Exemple #1
0
// Read a single record from the event log.
static DWORD ReadRecord(HANDLE hEventLog, PBYTE & pBuffer, DWORD dwRecordNumber, DWORD dwFlags)
{
	DWORD status = ERROR_SUCCESS;
	DWORD dwBytesToRead = sizeof(EVENTLOGRECORD);
	DWORD dwBytesRead = 0;
	DWORD dwMinimumBytesToRead = 0;
	PBYTE pTemp = NULL;

	// The initial size of the buffer is not big enough to read a record, but ReadEventLog
	// requires a valid pointer. The ReadEventLog function will fail and return the required 
	// buffer size; reallocate the buffer to the required size.
	pBuffer= (PBYTE)malloc(sizeof(EVENTLOGRECORD));

	// Get the required buffer size, reallocate the buffer and then read the event record.
	if (!ReadEventLog(hEventLog, dwFlags, dwRecordNumber, pBuffer, dwBytesToRead, &dwBytesRead, &dwMinimumBytesToRead))
	{
		status = GetLastError();
		if (ERROR_INSUFFICIENT_BUFFER == status)
		{
			status = ERROR_SUCCESS;

			pTemp = (PBYTE)realloc(pBuffer, dwMinimumBytesToRead);
			if (NULL == pTemp)
			{
				wprintf(L"Failed to reallocate memory for the record buffer (%d bytes).\n", dwMinimumBytesToRead);
				goto cleanup;
			}

			pBuffer = pTemp;

			dwBytesToRead = dwMinimumBytesToRead;

			if (!ReadEventLog(hEventLog, dwFlags, dwRecordNumber, pBuffer, dwBytesToRead, &dwBytesRead, &dwMinimumBytesToRead))
			{
				wprintf(L"Second ReadEventLog failed with %lu.\n", status = GetLastError());
				goto cleanup;
			}
		}
		else 
		{
			if (ERROR_HANDLE_EOF != status)
			{
				wprintf(L"ReadEventLog failed with %lu.\n", status);
				goto cleanup;
			}
		}
	}

cleanup:

	return status;
}
//-------------------------------------------------
void EventScanAlgorithm::getEvent(const std::string& logName, EVENT_TYPE type)
{
    HANDLE hEventLog;
    EVENTLOGRECORD* eventInfo;
    DWORD noteSize, nextNoteSize;
    BYTE buffer[BUFFER_SIZE];

    static int eventLogCounter = 0;


    hEventLog = OpenEventLog(NULL, std::wstring(logName.begin(), logName.end()).c_str());
    if(hEventLog == NULL)
        std::cout << "Could not open event log!";

    eventInfo = (EVENTLOGRECORD*)&buffer;
    //GetOldestEventLogRecord(hEventLog, &eventLogCounter);


    while(ReadEventLog(hEventLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                       0, eventInfo, BUFFER_SIZE, &noteSize, &nextNoteSize))
    {
        while(noteSize > 0)
        {
            // Show event that contains a specified type.
            if(eventInfo->EventType & type)
            {
                std::cout << eventLogCounter++;
                showEvent(eventInfo);
            }

            noteSize -= eventInfo->Length;
            eventInfo = (EVENTLOGRECORD*)((LPBYTE)eventInfo + eventInfo->Length); // Next record.

        }
        eventInfo = (EVENTLOGRECORD*)&buffer;
    }
    CloseHandle(hEventLog);
}
Exemple #3
0
bool CWfpNET::EventLog_get(void)
{
	HANDLE h;
    EVENTLOGRECORD *pevlr; 
    BYTE bBuffer[8192]; 
    DWORD dwRead, dwNeeded, dwThisRecord = 0;
	CString tmp, event;
	char *cp;
	char *pSourceName;
	char *pComputerName;

    if((h = OpenEventLog(node.szComputerM, _T("Security"))) == NULL)
	{
		ErrorHandler("OpenEventLog", GetLastError());
		return false;
	}
    
    pevlr = (EVENTLOGRECORD *)&bBuffer; 
 
    // Opening the event log positions the file pointer for this 
    // handle at the beginning of the log. Read the records 
    // sequentially until there are no more. 
 
    while(ReadEventLog(h,                // event log handle 
		EVENTLOG_FORWARDS_READ |  // reads forward 
        EVENTLOG_SEQUENTIAL_READ, // sequential read 
        0,			  // ignored for sequential reads 
        pevlr,        // pointer to buffer 
        8192,		  // size of buffer 
        &dwRead,      // number of bytes read 
        &dwNeeded))   // bytes in next record 
    {
        while(dwRead > 0) 
        { 
            // Print the event identifier, type, and source name. 
            // The source name is just past the end of the 
            // formal structure. 
 
            tmp.Format(_T("\t%02d  Event ID: 0x%08X "), 
                dwThisRecord++, pevlr->EventID);
			event.operator +=(tmp);
			char buf[26];
			ctime_s(buf, 26, (const time_t *)&pevlr->TimeGenerated);
			tmp.Format("Time Generated: %s", buf);
			event.operator +=(tmp);
			ctime_s(buf, 26, (const time_t *)&pevlr->TimeWritten);
			tmp.Format("Time Written: %s", buf);
			event.operator +=(tmp);
			switch(pevlr->EventType)
			{
				case EVENTLOG_ERROR_TYPE: event.operator +=("Error Event\n"); break;
				case EVENTLOG_WARNING_TYPE: event.operator +=("Warning Event\n"); break;
				case EVENTLOG_INFORMATION_TYPE: event.operator +=("Information Event\n"); break;
				case EVENTLOG_AUDIT_SUCCESS: event.operator +=("Success Audit Event\n"); break;
				case EVENTLOG_AUDIT_FAILURE: event.operator +=("Failure Audit Event\n"); break;
				default: event.operator +=("Unknown\n"); break;
			}

			cp = (char *)pevlr;
			cp += sizeof(EVENTLOGRECORD);

			pSourceName = cp;
			cp += strlen(cp)+1;

			pComputerName = cp;
			cp += strlen(cp)+1;

			tmp.Format("SourceName: %s\n", pSourceName);
			event.operator +=(tmp);
			tmp.Format("ComputerName: %s\n", pComputerName);
			event.operator +=(tmp);
			EventLog.Add(event);
            dwRead -= pevlr->Length; 
            pevlr = (EVENTLOGRECORD *)((LPBYTE) pevlr + pevlr->Length); 
        } 
        pevlr = (EVENTLOGRECORD *) &bBuffer; 
	}
	return(1);
}
Exemple #4
0
/** void readel(os_el *el)
 * Reads the event log.
 */
void readel(os_el *el, int printit)
{
    DWORD _evtid = 65535;
    DWORD nstr;
    DWORD user_size;
    DWORD domain_size;
    DWORD read, needed;
    int size_left;
    int str_size;
    int id;

    char mbuffer[BUFFER_SIZE +1];
    LPSTR sstr = NULL;

    char *tmp_str = NULL;
    char *category;
    char *source;
    char *computer_name;
    char *descriptive_msg;

    char el_user[OS_FLSIZE +1];
    char el_domain[OS_FLSIZE +1];
    char el_string[OS_MAXSTR +1];
    char final_msg[OS_MAXSTR +1];
    LPSTR el_sstring[OS_FLSIZE +1];

    /* Er must point to the mbuffer */
    el->er = (EVENTLOGRECORD *) &mbuffer;

    /* Zeroing the values */
    el_string[OS_MAXSTR] = '\0';
    el_user[OS_FLSIZE] = '\0';
    el_domain[OS_FLSIZE] = '\0';
    final_msg[OS_MAXSTR] = '\0';
    el_sstring[0] = NULL;
    el_sstring[OS_FLSIZE] = NULL;


    /* Event log is not open */
    if(!el->h)
    {
        return;
    }

    /* Reading the event log */	
    while(ReadEventLog(el->h,
                EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                0,
                el->er, BUFFER_SIZE -1, &read, &needed))
    {
        if(!printit)
        {
            /* Setting er to the beginning of the buffer */
            el->er = (EVENTLOGRECORD *)&mbuffer;
            continue;
        }


        while(read > 0)
        {

            /* We need to initialize every variable before the loop */
            category = el_getCategory(el->er->EventType);
            source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
            computer_name = source + strlen(source) + 1;
            descriptive_msg = NULL;


            /* Getting event id. */
            id = (int)el->er->EventID & _evtid;



            /* Initialing domain/user size */
            user_size = 255; domain_size = 255;
            el_domain[0] = '\0';
            el_user[0] = '\0';



