANDLE_EOF)
{
return;
}
/* Event log was cleared. */
else if(id == ERROR_EVENTLOG_FILE_CHANGED)
{
char msg_alert[512 +1];
msg_alert[512] = '\0';
merror("%s: WARN: Event log cleared: '%s'", ARGV0, el->name);
/* Send message about cleared */
snprintf(msg_alert, 512, "ossec: Event log cleared: '%s'", el->name);
SendMSG(logr_queue, msg_alert, "WinEvtLog", LOCALFILE_MQ);
/* Closing the event log and reopenning. */
CloseEventLog(el->h);
el->h = NULL;
/* Reopening. */
if(startEL(el->name, el) < 0)
{
merror("%s: ERROR: Unable to reopen event log '%s'",
ARGV0, el->name);
}
}
else
{
debug1("%s: WARN: Error reading event log: %d", ARGV0, id);
}
}
static void test_read(void)
{
HANDLE handle;
BOOL ret;
DWORD count, toread, read, needed;
void *buf;
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, NULL);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
read = 0xdeadbeef;
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, NULL);
ok(!ret, "Expected failure\n");
ok(read == 0xdeadbeef, "Expected 'read' parameter to remain unchanged\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
needed = 0xdeadbeef;
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, &needed);
ok(!ret, "Expected failure\n");
ok(needed == 0xdeadbeef, "Expected 'needed' parameter to remain unchanged\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
/* 'read' and 'needed' are only filled when the needed buffer size is passed back or when the call succeeds */
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, NULL, NULL);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
buf = NULL;
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
SetLastError(0xdeadbeef);
ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
HeapFree(GetProcessHeap(), 0, buf);
handle = OpenEventLogA(NULL, "Application");
/* Show that we need the proper dwFlags with a (for the rest) proper call */
buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, 0, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
todo_wine
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
HeapFree(GetProcessHeap(), 0, buf);
/* First check if there are any records (in practice only on Wine: FIXME) */
count = 0;
GetNumberOfEventLogRecords(handle, &count);
if (!count)
{
skip("No records in the 'Application' log\n");
CloseEventLog(handle);
return;
}
/* Get the buffer size for the first record */
buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
read = needed = 0xdeadbeef;
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
ok(!ret, "Expected failure\n");
ok(read == 0, "Expected no bytes read\n");
ok(needed > sizeof(EVENTLOGRECORD), "Expected the needed buffersize to be bigger than sizeof(EVENTLOGRECORD)\n");
ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
/* Read the first record */
toread = needed;
buf = HeapReAlloc(GetProcessHeap(), 0, buf, toread);
read = needed = 0xdeadbeef;
SetLastError(0xdeadbeef);
ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, toread, &read, &needed);
ok(ret, "Expected success\n");
ok(read == toread ||
broken(read < toread), /* NT4 wants a buffer size way bigger than just 1 record */
"Expected the requested size to be read\n");
ok(needed == 0, "Expected no extra bytes to be read\n");
HeapFree(GetProcessHeap(), 0, buf);
CloseEventLog(handle);
}
void EventLogMonitor(void)
{
DWORD status = ERROR_SUCCESS;
DWORD dwWaitReason = 0;
DWORD dwLastRecordNumber = 0;
int nMonSize = sizeof(event_monitor)/sizeof(struct _EVENT_MONITOR);
HANDLE *arrhWaitHandles = (HANDLE*)malloc(nMonSize*sizeof(HANDLE));
g_arrhEventLog = (HANDLE*)malloc(nMonSize*sizeof(HANDLE));
for (int i=0; i<nMonSize; i++)
{
// Get the DLL that contains the message table string resources for the provider.
event_monitor[i].hResource = GetMessageResources(event_monitor[i].resource_dll);
if (NULL == event_monitor[i].hResource)
{
wprintf(L"Fail to load resource file.\n");
}
// Get a handle to a manual reset event object that will be signal
// when events are written to the log.
arrhWaitHandles[i] = CreateEvent(NULL, TRUE, FALSE, NULL);
if (NULL == arrhWaitHandles[i])
{
wprintf(L"CreateEvent failed with %lu.\n", GetLastError());
}
// Open the log file. The source name (provider) must exist as
// a subkey of Application.
