void RenderContext::openForValues(const wchar_t* const* values, std::size_t n)
{
handle_.reset(EvtCreateRenderContext(n, const_cast<const wchar_t**>(values), EvtRenderEventValues));
if (!handle_)
{
throw WinException(L"EvtCreateRenderContext", GetLastError());
}
}
/* Get specific values from an event */
PEVT_VARIANT GetEventInfo(EVT_HANDLE hEvent)
{
EVT_HANDLE hContext = NULL;
PEVT_VARIANT pRenderedEvents = NULL;
LPWSTR ppValues[] = {L"Event/System/Provider/@Name",
L"Event/System/TimeCreated/@SystemTime",
L"Event/System/EventID",
L"Event/System/Level",
L"Event/System/Keywords"};
DWORD count = COUNT_OF(ppValues);
DWORD dwReturned = 0;
DWORD dwBufferSize = (256*sizeof(LPWSTR)*count);
DWORD dwValuesCount = 0;
DWORD status = 0;
/* Create the context to use for EvtRender */
hContext = EvtCreateRenderContext(count, (LPCWSTR*)ppValues, EvtRenderContextValues);
if (NULL == hContext) {
Log(LOG_ERROR|LOG_SYS, "EvtCreateRenderContext failed");
goto cleanup;
}
pRenderedEvents = (PEVT_VARIANT)malloc(dwBufferSize);
/* Use EvtRender to capture the Publisher name from the Event */
/* Log Errors to the event log if things go wrong */
if (!EvtRender(hContext, hEvent, EvtRenderEventValues, dwBufferSize, pRenderedEvents, &dwReturned, &dwValuesCount)) {
if (ERROR_INSUFFICIENT_BUFFER == GetLastError()) {
dwBufferSize = dwReturned;
realloc(pRenderedEvents, dwBufferSize);
if (!EvtRender(hContext, hEvent, EvtRenderEventValues, dwBufferSize, pRenderedEvents, &dwReturned, &dwValuesCount)) {
if (LogInteractive)
Log(LOG_ERROR|LOG_SYS, "Error Rendering Event");
status = ERR_FAIL;
}
} else {
status = ERR_FAIL;
if (LogInteractive)
Log(LOG_ERROR|LOG_SYS, "Error Rendering Event");
}
}
cleanup:
if (hContext)
EvtClose(hContext);
if (status == ERR_FAIL)
return NULL;
else
return pRenderedEvents;
}
void send_channel_event(EVT_HANDLE evt, os_channel *channel)
{
DWORD buffer_length = 0;
PEVT_VARIANT properties_values = NULL;
DWORD count = 0;
EVT_HANDLE context = NULL;
os_event event = {0};
char final_msg[OS_MAXSTR];
int result = 0;
if ((context = EvtCreateRenderContext(count, NULL, EvtRenderContextSystem)) == NULL) {
log2file(
"%s: ERROR: Could not EvtCreateRenderContext() for (%s) which returned (%lu)",
ARGV0,
channel->evt_log,
GetLastError());
goto cleanup;
}
/* Make initial call to determine buffer size necessary */
result = EvtRender(context,
evt,
EvtRenderEventValues,
0,
NULL,
&buffer_length,
&count);
if (result != FALSE || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
log2file(
"%s: ERROR: Could not EvtRender() to determine buffer size for (%s) which returned (%lu)",
ARGV0,
channel->evt_log,
GetLastError());
goto cleanup;
}
if ((properties_values = malloc(buffer_length)) == NULL) {
log2file(
"%s: ERROR: Could not malloc() memory to process event (%s) which returned [(%d)-(%s)]",
ARGV0,
channel->evt_log,
errno,
strerror(errno));
goto cleanup;
}
if (!EvtRender(context,
evt,
EvtRenderEventValues,
buffer_length,
properties_values,
&buffer_length,
&count)) {
log2file(
"%s: ERROR: Could not EvtRender() for (%s) which returned (%lu)",
ARGV0,
channel->evt_log,
GetLastError());
goto cleanup;
}
event.name = get_property_value(&properties_values[EvtSystemChannel]);
event.id = properties_values[EvtSystemEventID].UInt16Val;
event.source = get_property_value(&properties_values[EvtSystemProviderName]);
event.uid = properties_values[EvtSystemUserID].Type == EvtVarTypeNull ? NULL : properties_values[EvtSystemUserID].SidVal;
event.computer = get_property_value(&properties_values[EvtSystemComputer]);
event.time_created = properties_values[EvtSystemTimeCreated].FileTimeVal;
