/* Start the event logging for each el */ int startEL(char *app, os_el *el) { DWORD NumberOfRecords = 0; /* Open the event log */ el->h = OpenEventLog(NULL, app); if (!el->h) { merror(EVTLOG_OPEN, ARGV0, app); return (-1); } el->name = app; if (GetOldestEventLogRecord(el->h, &el->record) == 0) { /* Unable to read oldest event log record */ merror(EVTLOG_GETLAST, ARGV0, app); CloseEventLog(el->h); el->h = NULL; return (-1); } if (GetNumberOfEventLogRecords(el->h, &NumberOfRecords) == 0) { merror(EVTLOG_GETLAST, ARGV0, app); CloseEventLog(el->h); el->h = NULL; return (-1); } if (NumberOfRecords <= 0) { return (0); } return ((int)NumberOfRecords); }
BOOL ClearEvents(VOID) { HANDLE hEventLog; WCHAR szFileName[MAX_PATH]; WCHAR szMessage[MAX_LOADSTRING]; ZeroMemory(szFileName, sizeof(szFileName)); ZeroMemory(szMessage, sizeof(szMessage)); LoadStringW(hInst, IDS_CLEAREVENTS_MSG, szMessage, MAX_LOADSTRING); sfn.lpstrFile = szFileName; sfn.nMaxFile = MAX_PATH; switch (MessageBoxW(hwndMainWindow, szMessage, szTitle, MB_YESNOCANCEL | MB_ICONINFORMATION)) { case IDCANCEL: { return FALSE; } case IDNO: { sfn.lpstrFile = NULL; break; } case IDYES: { if (!GetSaveFileNameW(&sfn)) { return FALSE; } break; } } hEventLog = OpenEventLogW(lpComputerName, lpSourceLogName); if (!hEventLog) { ShowLastWin32Error(); return FALSE; } if (!ClearEventLogW(hEventLog, sfn.lpstrFile)) { ShowLastWin32Error(); CloseEventLog(hEventLog); return FALSE; } CloseEventLog(hEventLog); return TRUE; }
static void test_oldest(void) { HANDLE handle; BOOL ret; DWORD oldest; const char backup[] = "backup.evt"; SetLastError(0xdeadbeef); ret = GetOldestEventLogRecord(NULL, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); oldest = 0xdeadbeef; ret = GetOldestEventLogRecord(NULL, &oldest); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); ok(oldest == 0xdeadbeef, "Expected oldest to stay unchanged\n"); handle = OpenEventLogA(NULL, "Application"); SetLastError(0xdeadbeef); ret = GetOldestEventLogRecord(handle, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); oldest = 0xdeadbeef; ret = GetOldestEventLogRecord(handle, &oldest); ok(ret, "Expected success\n"); ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n"); CloseEventLog(handle); /* Make a backup eventlog to work with */ if (create_backup(backup)) { handle = OpenBackupEventLogA(NULL, backup); todo_wine ok(handle != NULL, "Expected a handle\n"); /* Does GetOldestEventLogRecord work with backup eventlogs? */ oldest = 0xdeadbeef; ret = GetOldestEventLogRecord(handle, &oldest); todo_wine { ok(ret, "Expected success\n"); ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n"); } CloseEventLog(handle); DeleteFileA(backup); } }
static void test_open_close(void) { HANDLE handle; BOOL ret; SetLastError(0xdeadbeef); ret = CloseEventLog(NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE || GetLastError() == ERROR_NOACCESS, /* W2K */ "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); SetLastError(0xdeadbeef); handle = OpenEventLogA(NULL, NULL); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); handle = OpenEventLogA("IDontExist", NULL); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); handle = OpenEventLogA("IDontExist", "deadbeef"); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */ "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError()); /* This one opens the Application log */ handle = OpenEventLogA(NULL, "deadbeef"); ok(handle != NULL, "Expected a handle\n"); ret = CloseEventLog(handle); ok(ret, "Expected success\n"); /* Close a second time */ SetLastError(0xdeadbeef); ret = CloseEventLog(handle); todo_wine { ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); } /* Empty servername should be read as local server */ handle = OpenEventLogA("", "Application"); ok(handle != NULL, "Expected a handle\n"); CloseEventLog(handle); handle = OpenEventLogA(NULL, "Application"); ok(handle != NULL, "Expected a handle\n"); CloseEventLog(handle); }
VOID SaveProtocol(VOID) { HANDLE hEventLog; WCHAR szFileName[MAX_PATH]; ZeroMemory(szFileName, sizeof(szFileName)); sfn.lpstrFile = szFileName; sfn.nMaxFile = MAX_PATH; if (!GetSaveFileNameW(&sfn)) { return; } hEventLog = OpenEventLogW(lpComputerName, lpSourceLogName); if (!hEventLog) { ShowLastWin32Error(); return; } if (!BackupEventLogW(hEventLog, szFileName)) { ShowLastWin32Error(); } CloseEventLog(hEventLog); }
/* close event logger */ static int zbx_close_eventlog(HANDLE eventlog_handle) { if (NULL != eventlog_handle) CloseEventLog(eventlog_handle); return SUCCEED; }
static void test_info(void) { HANDLE handle; BOOL ret; DWORD needed; BYTE buffer[2 * sizeof(EVENTLOG_FULL_INFORMATION)]; EVENTLOG_FULL_INFORMATION *efi = (void *)buffer; if (!pGetEventLogInformation) { /* NT4 */ win_skip("GetEventLogInformation is not available\n"); return; } SetLastError(0xdeadbeef); ret = pGetEventLogInformation(NULL, 1, NULL, 0, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_LEVEL, "Expected ERROR_INVALID_LEVEL, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = pGetEventLogInformation(NULL, EVENTLOG_FULL_INFO, NULL, 0, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); handle = OpenEventLogA(NULL, "Application"); SetLastError(0xdeadbeef); ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, &needed); ok(!ret, "Expected failure\n"); ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); needed = 0xdeadbeef; efi->dwFull = 0xdeadbeef; ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, &needed); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError()); ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed); ok(efi->dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n"); /* Not that we care, but on success last error is set to ERROR_IO_PENDING */ efi->dwFull = 0xdeadbeef; needed = sizeof(buffer); ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, needed, &needed); ok(ret, "Expected success\n"); ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed); ok(efi->dwFull == 0 || efi->dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi->dwFull); CloseEventLog(handle); }
BOOL My_CloseEventLog() { HANDLE hEventLog=NULL; BOOL returnVal_Real = NULL; BOOL returnVal_Intercepted = NULL; DWORD error_Real = 0; DWORD error_Intercepted = 0; __try{ disableInterception(); returnVal_Real = CloseEventLog (hEventLog); error_Real = GetLastError(); enableInterception(); returnVal_Intercepted = CloseEventLog (hEventLog); error_Intercepted = GetLastError(); }__except(puts("in filter"), 1){puts("exception caught");} return ((returnVal_Real == returnVal_Intercepted) && (error_Real == error_Intercepted)); }
