tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Get the log time to put the properly timestamp on XML on module_logchannel

This commit is contained in:
fermin831 2017-10-24 11:32:43 +02:00
parent a235abb903
commit da06d78b1c
2 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
pandora_agents/win32/modules/pandora_module_logchannel.cc
View File

@ -176,8 +176,8 @@ Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source
void void
Pandora_Module_Logchannel::run () { Pandora_Module_Logchannel::run () {
list<string> event_list; list<LogChannelList> event_list;
list<string>::iterator event; list<LogChannelList>::iterator event;
SYSTEMTIME system_time; SYSTEMTIME system_time;
// Run // Run
@ -198,7 +198,7 @@ Pandora_Module_Logchannel::run () {
for (event = event_list.begin (); event != event_list.end(); ++event) { for (event = event_list.begin (); event != event_list.end(); ++event) {
// Store the data // Store the data
this->setOutput (*event); this->setOutput (event->message, &(event->timestamp));
} }
} }
@ -322,7 +322,7 @@ Pandora_Module_Logchannel::cleanBookmark () {
* Reads available events from the event log. * Reads available events from the event log.
*/ */
void void
Pandora_Module_Logchannel::getLogEvents (list<string> &event_list) { Pandora_Module_Logchannel::getLogEvents (list<LogChannelList> &event_list) {
EVT_HANDLE hResults = NULL; EVT_HANDLE hResults = NULL;
EVT_HANDLE hBookmark = NULL; EVT_HANDLE hBookmark = NULL;
EVT_HANDLE hEvents[1]; EVT_HANDLE hEvents[1];
@ -330,13 +330,15 @@ Pandora_Module_Logchannel::getLogEvents (list<string> &event_list) {
PEVT_VARIANT pRenderedValues = NULL; PEVT_VARIANT pRenderedValues = NULL;
EVT_HANDLE hProviderMetadata = NULL; EVT_HANDLE hProviderMetadata = NULL;
LPWSTR pwsMessage = NULL; LPWSTR pwsMessage = NULL;
LPWSTR ppValues[] = {L"Event/System/Provider/@Name"}; LPWSTR ppValues[] = {L"Event/System/Provider/@Name", L"Event/System/TimeCreated/@SystemTime"};
DWORD count = sizeof(ppValues)/sizeof(LPWSTR); DWORD count = sizeof(ppValues)/sizeof(LPWSTR);
DWORD dwReturned = 0; DWORD dwReturned = 0;
DWORD dwBufferSize = 0; DWORD dwBufferSize = 0;
DWORD dwBufferUsed = 0; DWORD dwBufferUsed = 0;
DWORD dwPropertyCount = 0; DWORD dwPropertyCount = 0;
DWORD status = ERROR_SUCCESS; DWORD status = ERROR_SUCCESS;
SYSTEMTIME eventTime;
FILETIME lft, ft;
wstring filter = L"*"; wstring filter = L"*";
//wstring filter = L"*[System[TimeCreated[@SystemTime>='2017-10-19T00:00:00']]]"; //wstring filter = L"*[System[TimeCreated[@SystemTime>='2017-10-19T00:00:00']]]";
bool update_bookmark = false; bool update_bookmark = false;
@ -419,6 +421,17 @@ Pandora_Module_Logchannel::getLogEvents (list<string> &event_list) {
} }
} }
// Get the SYSTEMTIME of log
ULONGLONG ullTimeStamp = pRenderedValues[1].FileTimeVal;
ft.dwHighDateTime = (DWORD)((ullTimeStamp >> 32) & 0xFFFFFFFF);
ft.dwLowDateTime = (DWORD)(ullTimeStamp & 0xFFFFFFFF);
// Time format conversions
if (!FileTimeToLocalFileTime(&ft, &lft)){
pandoraDebug("UTC FILETIME to LOCAL FILETIME error: %d.", GetLastError());
} else if (!FileTimeToSystemTime(&lft, &eventTime)){
pandoraDebug("FILETIME to SYSTEMTIME error: %d.", GetLastError());
}
// Get the handle to the provider's metadata that contains the message strings // Get the handle to the provider's metadata that contains the message strings
hProviderMetadata = EvtOpenPublisherMetadataF(NULL, pRenderedValues[0].StringVal, NULL, 0, 0); hProviderMetadata = EvtOpenPublisherMetadataF(NULL, pRenderedValues[0].StringVal, NULL, 0, 0);
if (hProviderMetadata == NULL) { if (hProviderMetadata == NULL) {
@ -447,7 +460,10 @@ Pandora_Module_Logchannel::getLogEvents (list<string> &event_list) {
// Save the event message // Save the event message
pandoraLog("Message: %S.", pwsMessage); pandoraLog("Message: %S.", pwsMessage);
event_list.push_back (strUnicodeToAnsi(pwsMessage)); LogChannelList event_item;
event_item.message = strUnicodeToAnsi(pwsMessage);
event_item.timestamp= eventTime;
event_list.push_back (event_item);
// Clean up some used vars // Clean up some used vars
EvtCloseF(hContext); EvtCloseF(hContext);

6
pandora_agents/win32/modules/pandora_module_logchannel.h
View File

@ -59,6 +59,10 @@ namespace Pandora_Modules {
*/ */
class Pandora_Module_Logchannel : public Pandora_Module { class Pandora_Module_Logchannel : public Pandora_Module {
struct LogChannelList {
string message;
SYSTEMTIME timestamp;
};
private: private:
regex_t regexp; regex_t regexp;
unsigned long id; unsigned long id;
@ -72,7 +76,7 @@ namespace Pandora_Modules {
void initializeLogChannel (); void initializeLogChannel ();
bool updateBookmarkXML (EVT_HANDLE hBookmark); bool updateBookmarkXML (EVT_HANDLE hBookmark);
void getLogEvents (list<string> &event_list); void getLogEvents (list<LogChannelList> &event_list);
void cleanBookmark (); void cleanBookmark ();
LPWSTR GetMessageString(EVT_HANDLE hMetadata, EVT_HANDLE hEvent, EVT_FORMAT_MESSAGE_FLAGS FormatId); LPWSTR GetMessageString(EVT_HANDLE hMetadata, EVT_HANDLE hEvent, EVT_FORMAT_MESSAGE_FLAGS FormatId);