event.keywords = properties_values[EvtSystemKeywords].Type == EvtVarTypeNull ? 0 : properties_values[EvtSystemKeywords].UInt64Val;
event.level = properties_values[EvtSystemLevel].Type == EvtVarTypeNull ? -1 : properties_values[EvtSystemLevel].ByteVal;
switch (event.level) {
case WINEVENT_CRITICAL:
event.category = "CRITICAL";
break;
case WINEVENT_ERROR:
event.category = "ERROR";
break;
case WINEVENT_WARNING:
event.category = "WARNING";
break;
case WINEVENT_INFORMATION:
event.category = "INFORMATION";
break;
case WINEVENT_VERBOSE:
event.category = "DEBUG";
break;
case WINEVENT_AUDIT:
if (event.keywords & WINEVENT_AUDIT_FAILURE) {
event.category = "AUDIT_FAILURE";
break;
} else if (event.keywords & WINEVENT_AUDIT_SUCCESS) {
event.category = "AUDIT_SUCCESS";
break;
}
default:
event.category = "Unknown";
break;
}
if ((event.timestamp = WinEvtTimeToString(event.time_created)) == NULL) {
log2file(
"%s: ERROR: Could not convert timestamp for (%s)",
ARGV0,
channel->evt_log);
goto cleanup;
}
/* Determine user and domain */
get_username_and_domain(&event);
/* Get event log message */
if ((event.message = get_message(evt, properties_values[EvtSystemProviderName].StringVal, EvtFormatMessageEvent)) == NULL) {
log2file(
"%s: ERROR: Could not get message for (%s)",
ARGV0,
channel->evt_log);
} else {
/* Format message */
win_format_event_string(event.message);
}
snprintf(
final_msg,
sizeof(final_msg),
"%s WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
event.timestamp,
event.name,
event.category,
event.id,
event.source && strlen(event.source) ? event.source : "no source",
event.user && strlen(event.user) ? event.user : "******",
event.domain && strlen(event.domain) ? event.domain : "no domain",
event.computer && strlen(event.computer) ? event.computer : "no computer",
event.message && strlen(event.message) ? event.message : "(no message)"
);
if (SendMSG(logr_queue, final_msg, "WinEvtLog", LOCALFILE_MQ) < 0) {
merror(QUEUE_SEND, ARGV0);
}
if (channel->bookmark_enabled) {
update_bookmark(evt, channel);
}
cleanup:
free(properties_values);
free_event(&event);
if (context != NULL) {
EvtClose(context);
}
return;
}
/* open eventlog using API 6 and return the number of records */
static int zbx_open_eventlog6(const wchar_t *wsource, zbx_uint64_t *lastlogsize, EVT_HANDLE *render_context,
zbx_uint64_t *FirstID, zbx_uint64_t *LastID)
{
const char *__function_name = "zbx_open_eventlog6";
EVT_HANDLE log = NULL;
EVT_VARIANT var;
EVT_HANDLE tmp_all_event_query = NULL;
EVT_HANDLE event_bookmark = NULL;
EVT_VARIANT* renderedContent = NULL;
DWORD status = 0;
DWORD size_required = 0;
DWORD size = DEFAULT_EVENT_CONTENT_SIZE;
DWORD bookmarkedCount = 0;
zbx_uint64_t numIDs = 0;
char *tmp_str = NULL;
int ret = FAIL;
*FirstID = 0;
*LastID = 0;
zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __function_name);
/* try to open the desired log */
if (NULL == (log = EvtOpenLog(NULL, wsource, EvtOpenChannelPath)))
{
tmp_str = zbx_unicode_to_utf8(wsource);
zabbix_log(LOG_LEVEL_WARNING, "cannot open eventlog '%s':%s", tmp_str,
strerror_from_system(GetLastError()));
goto out;
}
/* obtain the number of records in the log */
if (TRUE != EvtGetLogInfo(log, EvtLogNumberOfLogRecords, sizeof(var), &var, &size_required))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtGetLogInfo failed:%s",
strerror_from_system(GetLastError()));
goto out;
}
numIDs = var.UInt64Val;
/* get the number of the oldest record in the log */
/* "EvtGetLogInfo()" does not work properly with "EvtLogOldestRecordNumber" */
/* we have to get it from the first EventRecordID */