//--------------------------------------------------------------------- // OpenEventLog/CloseEventLogを対にするクラス //--------------------------------------------------------------------- //--------------------------------------------------------------------- // イベントログを開く //--------------------------------------------------------------------- BOOL kjm::eventlog::OpenEventLog( LPCTSTR lpUNCServerName, LPCTSTR lpSourceName ) { // すでに開いているかもしれないので、閉じる CloseEventLog(); m_unc_server_name = ( lpUNCServerName ) ? lpUNCServerName : ""; m_source_name = ( lpSourceName ) ? lpSourceName : ""; m_hEventLog = ::OpenEventLog( lpUNCServerName, lpSourceName ); return ( m_hEventLog ) ? TRUE : FALSE; }
static void test_clear(void) { HANDLE handle; BOOL ret; const char backup[] = "backup.evt"; const char backup2[] = "backup2.evt"; SetLastError(0xdeadbeef); ret = ClearEventLogA(NULL, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); /* Make a backup eventlog to work with */ if (!create_backup(backup)) return; SetLastError(0xdeadbeef); ret = ClearEventLogA(NULL, backup); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); handle = OpenBackupEventLogA(NULL, backup); todo_wine ok(handle != NULL, "Expected a handle\n"); /* A real eventlog would fail with ERROR_ALREADY_EXISTS */ SetLastError(0xdeadbeef); ret = ClearEventLogA(handle, backup); ok(!ret, "Expected failure\n"); /* The eventlog service runs under an account that doesn't have the necessary * permissions on the users home directory on a default Vista+ system. */ ok(GetLastError() == ERROR_INVALID_HANDLE || GetLastError() == ERROR_ACCESS_DENIED, /* Vista+ */ "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); /* Show that ClearEventLog only works for real eventlogs. */ SetLastError(0xdeadbeef); ret = ClearEventLogA(handle, backup2); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); ok(GetFileAttributesA(backup2) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n"); SetLastError(0xdeadbeef); ret = ClearEventLogA(handle, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); CloseEventLog(handle); todo_wine ok(DeleteFileA(backup), "Could not delete the backup file\n"); }
static BOOL create_backup(const char *filename) { HANDLE handle; DWORD rc, attribs; DeleteFileA(filename); handle = OpenEventLogA(NULL, "Application"); rc = BackupEventLogA(handle, filename); if (!rc && GetLastError() == ERROR_PRIVILEGE_NOT_HELD) { skip("insufficient privileges to backup the eventlog\n"); CloseEventLog(handle); return FALSE; } ok(rc, "BackupEventLogA failed, le=%u\n", GetLastError()); CloseEventLog(handle); attribs = GetFileAttributesA(filename); todo_wine ok(attribs != INVALID_FILE_ATTRIBUTES, "Expected a backup file attribs=%#x le=%u\n", attribs, GetLastError()); return TRUE; }
/* * Closes the specified event log. * * TLVs: * * req: TLV_TYPE_EVENT_HANDLE - The event log handle */ DWORD request_sys_eventlog_close(Remote * remote, Packet * packet) { Packet * response = packet_create_response(packet); DWORD result = ERROR_SUCCESS; HANDLE hEvent = (HANDLE)packet_get_tlv_value_qword(packet, TLV_TYPE_EVENT_HANDLE); if(CloseEventLog(hEvent) == 0) { result = GetLastError(); } packet_transmit_response(result, remote, response); return ERROR_SUCCESS; }
void logInfo(const char *functionName, const char *text) { #ifndef WIN32 syslog(LOG_INFO, "SoftHSM: %s: %s", functionName, text); #else HANDLE hEventLog = OpenEventLog(NULL, "SoftHSM"); if(hEventLog) { char msg[1024]; char* msgs[1]; snprintf(msg, sizeof(msg), "%s: %s", functionName, text); msgs[0] = msg; ReportEvent(hEventLog, EVENTLOG_INFORMATION_TYPE, 0, 0, NULL, 1, 0, (const char **)msgs, NULL); CloseEventLog(hEventLog); } #endif }
/* open event logger and return number of records */ static int zbx_open_eventlog(LPCTSTR wsource, HANDLE *eventlog_handle, zbx_uint64_t *FirstID, zbx_uint64_t *LastID) { const char *__function_name = "zbx_open_eventlog"; wchar_t reg_path[MAX_PATH]; HKEY hk = NULL; DWORD dwNumRecords, dwOldestRecord; int ret = FAIL; zabbix_log(LOG_LEVEL_DEBUG, "In %s()", __function_name); *eventlog_handle = NULL; /* Get path to eventlog */ StringCchPrintf(reg_path, MAX_PATH, EVENTLOG_REG_PATH TEXT("%s"), wsource); if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &hk)) goto out; RegCloseKey(hk); if (NULL == (*eventlog_handle = OpenEventLog(NULL, wsource))) /* open log file */ goto out; if (0 == GetNumberOfEventLogRecords(*eventlog_handle, &dwNumRecords) || 0 == GetOldestEventLogRecord(*eventlog_handle, &dwOldestRecord)) { CloseEventLog(*eventlog_handle); *eventlog_handle = NULL; goto out; } *FirstID = dwOldestRecord; *LastID = dwOldestRecord + dwNumRecords - 1; zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s FirstID:" ZBX_FS_UI64 " LastID:" ZBX_FS_UI64 " numIDs:%lu", __function_name, zbx_result_string(ret), *FirstID, *LastID, dwNumRecords); ret = SUCCEED; out: zabbix_log(LOG_LEVEL_DEBUG, "End of %s():%s", __function_name, zbx_result_string(ret)); return ret; }
void snmp_disable_syslog_entry(netsnmp_log_handler *logh) { if (!logh || !logh->enabled || logh->type != NETSNMP_LOGHANDLER_SYSLOG) return; #ifdef WIN32 if (logh->magic) { HANDLE eventlog_h = (HANDLE)logh->magic; CloseEventLog(eventlog_h); logh->magic = NULL; } #else closelog(); logh->imagic = 0; #endif netsnmp_disable_this_loghandler(logh); }
int mqtt3_log_close(struct mqtt3_config *config) { if(log_destinations & MQTT3_LOG_SYSLOG){ #ifndef WIN32 closelog(); #else CloseEventLog(syslog_h); #endif } if(log_destinations & MQTT3_LOG_FILE){ if(config->log_fptr){ fclose(config->log_fptr); config->log_fptr = NULL; } } /* FIXME - do something for all destinations! */ return MOSQ_ERR_SUCCESS; }
static void test_backup(void) { HANDLE handle; BOOL ret; const char backup[] = "backup.evt"; const char backup2[] = "backup2.evt"; SetLastError(0xdeadbeef); ret = BackupEventLogA(NULL, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = BackupEventLogA(NULL, backup); ok(!ret, "Expected failure\n"); ok(GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n"); handle = OpenEventLogA(NULL, "Application"); SetLastError(0xdeadbeef); ret = BackupEventLogA(handle, NULL); ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); ret = BackupEventLogA(handle, backup); if (!ret && GetLastError() == ERROR_PRIVILEGE_NOT_HELD) { skip("insufficient privileges for backup tests\n"); CloseEventLog(handle); return; } ok(ret, "Expected success\n"); todo_wine ok(GetFileAttributesA(backup) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n"); /* Try to overwrite */ SetLastError(0xdeadbeef); ret = BackupEventLogA(handle, backup); todo_wine { ok(!ret, "Expected failure\n"); ok(GetLastError() == ERROR_ALREADY_EXISTS, "Expected ERROR_ALREADY_EXISTS, got %d\n", GetLastError()); } CloseEventLog(handle); /* Can we make a backup of a backup? */ handle = OpenBackupEventLogA(NULL, backup); todo_wine ok(handle != NULL, "Expected a handle\n"); ret = BackupEventLogA(handle, backup2); todo_wine { ok(ret, "Expected success\n"); ok(GetFileAttributesA(backup2) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n"); } CloseEventLog(handle); DeleteFileA(backup); DeleteFileA(backup2); }