            /* We must have some description */
            if(el->er->NumStrings)
            {	
                size_left = OS_MAXSTR - OS_SIZE_1024;	

                sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
                el_string[0] = '\0';

                for (nstr = 0;nstr < el->er->NumStrings;nstr++)
                {
                    str_size = strlen(sstr);
                    if(size_left > 1)
                    {
                        strncat(el_string, sstr, size_left);
                    }

                    tmp_str = strchr(el_string, '\0');
                    if(tmp_str)
                    {
                        *tmp_str = ' ';		
                        tmp_str++; *tmp_str = '\0';
                    }
                    else
                    {
                        merror("%s: Invalid application string (size+)",
                               ARGV0);
                    }
                    size_left-=str_size + 2;

                    if(nstr <= 92)
                    {
                        el_sstring[nstr] = (LPSTR)sstr;
                        el_sstring[nstr +1] = NULL;
                    }

                    sstr = strchr( (LPSTR)sstr, '\0');
                    if(sstr)
                        sstr++;
                    else
                        break;
                }

                /* Get a more descriptive message (if available) */
                if(isVista && strcmp(el->name, "Security") == 0)
                {
                    descriptive_msg = el_vista_getMessage(id, el_sstring);
                }

                else
                {
                    descriptive_msg = el_getMessage(el->er,
                                                    el->name,
                                                    source,
                                                    el_sstring);
                }

                if(descriptive_msg != NULL)
                {
                    /* Remove any \n or \r */
                    /* Replace tabs from the argument field to spaces.
                     * So whenever we have option:\tvalue\t, it will
                     * become option: value\t
                     */
                    tmp_str = descriptive_msg;
                    while(*tmp_str != '\0')
                    {
                        if(*tmp_str == '\n')
                            *tmp_str = ' ';
                        else if(*tmp_str == '\r')
                            *tmp_str = ' ';
                        else if((*tmp_str == ':') && (tmp_str[1] == '\t'))
                        {
                            tmp_str[1] = ' ';
                            tmp_str++;
                        }

                        tmp_str++;
                    }
                }
            }
            else
            {
                strncpy(el_string, "(no message)", 128);	
            }


            /* Getting username */
            if(el->er->UserSidLength)
            {
                SID_NAME_USE account_type;
                if(!LookupAccountSid(NULL,
                                    (SID *)((LPSTR)el->er +
                                    el->er->UserSidOffset),
                                    el_user,
                                    &user_size,
                                    el_domain,
                                    &domain_size,
                                    &account_type))		
                {
                    strncpy(el_user, "(no user)", 255);
                    strncpy(el_domain, "no domain", 255);
                }

            }

            else if(isVista && strcmp(el->name, "Security") == 0)
            {
                int uid_array_id = -1;

                switch(id)
                {
                    case 4624:
                        uid_array_id = 5;
                        break;
                    case 4634:
                        uid_array_id = 1;
                        break;
                    case 4647:
                        uid_array_id = 1;
                        break;
                    case 4769:
                        uid_array_id = 0;
                        break;
                }

                if((uid_array_id >= 0) &&
                   el_sstring[uid_array_id] &&
                   el_sstring[uid_array_id +1])
                {
                    strncpy(el_user, el_sstring[uid_array_id], OS_FLSIZE);
                    strncpy(el_domain, el_sstring[uid_array_id +1], OS_FLSIZE);
                }
                else
                {
                    strncpy(el_user, "(no user)", 255);
                    strncpy(el_domain, "no domain", 255);
                }
            }

            else
            {
                strncpy(el_user, "(no user)", 255);	
                strncpy(el_domain, "no domain", 255);	
            }


            if(printit)
            {
                DWORD _evtid = 65535;
                int id = (int)el->er->EventID & _evtid;

                final_msg[OS_MAXSTR - OS_LOG_HEADER] = '\0';
                final_msg[OS_MAXSTR - OS_LOG_HEADER -1] = '\0';

                snprintf(final_msg, OS_MAXSTR - OS_LOG_HEADER -1,
                        "WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s",
                        el->name,
                        category,
                        id,
                        source,
                        el_user,
                        el_domain,
                        computer_name,
                        descriptive_msg != NULL?descriptive_msg:el_string);	

                if(SendMSG(logr_queue, final_msg, "WinEvtLog",
                            LOCALFILE_MQ) < 0)
                {
                    merror(QUEUE_SEND, ARGV0);
                }
            }

            if(descriptive_msg != NULL)
            {
                LocalFree(descriptive_msg);
            }

            /* Changing the point to the er */
            read -= el->er->Length;
            el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
        }		

        /* Setting er to the beginning of the buffer */	
        el->er = (EVENTLOGRECORD *)&mbuffer;
    }


    id = GetLastError();
    if(id == ERROR_HANDLE_EOF)
    {
        return;
    }


    /* Event log was cleared. */
    else if(id == ERROR_EVENTLOG_FILE_CHANGED)
    {
        char msg_alert[512 +1];
        msg_alert[512] = '\0';
        merror("%s: WARN: Event log cleared: '%s'", ARGV0, el->name);


        /* Send message about cleared */
        snprintf(msg_alert, 512, "ossec: Event log cleared: '%s'", el->name);
        SendMSG(logr_queue, msg_alert, "WinEvtLog", LOCALFILE_MQ);


        /* Closing the event log and reopenning. */
        CloseEventLog(el->h);
        el->h = NULL;

        /* Reopening. */
        if(startEL(el->name, el) < 0)
        {
            merror("%s: ERROR: Unable to reopen event log '%s'",
                   ARGV0, el->name);
        }
    }

    else
    {
        debug1("%s: WARN: Error reading event log: %d", ARGV0, id);
    }
}
Exemple #5
0
/* get Nth error from event log. 1 is the first. */
static int	zbx_get_eventlog_message(const wchar_t *wsource, HANDLE eventlog_handle, DWORD which, char **out_source,
		char **out_message, unsigned short *out_severity, unsigned long *out_timestamp,
		unsigned long *out_eventid)
{
	const char	*__function_name = "zbx_get_eventlog_message";
	int		buffer_size = 512;
	EVENTLOGRECORD	*pELR = NULL;
	DWORD		dwRead, dwNeeded, dwErr;
	wchar_t 	*pEventMessageFile = NULL, *pParamMessageFile = NULL, *pFile = NULL, *pNextFile = NULL, *pCh,
			*aInsertStrings[MAX_INSERT_STRS];
	HINSTANCE	hLib = NULL, hParamLib = NULL;
	long		i, err = 0;
	int		ret = FAIL;

	zabbix_log(LOG_LEVEL_DEBUG, "In %s() lastlogsize:%lu", __function_name, which);

	*out_source = NULL;
	*out_message = NULL;
	*out_severity = 0;
	*out_timestamp = 0;
	*out_eventid = 0;
	memset(aInsertStrings, 0, sizeof(aInsertStrings));

	pELR = (EVENTLOGRECORD *)zbx_malloc((void *)pELR, buffer_size);

	while (0 == ReadEventLog(eventlog_handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, which,
			pELR, buffer_size, &dwRead, &dwNeeded))
	{
		if (ERROR_INSUFFICIENT_BUFFER != (dwErr = GetLastError()))
		{
			zabbix_log(LOG_LEVEL_DEBUG, "%s(): %s", __function_name, strerror_from_system(dwErr));
			goto out;
		}

		buffer_size = dwNeeded;
		pELR = (EVENTLOGRECORD *)zbx_realloc((void *)pELR, buffer_size);
	}

	*out_severity = pELR->EventType;				/* return event type */
	*out_timestamp = pELR->TimeGenerated;				/* return timestamp */
	*out_eventid = pELR->EventID & 0xffff;
	*out_source = zbx_unicode_to_utf8((wchar_t *)(pELR + 1));	/* copy source name */

	/* get message file names */
	zbx_get_message_files(wsource, (wchar_t *)(pELR + 1), &pEventMessageFile, &pParamMessageFile);

	/* prepare insert string array */
	if (0 < pELR->NumStrings)
	{
		pCh = (wchar_t *)((unsigned char *)pELR + pELR->StringOffset);

		for (i = 0; i < pELR->NumStrings && i < MAX_INSERT_STRS; i++)
		{
			aInsertStrings[i] = pCh;
			pCh += wcslen(pCh) + 1;
		}
	}

	err = FAIL;

	for (pFile = pEventMessageFile; NULL != pFile && err != SUCCEED; pFile = pNextFile)
	{
		if (NULL != (pNextFile = wcschr(pFile, TEXT(';'))))
		{
			*pNextFile = '\0';
			pNextFile++;
		}

		if (NULL != (hLib = zbx_load_message_file(pFile)))
		{
			if (NULL != (*out_message = zbx_format_message(hLib, pELR->EventID, aInsertStrings)))
			{
				err = SUCCEED;

				if (NULL != (hParamLib = zbx_load_message_file(pParamMessageFile)))
				{
					zbx_translate_message_params(out_message, hParamLib);
					FreeLibrary(hParamLib);
				}
			}

			FreeLibrary(hLib);
		}
	}

	zbx_free(pEventMessageFile);
	zbx_free(pParamMessageFile);

	if (SUCCEED != err)
	{
		*out_message = zbx_strdcatf(*out_message, "The description for Event ID:%lu in Source:'%s'"
				" cannot be found. The local computer may not have the necessary registry"
				" information or message DLL files to display messages from a remote computer.",
				*out_eventid, NULL == *out_source ? "" : *out_source);

		if (0 < pELR->NumStrings)
		{
			char	*buf;

