tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-30 01:05:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

2013-06-20 Ramon Novoa <rnovoa@artica.es>

Browse Source 
* windows/winevt.h: Added to repository. Headers for Wevtapi.dll.

	* modules/pandora_module_logevent.cc,
	  modules/pandora_module_logevent.h,
	  pandora_strutils.cc,
	  pandora_strutils.h: Added support for the new XML based eventing model
	  introduced in Windows Vista.



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@8358 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
ramonn 2013-06-20 08:37:35 +00:00
parent 253cd8f5c9
commit de1978c8db
6 changed files with 896 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pandora_agents/win32/ChangeLog
View File

@ -1,3 +1,13 @@
2013-06-20 Ramon Novoa <rnovoa@artica.es>
* windows/winevt.h: Added to repository. Headers for Wevtapi.dll.
* modules/pandora_module_logevent.cc,
modules/pandora_module_logevent.h,
pandora_strutils.cc,
pandora_strutils.h: Added support for the new XML based eventing model
introduced in Windows Vista.
2013-06-14 Ramon Novoa <rnovoa@artica.es> 2013-06-14 Ramon Novoa <rnovoa@artica.es>
* modules/pandora_module_logevent.h, * modules/pandora_module_logevent.h,

263
pandora_agents/win32/modules/pandora_module_logevent.cc
View File

@ -27,9 +27,22 @@
#include "pandora_module_logevent.h" #include "pandora_module_logevent.h"
#include "../windows/pandora_wmi.h" #include "../windows/pandora_wmi.h"
#include "../pandora_windows_service.h" #include "../pandora_windows_service.h"
#include "pandora_module_logevent.h"
#include "pandora_strutils.h"
using namespace Pandora; using namespace Pandora;
using namespace Pandora_Modules; using namespace Pandora_Modules;
using namespace Pandora_Strutils;
// Pointers to Wevtapi.dll functions
static HINSTANCE WINEVENT = NULL;
static EvtQueryT EvtQueryF = NULL;
static EvtNextT EvtNextF = NULL;
static EvtCreateRenderContextT EvtCreateRenderContextF = NULL;
static EvtRenderT EvtRenderF = NULL;
static EvtCloseT EvtCloseF = NULL;
static EvtFormatMessageT EvtFormatMessageF = NULL;
static EvtOpenPublisherMetadataT EvtOpenPublisherMetadataF = NULL;
/** /**
* Creates a Pandora_Module_Logevent object. * Creates a Pandora_Module_Logevent object.
@ -75,6 +88,67 @@ Pandora_Module_Logevent::Pandora_Module_Logevent (string name, string source, st
this->log_event = NULL; this->log_event = NULL;
this->first_run = 1; this->first_run = 1;
this->setKind (module_logevent_str); this->setKind (module_logevent_str);
// Load Wevtapi.dll and some functions
if (WINEVENT == NULL) {
WINEVENT = LoadLibrary("Wevtapi.dll");
if (WINEVENT == NULL) {
// Log to the bedug log, since this is not an error
pandoraDebug ("Error loading library Wevtapi.dll");
return;
}
EvtQueryF = (EvtQueryT) GetProcAddress (WINEVENT, "EvtQuery");
if (EvtQueryF == NULL) {
pandoraLog ("Error loading function EvtQuery from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
EvtNextF = (EvtNextT) GetProcAddress (WINEVENT, "EvtNext");
if (EvtNextF == NULL) {
pandoraLog ("Error loading function EvtNext from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
EvtCreateRenderContextF = (EvtCreateRenderContextT) GetProcAddress (WINEVENT, "EvtCreateRenderContext");
if (EvtCreateRenderContextF == NULL) {
pandoraLog ("Error loading function EvtCreateRenderContext from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
EvtRenderF = (EvtRenderT) GetProcAddress (WINEVENT, "EvtRender");
if (EvtRenderF == NULL) {
pandoraLog ("Error loading function EvtRender from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
EvtCloseF = (EvtCloseT) GetProcAddress (WINEVENT, "EvtClose");
if (EvtCloseF == NULL) {
pandoraLog ("Error loading function EvtClose from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
EvtFormatMessageF = (EvtFormatMessageT) GetProcAddress (WINEVENT, "EvtFormatMessage");
if (EvtFormatMessageF == NULL) {
pandoraLog ("Error loading function EvtFormatMessage from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
