NTSTATUS evlog_evt_entry_to_tdb_entry(TALLOC_CTX *mem_ctx, const struct EVENTLOGRECORD *e, struct eventlog_Record_tdb *t) { uint32_t i; ZERO_STRUCTP(t); t->size = e->Length; t->reserved = e->Reserved; t->record_number = e->RecordNumber; t->time_generated = e->TimeGenerated; t->time_written = e->TimeWritten; t->event_id = e->EventID; t->event_type = e->EventType; t->num_of_strings = e->NumStrings; t->event_category = e->EventCategory; t->reserved_flags = e->ReservedFlags; t->closing_record_number = e->ClosingRecordNumber; t->stringoffset = e->StringOffset; t->sid_length = e->UserSidLength; t->sid_offset = e->UserSidOffset; t->data_length = e->DataLength; t->data_offset = e->DataOffset; t->source_name_len = 2 * strlen_m_term(e->SourceName); t->source_name = talloc_strdup(mem_ctx, e->SourceName); NT_STATUS_HAVE_NO_MEMORY(t->source_name); t->computer_name_len = 2 * strlen_m_term(e->Computername); t->computer_name = talloc_strdup(mem_ctx, e->Computername); NT_STATUS_HAVE_NO_MEMORY(t->computer_name); /* t->sid_padding; */ if (e->UserSidLength > 0) { const char *sid_str = NULL; smb_ucs2_t *dummy = NULL; sid_str = sid_string_talloc(mem_ctx, &e->UserSid); t->sid_length = rpcstr_push_talloc(mem_ctx, &dummy, sid_str); if (t->sid_length == -1) { return NT_STATUS_NO_MEMORY; } t->sid = data_blob_talloc(mem_ctx, (uint8_t *)dummy, t->sid_length); NT_STATUS_HAVE_NO_MEMORY(t->sid.data); } t->strings = talloc_array(mem_ctx, const char *, e->NumStrings); for (i=0; i < e->NumStrings; i++) { t->strings[i] = talloc_strdup(t->strings, e->Strings[i]); NT_STATUS_HAVE_NO_MEMORY(t->strings[i]); } t->strings_len = 2 * ndr_size_string_array(t->strings, t->num_of_strings, LIBNDR_FLAG_STR_NULLTERM); t->data = data_blob_talloc(mem_ctx, e->Data, e->DataLength); /* t->padding = r->Pad; */ return NT_STATUS_OK; }
bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb *entry, bool * eor ) { char *start = NULL, *stop = NULL; start = line; /* empty line signyfiying record delimeter, or we're at the end of the buffer */ if ( start == NULL || strlen( start ) == 0 ) { DEBUG( 6, ( "parse_logentry: found end-of-record indicator.\n" ) ); *eor = True; return True; } if ( !( stop = strchr( line, ':' ) ) ) { return False; } DEBUG( 6, ( "parse_logentry: trying to parse [%s].\n", line ) ); if ( 0 == strncmp( start, "LEN", stop - start ) ) { /* This will get recomputed later anyway -- probably not necessary */ entry->size = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "RS1", stop - start ) ) { /* For now all these reserved entries seem to have the same value, which can be hardcoded to int(1699505740) for now */ entry->reserved = talloc_strdup(mem_ctx, "eLfL"); } else if ( 0 == strncmp( start, "RCN", stop - start ) ) { entry->record_number = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "TMG", stop - start ) ) { entry->time_generated = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "TMW", stop - start ) ) { entry->time_written = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "EID", stop - start ) ) { entry->event_id = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "ETP", stop - start ) ) { if ( strstr( start, "ERROR" ) ) { entry->event_type = EVENTLOG_ERROR_TYPE; } else if ( strstr( start, "WARNING" ) ) { entry->event_type = EVENTLOG_WARNING_TYPE; } else if ( strstr( start, "INFO" ) ) { entry->event_type = EVENTLOG_INFORMATION_TYPE; } else if ( strstr( start, "AUDIT_SUCCESS" ) ) { entry->event_type = EVENTLOG_AUDIT_SUCCESS; } else if ( strstr( start, "AUDIT_FAILURE" ) ) { entry->event_type = EVENTLOG_AUDIT_FAILURE; } else if ( strstr( start, "SUCCESS" ) ) { entry->event_type = EVENTLOG_SUCCESS; } else { /* some other eventlog type -- currently not defined in MSDN docs, so error out */ return False; } } /* else if(0 == strncmp(start, "NST", stop - start)) { entry->num_of_strings = atoi(stop + 1); } */ else if ( 0 == strncmp( start, "ECT", stop - start ) ) { entry->event_category = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "RS2", stop - start ) ) { entry->reserved_flags = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "CRN", stop - start ) ) { entry->closing_record_number = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "USL", stop - start ) ) { entry->sid_length = atoi( stop + 1 ); } else if ( 0 == strncmp( start, "SRC", stop - start ) ) { stop++; while ( isspace( stop[0] ) ) { stop++; } entry->source_name_len = strlen_m_term(stop); entry->source_name = talloc_strdup(mem_ctx, stop); if (entry->source_name_len == (uint32_t)-1 || entry->source_name == NULL) { return false; } } else if ( 0 == strncmp( start, "SRN", stop - start ) ) { stop++; while ( isspace( stop[0] ) ) { stop++; } entry->computer_name_len = strlen_m_term(stop); entry->computer_name = talloc_strdup(mem_ctx, stop); if (entry->computer_name_len == (uint32_t)-1 || entry->computer_name == NULL) { return false; } } else if ( 0 == strncmp( start, "SID", stop - start ) ) { smb_ucs2_t *dummy = NULL; stop++; while ( isspace( stop[0] ) ) { stop++; } entry->sid_length = rpcstr_push_talloc(mem_ctx, &dummy, stop); if (entry->sid_length == (uint32_t)-1) { return false; } entry->sid = data_blob_talloc(mem_ctx, dummy, entry->sid_length); if (entry->sid.data == NULL) { return false; } } else if ( 0 == strncmp( start, "STR", stop - start ) ) { size_t tmp_len; int num_of_strings; /* skip past initial ":" */ stop++; /* now skip any other leading whitespace */ while ( isspace(stop[0])) { stop++; } tmp_len = strlen_m_term(stop); if (tmp_len == (size_t)-1) { return false; } num_of_strings = entry->num_of_strings; if (!add_string_to_array(mem_ctx, stop, &entry->strings, &num_of_strings)) { return false; } if (num_of_strings > 0xffff) { return false; } entry->num_of_strings = num_of_strings; entry->strings_len += tmp_len; } else if ( 0 == strncmp( start, "DAT", stop - start ) ) { /* skip past initial ":" */ stop++; /* now skip any other leading whitespace */ while ( isspace( stop[0] ) ) { stop++; } entry->data_length = strlen_m(stop); entry->data = data_blob_talloc(mem_ctx, stop, entry->data_length); if (!entry->data.data) { return false; } } else { /* some other eventlog entry -- not implemented, so dropping on the floor */ DEBUG( 10, ( "Unknown entry [%s]. Ignoring.\n", line ) ); /* For now return true so that we can keep on parsing this mess. Eventually we will return False here. */ return true; } return true; }
static bool _reg_perfcount_get_instance_info(struct PERF_INSTANCE_DEFINITION *inst, TALLOC_CTX *mem_ctx, int instId, struct PERF_OBJECT_TYPE *obj, TDB_CONTEXT *names) { TDB_DATA key, data; char buf[PERFCOUNT_MAX_LEN] = {0}; char temp[32] = {0}; smb_ucs2_t *name = NULL; int pad; /* First grab the instance data from the data file */ snprintf(temp, sizeof(temp), "i%d", instId); _reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp); if (!_reg_perfcount_get_counter_data(key, &data)) { DEBUG(3, ("_reg_perfcount_get_counter_data failed\n")); return false; } if(data.dptr == NULL) { DEBUG(3, ("_reg_perfcount_get_instance_info: No instance data for instance [%s].\n", buf)); return False; } inst->counter_data.ByteLength = data.dsize + sizeof(inst->counter_data.ByteLength); inst->counter_data.data = talloc_realloc(mem_ctx, inst->counter_data.data, uint8_t, data.dsize); if(inst->counter_data.data == NULL) return False; memset(inst->counter_data.data, 0, data.dsize); memcpy(inst->counter_data.data, data.dptr, data.dsize); SAFE_FREE(data.dptr); /* Fetch instance name */ snprintf(temp, sizeof(temp), "i%dname", instId); _reg_perfcount_make_key(&key, buf, PERFCOUNT_MAX_LEN, obj->ObjectNameTitleIndex, temp); data = tdb_fetch(names, key); if(data.dptr == NULL) { /* Not actually an error, but possibly unintended? -- just logging FYI */ DEBUG(3, ("_reg_perfcount_get_instance_info: No instance name for instance [%s].\n", buf)); inst->NameLength = 0; } else { memset(buf, 0, PERFCOUNT_MAX_LEN); memcpy(buf, data.dptr, MIN(PERFCOUNT_MAX_LEN-1,data.dsize)); buf[PERFCOUNT_MAX_LEN-1] = '\0'; inst->NameLength = rpcstr_push_talloc(mem_ctx, &name, buf); if (inst->NameLength == (uint32_t)-1 || !name) { SAFE_FREE(data.dptr); return False; } inst->data = talloc_realloc(mem_ctx, inst->data, uint8_t, inst->NameLength); if (inst->data == NULL) { SAFE_FREE(data.dptr); return False; } memcpy(inst->data, name, inst->NameLength); SAFE_FREE(data.dptr); } inst->ParentObjectTitleIndex = 0; inst->ParentObjectTitlePointer = 0; inst->UniqueID = PERF_NO_UNIQUE_ID; inst->NameOffset = 6 * sizeof(uint32_t); inst->ByteLength = inst->NameOffset + inst->NameLength; /* Need to be aligned on a 64-bit boundary here for counter_data */ if((pad = (inst->ByteLength % 8))) { pad = 8 - pad; inst->data = talloc_realloc(mem_ctx, inst->data, uint8_t, inst->NameLength + pad); memset(inst->data + inst->NameLength, 0, pad); inst->ByteLength += pad; } return True; }