int CALLBACK WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { int rc; WNDCLASSEX wc; MSG msg; const char *class_name = "brickd_logviewer"; (void)hPrevInstance; (void)lpCmdLine; _hinstance = hInstance; _event_log = OpenEventLog(NULL, "Brick Daemon"); if (_event_log == NULL) { rc = GetLastError(); report_error("Could not open event log: %s (%d)", get_error_name(rc), rc); return 0; } wc.cbSize = sizeof(WNDCLASSEX); wc.style = 0; wc.lpfnWndProc = window_proc; wc.cbClsExtra = 0; wc.cbWndExtra = 0; wc.hInstance = hInstance; wc.hIcon = NULL; wc.hCursor = LoadCursor(NULL, IDC_ARROW); wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1); wc.lpszMenuName = NULL; wc.lpszClassName = class_name; wc.hIconSm = NULL; if (!RegisterClassEx(&wc)) { rc = GetLastError(); report_error("Could not register window class: %s (%d)", get_error_name(rc), rc); CloseEventLog(_event_log); return 0; } _hwnd = CreateWindowEx(WS_EX_APPWINDOW | WS_EX_CLIENTEDGE, class_name, _title, WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 1000, 700, NULL, NULL, hInstance, NULL); if (_hwnd == NULL) { rc = GetLastError(); report_error("Could not create window: %s (%d)", get_error_name(rc), rc); CloseEventLog(_event_log); return 0; } SendMessage(_hwnd, WM_SETICON, ICON_BIG, (LPARAM)LoadIcon(hInstance, MAKEINTRESOURCE(IDI_ICON))); create_menu(); if (init_common_controls() < 0 || create_status_bar() < 0 || create_event_list_view() < 0 || create_debug_list_view() < 0) { CloseEventLog(_event_log); return 0; } set_current_list_view(_event_list_view); ShowWindow(_hwnd, nCmdShow); UpdateWindow(_hwnd); if (CreateThread(NULL, 0, read_named_pipe, NULL, 0, NULL) == NULL) { rc = GetLastError(); report_error("Could not create named pipe thread: %s (%d)", get_error_name(rc), rc); } read_event_log(); SetTimer(_hwnd, 1, 200, (TIMERPROC)NULL); while ((rc = GetMessage(&msg, NULL, 0, 0)) != 0) { if (rc < 0) { rc = GetLastError(); report_error("Could not get window message: %s (%d)", get_error_name(rc), rc); break; } else { TranslateMessage(&msg); DispatchMessage(&msg); } } free(_record_buffer); CloseEventLog(_event_log); return msg.wParam; }
BOOL QueryEventMessages(LPWSTR lpMachineName, LPWSTR lpLogName) { HWND hwndDlg = NULL; HANDLE hEventLog; EVENTLOGRECORD *pevlr; DWORD dwRead, dwNeeded, dwThisRecord, dwTotalRecords = 0, dwCurrentRecord = 0, dwRecordsToRead = 0, dwFlags, dwMaxLength; size_t cchRemaining; LPWSTR lpSourceName; LPWSTR lpComputerName; LPSTR lpData; BOOL bResult = TRUE; /* Read succeeded. */ WCHAR szWindowTitle[MAX_PATH]; WCHAR szStatusText[MAX_PATH]; WCHAR szLocalDate[MAX_PATH]; WCHAR szLocalTime[MAX_PATH]; WCHAR szEventID[MAX_PATH]; WCHAR szEventTypeText[MAX_LOADSTRING]; WCHAR szCategoryID[MAX_PATH]; WCHAR szUsername[MAX_PATH]; WCHAR szEventText[EVENT_MESSAGE_FILE_BUFFER]; WCHAR szCategory[MAX_PATH]; WCHAR szData[MAX_PATH]; PWCHAR lpTitleTemplateEnd; SYSTEMTIME time; LVITEMW lviEventItem; dwFlags = EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ; /* Open the event log. */ hEventLog = OpenEventLogW(lpMachineName, lpLogName); if (hEventLog == NULL) { ShowLastWin32Error(); return FALSE; } lpSourceLogName = lpLogName; lpComputerName = lpMachineName; /* Disable listview redraw */ SendMessage(hwndListView, WM_SETREDRAW, FALSE, 0); /* Clear the list view */ (void)ListView_DeleteAllItems (hwndListView); FreeRecords(); GetOldestEventLogRecord(hEventLog, &dwThisRecord); /* Get the total number of event log records. */ GetNumberOfEventLogRecords (hEventLog , &dwTotalRecords); g_TotalRecords = dwTotalRecords; if (dwTotalRecords > 0) { EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_ENABLED); EnableMenuItem(hMainMenu, IDM_SAVE_PROTOCOL, MF_BYCOMMAND | MF_ENABLED); } else { EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_GRAYED); EnableMenuItem(hMainMenu, IDM_SAVE_PROTOCOL, MF_BYCOMMAND | MF_GRAYED); } g_RecordPtrs = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwTotalRecords * sizeof(PVOID)); /* If we have at least 1000 records show the waiting dialog */ if (dwTotalRecords > 1000) { CloseHandle(CreateThread(NULL, 0, ShowStatusMessageThread, (LPVOID)&hwndDlg, 0, NULL)); } while (dwCurrentRecord < dwTotalRecords) { pevlr = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); g_RecordPtrs[dwCurrentRecord] = pevlr; bResult = ReadEventLog(hEventLog, // Event log handle dwFlags, // Sequential read 0, // Ignored for sequential read pevlr, // Pointer to buffer sizeof(EVENTLOGRECORD), // Size of buffer &dwRead, // Number of bytes read &dwNeeded); // Bytes in the next record if((!bResult) && (GetLastError () == ERROR_INSUFFICIENT_BUFFER)) { HeapFree(GetProcessHeap(), 0, pevlr); pevlr = HeapAlloc(GetProcessHeap(), 0, dwNeeded); g_RecordPtrs[dwCurrentRecord] = pevlr; ReadEventLogW(hEventLog, // event log handle dwFlags, // read flags 0, // offset; default is 0 pevlr, // pointer to buffer dwNeeded, // size of buffer &dwRead, // number of bytes read &dwNeeded); // bytes in next record } while (dwRead > 0) { LoadStringW(hInst, IDS_NOT_AVAILABLE, szUsername, MAX_PATH); LoadStringW(hInst, IDS_NOT_AVAILABLE, szEventText, MAX_PATH); LoadStringW(hInst, IDS_NONE, szCategory, MAX_PATH); // Get the event source name. lpSourceName = (LPWSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD)); // Get the computer name lpComputerName = (LPWSTR)((LPBYTE)pevlr + sizeof(EVENTLOGRECORD) + (wcslen(lpSourceName) + 1) * sizeof(WCHAR)); // This ist the data section of the current event lpData = (LPSTR)((LPBYTE)pevlr + pevlr->DataOffset); // Compute the event type EventTimeToSystemTime(pevlr->TimeWritten, &time); // Get the username that generated the event GetEventUserName(pevlr, szUsername); GetDateFormatW(LOCALE_USER_DEFAULT, DATE_SHORTDATE, &time, NULL, szLocalDate, MAX_PATH); GetTimeFormatW(LOCALE_USER_DEFAULT, 0, &time, NULL, szLocalTime, MAX_PATH); GetEventType(pevlr->EventType, szEventTypeText); GetEventCategory(lpLogName, lpSourceName, pevlr, szCategory); StringCbPrintfW(szEventID, sizeof(szEventID), L"%u", (pevlr->EventID & 0xFFFF)); StringCbPrintfW(szCategoryID, sizeof(szCategoryID), L"%u", pevlr->EventCategory); lviEventItem.mask = LVIF_IMAGE | LVIF_TEXT | LVIF_PARAM; lviEventItem.iItem = 0; lviEventItem.iSubItem = 0; lviEventItem.lParam = (LPARAM)pevlr; lviEventItem.pszText = szEventTypeText; switch (pevlr->EventType) { case EVENTLOG_ERROR_TYPE: lviEventItem.iImage = 2; break; case EVENTLOG_AUDIT_FAILURE: lviEventItem.iImage = 2; break; case EVENTLOG_WARNING_TYPE: lviEventItem.iImage = 1; break; case EVENTLOG_INFORMATION_TYPE: lviEventItem.iImage = 0; break; case EVENTLOG_AUDIT_SUCCESS: lviEventItem.iImage = 0; break; case EVENTLOG_SUCCESS: lviEventItem.iImage = 0; break; } lviEventItem.iItem = ListView_InsertItem(hwndListView, &lviEventItem); ListView_SetItemText(hwndListView, lviEventItem.iItem, 