EvtOpenPublisherMetadataF = (EvtOpenPublisherMetadataT) GetProcAddress (WINEVENT, "EvtOpenPublisherMetadata");
if (EvtOpenPublisherMetadataF == NULL) {
pandoraLog ("Error loading function EvtOpenPublisherMetadata from Wevtapi.dll");
FreeLibrary (WINEVENT);
WINEVENT = NULL;
return;
}
}
} }
void void
@ -166,7 +240,7 @@ Pandora_Module_Logevent::closeLogEvent () {
*/ */
int int
Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char discard) { Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char discard) {
char description[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1]; char message[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1];
struct tm *time_info = NULL; struct tm *time_info = NULL;
time_t epoch; time_t epoch;
BYTE *buffer = NULL, *new_buffer = NULL; BYTE *buffer = NULL, *new_buffer = NULL;
@ -181,6 +255,7 @@ Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char d
TCHAR lp_referenced_domain_name[_MAX_PATH + 1]; TCHAR lp_referenced_domain_name[_MAX_PATH + 1];
DWORD cch_referenced_domain_name = _MAX_PATH + 1; DWORD cch_referenced_domain_name = _MAX_PATH + 1;
SID_NAME_USE pe_use; SID_NAME_USE pe_use;
string description;
if (this->log_event == NULL) { if (this->log_event == NULL) {
return -1; return -1;
@ -246,12 +321,19 @@ Pandora_Module_Logevent::getLogEvents (list<string> &event_list, unsigned char d
while (read > 0) { while (read > 0) {
// Retrieve the event description (LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE) // Retrieve the event description (LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE)
getEventDescription (pevlr, description, 0x20 | 0x02); description = getEventDescriptionXPATH (pevlr);
if (description[0] == '\0') { if (description == "") {
// Retrieve the event description (DONT_RESOLVE_DLL_REFERENCES) getEventDescription (pevlr, message, 0x20 | 0x02);
getEventDescription (pevlr, description, DONT_RESOLVE_DLL_REFERENCES); if (message[0] == '\0') {
if (description[0] == '\0') { // Retrieve the event description (DONT_RESOLVE_DLL_REFERENCES)
strcpy (description, "N/A"); getEventDescription (pevlr, message, DONT_RESOLVE_DLL_REFERENCES);
if (message[0] == '\0') {
description = "N/A";
} else {
description = message;
}
} else {
description = message;
} }
} }
@ -350,7 +432,6 @@ Pandora_Module_Logevent::timestampToSystemtime (string timestamp, SYSTEMTIME *sy
* *
* @param event Event log record. * @param event Event log record.
* @param message Buffer to store the description (at least _MAX_PATH + 1). * @param message Buffer to store the description (at least _MAX_PATH + 1).
* @return 0 if the description could be retrieved, -1 otherwise.
*/ */
void void
Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags) { Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags) {
@ -448,6 +529,170 @@ Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *messa
RegCloseKey(hk); RegCloseKey(hk);
} }
/**
* Retrieves the description of the given event via XPATH.
*
* @param event Event log record.
* @param message Buffer to store the description (at least _MAX_PATH + 1).
*/
string
Pandora_Module_Logevent::getEventDescriptionXPATH (PEVENTLOGRECORD pevlr) {
DWORD status = ERROR_SUCCESS;
EVT_HANDLE hResults = NULL;
wstring pwsQuery;
wstring pwsPath;
EVT_HANDLE hEvents[1];
DWORD dwReturned = 0;
LPWSTR ppValues[] = {L"Event/System/Provider/@Name"};
DWORD count = sizeof(ppValues)/sizeof(LPWSTR);
EVT_HANDLE hContext = NULL;
PEVT_VARIANT pRenderedValues = NULL;
DWORD dwBufferSize = 0;
DWORD dwBufferUsed = 0;
DWORD dwPropertyCount = 0;
LPWSTR pwsMessage = NULL;
EVT_HANDLE hProviderMetadata = NULL;
string query, path, description;
// Wevtapi.dll not available
if (WINEVENT == NULL) {
return description;
}
// Build the XPATH query
query = "Event/System[EventID=" + inttostr(pevlr->EventID & EVENT_ID_MASK) + "]";
pwsQuery = strAnsiToUnicode (query.c_str());
pwsPath = strAnsiToUnicode (this->source.c_str());
// Query for the event
hResults = EvtQueryF (NULL, pwsPath.c_str(), pwsQuery.c_str(), EvtQueryChannelPath | EvtQueryReverseDirection);
if (hResults == NULL) {
pandoraDebug ("EvtQuery error: %d", GetLastError());