			*out_message = zbx_strdcat(*out_message, " The following information is part of the event: ");

			for (i = 0, pCh = (wchar_t *)((unsigned char *)pELR + pELR->StringOffset);
					i < pELR->NumStrings;
					i++, pCh += wcslen(pCh) + 1)
			{
				if (0 < i)
					*out_message = zbx_strdcat(*out_message, "; ");

				buf = zbx_unicode_to_utf8(pCh);
				*out_message = zbx_strdcat(*out_message, buf);
				zbx_free(buf);
			}
		}
	}

	ret = SUCCEED;
out:
	zbx_free(pELR);

	zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s", __function_name, zbx_result_string(ret));

	return ret;
}
Exemple #6
0
static void read_event_log(void) {
	DWORD status = ERROR_SUCCESS;
	DWORD bytes_to_read = 0;
	DWORD bytes_read = 0;
	DWORD minimum_bytes_to_read = 0;
	PBYTE temp = NULL;

	if (_record_buffer == NULL) {
		bytes_to_read = MAX_RECORD_BUFFER_SIZE;
		_record_buffer = (PBYTE)malloc(bytes_to_read);

		if (_record_buffer == NULL) {
			report_error("Could not allocate record buffer");

			return;
		}
	}

	while (status == ERROR_SUCCESS) {
		if (!ReadEventLog(_event_log,
		                  EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
		                  0,
		                  _record_buffer,
		                  bytes_to_read,
		                  &bytes_read,
		                  &minimum_bytes_to_read)) {
			status = GetLastError();

			if (status == ERROR_INSUFFICIENT_BUFFER) {
				status = ERROR_SUCCESS;
				temp = (PBYTE)realloc(_record_buffer, minimum_bytes_to_read);

				if (temp == NULL) {
					report_error("Could not reallocate record buffer to %u bytes",
					             minimum_bytes_to_read);

					return;
				}

				_record_buffer = temp;
				bytes_to_read = minimum_bytes_to_read;
			} else if (status != ERROR_HANDLE_EOF) {
				report_error("Could not read event log: %s (%d)",
				             get_error_name(status), status);

				return;
			}
		} else {
			PBYTE record = _record_buffer;
			PBYTE end_of_records = _record_buffer + bytes_read;
			char timestamp[MAX_TIMESTAMP_LENGTH];
			const char *level;
			const char *source;
			const char *message;

			while (record < end_of_records) {
				if (strcmp((const char *)(record + sizeof(EVENTLOGRECORD)), "Brick Daemon") == 0) {
					format_timestamp(((PEVENTLOGRECORD)record)->TimeGenerated, -1,
					                 timestamp, sizeof(timestamp), "-", " ", ":");

					switch (((PEVENTLOGRECORD)record)->EventType) {
					case EVENTLOG_ERROR_TYPE:
						level = "Error";
						break;

					case EVENTLOG_WARNING_TYPE:
						level = "Warn";
						break;

					case EVENTLOG_INFORMATION_TYPE:
						level = "Info";
						break;

					case EVENTLOG_AUDIT_SUCCESS:
						level = "Audit Success";
						break;

					case EVENTLOG_AUDIT_FAILURE:
						level = "Audit Failure";
						break;

					default:
						level = "Unknown";
						break;
					}

					switch (((PEVENTLOGRECORD)record)->EventID) {
					case BRICKD_GENERIC_WARNING:
					case BRICKD_GENERIC_ERROR:
						source = "Generic";
						break;

					case BRICKD_LIBUSB_WARNING:
					case BRICKD_LIBUSB_ERROR:
						source = "Libusb";
						break;

					default:
						source = "Unknown";
						break;
					}

					if (((PEVENTLOGRECORD)record)->NumStrings > 0) {
						message = (const char *)(record + ((PEVENTLOGRECORD)record)->StringOffset);
					} else {
						message = "Unknown";
					}

					append_event_item(timestamp, level, source, message);
				}

				record += ((PEVENTLOGRECORD)record)->Length;
			}
		}
	}
}
Exemple #7
0
/** void readel(os_el *el)
 * Reads the event log.
 */
void readel(os_el *el, int printit)
{
    DWORD nstr;
    DWORD user_size;
    DWORD domain_size;
    DWORD read, needed;
    int size_left;
    int str_size;

    char mbuffer[BUFFER_SIZE];
    LPSTR sstr = NULL;

    char *tmp_str = NULL;
    char *category;
    char *source;
    char *computer_name;
    char *descriptive_msg;

    char el_user[257];
    char el_domain[257];
    char el_string[1025];
    char final_msg[1024];
    LPSTR el_sstring[57];

    /* Er must point to the mbuffer */
    el->er = (EVENTLOGRECORD *) &mbuffer;

    /* Zeroing the last values */
    el_string[1024] = '\0';
    el_user[256] = '\0';
    el_domain[256] = '\0';
    final_msg[1023] = '\0';
    el_sstring[56] = NULL;

    /* Reading the event log */	
    while(ReadEventLog(el->h,
                EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                0,
                el->er, BUFFER_SIZE -1, &read, &needed))
    {
        while(read > 0)
        {

            /* We need to initialize every variable before the loop */
            category = el_getCategory(el->er->EventType);
            source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
            computer_name = source + strlen(source) + 1;
            descriptive_msg = NULL;


            /* Initialing domain/user size */
            user_size = 255; domain_size = 255;
            el_domain[0] = '\0';
            el_user[0] = '\0';


            /* We must have some description */
            if(el->er->NumStrings)
            {	
                size_left = 1020;	

                sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
                el_string[0] = '\0';

                for (nstr = 0;nstr < el->er->NumStrings;nstr++)
                {
                    str_size = strlen(sstr);	
                    strncat(el_string, sstr, size_left);

                    tmp_str= strchr(el_string, '\0');
                    if(tmp_str)
                    {
                        *tmp_str = ' ';		
                        tmp_str++; *tmp_str = '\0';
                    }
                    size_left-=str_size + 1;

                    if(nstr <= 54)
                        el_sstring[nstr] = (LPSTR)sstr;

                    sstr = strchr( (LPSTR)sstr, '\0');
                    sstr++;
                }

                /* Get a more descriptive message (if available) */
                descriptive_msg = el_getMessage(el->er, el->name, source,
                                                        el_sstring);
                if(descriptive_msg != NULL)
                {
                    /* Remove any \n or \r */
                    tmp_str = descriptive_msg;
                    while((tmp_str = strchr(tmp_str, '\n')))
                    {
                        *tmp_str = ' ';
                        tmp_str++;		
                    }			

                    tmp_str = descriptive_msg;
                    while((tmp_str = strchr(tmp_str, '\r')))
                    {
                        *tmp_str = ' ';
                        tmp_str++;		
                    }			
                }
            }
            else
            {
                strncpy(el_string, "(no message)", 1020);	
            }


            /* Getting username */
            if (el->er->UserSidLength)
            {
                SID_NAME_USE account_type;
                if(!LookupAccountSid(NULL, (SID *)((LPSTR)el->er + el->er->UserSidOffset),
                            el_user, &user_size, el_domain, &domain_size, &account_type))		
                {
                    strncpy(el_user, "(no user)", 255);
                    strncpy(el_domain, "no domain", 255);
                }

            }

            else
            {
                strncpy(el_user, "(no user)", 255);	
                strncpy(el_domain, "no domain", 255);	
            }


            if(printit)
            {
                DWORD _evtid = 65535;
                int id = (int)el->er->EventID & _evtid;

                snprintf(final_msg, 1022,
                        "%d WinEvtLog: %s: %s(%d): %s: %s(%s): %s",
        		        (int)el->er->TimeGenerated,	
                        el->name,
                        category,
                        id,
                        source,
                        el_user,
                        el_domain,
                        descriptive_msg != NULL?descriptive_msg:el_string);	

	       	fprintf(fp, "%s\n", final_msg);	
            }

            if(descriptive_msg != NULL)
                LocalFree(descriptive_msg);

            /* Changing the point to the er */
            read -= el->er->Length;
            el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
        }		

        /* Setting er to the beginning of the buffer */	
        el->er = (EVENTLOGRECORD *)&mbuffer;
    }
}
Exemple #8
0
/* get Nth error from event log. 1 is the first. */
static int	zbx_get_eventlog_message(LPCTSTR wsource, HANDLE eventlog_handle, long which, char **out_source, char **out_message,
		unsigned short *out_severity, unsigned long *out_timestamp, unsigned long *out_eventid)
{
	const char	*__function_name = "zbx_get_eventlog_message";
	int		buffer_size = 512;
	EVENTLOGRECORD	*pELR = NULL;
	DWORD		dwRead, dwNeeded, dwErr;
	TCHAR		stat_buf[MAX_PATH], MsgDll[MAX_PATH];
	HKEY		hk = NULL;
	LPTSTR		pFile = NULL, pNextFile = NULL;
	DWORD		szData, Type;
	HINSTANCE	hLib = NULL;				/* handle to the messagetable DLL */
	LPTSTR		pCh, aInsertStrs[MAX_INSERT_STRS];	/* array of pointers to insert */
	LPTSTR		msgBuf = NULL;				/* hold text of the error message */
	char		*buf = NULL;
	long		i, err = 0;
	int		ret = FAIL;

	zabbix_log(LOG_LEVEL_DEBUG, "In %s() which:%ld", __function_name, which);