1, szLocalDate); ListView_SetItemText(hwndListView, lviEventItem.iItem, 2, szLocalTime); ListView_SetItemText(hwndListView, lviEventItem.iItem, 3, lpSourceName); ListView_SetItemText(hwndListView, lviEventItem.iItem, 4, szCategory); ListView_SetItemText(hwndListView, lviEventItem.iItem, 5, szEventID); ListView_SetItemText(hwndListView, lviEventItem.iItem, 6, szUsername); //User ListView_SetItemText(hwndListView, lviEventItem.iItem, 7, lpComputerName); //Computer MultiByteToWideChar(CP_ACP, 0, lpData, pevlr->DataLength, szData, MAX_PATH); ListView_SetItemText(hwndListView, lviEventItem.iItem, 8, szData); //Event Text dwRead -= pevlr->Length; pevlr = (EVENTLOGRECORD *)((LPBYTE) pevlr + pevlr->Length); } dwRecordsToRead--; dwCurrentRecord++; } // All events loaded if(hwndDlg) EndDialog(hwndDlg, 0); StringCchPrintfExW(szWindowTitle, sizeof(szWindowTitle) / sizeof(WCHAR), &lpTitleTemplateEnd, &cchRemaining, 0, szTitleTemplate, szTitle, lpLogName); /* i = number of characters written */ /* lpComputerName can be NULL here if no records was read */ dwMaxLength = (DWORD)cchRemaining; if (!lpComputerName) GetComputerNameW(lpTitleTemplateEnd, &dwMaxLength); else StringCchCopyW(lpTitleTemplateEnd, dwMaxLength, lpComputerName); StringCbPrintfW(szStatusText, sizeof(szStatusText), szStatusBarTemplate, lpLogName, dwTotalRecords); // Update the status bar SendMessageW(hwndStatus, SB_SETTEXT, (WPARAM)0, (LPARAM)szStatusText); // Set the window title SetWindowTextW(hwndMainWindow, szWindowTitle); // Resume list view redraw SendMessageW(hwndListView, WM_SETREDRAW, TRUE, 0); // Close the event log. CloseEventLog(hEventLog); return TRUE; }
static void test_readwrite(void) { HANDLE handle; PSID user; DWORD sidsize, count; BOOL ret, sidavailable; BOOL on_vista = FALSE; /* Used to indicate Vista, W2K8 or Win7 */ DWORD i; char *localcomputer = NULL; DWORD size; if (pCreateWellKnownSid) { sidsize = SECURITY_MAX_SID_SIZE; user = HeapAlloc(GetProcessHeap(), 0, sidsize); SetLastError(0xdeadbeef); pCreateWellKnownSid(WinInteractiveSid, NULL, user, &sidsize); sidavailable = TRUE; } else { win_skip("Skipping some SID related tests\n"); sidavailable = FALSE; user = NULL; } /* Write an event with an incorrect event type. This will fail on Windows 7 * but succeed on all others, hence it's not part of the struct. */ handle = OpenEventLogA(NULL, eventlogname); if (!handle) { /* Intermittently seen on NT4 when tests are run immediately after boot */ win_skip("Could not get a handle to the eventlog\n"); goto cleanup; } count = 0xdeadbeef; GetNumberOfEventLogRecords(handle, &count); if (count != 0) { /* Needed for W2K3 without a service pack */ win_skip("We most likely opened the Application eventlog\n"); CloseEventLog(handle); Sleep(2000); handle = OpenEventLogA(NULL, eventlogname); count = 0xdeadbeef; GetNumberOfEventLogRecords(handle, &count); if (count != 0) { win_skip("We didn't open our new eventlog\n"); CloseEventLog(handle); goto cleanup; } } SetLastError(0xdeadbeef); ret = ReportEventA(handle, 0x20, 0, 0, NULL, 0, 0, NULL, NULL); if (!ret && GetLastError() == ERROR_CRC) { win_skip("Win7 fails when using incorrect event types\n"); ret = ReportEventA(handle, 0, 0, 0, NULL, 0, 0, NULL, NULL); ok(ret, "Expected success : %d\n", GetLastError()); } else { void *buf; DWORD read, needed = 0; EVENTLOGRECORD *record; ok(ret, "Expected success : %d\n", GetLastError()); /* Needed to catch earlier Vista (with no ServicePack for example) */ buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); if (!(ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed)) && GetLastError() == ERROR_INSUFFICIENT_BUFFER) { buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, needed, &read, &needed); } if (ret) { record = (EVENTLOGRECORD *)buf; /* Vista and W2K8 return EVENTLOG_SUCCESS, Windows versions before return * the written eventtype (0x20 in this case). */ if (record->EventType == EVENTLOG_SUCCESS) on_vista = TRUE; } HeapFree(GetProcessHeap(), 0, buf); } /* This will clear the eventlog. The record numbering for new * events however differs on Vista SP1+. Before Vista the first * event would be numbered 1, on Vista SP1+ it's higher as we already * had at least one event (more in case of multiple test runs without * a reboot). */ ClearEventLogA(handle, NULL); CloseEventLog(handle); /* Write a bunch of events while using different event sources */ for (i = 0; i < sizeof(read_write)/sizeof(read_write[0]); i++) { DWORD oldest; BOOL run_sidtests = read_write[i].evt_sid & sidavailable; /* We don't need to use RegisterEventSource to report events */ if (i % 2) handle = OpenEventLogA(NULL, read_write[i].evt_src); else handle = RegisterEventSourceA(NULL, read_write[i].evt_src); ok(handle != NULL, "Expected a handle\n"); SetLastError(0xdeadbeef); ret = ReportEventA(handle, read_write[i].evt_type, read_write[i].evt_cat, read_write[i].evt_id, run_sidtests ? user : NULL, read_write[i].evt_numstrings, 0, read_write[i].evt_strings, NULL); ok(ret, "Expected ReportEvent success : %d\n", GetLastError()); count = 0xdeadbeef; SetLastError(0xdeadbeef); ret = GetNumberOfEventLogRecords(handle, &count); ok(ret, "Expected GetNumberOfEventLogRecords success : %d\n", GetLastError()); todo_wine ok(count == (i + 1), "Expected %d records, got %d\n", i + 1, count); oldest = 0xdeadbeef; ret = GetOldestEventLogRecord(handle, &oldest); ok(ret, "Expected GetOldestEventLogRecord success : %d\n", GetLastError()); todo_wine ok(oldest == 1 || (oldest > 1 && oldest != 0xdeadbeef), /* Vista SP1+, W2K8 and Win7 */ "Expected oldest to be 1 or higher, got %d\n", oldest); if (oldest > 1 && oldest != 0xdeadbeef) on_vista = TRUE; SetLastError(0xdeadbeef); if (i % 2) ret = CloseEventLog(handle); else ret = DeregisterEventSource(handle); ok(ret, "Expected success : %d\n", GetLastError()); } handle = OpenEventLogA(NULL, eventlogname); count = 0xdeadbeef; ret = GetNumberOfEventLogRecords(handle, &count); ok(ret, "Expected success\n"); todo_wine ok(count == i, "Expected %d records, got %d\n", i, count); CloseEventLog(handle); if (count == 0) { skip("No events were written to the eventlog\n"); goto cleanup; } /* Report only once */ if (on_vista) skip("There is no DWORD alignment enforced for UserSid on Vista, W2K8 or Win7\n"); if (on_vista && pGetComputerNameExA) { /* New Vista+ behavior */ size = 0; SetLastError(0xdeadbeef); pGetComputerNameExA(ComputerNameDnsFullyQualified, NULL, &size); localcomputer = HeapAlloc(GetProcessHeap(), 0, size); pGetComputerNameExA(ComputerNameDnsFullyQualified, localcomputer, &size); } else { size = MAX_COMPUTERNAME_LENGTH + 1; localcomputer = HeapAlloc(GetProcessHeap(), 0, size); GetComputerNameA(localcomputer, &size); } /* Read all events from our created eventlog, one by one */ handle = OpenEventLogA(NULL, eventlogname); ok(handle != NULL, "Failed to