NTSTATUS evlog_evt_entry_to_tdb_entry(TALLOC_CTX *mem_ctx,
const struct EVENTLOGRECORD *e,
struct eventlog_Record_tdb *t)
{
uint32_t i;
ZERO_STRUCTP(t);
t->size = e->Length;
t->reserved = e->Reserved;
t->record_number = e->RecordNumber;
t->time_generated = e->TimeGenerated;
t->time_written = e->TimeWritten;
t->event_id = e->EventID;
t->event_type = e->EventType;
t->num_of_strings = e->NumStrings;
t->event_category = e->EventCategory;
t->reserved_flags = e->ReservedFlags;
t->closing_record_number = e->ClosingRecordNumber;
t->stringoffset = e->StringOffset;
t->sid_length = e->UserSidLength;
t->sid_offset = e->UserSidOffset;
t->data_length = e->DataLength;
t->data_offset = e->DataOffset;
t->source_name_len = 2 * strlen_m_term(e->SourceName);
t->source_name = talloc_strdup(mem_ctx, e->SourceName);
NT_STATUS_HAVE_NO_MEMORY(t->source_name);
t->computer_name_len = 2 * strlen_m_term(e->Computername);
t->computer_name = talloc_strdup(mem_ctx, e->Computername);
NT_STATUS_HAVE_NO_MEMORY(t->computer_name);
/* t->sid_padding; */
if (e->UserSidLength > 0) {
const char *sid_str = NULL;
smb_ucs2_t *dummy = NULL;
sid_str = sid_string_talloc(mem_ctx, &e->UserSid);
t->sid_length = rpcstr_push_talloc(mem_ctx, &dummy, sid_str);
if (t->sid_length == -1) {
return NT_STATUS_NO_MEMORY;
}
t->sid = data_blob_talloc(mem_ctx, (uint8_t *)dummy, t->sid_length);
NT_STATUS_HAVE_NO_MEMORY(t->sid.data);
}
t->strings = talloc_array(mem_ctx, const char *, e->NumStrings);
for (i=0; i < e->NumStrings; i++) {
t->strings[i] = talloc_strdup(t->strings, e->Strings[i]);
NT_STATUS_HAVE_NO_MEMORY(t->strings[i]);
}
t->strings_len = 2 * ndr_size_string_array(t->strings, t->num_of_strings, LIBNDR_FLAG_STR_NULLTERM);
t->data = data_blob_talloc(mem_ctx, e->Data, e->DataLength);
/* t->padding = r->Pad; */
return NT_STATUS_OK;
}
bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb *entry, bool * eor )
{
char *start = NULL, *stop = NULL;
start = line;
/* empty line signyfiying record delimeter, or we're at the end of the buffer */
if ( start == NULL || strlen( start ) == 0 ) {
DEBUG( 6,
( "parse_logentry: found end-of-record indicator.\n" ) );
*eor = True;
return True;
}
if ( !( stop = strchr( line, ':' ) ) ) {
return False;
}
DEBUG( 6, ( "parse_logentry: trying to parse [%s].\n", line ) );
if ( 0 == strncmp( start, "LEN", stop - start ) ) {
/* This will get recomputed later anyway -- probably not necessary */
entry->size = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "RS1", stop - start ) ) {
/* For now all these reserved entries seem to have the same value,
which can be hardcoded to int(1699505740) for now */
entry->reserved = talloc_strdup(mem_ctx, "eLfL");
} else if ( 0 == strncmp( start, "RCN", stop - start ) ) {
entry->record_number = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "TMG", stop - start ) ) {
entry->time_generated = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "TMW", stop - start ) ) {
entry->time_written = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "EID", stop - start ) ) {
entry->event_id = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "ETP", stop - start ) ) {
if ( strstr( start, "ERROR" ) ) {
entry->event_type = EVENTLOG_ERROR_TYPE;
} else if ( strstr( start, "WARNING" ) ) {
entry->event_type = EVENTLOG_WARNING_TYPE;
} else if ( strstr( start, "INFO" ) ) {
entry->event_type = EVENTLOG_INFORMATION_TYPE;
} else if ( strstr( start, "AUDIT_SUCCESS" ) ) {
entry->event_type = EVENTLOG_AUDIT_SUCCESS;
} else if ( strstr( start, "AUDIT_FAILURE" ) ) {
entry->event_type = EVENTLOG_AUDIT_FAILURE;
} else if ( strstr( start, "SUCCESS" ) ) {
entry->event_type = EVENTLOG_SUCCESS;
} else {
/* some other eventlog type -- currently not defined in MSDN docs, so error out */
return False;
}
}
/*
else if(0 == strncmp(start, "NST", stop - start))
{
entry->num_of_strings = atoi(stop + 1);
}
*/
else if ( 0 == strncmp( start, "ECT", stop - start ) ) {
entry->event_category = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "RS2", stop - start ) ) {
entry->reserved_flags = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "CRN", stop - start ) ) {
entry->closing_record_number = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "USL", stop - start ) ) {
entry->sid_length = atoi( stop + 1 );
} else if ( 0 == strncmp( start, "SRC", stop - start ) ) {
stop++;
while ( isspace( stop[0] ) ) {
stop++;
}
entry->source_name_len = strlen_m_term(stop);