	*out_source	= NULL;
	*out_message	= NULL;
	*out_severity	= 0;
	*out_timestamp	= 0;
	*out_eventid	= 0;
	memset(aInsertStrs, 0, sizeof(aInsertStrs));

	pELR = (EVENTLOGRECORD *)zbx_malloc((void *)pELR, buffer_size);
retry:
	if (0 == ReadEventLog(eventlog_handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, which,
			pELR, buffer_size, &dwRead, &dwNeeded))
	{
		dwErr = GetLastError();
		if (dwErr == ERROR_INSUFFICIENT_BUFFER)
		{
			buffer_size = dwNeeded;
			pELR = (EVENTLOGRECORD *)zbx_realloc((void *)pELR, buffer_size);
			goto retry;
		}
		else
		{
			zabbix_log(LOG_LEVEL_DEBUG, "%s(): %s", __function_name, strerror_from_system(dwErr));
			goto out;
		}
	}

	*out_severity	= pELR->EventType;			/* return event type */
	*out_timestamp	= pELR->TimeGenerated;			/* return timestamp */
	*out_eventid	= pELR->EventID & 0xffff;
	*out_source	= zbx_unicode_to_utf8((LPTSTR)(pELR + 1));	/* copy source name */

	err = FAIL;

	/* prepare the array of insert strings for FormatMessage - the
	insert strings are in the log entry. */
	for (i = 0, pCh = (LPTSTR)((LPBYTE)pELR + pELR->StringOffset);
			i < pELR->NumStrings && i < MAX_INSERT_STRS;
			i++, pCh += zbx_strlen(pCh) + 1) /* point to next string */
	{
		aInsertStrs[i] = pCh;
	}

	/* Get path to message dll */
	zbx_wsnprintf(stat_buf, MAX_PATH, EVENTLOG_REG_PATH TEXT("%s\\%s"), wsource, (LPTSTR)(pELR + 1));

	if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_LOCAL_MACHINE, stat_buf, 0, KEY_READ, &hk))
	{
		if (ERROR_SUCCESS == RegQueryValueEx(hk, TEXT("EventMessageFile"), NULL, &Type, NULL, &szData))
		{
			buf = zbx_malloc(buf, szData);
			if (ERROR_SUCCESS == RegQueryValueEx(hk, TEXT("EventMessageFile"), NULL, &Type, (LPBYTE)buf, &szData))
				pFile = (LPTSTR)buf;
		}

		RegCloseKey(hk);
	}

	err = FAIL;

	while (NULL != pFile && FAIL == err)
	{
		if (NULL != (pNextFile = zbx_strchr(pFile, ';')))
		{
			*pNextFile = '\0';
			pNextFile++;
		}

		if (ExpandEnvironmentStrings(pFile, MsgDll, MAX_PATH))
		{
			if (NULL != (hLib = LoadLibraryEx(MsgDll, NULL, LOAD_LIBRARY_AS_DATAFILE)))
			{
				/* Format the message from the message DLL with the insert strings */
				if (0 != FormatMessage(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER |
						FORMAT_MESSAGE_ARGUMENT_ARRAY | FORMAT_MESSAGE_FROM_SYSTEM |
						FORMAT_MESSAGE_MAX_WIDTH_MASK,	/* do not generate new line breaks */
						hLib,				/* the messagetable DLL handle */
						pELR->EventID,			/* message ID */
						MAKELANGID(LANG_NEUTRAL, SUBLANG_ENGLISH_US),	/* language ID */
						(LPTSTR)&msgBuf,		/* address of pointer to buffer for message */
						0,
						(va_list *)aInsertStrs))	/* array of insert strings for the message */
				{
					*out_message = zbx_unicode_to_utf8(msgBuf);
					zbx_rtrim(*out_message, "\r\n ");

					/* Free the buffer that FormatMessage allocated for us. */
					LocalFree((HLOCAL)msgBuf);

					err = SUCCEED;
				}
				FreeLibrary(hLib);
			}
		}
		pFile = pNextFile;
	}

	zbx_free(buf);

	if (SUCCEED != err)
	{
		*out_message = zbx_strdcatf(*out_message, "The description for Event ID (%lu) in Source (%s) cannot be found."
				" The local computer may not have the necessary registry information or message DLL files to"
				" display messages from a remote computer.", *out_eventid, NULL == *out_source ? "" : *out_source);
		if (pELR->NumStrings)
			*out_message = zbx_strdcatf(*out_message, " The following information is part of the event: ");
		for (i = 0; i < pELR->NumStrings && i < MAX_INSERT_STRS; i++)
		{
			if (i > 0)
				*out_message = zbx_strdcatf(*out_message, "; ");
			if (aInsertStrs[i])
			{
				buf = zbx_unicode_to_utf8(aInsertStrs[i]);
				*out_message = zbx_strdcatf(*out_message, "%s", buf);
				zbx_free(buf);
			}
		}
	}

	ret = SUCCEED;
out:
	zbx_free(pELR);

	zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s", __function_name, zbx_result_string(ret));

	return ret;
}
Exemple #9
0
	/*--------------------------[ ernoReadEventLog ]--------------------------
	* Wrapper to ReadEventLogm which increases buffer size if needed 
	*
	* After this function call, record points to allocated structure. This function will handle any free operation needed, as record struct is static
	*
	*	Returns:
	*		error		0 - use GetLastError
	*		success		bytes read
	*----------------------------------------------------------------------------*/
	int ernoReadEventLog(HANDLE hLog,DWORD flags,DWORD offset, DWORD *BytesRead,DWORD *BytesNeeded) {
		int Status, lastError;
		unsigned int multiple;

		//Allocate standard buffer if needed
		if (eventBuffer==NULL) {
			eventBuffer=(char*)malloc(EVENTLOG_BUFFER_LEN); //Standard size
			if (eventBuffer==NULL) {
				logger(Error,"Failed to allocate standard buffer of %d bytes of memory.",EVENTLOG_BUFFER_LEN);
				return 0; //Error
			}
			eventBufferSize=EVENTLOG_BUFFER_LEN;
		}

		record=(EVENTLOGRECORD *)eventBuffer;

		//Allocate bigger buffer if needed
		//
		//Executes until big enough memory has been allocated and used, or function fails.
		while (true){
			Status=ReadEventLog(hLog, flags,offset, record, eventBufferSize, BytesRead, BytesNeeded);
			if (Status!=0)
				return Status; //We're done

			//Potential problem here
			lastError=GetLastError();
			switch(lastError) {
			case ERROR_INSUFFICIENT_BUFFER:
				free(eventBuffer);
				record=NULL;
				eventBuffer=NULL;
				eventBufferSize=0;
				multiple=2;
				while(EVENTLOG_BUFFER_LEN*multiple<(*BytesNeeded)) {
					multiple=multiple*2;
					if(EVENTLOG_BUFFER_LEN*multiple>3000000) {
						logger(Error,"SyslogAgent rejected suggested needed memory allocation of %d bytes from system to process message. Possible permanent error",*BytesNeeded);
						return 0;
					}
				}
				eventBuffer=(char*)malloc(EVENTLOG_BUFFER_LEN*multiple);
				if (eventBuffer==NULL) {
					logger(Error,"Failed to allocate %d bytes of memory.",EVENTLOG_BUFFER_LEN*multiple);
					return 0; //Error
				}
				record=(EVENTLOGRECORD *)eventBuffer;
				eventBufferSize=EVENTLOG_BUFFER_LEN*multiple;
				continue;
			case ERROR_INVALID_PARAMETER: //read past the end - no more to read
			case ERROR_HANDLE_EOF: //read empty event log - no problems
				*BytesRead=0;
				return 0;
			default:

				DEBUGSERVICE(Message,"ReadEventLog failed with error code %d.",lastError);

				return 0; //Do not want to spam recipient. A better error reporting is needed first...
			}
		}
		return Status;
	}
Exemple #10
0
/* イベントログの読み取り */
void ReadLog(void)
{
	DWORD BufSize;
	DWORD ReadBytes;
	DWORD NextSize;
	BOOL bResult;
	DWORD i;
	char *cp;
	char *pSourceName;
	char *pComputerName;
	HANDLE hEventLog = NULL;
	EVENTLOGRECORD *pBuf = NULL;
	char **Args = NULL;

