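/*
 * rpcclient "eventlog_oldestrecord": print the record number of the
 * oldest entry in the named event log.
 *
 * argv[1] is the log name. Prints usage and returns NT_STATUS_OK when the
 * argument count is wrong; otherwise returns the status of opening the
 * log or of the GetOldestRecord call. Once the log has been opened the
 * handle is closed on every path.
 */
static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
					  TALLOC_CTX *mem_ctx,
					  int argc,
					  const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint32_t oldest_entry = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		/* nothing was opened, so there is nothing to close */
		return status;
	}

	status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
						 &handle,
						 &oldest_entry);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* oldest_entry is unsigned: use an unsigned conversion */
	printf("oldest entry: %u\n", oldest_entry);

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}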
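/*
 * rpcclient "eventlog_numrecords": print the number of records in the
 * named event log.
 *
 * argv[1] is the log name. Prints usage and returns NT_STATUS_OK when the
 * argument count is wrong; otherwise returns the status of opening the
 * log or of the GetNumRecords call. Once the log has been opened the
 * handle is closed on every path.
 */
static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint32_t number = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		/* nothing was opened, so there is nothing to close */
		return status;
	}

	status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
					       &handle,
					       &number);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	/* number is unsigned: use an unsigned conversion */
	printf("number of records: %u\n", number);

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}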
/*
 * rpcclient "eventlog_loginfo": fetch log information (level 0) for the
 * named event log using a two-pass size probe.
 *
 * Pass one calls GetLogInformation with a NULL, zero-length buffer so
 * the server reports bytes needed; for that probe
 * NT_STATUS_BUFFER_TOO_SMALL counts as success. Pass two repeats the
 * call with a buffer of exactly that size allocated on mem_ctx. The
 * returned bytes are not decoded or printed by this command; its result
 * is the status of the second pass (or of whatever failed before it).
 * Once the log has been opened the handle is closed on every path.
 */
static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
				     TALLOC_CTX *mem_ctx,
				     int argc,
				     const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint8_t *info = NULL;
	uint32_t info_len = 0;
	uint32_t needed = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* pass one: size probe with an empty buffer */
	status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
						   &handle,
						   0, /* level */
						   info,
						   info_len,
						   &needed);
	if (NT_STATUS_IS_OK(status) ||
	    NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
		info_len = needed;
		info = talloc_array(mem_ctx, uint8_t, info_len);
		if (info == NULL) {
			status = NT_STATUS_NO_MEMORY;
		} else {
			/* pass two: the real query; its status is the result */
			status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
								   &handle,
								   0, /* level */
								   info,
								   info_len,
								   &needed);
		}
	}

	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}
/*
 * rpcclient "eventlog_backuplog": ask the server to back up the named
 * event log to a file.
 *
 * argv[1] is the log name, argv[2] the backup file name; the name is
 * handed to the server with a "\??\" prefix (NT-native path form), so it
 * is interpreted on the server side, not locally. Prints usage and
 * returns NT_STATUS_OK when the argument count is wrong; otherwise
 * returns the status of opening the log, NT_STATUS_NO_MEMORY, the RPC
 * transport status, or the server's result for BackupEventLogW. Once the
 * log has been opened the handle is closed on every path.
 */
static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
				       TALLOC_CTX *mem_ctx,
				       int argc,
				       const char **argv)
{
	NTSTATUS status = NT_STATUS_OK;
	NTSTATUS result = NT_STATUS_OK;
	struct policy_handle handle;
	struct lsa_String backup_filename;
	const char *nt_path = NULL;
	struct dcerpc_binding_handle *b = cli->binding_handle;

	if (argc != 3) {
		printf("Usage: %s logname backupname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	nt_path = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
	if (nt_path == NULL) {
		status = NT_STATUS_NO_MEMORY;
	} else {
		init_lsa_String(&backup_filename, nt_path);

		status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx,
							 &handle,
							 &backup_filename,
							 &result);
		/* transport OK: the server's result is the command's result */
		if (NT_STATUS_IS_OK(status)) {
			status = result;
		}
	}

	dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);

	return status;
}
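/*
 * Parse an unsigned 32-bit decimal command-line argument.
 *
 * Returns 1 and stores the value in *out on success; 0 when the text is
 * empty, does not start with a digit, has trailing garbage, or exceeds
 * UINT32_MAX. Used instead of atoi(), which silently turns "-1" or
 * "12abc" into values the caller cannot tell apart from real input.
 */
static int eventlog_parse_uint32_arg(const char *text, uint32_t *out)
{
	char *end = NULL;
	unsigned long long v;

	if (text == NULL || *text < '0' || *text > '9') {
		return 0;
	}
	/* on overflow strtoull returns ULLONG_MAX, caught by the range check */
	v = strtoull(text, &end, 10);
	if (end == text || *end != '\0' || v > UINT32_MAX) {
		return 0;
	}
	*out = (uint32_t)v;
	return 1;
}

/*
 * rpcclient "eventlog_readlog": read and dump records from the named
 * event log, newest first (EVENTLOG_BACKWARDS_READ | SEQUENTIAL_READ).
 *
 * argv[1] is the log name; optional argv[2] is the starting record
 * offset and argv[3] the size in bytes of the receive buffer. Without a
 * buffer size the first ReadEventLogW call is a zero-length probe: the
 * server answers NT_STATUS_BUFFER_TOO_SMALL with real_size and the call
 * is repeated with a buffer of that size. Each returned chunk is walked
 * record by record (the first uint32 of an EVENTLOGRECORD is its total
 * length) and every record is printed with NDR_PRINT_DEBUG. The loop
 * ends on NT_STATUS_END_OF_FILE, on an empty reply, or on any other
 * non-OK result, which is then returned as the command's status.
 *
 * Record lengths come from the server and are not trusted: a length that
 * would run past sent_size aborts with NT_STATUS_INVALID_NETWORK_RESPONSE
 * instead of reading out of bounds. Once the log has been opened the
 * handle is closed on every path, including RPC transport failures and
 * allocation failures inside the loop.
 */
static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
				     TALLOC_CTX *mem_ctx,
				     int argc,
				     const char **argv)
{
	NTSTATUS status = NT_STATUS_OK;
	NTSTATUS result = NT_STATUS_OK;
	struct policy_handle handle;
	struct dcerpc_binding_handle *b = cli->binding_handle;

	uint32_t flags = EVENTLOG_BACKWARDS_READ |
			 EVENTLOG_SEQUENTIAL_READ;
	uint32_t offset = 0;
	uint32_t number_of_bytes = 0;
	uint8_t *data = NULL;
	uint32_t sent_size = 0;
	uint32_t real_size = 0;

	if (argc < 2 || argc > 4) {
		printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
		return NT_STATUS_OK;
	}

	/* reject negative or non-numeric values instead of using atoi()'s guess */
	if (argc >= 3 && !eventlog_parse_uint32_arg(argv[2], &offset)) {
		printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
		return NT_STATUS_OK;
	}

	if (argc >= 4 && !eventlog_parse_uint32_arg(argv[3], &number_of_bytes)) {
		printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
		return NT_STATUS_OK;
	}

	/* open first, so every later "goto done" closes a handle that exists */
	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	if (number_of_bytes > 0) {
		data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
		if (data == NULL) {
			status = NT_STATUS_NO_MEMORY;
			goto done;
		}
	}

	do {

		enum ndr_err_code ndr_err;
		DATA_BLOB blob;
		struct EVENTLOGRECORD r;
		uint32_t size = 0;
		uint32_t pos = 0;

		status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
						       &handle,
						       flags,
						       offset,
						       number_of_bytes,
						       data,
						       &sent_size,
						       &real_size,
						       &result);
		if (!NT_STATUS_IS_OK(status)) {
			/* transport failure: still close the handle */
			goto done;
		}
		if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) &&
		    real_size > 0 ) {
			/* the server told us how much it has: resize and retry */
			TALLOC_FREE(data);
			number_of_bytes = real_size;
			data = talloc_array(mem_ctx, uint8_t, real_size);
			if (data == NULL) {
				status = NT_STATUS_NO_MEMORY;
				goto done;
			}
			status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
							       &handle,
							       flags,
							       offset,
							       number_of_bytes,
							       data,
							       &sent_size,
							       &real_size,
							       &result);
			if (!NT_STATUS_IS_OK(status)) {
				goto done;
			}
		}

		if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) &&
		    !NT_STATUS_IS_OK(result)) {
			/* e.g. access denied: report it, do not return OK */
			status = result;
			goto done;
		}

		/* next chunk is size-probed again */
		number_of_bytes = 0;

		/* nothing to parse (empty reply, or no buffer at all): stop */
		if (data == NULL || sent_size < sizeof(uint32_t)) {
			break;
		}

		/* invariant: pos <= sent_size, so the subtraction cannot wrap */
		while (sent_size - pos >= sizeof(uint32_t)) {

			size = IVAL(data, pos);
			if (size == 0) {
				/* a zero length ends the chunk */
				break;
			}
			if (size > sent_size - pos) {
				/* server-supplied length runs past what we received */
				status = NT_STATUS_INVALID_NETWORK_RESPONSE;
				goto done;
			}

			blob = data_blob_const(data + pos, size);
			/* dump_data(0, blob.data, blob.length); */
			ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
					   (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
			if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
				status = ndr_map_error2ntstatus(ndr_err);
				goto done;
			}

			NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);

			pos += size;
		}

		offset++;

	} while (NT_STATUS_IS_OK(result));

 done:
	dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);

	return status;
}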
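/*
 * rpcclient "eventlog_reporteventsource": write one fixed informational
 * test event (source "rpcclient", one insertion string, no binary data,
 * no SID) into the named event log and print the record number and
 * write time the server assigned.
 *
 * argv[1] is the log name. Prints usage and returns NT_STATUS_OK when the
 * argument count is wrong; otherwise returns the status of opening the
 * log, NT_STATUS_NO_MEMORY, the RPC transport status, or the server's
 * result for ReportEventAndSourceW. Once the log has been opened the
 * handle is closed on every path, including allocation failure.
 */
static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
					       TALLOC_CTX *mem_ctx,
					       int argc,
					       const char **argv)
{
	NTSTATUS status, result;
	struct policy_handle handle;
	struct dcerpc_binding_handle *b = cli->binding_handle;

	uint16_t num_of_strings = 1;
	uint32_t data_size = 0;
	struct lsa_String servername, sourcename;
	struct lsa_String *strings;
	uint8_t *data = NULL;
	uint32_t record_number = 0;
	time_t time_written = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
	if (!strings) {
		/* the log is already open: close it instead of leaking the handle */
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	init_lsa_String(&strings[0], "test event written by rpcclient\n");
	init_lsa_String(&servername, NULL);
	init_lsa_String(&sourcename, "rpcclient");

	/*
	 * &strings is passed where the call takes an array of string
	 * pointers; that is a one-element pointer array and therefore only
	 * matches num_of_strings == 1. NOTE(review): build a real array of
	 * pointers if more strings are ever added.
	 */
	status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx,
						       &handle,
						       time(NULL),
						       EVENTLOG_INFORMATION_TYPE,
						       0, /* event_category */
						       0, /* event_id */
						       &sourcename,
						       num_of_strings,
						       data_size,
						       &servername,
						       NULL, /* user_sid */
						       &strings,
						       data,
						       0, /* flags */
						       &record_number,
						       &time_written,
						       &result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	/* record_number is unsigned: use an unsigned conversion */
	printf("entry: %u written at %s\n", record_number,
		http_timestring(talloc_tos(), time_written));

 done:
	dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);

	return status;
}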