open Event Log, got %d\n", GetLastError()); i = 0; for (;;) { void *buf; DWORD read, needed; EVENTLOGRECORD *record; char *sourcename, *computername; int k; char *ptr; BOOL run_sidtests = read_write[i].evt_sid & sidavailable; buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); if (!ret && GetLastError() != ERROR_INSUFFICIENT_BUFFER) { HeapFree(GetProcessHeap(), 0, buf); ok(GetLastError() == ERROR_HANDLE_EOF, "record %d, got %d\n", i, GetLastError()); break; } buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, needed, &read, &needed); ok(ret, "Expected success: %d\n", GetLastError()); record = (EVENTLOGRECORD *)buf; ok(record->Length == read, "Expected %d, got %d\n", read, record->Length); ok(record->Reserved == 0x654c664c, "Expected 0x654c664c, got %d\n", record->Reserved); ok(record->RecordNumber == i + 1 || (on_vista && (record->RecordNumber > i + 1)), "Expected %d or higher, got %d\n", i + 1, record->RecordNumber); ok(record->EventID == read_write[i].evt_id, "Expected %d, got %d\n", read_write[i].evt_id, record->EventID); ok(record->EventType == read_write[i].evt_type, "Expected %d, got %d\n", read_write[i].evt_type, record->EventType); ok(record->NumStrings == read_write[i].evt_numstrings, "Expected %d, got %d\n", read_write[i].evt_numstrings, record->NumStrings); ok(record->EventCategory == read_write[i].evt_cat, "Expected %d, got %d\n", read_write[i].evt_cat, record->EventCategory); sourcename = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD)); ok(!lstrcmpA(sourcename, read_write[i].evt_src), "Expected '%s', got '%s'\n", read_write[i].evt_src, sourcename); computername = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1); ok(!lstrcmpiA(computername, localcomputer), "Expected '%s', got '%s'\n", localcomputer, computername); /* Before Vista, UserSid was aligned on a DWORD boundary. Next to that if * no padding was actually required a 0 DWORD was still used for padding. No * application should be relying on the padding as we are working with offsets * anyway. */ if (!on_vista) { DWORD calculated_sidoffset = sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1 + lstrlenA(computername) + 1; /* We are already DWORD aligned, there should still be some padding */ if ((((UINT_PTR)buf + calculated_sidoffset) % sizeof(DWORD)) == 0) ok(*(DWORD *)((BYTE *)buf + calculated_sidoffset) == 0, "Expected 0\n"); ok((((UINT_PTR)buf + record->UserSidOffset) % sizeof(DWORD)) == 0, "Expected DWORD alignment\n"); } if (run_sidtests) { ok(record->UserSidLength == sidsize, "Expected %d, got %d\n", sidsize, record->UserSidLength); } else { ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n"); ok(record->UserSidLength == 0, "Expected 0, got %d\n", record->UserSidLength); } ok(record->DataLength == 0, "Expected 0, got %d\n", record->DataLength); ptr = (char *)((BYTE *)buf + record->StringOffset); for (k = 0; k < record->NumStrings; k++) { ok(!lstrcmpA(ptr, two_strings[k]), "Expected '%s', got '%s'\n", two_strings[k], ptr); ptr += lstrlenA(ptr) + 1; } ok(record->Length == *(DWORD *)((BYTE *)buf + record->Length - sizeof(DWORD)), "Expected the closing DWORD to contain the length of the record\n"); HeapFree(GetProcessHeap(), 0, buf); i++; } CloseEventLog(handle); /* Test clearing a real eventlog */ handle = OpenEventLogA(NULL, eventlogname); ok(handle != NULL, "Failed to open Event Log, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ClearEventLogA(handle, NULL); ok(ret, "Expected success\n"); count = 0xdeadbeef; ret = GetNumberOfEventLogRecords(handle, &count); ok(ret, "Expected success\n"); ok(count == 0, "Expected an empty eventlog, got %d records\n", count); CloseEventLog(handle); cleanup: HeapFree(GetProcessHeap(), 0, localcomputer); HeapFree(GetProcessHeap(), 0, user); }
/*--------------------------[ FindFirstReadPos ]-------------------------- * Find approx start position in the event log to start finding entries from - dont want to start sequentially from the beginning * * Returns: * 0 empty event log, or error ; just go from the beginnning * value record offset *----------------------------------------------------------------------------*/ DWORD FindFirstReadPos(char *name,uint32 lastrun) { DWORD minPos=0; DWORD maxPos; DWORD probe; int status; //char buffer[2048]; uint32 bytes; uint32 next; //EVENTLOGRECORD *record = (EVENTLOGRECORD *)&buffer; HANDLE hLog; if ((hLog = OpenEventLog(NULL, name)) == NULL) return 0; //Find min status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,0, &bytes, &next); if (status==0) { CloseEventLog(hLog); return 0; } minPos=record->RecordNumber; CloseEventLog(hLog); if ((hLog = OpenEventLog(NULL, name)) == NULL) return 0; //Find min status=ernoReadEventLog(hLog, EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ,0, &bytes, &next); if (status==0) { CloseEventLog(hLog); return 0; } maxPos=record->RecordNumber; CloseEventLog(hLog); probe=(DWORD)(minPos+0.9*(maxPos-minPos)); while(true) { if ((maxPos-minPos)<200) { return minPos; } if ((hLog = OpenEventLog(NULL, name)) == NULL) return 0; status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,probe, &bytes, &next); CloseEventLog(hLog); if (status==0) { return minPos; } if ( (record->TimeWritten >= lastrun)) { maxPos=record->RecordNumber; } else { minPos=record->RecordNumber; } probe=(DWORD)((minPos+maxPos)/2); } return 0; }
/*--------------------------[ eventlog_read_events ]-------------------------- * Read messages from the event log * * Returns: * success (0) * error (-1) *----------------------------------------------------------------------------*/ int eventlog_read_events(eventlog_data* eventlog, uint32 *lastrun,uint32 *thisrun){ //char buffer[EVENTLOG_BUFFER_LEN]; uint32 bytes; uint32 next; // EVENTLOGRECORD *record = (EVENTLOGRECORD *)eventBuffer; HANDLE hLog; int status; DWORD recordCounter=1; //used to indicate where to read next from eventlog. It does *not* neccessarily mean that post is to be added;eventlog->Recordoffset takes care of that. DWORD startPos; ntsl_event *event; char *source; char *computer; char *strings; struct tm _time,*time; bool ThisIsInitialLoop=true; __try { time=&_time; LabelForResettedEventLog: if ( (lastrun == NULL) || (thisrun == NULL) || (service_halting()) ) return(-1); if ((hLog = OpenEventLog(NULL, eventlog->name)) == NULL) { //ntsl_log_error(NTSL_ERROR_EVENT_LOG_ACCESS, eventlog->name); DEBUGSERVICE(Message,"Failed to open event log %s. Error: %s", eventlog->name,GetLastError()); return(-1); } DEBUGPARSE(Header,"Reading %s event log starting at offset %u.", eventlog->name,eventlog->recordOffset); //find start position if (eventlog->recordOffset==0) { startPos=FindFirstReadPos(eventlog->name,*lastrun); if (startPos==0) { //no help status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,0, &bytes, &next); } else { status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,startPos, &bytes, &next); } if ((status==0)&& (GetLastError() != ERROR_INSUFFICIENT_BUFFER)) { //totally empty eventlog, or error; eject CloseEventLog(hLog); return(0); } eventlog->recordOffset=record->RecordNumber; eventlog->verificationTime=record->TimeGenerated; recordCounter=eventlog->recordOffset; } else { recordCounter=max(eventlog->recordOffset,0); //-1 so that a valid entry is read unless the enventlog has been wiped. } //big loop while ((status=ernoReadEventLog(hLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,recordCounter, &bytes, &next))){ DEBUGPARSE(Message,"Read %u bytes at position %u with return status %d.",bytes,recordCounter, status); if ((ThisIsInitialLoop)&&(eventlog->verificationTime!