	/* イベントログのオープン */
	hEventLog = OpenEventLog(NULL, "Application");

	if(hEventLog == NULL) {
		printf("event log can not open.\n");
		goto Exit;
	}

	for(;;) {
		/* イベントログのサイズ取得 */
		BufSize = 1;
		pBuf = (EVENTLOGRECORD *)GlobalAlloc(GMEM_FIXED, BufSize);

		bResult = ReadEventLog(
			hEventLog,
			EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
			0,
			pBuf,
			BufSize,
			&ReadBytes,
			&NextSize);

		if(!bResult && GetLastError() != ERROR_INSUFFICIENT_BUFFER) break;

		GlobalFree(pBuf);
		pBuf = NULL;

		/* バッファ割り当て */
		BufSize = NextSize;
		pBuf = (EVENTLOGRECORD *)GlobalAlloc(GMEM_FIXED, BufSize);

		/* イベントログの読み取り */
		bResult = ReadEventLog(
			hEventLog,
			EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
			0,
			pBuf,
			BufSize,
			&ReadBytes,
			&NextSize);

		if(!bResult) break;

		eventlog_record rec( pBuf );

		/* 読み取ったイベントの表示 */
		printf("レコード番号: %d\n", rec.RecordNumber() );
		time_t t = rec.TimeGenerated();
		printf("生成時刻: %s", ctime( &t ) );
		t = rec.TimeWritten();
		printf("書き込み時刻: %s", ctime( &t ) );
		printf("イベントID: %08x\n", rec.EventID() );

		printf( "イベントの種別: %s\n", rec.EventTypeText().c_str() );

		cp = (char *)pBuf;
		cp += sizeof(EVENTLOGRECORD);

		pSourceName = cp;
		cp += strlen(cp)+1;

		pComputerName = cp;
		cp += strlen(cp)+1;

		printf("ソース名: %s\n", rec.SourceName().c_str() );
		printf("コンピュータ名: %s\n", rec.ComputerName().c_str() );

		/* カテゴリの表示 */
		printf("二次カテゴリ: ", pBuf->EventCategory);
		DispMessage(pSourceName, "CategoryMessageFile", NULL, pBuf->EventCategory);

		/* メッセージの表示 */
		Args = GetArgs(pBuf);

		printf("メッセージ: ");
		DispMessage(pSourceName, "EventMessageFile", (const char **)Args, pBuf->EventID);

		if(Args != NULL) {
			GlobalFree(Args);
			Args = NULL;
		}

		/* 固有データの表示 */
		if(pBuf->DataLength > 0) {
			printf("固有データ: ");
			for(i=0; i<pBuf->DataLength; i++) printf("%02x ", *(((unsigned char *)pBuf)+(pBuf->DataOffset)+i));
			printf("\n");
		}

		printf("\n");

		/* バッファ解放 */
		GlobalFree(pBuf);
		pBuf = NULL;
	}

Exit: /* 後処理 */
	if(pBuf != NULL) GlobalFree(pBuf);
	if(Args != NULL) GlobalFree(Args);
	if(hEventLog != NULL) CloseEventLog(hEventLog);
}
/*
 * Reads one record from an event log
 *
 * TLVs:
 *
 * req: TLV_TYPE_EVENT_HANDLE        - The event log handle
 * req: TLV_TYPE_EVENT_READFLAGS     - The flags for the read operation
 * opt: TLV_TYPE_EVENT_RECORDOFFSET  - The record offset for SEEK operations
 */
DWORD request_sys_eventlog_read(Remote * remote, Packet * packet)
{
	Packet * response = packet_create_response(packet);
	HANDLE hEvent = NULL;
	DWORD readFlags = 0, recordOffset = 0, bytesRead, bytesNeeded;
	DWORD result = ERROR_SUCCESS;
	EVENTLOGRECORD * buf = NULL;
	BYTE * str = NULL;

	hEvent       = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE);
	readFlags    = (DWORD)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_READFLAGS);
	recordOffset = (DWORD)packet_get_tlv_value_uint(packet, TLV_TYPE_EVENT_RECORDOFFSET);

	do {
		if(!hEvent || !readFlags) {
			result = ERROR_INVALID_PARAMETER;
			break;
		}

		/* get the length of the next record, ghettoly */
		if(ReadEventLog(hEvent, readFlags, recordOffset,
		    &bytesRead, 0, &bytesRead, &bytesNeeded
		  ) != 0 || GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
			result = GetLastError();
			// packet_add_raw(response, TLV_TYPE_EVENT_BYTESNEEDED)
			break;
		}

		if((buf = malloc(bytesNeeded)) == NULL) {
			result = ERROR_NOT_ENOUGH_MEMORY;
			break;
		}

		if(ReadEventLog(hEvent, readFlags, recordOffset,
		    buf, bytesNeeded, &bytesRead, &bytesNeeded
		  ) == 0) {
			result = GetLastError();
			// packet_add_raw(response, TLV_TYPE_EVENT_BYTESNEEDED)
			break;
		}

		packet_add_tlv_uint(response, TLV_TYPE_EVENT_RECORDNUMBER, buf->RecordNumber);
		packet_add_tlv_uint(response, TLV_TYPE_EVENT_TIMEGENERATED, buf->TimeGenerated);
		packet_add_tlv_uint(response, TLV_TYPE_EVENT_TIMEWRITTEN, buf->TimeWritten);
		packet_add_tlv_uint(response, TLV_TYPE_EVENT_ID, buf->EventID);
		packet_add_tlv_uint(response, TLV_TYPE_EVENT_TYPE, buf->EventType);
		packet_add_tlv_uint(response, TLV_TYPE_EVENT_CATEGORY, buf->EventCategory);
		
		packet_add_tlv_raw(response, TLV_TYPE_EVENT_DATA, (BYTE *)buf + buf->DataOffset, buf->DataLength);

		str = (BYTE *)buf + buf->StringOffset;
		while(buf->NumStrings > 0) {
			packet_add_tlv_string(response, TLV_TYPE_EVENT_STRING, str);
			/* forward pass the null terminator */
			while(*str++ != 0);
			buf->NumStrings--;
		}

	} while(0);

	packet_transmit_response(result, remote, response);
	
	if(buf)
		free(buf);

	return ERROR_SUCCESS;
}
Exemple #12
0
BOOL
QueryEventMessages(LPWSTR lpMachineName,
                   LPWSTR lpLogName)
{
    HWND hwndDlg = NULL;
    HANDLE hEventLog;
    EVENTLOGRECORD *pevlr;
    DWORD dwRead, dwNeeded, dwThisRecord, dwTotalRecords = 0, dwCurrentRecord = 0, dwRecordsToRead = 0, dwFlags, dwMaxLength;
    size_t cchRemaining;
    LPWSTR lpSourceName;
    LPWSTR lpComputerName;
    LPSTR lpData;
    BOOL bResult = TRUE; /* Read succeeded. */

    WCHAR szWindowTitle[MAX_PATH];
    WCHAR szStatusText[MAX_PATH];
    WCHAR szLocalDate[MAX_PATH];
    WCHAR szLocalTime[MAX_PATH];
    WCHAR szEventID[MAX_PATH];
    WCHAR szEventTypeText[MAX_LOADSTRING];
    WCHAR szCategoryID[MAX_PATH];
    WCHAR szUsername[MAX_PATH];
    WCHAR szEventText[EVENT_MESSAGE_FILE_BUFFER];
    WCHAR szCategory[MAX_PATH];
    WCHAR szData[MAX_PATH];
    PWCHAR lpTitleTemplateEnd;

    SYSTEMTIME time;
    LVITEMW lviEventItem;

    dwFlags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ;

    /* Open the event log. */
    hEventLog = OpenEventLogW(lpMachineName,
                             lpLogName);
    if (hEventLog == NULL)
    {
        ShowLastWin32Error();
        return FALSE;
    }

    lpSourceLogName = lpLogName;
    lpComputerName = lpMachineName;

    /* Disable listview redraw */
    SendMessage(hwndListView, WM_SETREDRAW, FALSE, 0);

    /* Clear the list view */
    (void)ListView_DeleteAllItems (hwndListView);
    FreeRecords();

    GetOldestEventLogRecord(hEventLog, &dwThisRecord);

    /* Get the total number of event log records. */
    GetNumberOfEventLogRecords (hEventLog , &dwTotalRecords);
    g_TotalRecords = dwTotalRecords;

    if (dwTotalRecords > 0)
    {
        EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_ENABLED);
        EnableMenuItem(hMainMenu, IDM_SAVE_PROTOCOL, MF_BYCOMMAND | MF_ENABLED);
    }
    else
    {
        EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_GRAYED);
        EnableMenuItem(hMainMenu, IDM_SAVE_PROTOCOL, MF_BYCOMMAND | MF_GRAYED);
    }

    g_RecordPtrs = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwTotalRecords * sizeof(PVOID));

