static bool test_OpenEventLog(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
struct policy_handle handle;
struct eventlog_CloseEventLog cr;
if (!get_policy_handle(tctx, p, &handle))
return false;
cr.in.handle = cr.out.handle = &handle;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_CloseEventLog(p, tctx, &cr),
"CloseEventLog failed");
return true;
}
static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status, result;
struct policy_handle handle;
struct lsa_String backup_filename;
const char *tmp;
struct dcerpc_binding_handle *b = cli->binding_handle;
if (argc != 3) {
printf("Usage: %s logname backupname\n", argv[0]);
return NT_STATUS_OK;
}
status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
if (!tmp) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
init_lsa_String(&backup_filename, tmp);
status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx,
&handle,
&backup_filename,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (!NT_STATUS_IS_OK(result)) {
status = result;
goto done;
}
done:
dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
return status;
}
static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status, result;
struct policy_handle handle;
uint32_t oldest_entry = 0;
struct dcerpc_binding_handle *b = cli->binding_handle;
if (argc != 2) {
printf("Usage: %s logname\n", argv[0]);
return NT_STATUS_OK;
}
status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
status = dcerpc_eventlog_GetOldestRecord(b, mem_ctx,
&handle,
&oldest_entry,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (!NT_STATUS_IS_OK(result)) {
status = result;
goto done;
}
printf("oldest entry: %d\n", oldest_entry);
done:
dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
return status;
}
static bool test_GetNumRecords(struct torture_context *tctx, struct dcerpc_pipe *p)
{
struct eventlog_GetNumRecords r;
struct eventlog_CloseEventLog cr;
struct policy_handle handle;
if (!get_policy_handle(tctx, p, &handle))
return false;
r.in.handle = &handle;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_GetNumRecords(p, tctx, &r),
"GetNumRecords failed");
torture_comment(tctx, talloc_asprintf(tctx, "%d records\n", *r.out.number));
cr.in.handle = cr.out.handle = &handle;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_CloseEventLog(p, tctx, &cr),
"CloseEventLog failed");
return true;
}
static bool test_ClearEventLog(struct dcerpc_pipe *p, TALLOC_CTX *tctx)
{
struct eventlog_ClearEventLogW r;
struct eventlog_CloseEventLog cr;
struct policy_handle handle;
if (!get_policy_handle(tctx, p, &handle))
return false;
r.in.handle = &handle;
r.in.unknown = NULL;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_ClearEventLogW(p, tctx, &r),
"ClearEventLog failed");
cr.in.handle = cr.out.handle = &handle;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_CloseEventLog(p, tctx, &cr),
"CloseEventLog failed");
return true;
}
static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status = NT_STATUS_OK;
NTSTATUS result = NT_STATUS_OK;
struct policy_handle handle;
struct dcerpc_binding_handle *b = cli->binding_handle;
uint32_t flags = EVENTLOG_BACKWARDS_READ |
EVENTLOG_SEQUENTIAL_READ;
uint32_t offset = 0;
uint32_t number_of_bytes = 0;
uint8_t *data = NULL;
uint32_t sent_size = 0;
uint32_t real_size = 0;
if (argc < 2 || argc > 4) {
printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc >= 3) {
offset = atoi(argv[2]);
}
if (argc >= 4) {
number_of_bytes = atoi(argv[3]);
data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
if (!data) {
goto done;
}
}
status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
do {
enum ndr_err_code ndr_err;
DATA_BLOB blob;
struct EVENTLOGRECORD r;
uint32_t size = 0;
uint32_t pos = 0;
status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
&handle,
flags,
offset,
number_of_bytes,
data,
&sent_size,
&real_size,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) &&
real_size > 0 ) {
number_of_bytes = real_size;
data = talloc_array(mem_ctx, uint8_t, real_size);
if (!data) {
goto done;
}
status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
&handle,
flags,
offset,
number_of_bytes,
data,
&sent_size,
&real_size,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) &&
!NT_STATUS_IS_OK(result)) {
goto done;
}
number_of_bytes = 0;
size = IVAL(data, pos);
while (size > 0) {
blob = data_blob_const(data + pos, size);