=record->TimeGenerated)) { //same id as before, but new time! Start from scratch since eventlog has been rotated/deleted DEBUGPARSE(Message,"Verification time mismatch! EventLog cleared? starting from the beginning."); eventlog->recordOffset=0; ThisIsInitialLoop=false; CloseEventLog(hLog); goto LabelForResettedEventLog; //erno only solution to a complete rewrite...(?) } ThisIsInitialLoop=false; //Read successful, hence set to false for the future if (service_halting()) return(-1); while (bytes > 0) { /* If this event happened between the last time we ran, and the current time, and it is one we are interested in, then fill in an ntsl_event structure, and pass it to the engine to log. */ //If match with registry list of filtered event id's, ignore. //record->EventID &=0x0000FFFF; Dum, dum idé. Utan unika, högre delarena blir matchningen mellan id och dll'ens id inte unika--> problem. if ( (record->TimeWritten >= (uint32)*lastrun) && (record->TimeWritten < (uint32)*thisrun) && (eventlog_check_event(eventlog, record->EventType)) && (thisEventIsFilteredOut(record->EventID)==false)) { source = (LPSTR) ((LPBYTE) record + sizeof(EVENTLOGRECORD)); computer = source + strlen(source) + 1; strings = (LPSTR) ((LPBYTE) record + record->StringOffset); __time64_t _TimeGenerated=record->TimeGenerated; localtime_s(time,&_TimeGenerated); //DEBUGPARSE(Message,"Nasta startposition %u. Record %u adderades. lastrun: %u thisrun: %u TimeWritten: %u",eventlog->recordOffset,record->RecordNumber,(uint32)*lastrun,(uint32)*thisrun,record->TimeWritten); if ( (event = (ntsl_event*)malloc0(sizeof(ntsl_event))) == NULL){ ntsl_log_error(NTSL_ERROR_EVENT_MALLOC); return(-1); } event->msg[0] = 0; //erno2005 strcpy_s(event->facilityName,sizeof(event->facilityName),eventlog->name); event->time1970format=record->TimeGenerated; strftime(event->date, NTSL_DATE_LEN, "%b %d %H:%M:%S", time); if (event->date[4] == '0') // Unix style formatting event->date[4] = ' '; strcpy_s(event->host, eventlog_lcase(computer)); strcpy_s(event->source, eventlog_lcase(source)); eventlog_set_event_type(event, record->EventType); eventlog_set_event_priority(event, record->EventType, eventlog); eventlog_set_event_msg(event, eventlog->name, record->EventID, strings, record->NumStrings); eventlog_set_user(event, ((LPBYTE) record + record->UserSidOffset), record->UserSidLength); DEBUGPARSE(Message,"Sending parsed record %u to output: %s",record->RecordNumber, event->msg); engine_process_event(event); event = NULL; } else { //DEBUGPARSE(Message,"Next start position %u. Record %u ignored. lastrun: %u thisrun: %u TimeWritten: %u",eventlog->recordOffset,record->RecordNumber,(uint32)*lastrun,(uint32)*thisrun,record->TimeWritten); } bytes -= record->Length; //DEBUGPARSE(Message,"Bytes remaining in buffer to read is %u.",bytes); if (record->TimeWritten < (uint32)*thisrun) { eventlog->recordOffset=record->RecordNumber; eventlog->verificationTime=record->TimeGenerated; } record = (EVENTLOGRECORD *) ((LPBYTE) record + record->Length); recordCounter++; } //End loop parse received messages in buffer DEBUGPARSE(EndHeader,""); //record = (EVENTLOGRECORD *)eventBuffer; } //end big while loop if ((status==0)&&(ThisIsInitialLoop)) { //this only happens if an entry has been removed, i.e. deleted from eventLog. Start from scratch. DEBUGPARSE(Message,"Id not found! EventLog cleared? starting from the beginning."); eventlog->recordOffset=0; ThisIsInitialLoop=false; CloseEventLog(hLog); goto LabelForResettedEventLog; //erno only solution to a complete rewrite...(?) } } __except( CreateMiniDump( GetExceptionInformation() ), EXCEPTION_EXECUTE_HANDLER ) { logger(Error,"Exception when reading events from %s! Will reattempt reading. Current or previous event text is:%s", eventlog->name, event->msg); Sleep(3000); }
/* イベントログの読み取り */ void ReadLog(void) { DWORD BufSize; DWORD ReadBytes; DWORD NextSize; BOOL bResult; DWORD i; char *cp; char *pSourceName; char *pComputerName; HANDLE hEventLog = NULL; EVENTLOGRECORD *pBuf = NULL; char **Args = NULL; /* イベントログのオープン */ hEventLog = OpenEventLog(NULL, "Application"); if(hEventLog == NULL) { printf("event log can not open.\n"); goto Exit; } for(;;) { /* イベントログのサイズ取得 */ BufSize = 1; pBuf = (EVENTLOGRECORD *)GlobalAlloc(GMEM_FIXED, BufSize); bResult = ReadEventLog( hEventLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, pBuf, BufSize, &ReadBytes, &NextSize); if(!bResult && GetLastError() != ERROR_INSUFFICIENT_BUFFER) break; GlobalFree(pBuf); pBuf = NULL; /* バッファ割り当て */ BufSize = NextSize; pBuf = (EVENTLOGRECORD *)GlobalAlloc(GMEM_FIXED, BufSize); /* イベントログの読み取り */ bResult = ReadEventLog( hEventLog, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, pBuf, BufSize, &ReadBytes, &NextSize); if(!bResult) break; eventlog_record rec( pBuf ); /* 読み取ったイベントの表示 */ printf("レコード番号: %d\n", rec.RecordNumber() ); time_t t = rec.TimeGenerated(); printf("生成時刻: %s", ctime( &t ) ); t = rec.TimeWritten(); printf("書き込み時刻: %s", ctime( &t ) ); printf("イベントID: %08x\n", rec.EventID() ); printf( "イベントの種別: %s\n", rec.EventTypeText().c_str() ); cp = (char *)pBuf; cp += sizeof(EVENTLOGRECORD); pSourceName = cp; cp += strlen(cp)+1; pComputerName = cp; cp += strlen(cp)+1; printf("ソース名: %s\n", rec.SourceName().c_str() ); printf("コンピュータ名: %s\n", rec.ComputerName().c_str() ); /* カテゴリの表示 */ printf("二次カテゴリ: ", pBuf->EventCategory); DispMessage(pSourceName, "CategoryMessageFile", NULL, pBuf->EventCategory); /* メッセージの表示 */ Args = GetArgs(pBuf); printf("メッセージ: "); DispMessage(pSourceName, "EventMessageFile", (const char **)Args, pBuf->EventID); if(Args != NULL) { GlobalFree(Args); Args = NULL; } /* 固有データの表示 */ if(pBuf->DataLength > 0) { printf("固有データ: "); for(i=0; i<pBuf->DataLength; i++) printf("%02x ", *(((unsigned char *)pBuf)+(pBuf->DataOffset)+i)); printf("\n"); } printf("\n"); /* バッファ解放 */ GlobalFree(pBuf); pBuf = NULL; } Exit: /* 後処理 */ if(pBuf != NULL) GlobalFree(pBuf); if(Args != NULL) GlobalFree(Args); if(hEventLog != NULL) CloseEventLog(hEventLog); }
/* close event logger */ static void zbx_close_eventlog(HANDLE eventlog_handle) { if (NULL != eventlog_handle) CloseEventLog(eventlog_handle); }