    /* If we have at least 1000 records show the waiting dialog */
    if (dwTotalRecords > 1000)
    {
        CloseHandle(CreateThread(NULL,
                                 0,
                                 ShowStatusMessageThread,
                                 (LPVOID)&hwndDlg,
                                 0,
                                 NULL));
    }

    while (dwCurrentRecord < dwTotalRecords)
    {
        pevlr = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
        g_RecordPtrs[dwCurrentRecord] = pevlr;

        bResult = ReadEventLog(hEventLog,  // Event log handle
                               dwFlags,    // Sequential read
                               0,          // Ignored for sequential read
                               pevlr,      // Pointer to buffer
                               sizeof(EVENTLOGRECORD),   // Size of buffer
                               &dwRead,    // Number of bytes read
                               &dwNeeded); // Bytes in the next record
        if((!bResult) && (GetLastError () == ERROR_INSUFFICIENT_BUFFER))
        {
            HeapFree(GetProcessHeap(), 0, pevlr);
            pevlr = HeapAlloc(GetProcessHeap(), 0, dwNeeded);
            g_RecordPtrs[dwCurrentRecord] = pevlr;

            ReadEventLogW(hEventLog,  // event log handle
                         dwFlags,    // read flags
                         0,          // offset; default is 0
                         pevlr,      // pointer to buffer
                         dwNeeded,   // size of buffer
                         &dwRead,    // number of bytes read
                         &dwNeeded); // bytes in next record
        }

        while (dwRead > 0)
        {
            LoadStringW(hInst, IDS_NOT_AVAILABLE, szUsername, MAX_PATH);
            LoadStringW(hInst, IDS_NOT_AVAILABLE, szEventText, MAX_PATH);
            LoadStringW(hInst, IDS_NONE, szCategory, MAX_PATH);

            // Get the event source name.
            lpSourceName = (LPWSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD));

            // Get the computer name
            lpComputerName = (LPWSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD) + (wcslen(lpSourceName) + 1) * sizeof(WCHAR));

            // This ist the data section of the current event
            lpData = (LPSTR)((LPBYTE)pevlr + pevlr->DataOffset);

            // Compute the event type
            EventTimeToSystemTime(pevlr->TimeWritten, &time);

            // Get the username that generated the event
            GetEventUserName(pevlr, szUsername);

            GetDateFormatW(LOCALE_USER_DEFAULT, DATE_SHORTDATE, &time, NULL, szLocalDate, MAX_PATH);
            GetTimeFormatW(LOCALE_USER_DEFAULT, 0, &time, NULL, szLocalTime, MAX_PATH);

            GetEventType(pevlr->EventType, szEventTypeText);
            GetEventCategory(lpLogName, lpSourceName, pevlr, szCategory);

            StringCbPrintfW(szEventID, sizeof(szEventID), L"%u", (pevlr->EventID & 0xFFFF));
            StringCbPrintfW(szCategoryID, sizeof(szCategoryID), L"%u", pevlr->EventCategory);

            lviEventItem.mask = LVIF_IMAGE | LVIF_TEXT | LVIF_PARAM;
            lviEventItem.iItem = 0;
            lviEventItem.iSubItem = 0;
            lviEventItem.lParam = (LPARAM)pevlr;
            lviEventItem.pszText = szEventTypeText;

            switch (pevlr->EventType)
            {
                case EVENTLOG_ERROR_TYPE:
                    lviEventItem.iImage = 2;
                    break;

                case EVENTLOG_AUDIT_FAILURE:
                    lviEventItem.iImage = 2;
                    break;

                case EVENTLOG_WARNING_TYPE:
                    lviEventItem.iImage = 1;
                    break;

                case EVENTLOG_INFORMATION_TYPE:
                    lviEventItem.iImage = 0;
                    break;

                case EVENTLOG_AUDIT_SUCCESS:
                    lviEventItem.iImage = 0;
                    break;

                case EVENTLOG_SUCCESS:
                    lviEventItem.iImage = 0;
                    break;
            }

            lviEventItem.iItem = ListView_InsertItem(hwndListView, &lviEventItem);

            ListView_SetItemText(hwndListView, lviEventItem.iItem, 1, szLocalDate);
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 2, szLocalTime);
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 3, lpSourceName);
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 4, szCategory);
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 5, szEventID);
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 6, szUsername); //User
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 7, lpComputerName); //Computer
            MultiByteToWideChar(CP_ACP,
                                0,
                                lpData,
                                pevlr->DataLength,
                                szData,
                                MAX_PATH);
            ListView_SetItemText(hwndListView, lviEventItem.iItem, 8, szData); //Event Text

            dwRead -= pevlr->Length;
            pevlr = (EVENTLOGRECORD *)((LPBYTE) pevlr + pevlr->Length);
        }

        dwRecordsToRead--;
        dwCurrentRecord++;
    }

    // All events loaded
    if(hwndDlg)
        EndDialog(hwndDlg, 0);

    StringCchPrintfExW(szWindowTitle,
                       sizeof(szWindowTitle) / sizeof(WCHAR),
                       &lpTitleTemplateEnd,
                       &cchRemaining,
                       0,
                       szTitleTemplate, szTitle, lpLogName); /* i = number of characters written */
    /* lpComputerName can be NULL here if no records was read */
    dwMaxLength = (DWORD)cchRemaining;
    if (!lpComputerName)
        GetComputerNameW(lpTitleTemplateEnd, &dwMaxLength);
    else
        StringCchCopyW(lpTitleTemplateEnd, dwMaxLength, lpComputerName);

    StringCbPrintfW(szStatusText, sizeof(szStatusText), szStatusBarTemplate, lpLogName, dwTotalRecords);

    // Update the status bar
    SendMessageW(hwndStatus, SB_SETTEXT, (WPARAM)0, (LPARAM)szStatusText);

    // Set the window title
    SetWindowTextW(hwndMainWindow, szWindowTitle);

    // Resume list view redraw
    SendMessageW(hwndListView, WM_SETREDRAW, TRUE, 0);

    // Close the event log.
    CloseEventLog(hEventLog);

    return TRUE;
}
Exemple #13
0
/* Get the next eventlog message */
char * EventlogNext(EventList ignore_list[MAX_IGNORED_EVENTS], int log, int * level)
{
	BOOL reopen = FALSE;
	DWORD errnum;
	DWORD needed;
	DWORD loglevel;
	EVENTLOGRECORD * event;
	char * cp;
	char * current;
	char * formatted_string;
	char * message_file;
	char * source;
	char * string_array[EVENTLOG_ARRAY_SZ];
	char * username;
	char hostname[HOSTNAME_SZ];
	char defmsg[ERRMSG_SZ];
	int event_id;
	int i;
	char *index;

	static char message[SYSLOG_DEF_SZ-17];
	static char tstamped_message[SYSLOG_DEF_SZ];

	/* Initialize array to prevent memory exceptions with bad message definitions */
	for(i = 0; i < EVENTLOG_ARRAY_SZ; i++)
		string_array[i]="*";

	/* Are there any records left in buffer */
	while (EventlogList[log].pos == EventlogList[log].count) {

		/* Reset input position */
		EventlogList[log].count = 0;
		EventlogList[log].pos = 0;

		/* Read a record */
		needed = 0;
		if (ReadEventLog(EventlogList[log].handle, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, EventlogList[log].recnum, EventlogList[log].buffer, sizeof(EventlogList[log].buffer), &EventlogList[log].count, &needed) == 0) {

			/* Check error */
			errnum = GetLastError();
			switch (errnum) {

			/* Message too large... skip over */
			case ERROR_INSUFFICIENT_BUFFER:
				Log(LOG_WARNING, "Eventlog message size too large: \"%s\": %u bytes", EventlogList[log].name, needed);
				EventlogList[log].recnum++;
				break;

			/* Eventlog corrupted (?)... Reopen */
			case ERROR_EVENTLOG_FILE_CORRUPT:
				Log(LOG_INFO, "Eventlog was corrupted: \"%s\"", EventlogList[log].name);
				reopen = TRUE;
				break;

			/* Eventlog files are clearing... Reopen */
			case ERROR_EVENTLOG_FILE_CHANGED:
				Log(LOG_INFO, "Eventlog was cleared: \"%s\"", EventlogList[log].name);
				reopen = TRUE;
				break;

			/* Record not available (yet) */
			case ERROR_INVALID_PARAMETER:
				return NULL;

			/* Normal end of eventlog messages */
			case ERROR_HANDLE_EOF:
				return NULL;

			/* Eventlog probably closing down */
			case RPC_S_UNKNOWN_IF:
				return NULL;

			/* Unknown condition */
			default:
				Log(LOG_ERROR|LOG_SYS, "Eventlog \"%s\" returned error: ", EventlogList[log].name);
				ServiceIsRunning = FALSE;
				return NULL;
			}

			/* Process reopen */
			if (reopen) {
				EventlogClose(log);
				if (EventlogOpen(log)) {
					ServiceIsRunning = FALSE;
					return NULL;
				}
				reopen = FALSE;
			}
		}
	}