/* create the system render */
if (NULL == (*render_context = EvtCreateRenderContext(RENDER_ITEMS_COUNT, RENDER_ITEMS, EvtRenderContextValues)))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtCreateRenderContext failed:%s", strerror_from_system(GetLastError()));
goto out;
}
/* get all eventlog */
tmp_all_event_query = EvtQuery(NULL, wsource, NULL, EvtQueryChannelPath);
if (NULL == tmp_all_event_query)
{
if (ERROR_EVT_CHANNEL_NOT_FOUND == (status = GetLastError()))
zabbix_log(LOG_LEVEL_WARNING, "EvtQuery channel missed:%s", strerror_from_system(status));
else
zabbix_log(LOG_LEVEL_WARNING, "EvtQuery failed:%s", strerror_from_system(status));
goto out;
}
/* get the entries and allocate the required space */
renderedContent = zbx_malloc(renderedContent, size);
if (TRUE != EvtNext(tmp_all_event_query, 1, &event_bookmark, INFINITE, 0, &size_required))
{
/* no data in eventlog */
zabbix_log(LOG_LEVEL_DEBUG, "first EvtNext failed:%s", strerror_from_system(GetLastError()));
*FirstID = 1;
*LastID = 1;
numIDs = 0;
*lastlogsize = 0;
ret = SUCCEED;
goto out;
}
/* obtain the information from selected events */
if (TRUE != EvtRender(*render_context, event_bookmark, EvtRenderEventValues, size, renderedContent,
&size_required, &bookmarkedCount))
{
/* information exceeds the allocated space */
if (ERROR_INSUFFICIENT_BUFFER != GetLastError())
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed:%s", strerror_from_system(GetLastError()));
goto out;
}
renderedContent = (EVT_VARIANT*)zbx_realloc((void *)renderedContent, size_required);
size = size_required;
if (TRUE != EvtRender(*render_context, event_bookmark, EvtRenderEventValues, size, renderedContent,
&size_required, &bookmarkedCount))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed:%s", strerror_from_system(GetLastError()));
goto out;
}
}
*FirstID = VAR_RECORD_NUMBER(renderedContent);
*LastID = *FirstID + numIDs;
if (*lastlogsize >= *LastID)
{
*lastlogsize = *FirstID - 1;
zabbix_log(LOG_LEVEL_DEBUG, "lastlogsize is too big. It is set to:" ZBX_FS_UI64, *lastlogsize);
}
ret = SUCCEED;
out:
if (NULL != log)
EvtClose(log);
if (NULL != tmp_all_event_query)
EvtClose(tmp_all_event_query);
if (NULL != event_bookmark)
EvtClose(event_bookmark);
zbx_free(tmp_str);
zbx_free(renderedContent);
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s FirstID:" ZBX_FS_UI64 " LastID:" ZBX_FS_UI64 " numIDs:" ZBX_FS_UI64,
__function_name, zbx_result_string(ret), *FirstID, *LastID, numIDs);
return ret;
}
static int zbx_get_eventlog_message_xpath(LPCTSTR wsource, zbx_uint64_t *lastlogsize, char **out_source, char **out_message,
unsigned short *out_severity, unsigned long *out_timestamp, unsigned long *out_eventid, unsigned char skip_old_data, void **pcontext)
{
const char *__function_name = "zbx_get_eventlog_message_xpath";
int ret = FAIL;
LPSTR tmp_str = NULL;
LPWSTR tmp_wstr = NULL;
LPWSTR event_query = NULL; /* L"Event/System[EventRecordID=WHICH]" */
unsigned long status = ERROR_SUCCESS;
PEVT_VARIANT eventlog_array = NULL;
HANDLE providermetadata_handle = NULL;
LPWSTR query_array[] = {
L"/Event/System/Provider/@Name",
L"/Event/System/EventID",
L"/Event/System/Level",
L"/Event/System/TimeCreated/@SystemTime",
L"/Event/System/EventRecordID"};
DWORD array_count = 5;
DWORD dwReturned = 0, dwValuesCount = 0, dwBufferSize = 0;
const ULONGLONG sec_1970 = 116444736000000000;
static HMODULE hmod_wevtapi = NULL;
zbx_eventlog_context *context;
assert(out_source);
assert(out_message);
assert(out_severity);
assert(out_timestamp);
assert(out_eventid);