/* Close eventlog */ static void EventlogClose(int log) { /* Close log */ CloseEventLog(EventlogList[log].handle); EventlogList[log].handle = NULL; }
LogChannelSyslog::~LogChannelSyslog() { stop(); CloseEventLog( (HANDLE) m_sysdata ); }
/** void readel(os_el *el) * Reads the event log. */ void readel(os_el *el, int printit) { DWORD _evtid = 65535; DWORD nstr; DWORD user_size; DWORD domain_size; DWORD read, needed; int size_left; int str_size; int id; char mbuffer[BUFFER_SIZE +1]; LPSTR sstr = NULL; char *tmp_str = NULL; char *category; char *source; char *computer_name; char *descriptive_msg; char el_user[OS_FLSIZE +1]; char el_domain[OS_FLSIZE +1]; char el_string[OS_MAXSTR +1]; char final_msg[OS_MAXSTR +1]; LPSTR el_sstring[OS_FLSIZE +1]; /* Er must point to the mbuffer */ el->er = (EVENTLOGRECORD *) &mbuffer; /* Zeroing the values */ el_string[OS_MAXSTR] = '\0'; el_user[OS_FLSIZE] = '\0'; el_domain[OS_FLSIZE] = '\0'; final_msg[OS_MAXSTR] = '\0'; el_sstring[0] = NULL; el_sstring[OS_FLSIZE] = NULL; /* Event log is not open */ if(!el->h) { return; } /* Reading the event log */ while(ReadEventLog(el->h, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, el->er, BUFFER_SIZE -1, &read, &needed)) { if(!printit) { /* Setting er to the beginning of the buffer */ el->er = (EVENTLOGRECORD *)&mbuffer; continue; } while(read > 0) { /* We need to initialize every variable before the loop */ category = el_getCategory(el->er->EventType); source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD)); computer_name = source + strlen(source) + 1; descriptive_msg = NULL; /* Getting event id. */ id = (int)el->er->EventID & _evtid; /* Initialing domain/user size */ user_size = 255; domain_size = 255; el_domain[0] = '\0'; el_user[0] = '\0'; /* We must have some description */ if(el->er->NumStrings) { size_left = OS_MAXSTR - OS_SIZE_1024; sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset); el_string[0] = '\0'; for (nstr = 0;nstr < el->er->NumStrings;nstr++) { str_size = strlen(sstr); if(size_left > 1) { strncat(el_string, sstr, size_left); } tmp_str = strchr(el_string, '\0'); if(tmp_str) { *tmp_str = ' '; tmp_str++; *tmp_str = '\0'; } else { merror("%s: Invalid application string (size+)", ARGV0); } size_left-=str_size + 2; if(nstr <= 92) { el_sstring[nstr] = (LPSTR)sstr; el_sstring[nstr +1] = NULL; } sstr = strchr( (LPSTR)sstr, '\0'); if(sstr) sstr++; else break; } /* Get a more descriptive message (if available) */ if(isVista && strcmp(el->name, "Security") == 0) { descriptive_msg = el_vista_getMessage(id, el_sstring); } else { descriptive_msg = el_getMessage(el->er, el->name, source, el_sstring); } if(descriptive_msg != NULL) { /* Remove any \n or \r */ /* Replace tabs from the argument field to spaces. * So whenever we have option:\tvalue\t, it will * become option: value\t */ tmp_str = descriptive_msg; while(*tmp_str != '\0') { if(*tmp_str == '\n') *tmp_str = ' '; else if(*tmp_str == '\r') *tmp_str = ' '; else if((*tmp_str == ':') && (tmp_str[1] == '\t')) { tmp_str[1] = ' '; tmp_str++; } tmp_str++; } } } else { strncpy(el_string, "(no message)", 128); } /* Getting username */ if(el->er->UserSidLength) { SID_NAME_USE account_type; if(!LookupAccountSid(NULL, (SID *)((LPSTR)el->er + el->er->UserSidOffset), el_user, &user_size, el_domain, &domain_size, &account_type)) { strncpy(el_user, "(no user)", 255); strncpy(el_domain, "no domain", 255); } } else if(isVista && strcmp(el->name, "Security") == 0) { int uid_array_id = -1; switch(id) { case 4624: uid_array_id = 5; break; case 4634: uid_array_id = 1; break; case 4647: uid_array_id = 1; break; case 4769: uid_array_id = 0; break; } if((uid_array_id >= 0) && el_sstring[uid_array_id] && el_sstring[uid_array_id +1]) { strncpy(el_user, el_sstring[uid_array_id], OS_FLSIZE); strncpy(el_domain, el_sstring[uid_array_id +1], OS_FLSIZE); } else { strncpy(el_user, "(no user)", 255); strncpy(el_domain, "no domain", 255); } } else { strncpy(el_user, "(no user)", 255); strncpy(el_domain, "no domain", 255); } if(printit) { DWORD _evtid = 65535; int id = (int)el->er->EventID & _evtid; final_msg[OS_MAXSTR - OS_LOG_HEADER] = '\0'; final_msg[OS_MAXSTR - OS_LOG_HEADER -1] = '\0'; snprintf(final_msg, OS_MAXSTR - OS_LOG_HEADER -1, "WinEvtLog: %s: %s(%d): %s: %s: %s: %s: %s", el->name, category, id, source, el_user, el_domain, computer_name, descriptive_msg != NULL?descriptive_msg:el_string); if(SendMSG(logr_queue, final_msg, "WinEvtLog", LOCALFILE_MQ) < 0) { merror(QUEUE_SEND, ARGV0); } } if(descriptive_msg != NULL) { LocalFree(descriptive_msg); } /* Changing the point to the er */ read -= el->er->Length; el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length); } /* Setting er to the beginning of the buffer */ el->er = (EVENTLOGRECORD *)&mbuffer; } id = GetLastError(); if(id == ERROR_HANDLE_EOF) { return; } /* Event log was cleared. */ else if(id == ERROR_EVENTLOG_FILE_CHANGED) { char msg_alert[512 +1]; msg_alert[512] = '\0'; merror("%s: WARN: Event log cleared: '%s'", ARGV0, el->name); /* Send message about cleared */ snprintf(msg_alert, 512, "ossec: Event log cleared: '%s'", el->name); SendMSG(logr_queue, msg_alert, "WinEvtLog", LOCALFILE_MQ); /* Closing the event log and reopenning. */ CloseEventLog(el->h); el->h = NULL; /* Reopening. */ if(startEL(el->name, el) < 0) { merror("%s: ERROR: Unable to reopen event log '%s'", ARGV0, el->name); } } else { debug1("%s: WARN: Error reading event log: %d", ARGV0, id); } }
static void test_read(void) { HANDLE handle; BOOL ret; DWORD count, toread, read, needed; void *buf; SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, NULL); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); read = 0xdeadbeef; SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, NULL); ok(!ret, "Expected failure\n"); ok(read == 0xdeadbeef, "Expected 'read' parameter to remain unchanged\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); needed = 0xdeadbeef; SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, &needed); ok(!ret, "Expected failure\n"); ok(needed == 0xdeadbeef, "Expected 'needed' parameter to remain unchanged\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); /* 'read' and 'needed' are only filled when the needed buffer size is passed back or when the call succeeds */ SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, NULL, NULL); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); buf = NULL; SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); SetLastError(0xdeadbeef); ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError()); HeapFree(GetProcessHeap(), 0, buf); handle = OpenEventLogA(NULL, "Application"); /* Show that we need the proper dwFlags with a (for the rest) proper call */ buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, 0, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); todo_wine ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); HeapFree(GetProcessHeap(), 0, buf); /* First check if there are any records (in practice only on Wine: FIXME) */ count = 0; GetNumberOfEventLogRecords(handle, &count); if (!count) { skip("No records in the 'Application' log\n"); CloseEventLog(handle); return; } /* Get the buffer size for the first record */ buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); read = needed = 0xdeadbeef; SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); ok(!ret, "Expected failure\n"); ok(read == 0, "Expected no bytes read\n"); ok(needed > sizeof(EVENTLOGRECORD), "Expected the needed buffersize to be bigger than sizeof(EVENTLOGRECORD)\n"); ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError()); /* Read the first record */ toread = needed; buf = HeapReAlloc(GetProcessHeap(), 0, buf, toread); read = needed = 0xdeadbeef; SetLastError(0xdeadbeef); ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, toread, &read, &needed); ok(ret, "Expected success\n"); ok(read == toread || broken(read < toread), /* NT4 wants a buffer size way bigger than just 1 record */ "Expected the requested size to be read\n"); ok(needed == 0, "Expected no extra bytes to be read\n"); HeapFree(GetProcessHeap(), 0, buf); CloseEventLog(handle); }
void EventLogMonitor(void) { DWORD status = ERROR_SUCCESS; DWORD dwWaitReason = 0; DWORD dwLastRecordNumber = 0; int nMonSize = sizeof(event_monitor)/sizeof(struct _EVENT_MONITOR); HANDLE *arrhWaitHandles = (HANDLE*)malloc(nMonSize*sizeof(HANDLE)); g_arrhEventLog = (HANDLE*)malloc(nMonSize*sizeof(HANDLE)); for (int i=0; i<nMonSize; i++) { // Get the DLL that contains the message table string resources for the provider. event_monitor[i].hResource = GetMessageResources(event_monitor[i].resource_dll); if (NULL == event_monitor[i].hResource) { wprintf(L"Fail to load resource file.\n"); } // Get a handle to a manual reset event object that will be signal // when events are written to the log. arrhWaitHandles[i] = CreateEvent(NULL, TRUE, FALSE, NULL); if (NULL == arrhWaitHandles[i]) { wprintf(L"CreateEvent failed with %lu.\n", GetLastError()); } // Open the log file. The source name (provider) must exist as // a subkey of Application. g_arrhEventLog[i] = OpenEventLog(NULL, event_monitor[i].provider_name); //g_arrhEventLog[i] = OpenEventLog(NULL, L"Application"); if (NULL == g_arrhEventLog[i]) { wprintf(L"OpenEventLog failed with 0x%x.\n", GetLastError()); } // Seek to the last record in the event log and read it in order // to position the cursor for reading any new records when the // service notifies you that new records have been written to the // log file. status = SeekToLastRecord(g_arrhEventLog[i]); if (ERROR_SUCCESS != status) { wprintf(L"SeekToLastRecord failed with %lu.\n", status); } // Request notification when events are written to the log. if (!NotifyChangeEventLog(g_arrhEventLog[i], arrhWaitHandles[i])) { wprintf(L"NotifyChangeEventLog failed with %lu.\n", GetLastError()); goto cleanup; } } wprintf(L"Waiting for notification of new events...\n\n"); // Loop until the user presses a key or there is an error. while (true) { if (0 == g_enable_monitor) { break; } dwWaitReason = WaitForMultipleObjects(nMonSize, arrhWaitHandles, FALSE, /*INFINITE*/10*1000); dwWaitReason -= WAIT_OBJECT_0; if (dwWaitReason >= 0 && dwWaitReason < nMonSize) { if (ERROR_SUCCESS != (status = DumpNewRecords(dwWaitReason))) { wprintf(L"DumpNewRecords failed.\n"); break; } wprintf(L"\nWaiting for notification of new events...\n"); ResetEvent(arrhWaitHandles[dwWaitReason]); } else if (dwWaitReason == WAIT_TIMEOUT) { printf("WaitForMultiple Timeout.\n"); } else { if (WAIT_FAILED == dwWaitReason) { wprintf(L"WaitForSingleObject failed with %lu\n", GetLastError()); } break; } } cleanup: for (int i=0; i<nMonSize; i++) { if (g_arrhEventLog[i]) CloseEventLog(g_arrhEventLog[i]); if (arrhWaitHandles[i]) CloseHandle(arrhWaitHandles[i]); if (event_monitor[i].hResource) FreeLibrary(event_monitor[i].hResource); } if (arrhWaitHandles) free(arrhWaitHandles); if (g_arrhEventLog) free(g_arrhEventLog); }
static void test_openbackup(void) { HANDLE handle, handle2, file; DWORD written; const char backup[] = "backup.evt"; const char text[] = "Just some text"; SetLastError(0xdeadbeef); handle = OpenBackupEventLogA(NULL, NULL); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); handle = OpenBackupEventLogA(NULL, "idontexist.evt"); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_FILE_NOT_FOUND, "Expected ERROR_FILE_NOT_FOUND, got %d\n", GetLastError()); SetLastError(0xdeadbeef); handle = OpenBackupEventLogA("IDontExist", NULL); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError()); SetLastError(0xdeadbeef); handle = OpenBackupEventLogA("IDontExist", "idontexist.evt"); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */ "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError()); /* Make a backup eventlog to work with */ if (create_backup(backup)) { /* FIXME: Wine stops here */ if (GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES) { skip("We don't have a backup eventlog to work with\n"); return; } SetLastError(0xdeadbeef); handle = OpenBackupEventLogA("IDontExist", backup); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE || GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */ "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError()); /* Empty servername should be read as local server */ handle = OpenBackupEventLogA("", backup); ok(handle != NULL, "Expected a handle\n"); CloseEventLog(handle); handle = OpenBackupEventLogA(NULL, backup); ok(handle != NULL, "Expected a handle\n"); /* Can we open that same backup eventlog more than once? */ handle2 = OpenBackupEventLogA(NULL, backup); ok(handle2 != NULL, "Expected a handle\n"); ok(handle2 != handle, "Didn't expect the same handle\n"); CloseEventLog(handle2); CloseEventLog(handle); DeleteFileA(backup); } /* Is there any content checking done? */ file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL); CloseHandle(file); SetLastError(0xdeadbeef); handle = OpenBackupEventLogA(NULL, backup); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_NOT_ENOUGH_MEMORY || GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, /* Vista and Win7 */ "Expected ERROR_NOT_ENOUGH_MEMORY, got %d\n", GetLastError()); CloseEventLog(handle); DeleteFileA(backup); file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL); WriteFile(file, text, sizeof(text), &written, NULL); CloseHandle(file); SetLastError(0xdeadbeef); handle = OpenBackupEventLogA(NULL, backup); ok(handle == NULL, "Didn't expect a handle\n"); ok(GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, "Expected ERROR_EVENTLOG_FILE_CORRUPT, got %d\n", GetLastError()); CloseEventLog(handle); DeleteFileA(backup); }