	/* Increase record number */
	EventlogList[log].recnum++;

	/* Get position into buffer */
	current = EventlogList[log].buffer + EventlogList[log].pos;

	/* Get pointer to current event record */
	event = (EVENTLOGRECORD *) current;

	/* Advance position */
	EventlogList[log].pos += event->Length;

	/* Get source and event id */
	source = current + sizeof(*event);
	event_id = (int) HRESULT_CODE(event->EventID);
	
	/* Check Event Info Against Ignore List */
	if (IgnoreSyslogEvent(ignore_list, source, event_id)) {
		if (LogInteractive)
			printf("IGNORING_EVENT: SOURCE=%s & ID=%i\n", source, event_id);
		return NULL;
	}
	
	/* Check number of strings */
	if (event->NumStrings > COUNT_OF(string_array)) {

		/* Too many strings */
		Log(LOG_WARNING, "Eventlog message has too many strings to print message: \"%s\": %u strings", EventlogList[log].name, event->NumStrings);
		formatted_string = NULL;
	} else {

		/* Convert strings to arrays */
		cp = current + event->StringOffset;
		for (i = 0; i < event->NumStrings; i++) {
			string_array[i] = cp;
			while (*cp++ != '\0');
		}

		message_file = LookupMessageFile(EventlogList[log].name, source, event->EventID);

		if (message_file == NULL) {
			/* Cannot load resources */
			formatted_string = NULL;
		} else {
			/* Format eventlog message */
			formatted_string = FormatLibraryMessage(message_file, event->EventID, string_array);
		}
	}

	/* Create a default message if resources or formatting didn't work */
	if (formatted_string == NULL) {
		_snprintf_s(defmsg, sizeof(defmsg), _TRUNCATE,
			"(Facility: %u, Status: %s)",
			HRESULT_FACILITY(event->EventID),
			FAILED(event->EventID) ? "Failure" : "Success"
		);
		formatted_string = defmsg;
	}

	/* replace every space in source by underscores */
	index = source;
	while( *index ) {
		if( *index == ' ' ) {
			*index = '_';
		}
		index++;
	}

	/* Format source and event ID number */
	if(SyslogIncludeTag) {
		_snprintf_s(message, sizeof(message), _TRUNCATE,
			"%s: %s: %u: ",
			SyslogTag,
			source,
			HRESULT_CODE(event->EventID)
		);
	} else {
		_snprintf_s(message, sizeof(message), _TRUNCATE,
			"%s: %u: ",
			source,
			HRESULT_CODE(event->EventID)
		);
	}

	/* Convert user */
	if (event->UserSidLength > 0) {
		username = GetUsername((SID *) (current + event->UserSidOffset));
		if (username) {
			strncat_s(message, sizeof(message), username, _TRUNCATE);
			strncat_s(message, sizeof(message), ": ", _TRUNCATE);
		}
	}

	/* Add formatted string to base message */
	strncat_s(message, sizeof(message), formatted_string, _TRUNCATE);

	/* Select syslog level */
	switch (event->EventType) {
		case EVENTLOG_ERROR_TYPE:
			loglevel = SYSLOG_ERR;
			*level = SYSLOG_BUILD(SyslogFacility, loglevel);
			break;
		case EVENTLOG_WARNING_TYPE:
			loglevel = SYSLOG_WARNING;
			*level = SYSLOG_BUILD(SyslogFacility, loglevel);
			break;
		case EVENTLOG_INFORMATION_TYPE:
			loglevel = SYSLOG_NOTICE;
			*level = SYSLOG_BUILD(SyslogFacility, loglevel);
			break;
		case EVENTLOG_AUDIT_SUCCESS:
            strncat_s(message, sizeof(message), "AUDIT_SUCCESS ", _TRUNCATE);
			loglevel = SYSLOG_NOTICE;
			*level = SYSLOG_BUILD(SyslogFacility, loglevel);
			break;
		case EVENTLOG_AUDIT_FAILURE:
            strncat_s(message, sizeof(message), "AUDIT_FAILURE ", _TRUNCATE);
			loglevel = SYSLOG_ERR;
			*level = SYSLOG_BUILD(SyslogFacility, loglevel);
			break;

		/* Everything else */
		case EVENTLOG_SUCCESS:
		default:
			loglevel = SYSLOG_NOTICE;
			*level = SYSLOG_BUILD(SyslogFacility, loglevel);
			break;
	}

	/* If event is not being ignored, make sure it is severe enough to be logged */
	if (SyslogLogLevel != 0)
		if (SyslogLogLevel < loglevel-1)
			return NULL;

	/* Add hostname for RFC compliance (RFC 3164) */
	/* if -a then use the fqdn bound to our IP address. If none, use the IP address */
	if (ProgramUseIPAddress == TRUE) {
		strcpy_s(hostname, HOSTNAME_SZ, ProgramHostName);
	} else {
		if (ExpandEnvironmentStrings("%COMPUTERNAME%", hostname, COUNT_OF(hostname)) == 0) {
			strcpy_s(hostname, COUNT_OF(hostname), "HOSTNAME_ERR");
			Log(LOG_ERROR|LOG_SYS, "Cannot expand %COMPUTERNAME%");
	    }
    }
	
	/* Query and Add timestamp from EventLog, add hostname, */
	/* and finally the message to the string */
	_snprintf_s(tstamped_message, sizeof(tstamped_message), _TRUNCATE,
		"%s %s %s",
		TimeToString(event->TimeGenerated),
		hostname,
		message
	);

	/* Return formatted message */
	return tstamped_message;
}
int read_windows_sys_log::ReadSystemEventLog(const char *Src, Value &value) 
{
	value["t"] = "win_system_log";
	
	DWORD read_len, next_len; 
	char Buffer[256], Data[4096], *pchar; 
	HANDLE Handle = OpenEventLog(NULL, Src);

	if (Handle==NULL)
	{
		CloseHandle(Handle);
		return -1;
	}
	while(ReadEventLog(Handle, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,1, (EVENTLOGRECORD*)Data, sizeof(Data), &read_len, &next_len))
	{
		Value log_object;
		for(short i=0; i<read_len;) 
		{
			//printf("%d\n",read_len);
			EVENTLOGRECORD *ptr = (EVENTLOGRECORD*)(Data+i);
			switch(ptr->EventType) //事件类型  
			{
			case EVENTLOG_SUCCESS:
				pchar= "成功";  
				break; 
			case EVENTLOG_ERROR_TYPE:
				pchar= "错误";
				break; 
			case EVENTLOG_WARNING_TYPE:
				pchar= "警告";
				break; 
			case EVENTLOG_INFORMATION_TYPE:
				pchar= "信息";
				break; 
			case EVENTLOG_AUDIT_SUCCESS:
				pchar= "审计成功";
				break; 
			case EVENTLOG_AUDIT_FAILURE:
				pchar= "审计失败";
				break; 
			default:
				continue; 
			}
			//sprintf(Buffer, "事件\t%u\n", (short)(ptr->EventID)); //事件ID  
			//Result += Buffer;
			log_object["事件"] = boost::lexical_cast<string>(ptr->EventID);

			/*sprintf(Buffer, "类型\t%s\n", pchar); 
			Result += Buffer; */
			log_object["类型"] = boost::lexical_cast<string>(pchar);

			//time_t timep;
			//struct tm *p;
			//time(&timep);
			//p = localtime(&timep);
			//tm *ptm = localtime(&timep);

			tm *ptm = localtime((const time_t *)(&(ptr->TimeWritten)));    //取得当地时间
			sprintf(Buffer, "%.4hd-%.2hd-%.2hd %.2hd:%.2hd:%.2hd",
						ptm->tm_year+1900, ptm->tm_mon+1, ptm->tm_mday,
							ptm->tm_hour, ptm->tm_min, ptm->tm_sec);
			//Result += Buffer;
			log_object["时间"] = Buffer;


			pchar = Data + sizeof(EVENTLOGRECORD); //pchar指向SourceName[]
			//sprintf(Buffer, "来源\t%s\n", pchar); //事件来源 
			//Result += Buffer;
			log_object["来源"] = pchar;


			//pchar += strlen(pchar) + 1; //pchar指向ComputerName[]
			//sprintf(Buffer, "计算机\t%s\n", pchar); //机器名
			//Result += Buffer;
			log_object["计算机"] = pchar;

			pchar += strlen(pchar) + 1;	// pchar指向UserSid
			if(ptr->UserSidLength > 0)
			{
				char Name[64];
				DWORD Length = sizeof(SID), Length1 = sizeof(Buffer);
				SID_NAME_USE Type = SidTypeUser;
				SID *sid = (SID *)(Data + ptr->UserSidOffset);
				if(LookupAccountSid(NULL, sid, Name, &Length, Buffer, &Length1, &Type))
				{
					//查找用户名
					//sprintf(Buffer, "用户\t%s\n", Name); //用户名  
					//Result+=Buffer; 
					log_object["用户"] = Name;

