示例#1
0
static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
					  TALLOC_CTX *mem_ctx,
					  int argc,
					  const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint32_t oldest_entry = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
						 &handle,
						 &oldest_entry);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	printf("oldest entry: %d\n", oldest_entry);

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}
示例#2
0
static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
					TALLOC_CTX *mem_ctx,
					int argc,
					const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint32_t number = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
					       &handle,
					       &number);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

	printf("number of records: %d\n", number);

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}
示例#3
0
static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
				     TALLOC_CTX *mem_ctx,
				     int argc,
				     const char **argv)
{
	NTSTATUS status;
	struct policy_handle handle;
	uint8_t *buffer = NULL;
	uint32_t buf_size = 0;
	uint32_t bytes_needed = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
						   &handle,
						   0, /* level */
						   buffer,
						   buf_size,
						   &bytes_needed);
	if (!NT_STATUS_IS_OK(status) &&
	    !NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
		goto done;
	}

	buf_size = bytes_needed;
	buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
	if (!buffer) {
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
						   &handle,
						   0, /* level */
						   buffer,
						   buf_size,
						   &bytes_needed);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}

 done:
	rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);

	return status;
}
示例#4
0
static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
				       TALLOC_CTX *mem_ctx,
				       int argc,
				       const char **argv)
{
	NTSTATUS status, result;
	struct policy_handle handle;
	struct lsa_String backup_filename;
	const char *tmp;
	struct dcerpc_binding_handle *b = cli->binding_handle;

	if (argc != 3) {
		printf("Usage: %s logname backupname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
	if (!tmp) {
		status = NT_STATUS_NO_MEMORY;
		goto done;
	}

	init_lsa_String(&backup_filename, tmp);

	status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx,
						 &handle,
						 &backup_filename,
						 &result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

 done:
	dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);

	return status;
}
示例#5
0
static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
				     TALLOC_CTX *mem_ctx,
				     int argc,
				     const char **argv)
{
	NTSTATUS status = NT_STATUS_OK;
	NTSTATUS result = NT_STATUS_OK;
	struct policy_handle handle;
	struct dcerpc_binding_handle *b = cli->binding_handle;

	uint32_t flags = EVENTLOG_BACKWARDS_READ |
			 EVENTLOG_SEQUENTIAL_READ;
	uint32_t offset = 0;
	uint32_t number_of_bytes = 0;
	uint8_t *data = NULL;
	uint32_t sent_size = 0;
	uint32_t real_size = 0;

	if (argc < 2 || argc > 4) {
		printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
		return NT_STATUS_OK;
	}

	if (argc >= 3) {
		offset = atoi(argv[2]);
	}

	if (argc >= 4) {
		number_of_bytes = atoi(argv[3]);
		data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
		if (!data) {
			goto done;
		}
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	do {

		enum ndr_err_code ndr_err;
		DATA_BLOB blob;
		struct EVENTLOGRECORD r;
		uint32_t size = 0;
		uint32_t pos = 0;

		status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
						       &handle,
						       flags,
						       offset,
						       number_of_bytes,
						       data,
						       &sent_size,
						       &real_size,
						       &result);
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}
		if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) &&
		    real_size > 0 ) {
			number_of_bytes = real_size;
			data = talloc_array(mem_ctx, uint8_t, real_size);
			if (!data) {
				goto done;
			}
			status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
							       &handle,
							       flags,
							       offset,
							       number_of_bytes,
							       data,
							       &sent_size,
							       &real_size,
							       &result);
			if (!NT_STATUS_IS_OK(status)) {
				return status;
			}
		}

		if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) &&
		    !NT_STATUS_IS_OK(result)) {
			goto done;
		}

		number_of_bytes = 0;

		size = IVAL(data, pos);

		while (size > 0) {

			blob = data_blob_const(data + pos, size);
			/* dump_data(0, blob.data, blob.length); */
			ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
					   (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
			if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
				status = ndr_map_error2ntstatus(ndr_err);
				goto done;
			}

			NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);

			pos += size;

			if (pos + 4 > sent_size) {
				break;
			}

			size = IVAL(data, pos);
		}

		offset++;

	} while (NT_STATUS_IS_OK(result));

 done:
	dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);

	return status;
}
示例#6
0
static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
					       TALLOC_CTX *mem_ctx,
					       int argc,
					       const char **argv)
{
	NTSTATUS status, result;
	struct policy_handle handle;
	struct dcerpc_binding_handle *b = cli->binding_handle;

	uint16_t num_of_strings = 1;
	uint32_t data_size = 0;
	struct lsa_String servername, sourcename;
	struct lsa_String *strings;
	uint8_t *data = NULL;
	uint32_t record_number = 0;
	time_t time_written = 0;

	if (argc != 2) {
		printf("Usage: %s logname\n", argv[0]);
		return NT_STATUS_OK;
	}

	status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
	if (!strings) {
		return NT_STATUS_NO_MEMORY;
	}

	init_lsa_String(&strings[0], "test event written by rpcclient\n");
	init_lsa_String(&servername, NULL);
	init_lsa_String(&sourcename, "rpcclient");

	status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx,
						       &handle,
						       time(NULL),
						       EVENTLOG_INFORMATION_TYPE,
						       0, /* event_category */
						       0, /* event_id */
						       &sourcename,
						       num_of_strings,
						       data_size,
						       &servername,
						       NULL, /* user_sid */
						       &strings,
						       data,
						       0, /* flags */
						       &record_number,
						       &time_written,
						       &result);
	if (!NT_STATUS_IS_OK(status)) {
		goto done;
	}
	if (!NT_STATUS_IS_OK(result)) {
		status = result;
		goto done;
	}

	printf("entry: %d written at %s\n", record_number,
		http_timestring(talloc_tos(), time_written));

 done:
	dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);

	return status;
}