return description;
}
// Event not found
if (! EvtNextF(hResults, 1, hEvents, INFINITE, 0, &dwReturned)) {
pandoraDebug ("EvtNext error: %d", GetLastError());
EvtCloseF(hResults);
return description;
}
// Extract data from the event
hContext = EvtCreateRenderContextF(count, (LPCWSTR*)ppValues, EvtRenderContextValues);
if (NULL == hContext) {
pandoraDebug ("EvtCreateRenderContext error: %d", GetLastError());
EvtCloseF(hEvents[0]);
EvtCloseF(hResults);
return description;
}
if (! EvtRenderF(hContext, hEvents[0], EvtRenderEventValues, dwBufferSize, pRenderedValues, &dwBufferUsed, &dwPropertyCount)) {
if ((status = GetLastError()) == ERROR_INSUFFICIENT_BUFFER) {
dwBufferSize = dwBufferUsed;
pRenderedValues = (PEVT_VARIANT)malloc(dwBufferSize);
if (pRenderedValues) {
EvtRenderF(hContext, hEvents[0], EvtRenderEventValues, dwBufferSize, pRenderedValues, &dwBufferUsed, &dwPropertyCount);
}
else {
pandoraDebug ("EvtRender error: %d", status);
EvtCloseF(hContext);
EvtCloseF(hEvents[0]);
EvtCloseF(hResults);
return description;
}
}
if (ERROR_SUCCESS != (status = GetLastError())) {
pandoraDebug ("EvtRender error: %d", status);
EvtCloseF(hContext);
EvtCloseF(hEvents[0]);
EvtCloseF(hResults);
return description;
}
}
// Get the handle to the provider's metadata that contains the message strings
hProviderMetadata = EvtOpenPublisherMetadataF(NULL, pRenderedValues[0].StringVal, NULL, 0, 0);
if (hProviderMetadata == NULL) {
pandoraDebug ("EvtOpenPublisherMetadata error: %d", GetLastError());
free(pRenderedValues);
EvtCloseF(hContext);
EvtCloseF(hEvents[0]);
EvtCloseF(hResults);
return description;
}
// Read the event message
pwsMessage = GetMessageString(hProviderMetadata, hEvents[0], EvtFormatMessageEvent);
if (pwsMessage == NULL) {
free(pRenderedValues);
EvtCloseF(hProviderMetadata);
EvtCloseF(hContext);
EvtCloseF(hEvents[0]);
EvtCloseF(hResults);
return description;
}
// Save the event message
description = strUnicodeToAnsi (pwsMessage);
// Cleanup
free(pRenderedValues);
EvtCloseF(hProviderMetadata);
EvtCloseF(hContext);
EvtCloseF(hEvents[0]);
EvtCloseF(hResults);
return description;
}
// Gets the specified message string from the event. If the event does not
// contain the specified message, the function returns NULL.
// See http://msdn.microsoft.com/en-us/library/windows/desktop/dd996923(v=vs.85).aspx
LPWSTR
Pandora_Module_Logevent::GetMessageString(EVT_HANDLE hMetadata, EVT_HANDLE hEvent, EVT_FORMAT_MESSAGE_FLAGS FormatId) {
LPWSTR pBuffer = NULL;
DWORD dwBufferSize = 0;
DWORD dwBufferUsed = 0;
DWORD status = 0;
if (!EvtFormatMessageF(hMetadata, hEvent, 0, 0, NULL, FormatId, dwBufferSize, pBuffer, &dwBufferUsed)) {
status = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER == status) {
// An event can contain one or more keywords. The function returns keywords
// as a list of keyword strings. To process the list, you need to know the
// size of the buffer, so you know when you have read the last string, or you
// can terminate the list of strings with a second null terminator character
// as this example does.
if ((EvtFormatMessageKeyword == FormatId)) {
pBuffer[dwBufferSize-1] = L'\0';
}
else {
dwBufferSize = dwBufferUsed;
}
pBuffer = (LPWSTR)malloc(dwBufferSize * sizeof(WCHAR));
if (pBuffer) {
EvtFormatMessageF(hMetadata, hEvent, 0, 0, NULL, FormatId, dwBufferSize, pBuffer, &dwBufferUsed);
// Add the second null terminator character.
if ((EvtFormatMessageKeyword == FormatId)) {
pBuffer[dwBufferUsed-1] = L'\0';
}
}
else {
return NULL;
}
}
else {
pandoraDebug ("EvtFormatMessage error: %d", status);
return NULL;
}
}
return pBuffer;
}
/** /**
* Filters the given event according to the module parameters. * Filters the given event according to the module parameters.
* *
@ -460,7 +705,7 @@ Pandora_Module_Logevent::filterEvent (PEVENTLOGRECORD pevlr, string description)
LPCSTR source_name; LPCSTR source_name;
// Event ID filter // Event ID filter
if (this->id > 0 && this->id != (pevlr->EventID & 0x3FFFFFFF)) { if (this->id > 0 && this->id != (pevlr->EventID & EVENT_ID_MASK)) {
return -1; return -1;
} }