				}
			}
			if(ptr->DataOffset > ptr->StringOffset) //获取事件描述 
			{
				//Result += "[描述]\t"; 
				pchar = Data + i + ptr->StringOffset; 
				for(short j = 0; j < ptr->NumStrings; j++) 
				{
					//Result += pchar; 
					if(j < ptr->NumStrings-1)
						//Result += ' '; 
					pchar += strlen(pchar) + 1;
				} 
				//Result += '\n'; 
				// Result+="[数据]/n"; 
				log_object["[描述]"] = pchar;
			}
			//Result+='\n';
			i+=ptr->Length;
		}

		value["System_log_array"].append(log_object);
	}
	//fwrite(Result.c_str(),Result.length(),1,pFile);
	CloseEventLog(Handle);
	return 0;
}
Exemple #15
0
void main()
{
    HANDLE			hEventLog;
    EVENTLOGRECORD* pEventLogRecord = 0;
    EVENTRECORD*	pER = 0;
    CHAR			szFilePath[_MAX_PATH];
    CHAR			szDate[9];
    DWORD			dwBytesRead, dwBytesNeeded;
    DWORD			dwEventLogRecords, dwTemp;
    FILE*			fp;

    // get current date
    GetCurrentDate(szDate);

    // get file path
    if (!(GetFilePath(szFilePath)))
        strcpy(szFilePath, "");

    // format file name
    sprintf(szFileName, "%s%s%s", szFilePath, szDate, ".LOG");

    // open security event log on local machine
    printf("Opening Security Event Log for Reading...\n");
    if (!(hEventLog = OpenEventLog(NULL, "Security"))) {
        printf("Error Opening Event Log.\n");
        return;
    }

    // open event file
    printf("Opening Event File %s for Writing...\n", szFileName);
    if ((fp = fopen(szFileName, "w+t")) == NULL) {
        printf("Error Opening Event File.\n");
        return;
    }

    // find the number of event log records
    GetNumberOfEventLogRecords(hEventLog, &dwEventLogRecords);

    // read data and output to file
    printf("Writing Data To File...\n");

    for (dwTemp = 1; dwTemp <= dwEventLogRecords; dwTemp++) {
        if (!(pEventLogRecord = (EVENTLOGRECORD*)malloc(16384)))
            return;

        // read records from event log
        if (!(ReadEventLog(hEventLog,		// event log handle
                           EVENTLOG_SEEK_READ |
                           EVENTLOG_FORWARDS_READ,		// get specified record
                           dwTemp,
                           pEventLogRecord,			// buffer address
                           16384,						// max size
                           &dwBytesRead,				// number of bytes read
                           &dwBytesNeeded)))			// number of bytes needed
            ShowError();

        // read record information
        if (dwBytesRead) {
            if (ShouldWriteRecord(pEventLogRecord->TimeWritten)) {
                // allocate memory for event record
                if (!(pER = (EVENTRECORD*)malloc(sizeof(EVENTRECORD)))) {
                    printf("Error allocating memory for record.\n");
                    if (pEventLogRecord) free (pEventLogRecord);
                    return;
                }

                // set event record into structure
                SetEventRecord(pEventLogRecord, pER);

                // write data to file
                fprintf(fp, "%d\t%s\t%s\t%s\t%s\n%s\n", pER->EventID, pER->szEventDate,
                        pER->szEventType, pER->szSourceName, pER->szComputerName,
                        pER->pMessage);

                // free allocated memory
                if (pER) free(pER);
            }
        }
        // free allocated buffer
        if (pEventLogRecord) free (pEventLogRecord);
    }

    printf("Closing Files...\n");

    // release event log handle
    CloseEventLog(hEventLog);

    // close event file
    _flushall();
    fclose(fp);

    // send message
    printf("Sending messages...\n");
    SendMail();
}
Exemple #16
0
DWORD WINAPI
eventLogMonitorThreadProc(LPVOID elm_info_param)
{
    EVENTLOGRECORD *pevlr; 
    BYTE bBuffer[BUFFER_SIZE] = { 0 }; 
    DWORD dwRead, dwNeeded, res;
    DWORD reported_next_record, num_records;
    BOOL skip_first = FALSE;
    HANDLE log = NULL, event = NULL;
    WCHAR msgbuf[BUFFER_SIZE];

    eventlogmon_info *elm_info = (eventlogmon_info *) elm_info_param;
  
    control = 0;

    log = OpenEventLog(NULL, L_COMPANY_NAME);
    if (log == NULL) {
        (*elm_info->cb_err)(ELM_ERR_FATAL, 
                            L"Could not open the " L_COMPANY_NAME L" event log."); 
        goto exit_elm_thread_error;
    }
    
    event = CreateEvent(NULL, FALSE, FALSE, NULL);
    NotifyChangeEventLog(log, event);   
    
    pevlr = (EVENTLOGRECORD *) &bBuffer; 

    if (!GetNumberOfEventLogRecords(log, &num_records) ||
        !GetOldestEventLogRecord(log, &reported_next_record)) {
        _snwprintf(msgbuf, BUFFER_SIZE_ELEMENTS(msgbuf),
                   L"error %d getting eventlog info", GetLastError());
        (*elm_info->cb_err)(ELM_ERR_FATAL, msgbuf);
        goto exit_elm_thread_error;
    }

    /* FIXME: we don't handle the situation when the eventlog was cleared,
     *  but our pointer is less than the number of new records. for this
     *  we'll probably have to store a timestamp, and compare against the
     *  event record at next_record. */
    if (((int)elm_info->next_record) < 0) {
        elm_info->next_record = reported_next_record;
    } 
    else if (elm_info->next_record > (reported_next_record + num_records + 1)) {
        /* looks like the eventlog was cleared since we last checked
         *  it. issue a warning and reset */
        elm_info->next_record = reported_next_record;
        (*elm_info->cb_err)(ELM_ERR_CLEARED, L"Eventlog was cleared!\n");
    }
    else {
        /* we need to ensure we SEEK to a valid record; but since
         * it's already been reported, don't report it again. */
        elm_info->next_record--;
        skip_first = TRUE;
    }

    /* first seek to the last record 
     * EVENTLOG_FORWARDS_READ indicates we will get messages in
     *  chronological order.
     * FIXME: test to make sure that this works properly on
     *  overwrite-wrapped logs */
    if (!ReadEventLog(log,                
                      EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,
                      elm_info->next_record,
                      pevlr,
                      BUFFER_SIZE,
                      &dwRead,
                      &dwNeeded)) {
        dwRead = 0;
        dwNeeded = 0;
    }

    for(;;) {        
        do {
            /* case 5813: if pevlr->Length is 0, we'll have an infinite
             * loop. this could possibly happen if drive is full?
             * just abort if we detect it. */
            while (dwRead > 0 && pevlr->Length > 0) {
                
                if (format_messages && !skip_first) {

                    res = get_formatted_message(pevlr, msgbuf, BUFFER_SIZE);
                    if (res != ERROR_SUCCESS) {
                        _snwprintf(msgbuf, BUFFER_SIZE_ELEMENTS(msgbuf),
                                   L"FormatMessage error %d\n", res);
                        (*elm_info->cb_err)(ELM_ERR_WARN, msgbuf);
                    }
                    else {
                        /* invoke the callback */
                        (*elm_info->cb_format)(pevlr->RecordNumber, 
                                               pevlr->EventType, 
                                               msgbuf, pevlr->TimeGenerated);
                    }
                } else if(!skip_first) {
                    /* xref case 3065: insurance */
                    if (pevlr->RecordNumber != 0 ||
                        pevlr->TimeGenerated != 0) {
                        /* raw callback */
                        (*elm_info->cb_raw)(pevlr);
                    }
                } else {
                    skip_first = FALSE;
                }

                dwRead -= pevlr->Length; 
                pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length); 
            }
            
            pevlr = (EVENTLOGRECORD *) &bBuffer; 
        } while (ReadEventLog(log,                
                              EVENTLOG_FORWARDS_READ |  
                              EVENTLOG_SEQUENTIAL_READ, 
                              0,            
                              pevlr,        
                              BUFFER_SIZE,  
                              &dwRead,      
                              &dwNeeded));
        
        if((res = GetLastError()) != ERROR_HANDLE_EOF) {
            //FIXME: assert GetLastError() is appropriate
            _snwprintf(msgbuf, BUFFER_SIZE_ELEMENTS(msgbuf),
                       L"Unexpected error %d reading event log\n", res);
            (*elm_info->cb_err)(ELM_ERR_WARN, msgbuf);
        }

        if (do_once)
            break;

        /* the event is auto-reset.
           timeout because NotifyChangeEventLog is not reliable. */
        WaitForSingleObject(event, MINIPULSE);

        if(control)
            break;
    }
    
exit_elm_thread_error:

    if (log != NULL)
        CloseEventLog(log); 

    if (event != NULL)
        CloseHandle(event);

    free(elm_info);

    /* FIXME: need ExitThread()? */
    return 0;
}