static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status; struct policy_handle handle; uint32_t oldest_entry = 0; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx, &handle, &oldest_entry); if (!NT_STATUS_IS_OK(status)) { goto done; } printf("oldest entry: %d\n", oldest_entry); done: rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle); return status; }
static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status; struct policy_handle handle; uint32_t number = 0; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } status = rpccli_eventlog_GetNumRecords(cli, mem_ctx, &handle, &number); if (!NT_STATUS_IS_OK(status)) { goto done; } printf("number of records: %d\n", number); done: rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle); return status; }
static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status; struct policy_handle handle; uint8_t *buffer = NULL; uint32_t buf_size = 0; uint32_t bytes_needed = 0; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } status = rpccli_eventlog_GetLogInformation(cli, mem_ctx, &handle, 0, /* level */ buffer, buf_size, &bytes_needed); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) { goto done; } buf_size = bytes_needed; buffer = talloc_array(mem_ctx, uint8_t, bytes_needed); if (!buffer) { status = NT_STATUS_NO_MEMORY; goto done; } status = rpccli_eventlog_GetLogInformation(cli, mem_ctx, &handle, 0, /* level */ buffer, buf_size, &bytes_needed); if (!NT_STATUS_IS_OK(status)) { goto done; } done: rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle); return status; }
static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status, result; struct policy_handle handle; struct lsa_String backup_filename; const char *tmp; struct dcerpc_binding_handle *b = cli->binding_handle; if (argc != 3) { printf("Usage: %s logname backupname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]); if (!tmp) { status = NT_STATUS_NO_MEMORY; goto done; } init_lsa_String(&backup_filename, tmp); status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx, &handle, &backup_filename, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result)) { status = result; goto done; } done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status = NT_STATUS_OK; NTSTATUS result = NT_STATUS_OK; struct policy_handle handle; struct dcerpc_binding_handle *b = cli->binding_handle; uint32_t flags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ; uint32_t offset = 0; uint32_t number_of_bytes = 0; uint8_t *data = NULL; uint32_t sent_size = 0; uint32_t real_size = 0; if (argc < 2 || argc > 4) { printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]); return NT_STATUS_OK; } if (argc >= 3) { offset = atoi(argv[2]); } if (argc >= 4) { number_of_bytes = atoi(argv[3]); data = talloc_array(mem_ctx, uint8_t, number_of_bytes); if (!data) { goto done; } } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } do { enum ndr_err_code ndr_err; DATA_BLOB blob; struct EVENTLOGRECORD r; uint32_t size = 0; uint32_t pos = 0; status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx, &handle, flags, offset, number_of_bytes, data, &sent_size, &real_size, &result); if (!NT_STATUS_IS_OK(status)) { return status; } if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) && real_size > 0 ) { number_of_bytes = real_size; data = talloc_array(mem_ctx, uint8_t, real_size); if (!data) { goto done; } status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx, &handle, flags, offset, number_of_bytes, data, &sent_size, &real_size, &result); if (!NT_STATUS_IS_OK(status)) { return status; } } if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) && !NT_STATUS_IS_OK(result)) { goto done; } number_of_bytes = 0; size = IVAL(data, pos); while (size > 0) { blob = data_blob_const(data + pos, size); /* dump_data(0, blob.data, blob.length); */ ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r, (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); goto done; } NDR_PRINT_DEBUG(EVENTLOGRECORD, &r); pos += size; if (pos + 4 > sent_size) { break; } size = IVAL(data, pos); } offset++; } while (NT_STATUS_IS_OK(result)); done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }
static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status, result; struct policy_handle handle; struct dcerpc_binding_handle *b = cli->binding_handle; uint16_t num_of_strings = 1; uint32_t data_size = 0; struct lsa_String servername, sourcename; struct lsa_String *strings; uint8_t *data = NULL; uint32_t record_number = 0; time_t time_written = 0; if (argc != 2) { printf("Usage: %s logname\n", argv[0]); return NT_STATUS_OK; } status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); if (!NT_STATUS_IS_OK(status)) { return status; } strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings); if (!strings) { return NT_STATUS_NO_MEMORY; } init_lsa_String(&strings[0], "test event written by rpcclient\n"); init_lsa_String(&servername, NULL); init_lsa_String(&sourcename, "rpcclient"); status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx, &handle, time(NULL), EVENTLOG_INFORMATION_TYPE, 0, /* event_category */ 0, /* event_id */ &sourcename, num_of_strings, data_size, &servername, NULL, /* user_sid */ &strings, data, 0, /* flags */ &record_number, &time_written, &result); if (!NT_STATUS_IS_OK(status)) { goto done; } if (!NT_STATUS_IS_OK(result)) { status = result; goto done; } printf("entry: %d written at %s\n", record_number, http_timestring(talloc_tos(), time_written)); done: dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); return status; }