zabbix_log(LOG_LEVEL_DEBUG, "In %s() which:%lld", __function_name, *lastlogsize);
*out_source = NULL;
*out_message = NULL;
*out_severity = 0;
*out_timestamp = 0;
*out_eventid = 0;
/* We have to use LoadLibrary() to load wevtapi.dll to avoid it required even before Vista. */
/* load wevtapi.dll once */
if (NULL == hmod_wevtapi)
{
hmod_wevtapi = LoadLibrary(L"wevtapi.dll");
if (NULL == hmod_wevtapi)
{
zabbix_log(LOG_LEVEL_WARNING, "Can't load wevtapi.dll");
goto finish;
}
zabbix_log(LOG_LEVEL_DEBUG, "wevtapi.dll was loaded");
/* get function pointer from wevtapi.dll */
(FARPROC)EvtQuery = GetProcAddress(hmod_wevtapi, "EvtQuery");
(FARPROC)EvtCreateRenderContext = GetProcAddress(hmod_wevtapi, "EvtCreateRenderContext");
(FARPROC)EvtNext = GetProcAddress(hmod_wevtapi, "EvtNext");
(FARPROC)EvtRender = GetProcAddress(hmod_wevtapi, "EvtRender");
(FARPROC)EvtOpenPublisherMetadata = GetProcAddress(hmod_wevtapi, "EvtOpenPublisherMetadata");
(FARPROC)EvtFormatMessage = GetProcAddress(hmod_wevtapi, "EvtFormatMessage");
(FARPROC)EvtClose = GetProcAddress(hmod_wevtapi, "EvtClose");
if (NULL == EvtQuery ||
NULL == EvtCreateRenderContext ||
NULL == EvtNext ||
NULL == EvtRender ||
NULL == EvtOpenPublisherMetadata ||
NULL == EvtFormatMessage ||
NULL == EvtClose)
{
zabbix_log(LOG_LEVEL_WARNING, "Can't load wevtapi.dll functions");
goto finish;
}
zabbix_log(LOG_LEVEL_DEBUG, "wevtapi.dll functions were loaded");
}
context = *pcontext;
if (context == NULL)
{
context = zbx_malloc(NULL, sizeof(*context));
memset(context, 0, sizeof(*context));
tmp_str = zbx_dsprintf(NULL, "Event/System[EventRecordID>%lld]", *lastlogsize);
event_query = zbx_utf8_to_unicode(tmp_str);
zbx_free(tmp_str);
context->handle = EvtQuery(NULL, wsource, event_query, skip_old_data? EvtQueryChannelPath|EvtQueryReverseDirection: EvtQueryChannelPath);
if (NULL == context->handle)
{
status = GetLastError();
if (ERROR_EVT_CHANNEL_NOT_FOUND == status)
{
zabbix_log(LOG_LEVEL_WARNING, "Missed eventlog");
}
else
{
zabbix_log(LOG_LEVEL_WARNING, "EvtQuery failed");
}
goto finish;
}
context->context_handle = EvtCreateRenderContext(array_count, (LPCWSTR*)query_array, EvtRenderContextValues);
if (NULL == context->context_handle)
{
zabbix_log(LOG_LEVEL_WARNING, "EvtCreateRenderContext failed");
goto finish;
}
*pcontext = context;
}
if (context->each_handle)
{
EvtClose(context->each_handle);
context->each_handle = NULL;
}
if (!EvtNext(context->handle, 1, &context->each_handle, INFINITE, 0, &dwReturned))
{
status = GetLastError();
if (ERROR_NO_MORE_ITEMS == status)
{
zabbix_log(LOG_LEVEL_DEBUG, "EvtNext no more items.");
ret = SUCCEED;
}
else
{
zabbix_log(LOG_LEVEL_WARNING, "First EvtNext failed with %lu", status);
}
goto finish;
}
if (!EvtRender(context->context_handle, context->each_handle, EvtRenderEventValues,
dwBufferSize, eventlog_array, &dwReturned, &dwValuesCount))
{
if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
{
dwBufferSize = dwReturned;
if (NULL == (eventlog_array = (PEVT_VARIANT)zbx_malloc(eventlog_array, dwBufferSize)))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender malloc failed");
goto finish;
}
if (!EvtRender(context->context_handle, context->each_handle, EvtRenderEventValues,
dwBufferSize, eventlog_array, &dwReturned, &dwValuesCount))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed");
goto finish;
}
}
if (ERROR_SUCCESS != (status = GetLastError()))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed with %d", status);
goto finish;
}
}
*out_source = zbx_unicode_to_utf8(eventlog_array[0].StringVal);