/* dump_data(0, blob.data, blob.length); */
ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
(ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
goto done;
}
NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
pos += size;
if (pos + 4 > sent_size) {
break;
}
size = IVAL(data, pos);
}
offset++;
} while (NT_STATUS_IS_OK(result));
done:
dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
return status;
}
static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status, result;
struct policy_handle handle;
uint8_t *buffer = NULL;
uint32_t buf_size = 0;
uint32_t bytes_needed = 0;
struct dcerpc_binding_handle *b = cli->binding_handle;
if (argc != 2) {
printf("Usage: %s logname\n", argv[0]);
return NT_STATUS_OK;
}
status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
status = dcerpc_eventlog_GetLogInformation(b, mem_ctx,
&handle,
0, /* level */
buffer,
buf_size,
&bytes_needed,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) {
goto done;
}
buf_size = bytes_needed;
buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
if (!buffer) {
status = NT_STATUS_NO_MEMORY;
goto done;
}
status = dcerpc_eventlog_GetLogInformation(b, mem_ctx,
&handle,
0, /* level */
buffer,
buf_size,
&bytes_needed,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (!NT_STATUS_IS_OK(result)) {
status = result;
goto done;
}
done:
dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
return status;
}
static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
int argc,
const char **argv)
{
NTSTATUS status, result;
struct policy_handle handle;
struct dcerpc_binding_handle *b = cli->binding_handle;
uint16_t num_of_strings = 1;
uint32_t data_size = 0;
struct lsa_String servername, sourcename;
struct lsa_String *strings;
uint8_t *data = NULL;
uint32_t record_number = 0;
time_t time_written = 0;
if (argc != 2) {
printf("Usage: %s logname\n", argv[0]);
return NT_STATUS_OK;
}
status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
if (!strings) {
return NT_STATUS_NO_MEMORY;
}
init_lsa_String(&strings[0], "test event written by rpcclient\n");
init_lsa_String(&servername, NULL);
init_lsa_String(&sourcename, "rpcclient");
status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx,
&handle,
time(NULL),
EVENTLOG_INFORMATION_TYPE,
0, /* event_category */
0, /* event_id */
&sourcename,
num_of_strings,
data_size,
&servername,
NULL, /* user_sid */
&strings,
data,
0, /* flags */
&record_number,
&time_written,
&result);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (!NT_STATUS_IS_OK(result)) {
status = result;
goto done;
}
printf("entry: %d written at %s\n", record_number,
http_timestring(talloc_tos(), time_written));
done:
dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
return status;
}
static bool test_ReadEventLog(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
NTSTATUS status;
struct eventlog_ReadEventLogW r;
struct eventlog_CloseEventLog cr;
struct policy_handle handle;
if (!get_policy_handle(tctx, p, &handle))
return false;
r.in.offset = 0;
r.in.handle = &handle;
r.in.flags = EVENTLOG_BACKWARDS_READ|EVENTLOG_SEQUENTIAL_READ;
while (1) {
DATA_BLOB blob;
struct eventlog_Record rec;
struct ndr_pull *ndr;
/* Read first for number of bytes in record */
r.in.number_of_bytes = 0;
r.out.data = NULL;
status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r);
if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_END_OF_FILE)) {
break;
}
torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed");
torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_BUFFER_TOO_SMALL,
"ReadEventLog failed");
/* Now read the actual record */
r.in.number_of_bytes = *r.out.real_size;
r.out.data = talloc_size(tctx, r.in.number_of_bytes);
status = dcerpc_eventlog_ReadEventLogW(p, tctx, &r);
torture_assert_ntstatus_ok(tctx, status, "ReadEventLog failed");
/* Decode a user-marshalled record */
blob.length = *r.out.sent_size;
blob.data = talloc_steal(tctx, r.out.data);
ndr = ndr_pull_init_blob(&blob, tctx);
status = ndr_pull_eventlog_Record(
ndr, NDR_SCALARS|NDR_BUFFERS, &rec);
NDR_PRINT_DEBUG(eventlog_Record, &rec);
torture_assert_ntstatus_ok(tctx, status,
"ReadEventLog failed parsing event log record");
r.in.offset++;
}
cr.in.handle = cr.out.handle = &handle;
torture_assert_ntstatus_ok(tctx,
dcerpc_eventlog_CloseEventLog(p, tctx, &cr),
"CloseEventLog failed");
return true;
}