16
pandora_agents/win32/modules/pandora_module_logevent.h
View File

@ -24,6 +24,7 @@
#include "pandora_module.h" #include "pandora_module.h"
#include "boost/regex.h" #include "boost/regex.h"
#include "../windows/winevt.h"
// Log event read buffer size // Log event read buffer size
#define BUFFER_SIZE 1024 #define BUFFER_SIZE 1024
@ -31,6 +32,19 @@
// Length of a timestamp string YYYY-MM-DD HH:MM:SS // Length of a timestamp string YYYY-MM-DD HH:MM:SS
#define TIMESTAMP_LEN 19 #define TIMESTAMP_LEN 19
// The EventID property equals the InstanceId with the top two bits masked off.
// See: http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry.eventid.aspx
#define EVENT_ID_MASK 0x3FFFFFFF
// Types for pointers to Wevtapi.dll functions
typedef EVT_HANDLE WINAPI (*EvtQueryT) (EVT_HANDLE Session, LPCWSTR Path, LPCWSTR Query, DWORD Flags);
typedef WINBOOL WINAPI (*EvtNextT) (EVT_HANDLE ResultSet, DWORD EventArraySize, EVT_HANDLE* EventArray, DWORD Timeout, DWORD Flags, PDWORD Returned);
typedef EVT_HANDLE WINAPI (*EvtCreateRenderContextT) (DWORD ValuePathsCount, LPCWSTR *ValuePaths, DWORD Flags);
typedef WINBOOL WINAPI (*EvtRenderT) (EVT_HANDLE Context, EVT_HANDLE Fragment, DWORD Flags, DWORD BufferSize, PVOID Buffer, PDWORD BufferUsed, PDWORD PropertyCount);
typedef WINBOOL WINAPI (*EvtCloseT) (EVT_HANDLE Object);
typedef WINBOOL WINAPI (*EvtFormatMessageT) (EVT_HANDLE PublisherMetadata, EVT_HANDLE Event, DWORD MessageId, DWORD ValueCount, PEVT_VARIANT Values, DWORD Flags, DWORD BufferSize, LPWSTR Buffer, PDWORD BufferUsed);
typedef EVT_HANDLE WINAPI (*EvtOpenPublisherMetadataT) (EVT_HANDLE Session, LPCWSTR PublisherIdentity, LPCWSTR LogFilePath, LCID Locale, DWORD Flags);
namespace Pandora_Modules { namespace Pandora_Modules {
/** /**
@ -55,7 +69,9 @@ namespace Pandora_Modules {
int getLogEvents (list<string> &event_list, unsigned char discard); int getLogEvents (list<string> &event_list, unsigned char discard);
void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time); void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time);
void getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags); void getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags);
string getEventDescriptionXPATH (PEVENTLOGRECORD pevlr);
int filterEvent (PEVENTLOGRECORD pevlr, string description); int filterEvent (PEVENTLOGRECORD pevlr, string description);
LPWSTR GetMessageString(EVT_HANDLE hMetadata, EVT_HANDLE hEvent, EVT_FORMAT_MESSAGE_FLAGS FormatId);
public: public:
Pandora_Module_Logevent (string name, string source, string type, string id, string pattern, string application); Pandora_Module_Logevent (string name, string source, string type, string id, string pattern, string application);

