From 42c37e9b353be8417153ff9111cf5a7f313a50b5 Mon Sep 17 00:00:00 2001 From: ramonn Date: Mon, 8 Nov 2010 19:26:17 +0000 Subject: [PATCH] 2010-11-08 Ramon Novoa * modules/pandora_module_logevent.cc, modules/pandora_module_logevent.h: Re-wrote the module to avoid using EVENTLOG_SEEK_READ, which seems to cause a lot of trouble. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3561 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_agents/win32/ChangeLog | 6 + .../win32/modules/pandora_module_logevent.cc | 169 ++++++++++-------- .../win32/modules/pandora_module_logevent.h | 3 +- 3 files changed, 100 insertions(+), 78 deletions(-) diff --git a/pandora_agents/win32/ChangeLog b/pandora_agents/win32/ChangeLog index 5caab365c4..6f08331d1d 100644 --- a/pandora_agents/win32/ChangeLog +++ b/pandora_agents/win32/ChangeLog @@ -1,3 +1,9 @@ +2010-11-08 Ramon Novoa + + * modules/pandora_module_logevent.cc, + modules/pandora_module_logevent.h: Re-wrote the module to avoid + using EVENTLOG_SEEK_READ, which seems to cause a lot of trouble. + 2010-11-05 Ramon Novoa * installer/pandora.mpi: Updated installation messages. diff --git a/pandora_agents/win32/modules/pandora_module_logevent.cc b/pandora_agents/win32/modules/pandora_module_logevent.cc index 7598c89191..a8b8a3c720 100755 --- a/pandora_agents/win32/modules/pandora_module_logevent.cc +++ b/pandora_agents/win32/modules/pandora_module_logevent.cc @@ -81,12 +81,12 @@ Pandora_Module_Logevent::run () { return; } - // Open log event + // Open log event this->openLogEvent(); - // Read events - this->getLogEvents (event_list); - + // Read events + this->getLogEvents (event_list, 0); + // No data if (event_list.size () < 1) { return; @@ -113,6 +113,7 @@ Pandora_Module_Logevent::run () { */ HANDLE Pandora_Module_Logevent::openLogEvent () { + list event_list; // Check whether the event log is already open if (this->log_event != NULL) { 
@@ -127,7 +128,7 @@ Pandora_Module_Logevent::openLogEvent () {
 }
 // Discard existing events
- this->discardLogEvents ();
+ this->getLogEvents (event_list, 1);
 return this->log_event;
 }
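Review bot: The result of `this->getLogEvents (event_list, 1);` is dropped, so a failure while draining the pre-existing records (the -1 paths in getLogEvents: allocation failure or a ReadEventLog error) is silent and the open handle is still returned; the next run() then reads sequentially from wherever the drain stopped and, as far as I can tell, reports old records as new ones. At least log it: `if (this->getLogEvents (event_list, 1) != 0) { pandoraDebug ("Could not discard existing events"); }`. Note also that the drain now walks the whole existing log through EVENTLOG_SEQUENTIAL_READ on every open, which is presumably slower than the seek it replaces on large logs — worth a comment on the line if that trade-off is intended. openLogEvent's body begins outside this hunk.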
@@ -147,90 +148,106 @@ Pandora_Module_Logevent::closeLogEvent () { this->log_event = NULL; } -/** - * Discards existing log events. - */ -void -Pandora_Module_Logevent::discardLogEvents () { - int rc; - BYTE bBuffer[BUFFER_SIZE]; - DWORD read, needed; - DWORD oldest_event, newest_event, num_events; - EVENTLOGRECORD *pevlr; - - if (this->log_event == NULL) { - return; - } - - // Get the offset of the newest event - GetOldestEventLogRecord (this->log_event, &oldest_event); - GetNumberOfEventLogRecords (this->log_event, &num_events); - newest_event = (oldest_event + num_events) - 1; - - // Initialize the event record buffer - pevlr = (EVENTLOGRECORD *)&bBuffer; - - // Read the newest event, subsequent calls to ReadEventLog will read from here - rc = ReadEventLog(this->log_event, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, - newest_event, pevlr, BUFFER_SIZE, &read, &needed); - - // Something went wrong (we need more information on error 997, ignore it for now) - if (rc != 0 && rc != 997) { - pandoraDebug ("ReadEventLog error %d", GetLastError ()); - } -} - /** * Reads available events from the event log. 
*/ int -Pandora_Module_Logevent::getLogEvents (list &event_list) { - char description[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1]; - struct tm *time_info = NULL; - time_t epoch; - string event; - BYTE buffer[BUFFER_SIZE]; - DWORD read, needed; - EVENTLOGRECORD *pevlr = NULL; - LPCTSTR source_name; +Pandora_Module_Logevent::getLogEvents (list &event_list, unsigned char discard) { + char description[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1]; + struct tm *time_info = NULL; + time_t epoch; + string event; + BYTE *buffer = NULL, *new_buffer = NULL; + DWORD to_read, read, needed; + EVENTLOGRECORD *pevlr = NULL; + LPCTSTR source_name; + bool rc = false; + DWORD last_error; - if (this->log_event == NULL) { - return -1; - } + if (this->log_event == NULL) { + return -1; + } + + // Initialize the event record buffer + to_read = BUFFER_SIZE; + buffer = (BYTE *) malloc (sizeof (BYTE) * BUFFER_SIZE); + if (buffer == NULL) { + return -1; + } + pevlr = (EVENTLOGRECORD *) buffer; + + // Read events + while (1) { + rc = ReadEventLog (this->log_event, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, pevlr, to_read, &read, &needed); + if (!rc) { - // Initialize the event record buffer - pevlr = (EVENTLOGRECORD *) &buffer; + // Get error details + last_error = GetLastError(); - // Read events - while (ReadEventLog(this->log_event, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, - 0, pevlr, BUFFER_SIZE, &read, &needed)) { - while (read > 0) { + // Not enough space in the buffer + if(last_error == ERROR_INSUFFICIENT_BUFFER) { - // Retrieve the event description - getEventDescription (pevlr, description); + // Initialize the new event record buffer + to_read = needed; + new_buffer = (BYTE *) realloc (buffer, sizeof (BYTE) * needed); + if (new_buffer == NULL) { + free ((void *) buffer); + return -1; + } + + buffer = new_buffer; + pevlr = (EVENTLOGRECORD *) buffer; - // Filter the event - if (filterEvent (pevlr, description) == 0) { + // Try to read the event again + continue; + } + 
// Unknown error + else { + free ((void *) buffer); + return -1; + } + } + + // No more events + if (read == 0) { + free ((void *) buffer); + return 0; + } + + // Discard existing events + if (discard == 1) { + continue; + } - // Generate a timestamp for the event - epoch = pevlr->TimeGenerated; - time_info = localtime (&epoch); - strftime (timestamp, TIMESTAMP_LEN + 1, "%Y-%m-%d %H:%M:%S", time_info); - - // Add the event to the list - event = timestamp; - event.append (description); - event_list.push_back (event); - } + // Process read events + while (read > 0) { + + // Retrieve the event description + getEventDescription (pevlr, description); + + // Filter the event + if (filterEvent (pevlr, description) == 0) { + + // Generate a timestamp for the event + epoch = pevlr->TimeGenerated; + time_info = localtime (&epoch); + strftime (timestamp, TIMESTAMP_LEN + 1, "%Y-%m-%d %H:%M:%S", time_info); + + // Add the event to the list + event = timestamp; + event.append (description); + event_list.push_back (event); + } - // Move to the next event - read -= pevlr->Length; - pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length); - } + // Move to the next event + read -= pevlr->Length; + pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length); + } - pevlr = (EVENTLOGRECORD *) &buffer; - } + pevlr = (EVENTLOGRECORD *) buffer; + } + free ((void *) buffer); return 0; } diff --git a/pandora_agents/win32/modules/pandora_module_logevent.h b/pandora_agents/win32/modules/pandora_module_logevent.h index 3e56ac1777..d9bc2c788a 100755 --- a/pandora_agents/win32/modules/pandora_module_logevent.h +++ b/pandora_agents/win32/modules/pandora_module_logevent.h 
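Review bot: The error branch in the new read loop treats ERROR_HANDLE_EOF as an unknown error, and ReadEventLog reports end of log as a failed call with exactly that code, so the normal end of a sequential read frees the buffer and returns -1. Because the `while (1)` has no `break`, the `read == 0` check and the trailing `free ((void *) buffer); return 0;` look unreachable, and callers cannot tell end-of-log from a failure (run() ignores the result, so events are still delivered). Add `if (last_error == ERROR_HANDLE_EOF) { free ((void *) buffer); return 0; }` ahead of the unknown-error branch. The record walk also trusts `pevlr->Length` taken from the log data: a zero length spins forever and a length larger than `read` underflows the DWORD and advances pevlr past the buffer, so guard it with `if (pevlr->Length < sizeof (EVENTLOGRECORD) || pevlr->Length > read) break;` before the advance. The `discard` argument's 0/1 values deserve a line in the function header comment, e.g. `@param discard When 1, records are read and dropped (used to skip pre-existing events on open) instead of being appended to event_list.`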
@@ -49,8 +49,7 @@ namespace Pandora_Modules {
 HANDLE openLogEvent ();
 void closeLogEvent ();
- void discardLogEvents ();
- int getLogEvents (list &event_list);
+ int getLogEvents (list &event_list, unsigned char discard);
 void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time);
 void getEventDescription (PEVENTLOGRECORD pevlr, char *message);
 int filterEvent (PEVENTLOGRECORD pevlr, string description);