providermetadata_handle = EvtOpenPublisherMetadata(NULL, eventlog_array[0].StringVal, NULL, 0, 0);
if (NULL != providermetadata_handle)
{
dwBufferSize = 0;
dwReturned = 0;
if (!EvtFormatMessage(providermetadata_handle, context->each_handle, 0, 0,
NULL, EvtFormatMessageEvent, dwBufferSize, tmp_wstr, &dwReturned))
{
if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
{
dwBufferSize = dwReturned;
if (NULL == (tmp_wstr = (LPWSTR)zbx_malloc(tmp_wstr, dwBufferSize * sizeof(WCHAR))))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtFormatMessage malloc failed");
goto finish;
}
if (!EvtFormatMessage(providermetadata_handle, context->each_handle, 0, 0,
NULL, EvtFormatMessageEvent, dwBufferSize, tmp_wstr, &dwReturned))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtFormatMessage failed");
goto finish;
}
}
if (ERROR_SUCCESS != (status = GetLastError()))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtFormatMessage failed with %d", status);
goto finish;
}
}
*out_message= zbx_unicode_to_utf8(tmp_wstr);
}
else
{
zabbix_log(LOG_LEVEL_DEBUG, "EvtOpenPublisherMetadata failed with %d: no description availabel", GetLastError());
*out_message = zbx_strdup(NULL, "");
}
*out_eventid = eventlog_array[1].UInt16Val;
*out_severity = eventlog_array[2].ByteVal;
*out_timestamp = (unsigned long)((eventlog_array[3].FileTimeVal - sec_1970) / 10000000);
*lastlogsize = eventlog_array[4].UInt64Val;
ret = SUCCEED;
finish:
zbx_free(tmp_str);
zbx_free(tmp_wstr);
zbx_free(event_query);
zbx_free(eventlog_array);
if (FAIL == ret)
{
zbx_free(*out_source);
zbx_free(*out_message);
}
if (providermetadata_handle)
EvtClose(providermetadata_handle);
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s", __function_name, zbx_result_string(ret));
return ret;
}
int get_eventlog_keywords(void *v, zbx_uint64_t *out_keywords)
{
const char *__function_name = "zbx_get_event_keyword";
int ret = FAIL;
zbx_eventlog_context *context = v;
LPWSTR query = L"/Event/System/Keywords";
PEVT_VARIANT eventlog_array = NULL;
DWORD dwReturned = 0, dwValuesCount = 0, dwBufferSize = 0;
unsigned long status = ERROR_SUCCESS;
zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __function_name);
*out_keywords = 0;
context = v;
if (context == NULL)
{
zabbix_log(LOG_LEVEL_WARNING, "invalid context");
goto finish;
}
if (context->keyword_context_handle == NULL)
{
context->keyword_context_handle = EvtCreateRenderContext(1, &query, EvtRenderContextValues);
if (context->keyword_context_handle == NULL)
{
zabbix_log(LOG_LEVEL_WARNING, "can't create render context");
goto finish;
}
}
if (!EvtRender(context->keyword_context_handle, context->each_handle, EvtRenderEventValues,
dwBufferSize, eventlog_array, &dwReturned, &dwValuesCount))
{
if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
{
dwBufferSize = dwReturned;
if (NULL == (eventlog_array = (PEVT_VARIANT)zbx_malloc(eventlog_array, dwBufferSize)))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender malloc failed");
goto finish;
}
if (!EvtRender(context->keyword_context_handle, context->each_handle, EvtRenderEventValues,
dwBufferSize, eventlog_array, &dwReturned, &dwValuesCount))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed");
goto finish;
}
}
if (ERROR_SUCCESS != (status = GetLastError()))
{
zabbix_log(LOG_LEVEL_WARNING, "EvtRender failed with %d", GetLastError());
goto finish;
}
}
*out_keywords = eventlog_array[0].UInt64Val;
ret = SUCCEED;
finish:
zbx_free(eventlog_array);
zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s", __function_name, zbx_result_string(ret));
return ret;
}
/**
* @brief Enumerate all the events in the result set.
