/*
 * Fetch record `record_number` from the eventlog tdb and return it as an
 * EVENTLOGRECORD allocated on `mem_ctx`.
 *
 * The intermediate tdb record is allocated as a child of the result, so
 * freeing the returned record releases everything.  Length and Length2
 * are both set to the NDR-pushed size of the converted record.
 *
 * Returns NULL on allocation failure, when the record does not exist, or
 * when the tdb -> evt conversion fails.
 */
struct EVENTLOGRECORD *evlog_pull_record(TALLOC_CTX *mem_ctx,
					 TDB_CONTEXT *tdb,
					 uint32_t record_number)
{
	struct EVENTLOGRECORD *evt_rec = NULL;
	struct eventlog_Record_tdb *tdb_rec = NULL;
	NTSTATUS status;

	evt_rec = talloc_zero(mem_ctx, struct EVENTLOGRECORD);
	if (evt_rec == NULL) {
		return NULL;
	}

	/* Parent the raw tdb record on the result so one free covers both. */
	tdb_rec = evlog_pull_record_tdb(evt_rec, tdb, record_number);
	if (tdb_rec == NULL) {
		goto fail;
	}

	status = evlog_tdb_entry_to_evt_entry(evt_rec, tdb_rec, evt_rec);
	if (!NT_STATUS_IS_OK(status)) {
		goto fail;
	}

	evt_rec->Length2 = ndr_size_EVENTLOGRECORD(evt_rec, NULL, 0);
	evt_rec->Length = evt_rec->Length2;

	return evt_rec;

fail:
	talloc_free(evt_rec);
	return NULL;
}
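/*
 * Parse a record number given on the command line.
 *
 * Only a plain non-negative decimal number that fits in a uint32_t is
 * accepted.  atoi() would silently accept trailing junk and turn a
 * negative or out-of-range value into an arbitrary record number.
 * strtoull() is used so that overflow saturates well above UINT32_MAX
 * and is caught by the range check without needing errno.
 *
 * Returns true and stores the value in *out on success, false otherwise
 * (*out is left untouched).
 */
static bool parse_record_number(const char *str, uint32_t *out)
{
	char *end = NULL;
	unsigned long long val;

	/* Require a leading digit: rejects "", whitespace, '+' and '-'. */
	if (str == NULL || *str < '0' || *str > '9') {
		return false;
	}

	val = strtoull(str, &end, 10);
	if (end == str || *end != '\0' || val > UINT32_MAX) {
		return false;
	}

	*out = (uint32_t)val;
	return true;
}

/*
 * eventlogadm "dump" command.
 *
 * argv[0] is the eventlog tdb to open, argv[1] (optional) the record
 * number to start at (default 1).  Records are printed in ascending
 * order until a record number is not found in the tdb.
 *
 * Returns 0 on success, -1 on bad arguments or when the tdb cannot be
 * opened.
 */
static int DoDumpCommand(int argc, char **argv, bool debugflag, char *exename)
{
	ELOG_TDB *etdb = NULL;
	TALLOC_CTX *mem_ctx = talloc_tos();
	uint32_t count = 1;

	(void)debugflag;
	(void)exename;

	/* Usage: <tdb file> [first record number] */
	if (argc < 1 || argc > 2) {
		return -1;
	}

	if (argc > 1 && !parse_record_number(argv[1], &count)) {
		printf("invalid record number (%s)\n", argv[1]);
		return -1;
	}

	etdb = elog_open_tdb(argv[0], false, true);
	if (etdb == NULL) {
		printf("can't open the eventlog TDB (%s)\n", argv[0]);
		return -1;
	}

	while (1) {
		struct eventlog_Record_tdb *r = NULL;
		char *s = NULL;

		r = evlog_pull_record_tdb(mem_ctx, etdb->tdb, count);
		if (r == NULL) {
			break;
		}

		/* count is uint32_t; cast keeps the format specifier exact. */
		printf("displaying record: %u\n", (unsigned)count);

		s = NDR_PRINT_STRUCT_STRING(mem_ctx, eventlog_Record_tdb, r);
		if (s != NULL) {
			printf("%s\n", s);
			talloc_free(s);
		}

		/*
		 * The record was allocated on mem_ctx (the stack frame); free
		 * it now so dumping a large log does not keep every record
		 * alive until the frame is popped.
		 */
		talloc_free(r);

		count++;
	}

	elog_close_tdb(etdb, false);

	return 0;
}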
/*
 * Convert the whole eventlog tdb into an EVT file image.
 *
 * Records are pulled starting at record number 1 until one is missing,
 * converted to EVENTLOGRECORD and appended to evt.records (num_records
 * is maintained by ADD_TO_ARRAY).  The header and EOF trailer are then
 * filled in from the accumulated record size and from the EVT_MAXSIZE /
 * EVT_RETENTION keys of the tdb, and the structure is NDR-pushed into a
 * blob.
 *
 * On success *blob_p receives the pushed image and *num_records_p the
 * record count; neither is written on failure.  Returns the NTSTATUS of
 * the failing record conversion, or the mapped NDR push error.
 */
NTSTATUS evlog_convert_tdb_to_evt(TALLOC_CTX *mem_ctx,
				  ELOG_TDB *etdb,
				  DATA_BLOB *blob_p,
				  uint32_t *num_records_p)
{
	struct EVENTLOG_EVT_FILE evt;
	DATA_BLOB blob;
	enum ndr_err_code ndr_err;
	NTSTATUS status = NT_STATUS_OK;
	uint32_t num_records = 0;
	uint32_t record_number = 1;
	size_t record_bytes = 0;

	ZERO_STRUCT(evt);

	/* Gather records until the tdb has no record with this number. */
	for (;;) {
		struct eventlog_Record_tdb *tdb_rec;
		struct EVENTLOGRECORD evt_rec;

		tdb_rec = evlog_pull_record_tdb(mem_ctx, etdb->tdb,
						record_number);
		if (tdb_rec == NULL) {
			break;
		}

		status = evlog_tdb_entry_to_evt_entry(mem_ctx, tdb_rec,
						      &evt_rec);
		if (!NT_STATUS_IS_OK(status)) {
			goto done;
		}

		record_bytes += ndr_size_EVENTLOGRECORD(&evt_rec, NULL, 0);
		ADD_TO_ARRAY(mem_ctx, struct EVENTLOGRECORD, evt_rec,
			     &evt.records, &num_records);

		record_number++;
	}

	/* File header: record data is placed at offset 0x30. */
	evt.hdr.StartOffset = 0x30;
	evt.hdr.EndOffset = evt.hdr.StartOffset + record_bytes;
	/* record_number is one past the last record found. */
	evt.hdr.CurrentRecordNumber = record_number;
	evt.hdr.OldestRecordNumber = 1;
	evt.hdr.MaxSize = tdb_fetch_int32(etdb->tdb, EVT_MAXSIZE);
	evt.hdr.Flags = 0;
	evt.hdr.Retention = tdb_fetch_int32(etdb->tdb, EVT_RETENTION);

	if (DEBUGLEVEL >= 10) {
		NDR_PRINT_DEBUG(EVENTLOGHEADER, &evt.hdr);
	}

	/* EOF trailer mirrors the record window described by the header. */
	evt.eof.BeginRecord = 0x30;
	evt.eof.EndRecord = evt.hdr.StartOffset + record_bytes;
	evt.eof.CurrentRecordNumber = evt.hdr.CurrentRecordNumber;
	evt.eof.OldestRecordNumber = evt.hdr.OldestRecordNumber;

	if (DEBUGLEVEL >= 10) {
		NDR_PRINT_DEBUG(EVENTLOGEOF, &evt.eof);
	}

	ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, &evt,
				       (ndr_push_flags_fn_t)ndr_push_EVENTLOG_EVT_FILE);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		status = ndr_map_error2ntstatus(ndr_err);
		goto done;
	}

	*blob_p = blob;
	*num_records_p = num_records;

done:
	return status;
}