entry->source_name = talloc_strdup(mem_ctx, stop);
if (entry->source_name_len == (uint32_t)-1 ||
entry->source_name == NULL) {
return false;
}
} else if ( 0 == strncmp( start, "SRN", stop - start ) ) {
stop++;
while ( isspace( stop[0] ) ) {
stop++;
}
entry->computer_name_len = strlen_m_term(stop);
entry->computer_name = talloc_strdup(mem_ctx, stop);
if (entry->computer_name_len == (uint32_t)-1 ||
entry->computer_name == NULL) {
return false;
}
} else if ( 0 == strncmp( start, "SID", stop - start ) ) {
smb_ucs2_t *dummy = NULL;
stop++;
while ( isspace( stop[0] ) ) {
stop++;
}
entry->sid_length = rpcstr_push_talloc(mem_ctx,
&dummy,
stop);
if (entry->sid_length == (uint32_t)-1) {
return false;
}
entry->sid = data_blob_talloc(mem_ctx, dummy, entry->sid_length);
if (entry->sid.data == NULL) {
return false;
}
} else if ( 0 == strncmp( start, "STR", stop - start ) ) {
size_t tmp_len;
int num_of_strings;
/* skip past initial ":" */
stop++;
/* now skip any other leading whitespace */
while ( isspace(stop[0])) {
stop++;
}
tmp_len = strlen_m_term(stop);
if (tmp_len == (size_t)-1) {
return false;
}
num_of_strings = entry->num_of_strings;
if (!add_string_to_array(mem_ctx, stop, &entry->strings,
&num_of_strings)) {
return false;
}
if (num_of_strings > 0xffff) {
return false;
}
entry->num_of_strings = num_of_strings;
entry->strings_len += tmp_len;
} else if ( 0 == strncmp( start, "DAT", stop - start ) ) {
/* skip past initial ":" */
stop++;
/* now skip any other leading whitespace */
while ( isspace( stop[0] ) ) {
stop++;
}
entry->data_length = strlen_m(stop);
entry->data = data_blob_talloc(mem_ctx, stop, entry->data_length);
if (!entry->data.data) {
return false;
}
} else {
/* some other eventlog entry -- not implemented, so dropping on the floor */
DEBUG( 10, ( "Unknown entry [%s]. Ignoring.\n", line ) );
/* For now return true so that we can keep on parsing this mess. Eventually
we will return False here. */
return true;
}
return true;
}
static bool _reg_perfcount_get_instance_info(struct PERF_INSTANCE_DEFINITION *inst,
TALLOC_CTX *mem_ctx,
int instId,
struct PERF_OBJECT_TYPE *obj,
TDB_CONTEXT *names)
{
TDB_DATA key, data;
char buf[PERFCOUNT_MAX_LEN] = {0};
char temp[32] = {0};
smb_ucs2_t *name = NULL;
int pad;
/* First grab the instance data from the data file */
snprintf(temp, sizeof(temp), "i%d", instId);
_reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp);
if (!_reg_perfcount_get_counter_data(key, &data)) {
DEBUG(3, ("_reg_perfcount_get_counter_data failed\n"));
return false;
}
if(data.dptr == NULL)
{
DEBUG(3, ("_reg_perfcount_get_instance_info: No instance data for instance [%s].\n",
buf));
return False;
}
inst->counter_data.ByteLength = data.dsize + sizeof(inst->counter_data.ByteLength);
inst->counter_data.data = talloc_realloc(mem_ctx,
inst->counter_data.data,
uint8_t,
data.dsize);
if(inst->counter_data.data == NULL)
return False;
memset(inst->counter_data.data, 0, data.dsize);
memcpy(inst->counter_data.data, data.dptr, data.dsize);
SAFE_FREE(data.dptr);
/* Fetch instance name */
snprintf(temp, sizeof(temp), "i%dname", instId);
_reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp);
data = tdb_fetch(names, key);
if(data.dptr == NULL)
{
/* Not actually an error, but possibly unintended? -- just logging FYI */
DEBUG(3, ("_reg_perfcount_get_instance_info: No instance name for instance [%s].\n",
buf));
inst->NameLength = 0;
}
else
{
memset(buf, 0, PERFCOUNT_MAX_LEN);
memcpy(buf, data.dptr, MIN(PERFCOUNT_MAX_LEN-1,data.dsize));
buf[PERFCOUNT_MAX_LEN-1] = '\0';
inst->NameLength = rpcstr_push_talloc(mem_ctx, &name, buf);
if (inst->NameLength == (uint32_t)-1 || !name) {
SAFE_FREE(data.dptr);
return False;
}
inst->data = talloc_realloc(mem_ctx,
inst->data,
uint8_t,
inst->NameLength);
if (inst->data == NULL) {
SAFE_FREE(data.dptr);
return False;
}
memcpy(inst->data, name, inst->NameLength);
SAFE_FREE(data.dptr);
}
inst->ParentObjectTitleIndex = 0;
inst->ParentObjectTitlePointer = 0;
inst->UniqueID = PERF_NO_UNIQUE_ID;
inst->NameOffset = 6 * sizeof(uint32_t);
inst->ByteLength = inst->NameOffset + inst->NameLength;
/* Need to be aligned on a 64-bit boundary here for counter_data */
if((pad = (inst->ByteLength % 8)))
{
pad = 8 - pad;
inst->data = talloc_realloc(mem_ctx,
inst->data,
uint8_t,
inst->NameLength + pad);
memset(inst->data + inst->NameLength, 0, pad);
inst->ByteLength += pad;
}
return True;
}