* @param eventHandle A handle to an event.
*
* @return returns Print event status.
*/
DWORD EventLogReader::PrintEvent(EVT_HANDLE eventHandle)
{
EVT_HANDLE context = nullptr;
PEVT_VARIANT renderedValues = nullptr;
DWORD status = ERROR_SUCCESS;
do
{
// Identify the components of the event that you want to render. In this case,
// render the system section of the event.
context = EvtCreateRenderContext(0, nullptr, EvtRenderContextSystem);
if (context == nullptr)
{
status = GetLastError();
break;
}
// When you render the user data or system section of the event, you must specify
// the EvtRenderEventValues flag. The function returns an array of variant values
// for each element in the user data or system section of the event. For user data
// or event data, the values are returned in the same order as the elements are
// defined in the event. For system data, the values are returned in the order defined
// in the EVT_SYSTEM_PROPERTY_ID enumeration.
DWORD bufferSize = 0;
DWORD bufferUsed = 0;
DWORD propertyCount = 0;
if (!EvtRender(context, eventHandle, EvtRenderEventValues, bufferSize, renderedValues, &bufferUsed, &propertyCount))
{
status = GetLastError();
if (status == ERROR_INSUFFICIENT_BUFFER)
{
bufferSize = bufferUsed;
renderedValues = (PEVT_VARIANT)malloc(bufferSize);
if (renderedValues != nullptr)
{
EvtRender(context, eventHandle, EvtRenderEventValues, bufferSize, renderedValues, &bufferUsed, &propertyCount);
status = GetLastError();
}
else
{
status = ERROR_OUTOFMEMORY;
break;
}
}
if (status != ERROR_SUCCESS)
break;
}
std::map<std::string, std::string> eventData;
std::wstring tempBuf = (renderedValues[EvtSystemProviderName].StringVal) ? renderedValues[EvtSystemProviderName].StringVal : L"";
eventData["providername"] = base::wstring_to_string(tempBuf);
if (renderedValues[EvtSystemProviderGuid].GuidVal != nullptr)
{
WCHAR guid[50] = {0};
StringFromGUID2(*(renderedValues[EvtSystemProviderGuid].GuidVal), guid, sizeof(guid) / sizeof(WCHAR));
eventData["providerguid"] = base::wstring_to_string(guid);
}
DWORD eventId = renderedValues[EvtSystemEventID].UInt16Val;
if (renderedValues[EvtSystemQualifiers].Type == EvtVarTypeNull)
eventId = MAKELONG(renderedValues[EvtSystemEventID].UInt16Val, renderedValues[EvtSystemQualifiers].UInt16Val);
char buf[1024] = { 0 };
snprintf(buf, sizeof(buf), "%lu", eventId);
eventData["eventid"] = buf;
snprintf(buf, sizeof(buf), "%u", (renderedValues[EvtSystemVersion].Type == EvtVarTypeNull) ? 0 : renderedValues[EvtSystemVersion].ByteVal);
eventData["version"] = buf;
snprintf(buf, sizeof(buf), "%u", (renderedValues[EvtSystemLevel].Type == EvtVarTypeNull) ? 0 : renderedValues[EvtSystemLevel].ByteVal);
eventData["level"] = buf;
snprintf(buf, sizeof(buf), "%hu", (renderedValues[EvtSystemTask].Type == EvtVarTypeNull) ? 0 : renderedValues[EvtSystemTask].ByteVal);
