tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-28 00:04:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

2010-11-08 Ramon Novoa <rnovoa@artica.es>

Browse Source 
* modules/pandora_module_logevent.cc,
	  modules/pandora_module_logevent.h: Re-wrote the module to avoid
	  using EVENTLOG_SEEK_READ, which seems to cause a lot of trouble.



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3561 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
ramonn 2010-11-08 19:26:17 +00:00
parent 7eeb9560a6
commit 42c37e9b35
3 changed files with 100 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pandora_agents/win32/ChangeLog
View File

@ -1,3 +1,9 @@
2010-11-08 Ramon Novoa <rnovoa@artica.es>
* modules/pandora_module_logevent.cc,
modules/pandora_module_logevent.h: Re-wrote the module to avoid
using EVENTLOG_SEEK_READ, which seems to cause a lot of trouble.
2010-11-05 Ramon Novoa <rnovoa@artica.es> 2010-11-05 Ramon Novoa <rnovoa@artica.es>
* installer/pandora.mpi: Updated installation messages. * installer/pandora.mpi: Updated installation messages.

169
pandora_agents/win32/modules/pandora_module_logevent.cc
View File

@ -81,12 +81,12 @@ Pandora_Module_Logevent::run () {
return; return;
} }
// Open log event // Open log event
this->openLogEvent(); this->openLogEvent();
// Read events // Read events
this->getLogEvents (event_list); this->getLogEvents (event_list, 0);
// No data // No data
if (event_list.size () < 1) { if (event_list.size () < 1) {
return; return;
@ -113,6 +113,7 @@ Pandora_Module_Logevent::run () {
*/ */
HANDLE HANDLE
Pandora_Module_Logevent::openLogEvent () { Pandora_Module_Logevent::openLogEvent () {
list<string> event_list;
// Check whether the event log is already open // Check whether the event log is already open
if (this->log_event != NULL) { if (this->log_event != NULL) {
@ -127,7 +128,7 @@ Pandora_Module_Logevent::openLogEvent () {
} }
// Discard existing events // Discard existing events
this->discardLogEvents (); this->getLogEvents (event_list, 1);
return this->log_event; return this->log_event;
} }
@ -147,90 +148,106 @@ Pandora_Module_Logevent::closeLogEvent () {
this->log_event = NULL; this->log_event = NULL;
} }
/**
* Discards existing log events.
*/
void
Pandora_Module_Logevent::discardLogEvents () {
int rc;
BYTE bBuffer[BUFFER_SIZE];
DWORD read, needed;
DWORD oldest_event, newest_event, num_events;
EVENTLOGRECORD *pevlr;
if (this->log_event == NULL) {
return;
}
// Get the offset of the newest event
GetOldestEventLogRecord (this->log_event, &oldest_event);
GetNumberOfEventLogRecords (this->log_event, &num_events);
newest_event = (oldest_event + num_events) - 1;
// Initialize the event record buffer
pevlr = (EVENTLOGRECORD *)&bBuffer;
// Read the newest event, subsequent calls to ReadEventLog will read from here
rc = ReadEventLog(this->log_event, EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ,
newest_event, pevlr, BUFFER_SIZE, &read, &needed);
// Something went wrong (we need more information on error 997, ignore it for now)
if (rc != 0 && rc != 997) {
pandoraDebug ("ReadEventLog error %d", GetLastError ());
}
}
/** /**
* Reads available events from the event log. * Reads available events from the event log.
*/ */
int int
Pandora_Module_Logevent::getLogEvents (list<string> &event_list) { Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char discard) {
char description[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1]; char description[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1];
struct tm *time_info = NULL; struct tm *time_info = NULL;
time_t epoch; time_t epoch;
string event; string event;
BYTE buffer[BUFFER_SIZE]; BYTE *buffer = NULL, *new_buffer = NULL;
DWORD read, needed; DWORD to_read, read, needed;
EVENTLOGRECORD *pevlr = NULL; EVENTLOGRECORD *pevlr = NULL;
LPCTSTR source_name; LPCTSTR source_name;
bool rc = false;
DWORD last_error;
if (this->log_event == NULL) { if (this->log_event == NULL) {
return -1; return -1;
} }
// Initialize the event record buffer
to_read = BUFFER_SIZE;
buffer = (BYTE *) malloc (sizeof (BYTE) * BUFFER_SIZE);
if (buffer == NULL) {
return -1;
}
pevlr = (EVENTLOGRECORD *) buffer;
// Read events
while (1) {
rc = ReadEventLog (this->log_event, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0, pevlr, to_read, &read, &needed);
if (!rc) {
// Initialize the event record buffer // Get error details
pevlr = (EVENTLOGRECORD *) &buffer; last_error = GetLastError();
// Read events // Not enough space in the buffer
while (ReadEventLog(this->log_event, EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ, if(last_error == ERROR_INSUFFICIENT_BUFFER) {
0, pevlr, BUFFER_SIZE, &read, &needed)) {
while (read > 0) {
// Retrieve the event description // Initialize the new event record buffer
getEventDescription (pevlr, description); to_read = needed;
new_buffer = (BYTE *) realloc (buffer, sizeof (BYTE) * needed);
if (new_buffer == NULL) {
free ((void *) buffer);
return -1;
}
buffer = new_buffer;
pevlr = (EVENTLOGRECORD *) buffer;
// Filter the event // Try to read the event again
if (filterEvent (pevlr, description) == 0) { continue;
}
// Unknown error
else {
free ((void *) buffer);
return -1;
}
}
// No more events
if (read == 0) {
free ((void *) buffer);
return 0;
}
// Discard existing events
if (discard == 1) {
continue;
}
// Generate a timestamp for the event // Process read events
epoch = pevlr->TimeGenerated; while (read > 0) {
time_info = localtime (&epoch);
strftime (timestamp, TIMESTAMP_LEN + 1, "%Y-%m-%d %H:%M:%S", time_info); // Retrieve the event description
getEventDescription (pevlr, description);
// Add the event to the list
event = timestamp; // Filter the event
event.append (description); if (filterEvent (pevlr, description) == 0) {
event_list.push_back (event);
} // Generate a timestamp for the event
epoch = pevlr->TimeGenerated;
time_info = localtime (&epoch);
strftime (timestamp, TIMESTAMP_LEN + 1, "%Y-%m-%d %H:%M:%S", time_info);
// Add the event to the list
event = timestamp;
event.append (description);
event_list.push_back (event);
}
// Move to the next event // Move to the next event
read -= pevlr->Length; read -= pevlr->Length;
pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length); pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length);
} }
pevlr = (EVENTLOGRECORD *) &buffer; pevlr = (EVENTLOGRECORD *) buffer;
} }
free ((void *) buffer);
return 0; return 0;
} }

3
pandora_agents/win32/modules/pandora_module_logevent.h
View File

@ -49,8 +49,7 @@ namespace Pandora_Modules {
HANDLE openLogEvent (); HANDLE openLogEvent ();
void closeLogEvent (); void closeLogEvent ();
void discardLogEvents (); int getLogEvents (list<string> &event_list, unsigned char discard);
int getLogEvents (list<string> &event_list);
void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time); void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time);
void getEventDescription (PEVENTLOGRECORD pevlr, char *message); void getEventDescription (PEVENTLOGRECORD pevlr, char *message);
int filterEvent (PEVENTLOGRECORD pevlr, string description); int filterEvent (PEVENTLOGRECORD pevlr, string description);