g_arrhEventLog[i] = OpenEventLog(NULL, event_monitor[i].provider_name);
//g_arrhEventLog[i] = OpenEventLog(NULL, L"Application");
if (NULL == g_arrhEventLog[i])
{
wprintf(L"OpenEventLog failed with 0x%x.\n", GetLastError());
}
// Seek to the last record in the event log and read it in order
// to position the cursor for reading any new records when the
// service notifies you that new records have been written to the
// log file.
status = SeekToLastRecord(g_arrhEventLog[i]);
if (ERROR_SUCCESS != status)
{
wprintf(L"SeekToLastRecord failed with %lu.\n", status);
}
// Request notification when events are written to the log.
if (!NotifyChangeEventLog(g_arrhEventLog[i], arrhWaitHandles[i]))
{
wprintf(L"NotifyChangeEventLog failed with %lu.\n", GetLastError());
goto cleanup;
}
}
wprintf(L"Waiting for notification of new events...\n\n");
// Loop until the user presses a key or there is an error.
while (true)
{
if (0 == g_enable_monitor)
{
break;
}
dwWaitReason = WaitForMultipleObjects(nMonSize, arrhWaitHandles, FALSE, /*INFINITE*/10*1000);
dwWaitReason -= WAIT_OBJECT_0;
if (dwWaitReason >= 0 && dwWaitReason < nMonSize)
{
if (ERROR_SUCCESS != (status = DumpNewRecords(dwWaitReason)))
{
wprintf(L"DumpNewRecords failed.\n");
break;
}
wprintf(L"\nWaiting for notification of new events...\n");
ResetEvent(arrhWaitHandles[dwWaitReason]);
}
else if (dwWaitReason == WAIT_TIMEOUT)
{
printf("WaitForMultiple Timeout.\n");
}
else
{
if (WAIT_FAILED == dwWaitReason)
{
wprintf(L"WaitForSingleObject failed with %lu\n", GetLastError());
}
break;
}
}
cleanup:
for (int i=0; i<nMonSize; i++)
{
if (g_arrhEventLog[i])
CloseEventLog(g_arrhEventLog[i]);
if (arrhWaitHandles[i])
CloseHandle(arrhWaitHandles[i]);
if (event_monitor[i].hResource)
FreeLibrary(event_monitor[i].hResource);
}
if (arrhWaitHandles)
free(arrhWaitHandles);
if (g_arrhEventLog)
free(g_arrhEventLog);
}
static void test_openbackup(void)
{
HANDLE handle, handle2, file;
DWORD written;
const char backup[] = "backup.evt";
const char text[] = "Just some text";
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA(NULL, NULL);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA(NULL, "idontexist.evt");
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_FILE_NOT_FOUND, "Expected ERROR_FILE_NOT_FOUND, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA("IDontExist", NULL);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA("IDontExist", "idontexist.evt");
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
"Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
/* Make a backup eventlog to work with */
if (create_backup(backup))
{
/* FIXME: Wine stops here */
if (GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES)
{
skip("We don't have a backup eventlog to work with\n");
return;
}
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA("IDontExist", backup);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
"Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
/* Empty servername should be read as local server */
handle = OpenBackupEventLogA("", backup);
ok(handle != NULL, "Expected a handle\n");
CloseEventLog(handle);
handle = OpenBackupEventLogA(NULL, backup);
ok(handle != NULL, "Expected a handle\n");
/* Can we open that same backup eventlog more than once? */
handle2 = OpenBackupEventLogA(NULL, backup);
ok(handle2 != NULL, "Expected a handle\n");
ok(handle2 != handle, "Didn't expect the same handle\n");
CloseEventLog(handle2);
CloseEventLog(handle);
DeleteFileA(backup);
}
/* Is there any content checking done? */
file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
CloseHandle(file);
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA(NULL, backup);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_NOT_ENOUGH_MEMORY ||
GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, /* Vista and Win7 */
"Expected ERROR_NOT_ENOUGH_MEMORY, got %d\n", GetLastError());
CloseEventLog(handle);
DeleteFileA(backup);
file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
WriteFile(file, text, sizeof(text), &written, NULL);
CloseHandle(file);
SetLastError(0xdeadbeef);
handle = OpenBackupEventLogA(NULL, backup);
ok(handle == NULL, "Didn't expect a handle\n");
ok(GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, "Expected ERROR_EVENTLOG_FILE_CORRUPT, got %d\n", GetLastError());
CloseEventLog(handle);
DeleteFileA(backup);
}