eventData["task"] = buf;
snprintf(buf, sizeof(buf), "%u", (renderedValues[EvtSystemOpcode].Type == EvtVarTypeNull) ? 0 : renderedValues[EvtSystemOpcode].UInt16Val);
eventData["opcode"] = buf;
snprintf(buf, sizeof(buf), "%0x%I64x", (renderedValues[EvtSystemKeywords].Type == EvtVarTypeNull) ? 0 : renderedValues[EvtSystemOpcode].UInt64Val);
eventData["keywords"] = buf;
ULONGLONG ullTimeStamp = renderedValues[EvtSystemTimeCreated].FileTimeVal;
FILETIME ft;
ft.dwHighDateTime = (DWORD)((ullTimeStamp >> 32) & 0xFFFFFFFF);
ft.dwLowDateTime = (DWORD)(ullTimeStamp & 0xFFFFFFFF);
SYSTEMTIME st;
FileTimeToSystemTime(&ft, &st);
ULONGLONG ullNanoseconds = (ullTimeStamp % 10000000) * 100; // Display nanoseconds instead of milliseconds for higher resolution
snprintf(buf, sizeof(buf), "%02d/%02d/%02d %02d:%02d:%02d.%I64u", st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, ullNanoseconds);
eventData["timecreated"] = buf;
snprintf(buf, sizeof(buf), "%I64u", renderedValues[EvtSystemEventRecordId].UInt64Val);
eventData["eventrecordid"] = buf;
if (renderedValues[EvtSystemActivityID].Type != EvtVarTypeNull)
{
WCHAR guid[50] = { 0 };
StringFromGUID2(*(renderedValues[EvtSystemActivityID].GuidVal), guid, sizeof(guid) / sizeof(WCHAR));;
eventData["activityid"] = base::wstring_to_string(guid);
}
if (renderedValues[EvtSystemRelatedActivityID].Type != EvtVarTypeNull)
{
WCHAR guid[50] = { 0 };
StringFromGUID2(*(renderedValues[EvtSystemRelatedActivityID].GuidVal), guid, sizeof(guid) / sizeof(WCHAR));;
eventData["relatedactivityid"] = base::wstring_to_string(guid);
}
snprintf(buf, sizeof(buf), "%lu", renderedValues[EvtSystemProcessID].UInt32Val);
eventData["processid"] = buf;
snprintf(buf, sizeof(buf), "%lu", renderedValues[EvtSystemThreadID].UInt32Val);
eventData["threadid"] = buf;
tempBuf = (renderedValues[EvtSystemChannel].Type == EvtVarTypeNull) ? renderedValues[EvtSystemChannel].StringVal : L"";
eventData["channel"] = base::wstring_to_string(tempBuf);
eventData["computer"] = base::wstring_to_string(renderedValues[EvtSystemComputer].StringVal);
if (renderedValues[EvtSystemUserID].Type != EvtVarTypeNull)
{
LPWSTR pwsSid = nullptr;
if (ConvertSidToStringSid(renderedValues[EvtSystemUserID].SidVal, &pwsSid))
{
eventData["secuserid"] = base::wstring_to_string(pwsSid);
LocalFree(pwsSid);
}
}
// Get the handle to the provider's metadata that contains the message strings.
EVT_HANDLE providerMetadata = EvtOpenPublisherMetadata(nullptr, renderedValues[EvtSystemProviderName].StringVal, nullptr, 0, 0);
if (providerMetadata == nullptr)
break;
eventData["message"] = GetMessageString(providerMetadata, eventHandle);
_printResultsCallback(eventData);
} while (false);
if (context)
EvtClose(context);
if (renderedValues)
free(renderedValues);
return status;
}