47
pandora_agents/win32/pandora_strutils.cc
View File

@ -63,32 +63,61 @@ Pandora_Strutils::trim (const string str) {
* *
* @return String converted into ANSI code * @return String converted into ANSI code
*/ */
LPSTR string
Pandora_Strutils::strUnicodeToAnsi (LPCWSTR s) { Pandora_Strutils::strUnicodeToAnsi (LPCWSTR s) {
string output;
if (s == NULL) if (s == NULL)
return NULL; return NULL;
int cw = lstrlenW (s); int cw = lstrlenW (s);
if (cw == 0) { if (cw == 0) {
CHAR *psz = new CHAR[1]; return output;
*psz='\0';
return psz;
} }
int cc = WideCharToMultiByte (CP_ACP,0, s, cw, NULL, 0, NULL, NULL); int cc = WideCharToMultiByte (CP_ACP,0, s, cw, NULL, 0, NULL, NULL);
if (cc==0) if (cc==0) {
return NULL; return output;
}
CHAR *psz = new CHAR[cc+1]; CHAR *psz = new CHAR[cc+1];
cc = WideCharToMultiByte (CP_ACP, 0, s, cw, psz, cc, NULL, NULL); cc = WideCharToMultiByte (CP_ACP, 0, s, cw, psz, cc, NULL, NULL);
if (cc == 0) { if (cc == 0) {
delete[] psz; delete[] psz;
return NULL; return output;
} }
psz[cc]='\0'; psz[cc]='\0';
output = psz;
delete[] psz;
return psz; return output;
}
/**
* Convert an ANSI string to a unicode string. Do not forget to
* delete the returned string!
*
* @param s String to convert
*
* @return String converted to Unicode
*/
wstring
Pandora_Strutils::strAnsiToUnicode (LPCSTR s) {
LPWSTR output;
wstring w_output;
int lenW = MultiByteToWideChar(CP_ACP, 0, s, -1, NULL, 0);
if (lenW <= 0) {
return NULL;
}
output = new wchar_t[lenW];
MultiByteToWideChar(CP_ACP, 0, s, -1, output, lenW);
w_output = output;
delete[] output;
return w_output;
} }
/** /**

4
pandora_agents/win32/pandora_strutils.h
View File

@ -44,8 +44,8 @@ namespace Pandora_Strutils {
string trim (const string str); string trim (const string str);
LPSTR strUnicodeToAnsi (LPCWSTR s); string strUnicodeToAnsi (LPCWSTR s);
wstring strAnsiToUnicode (LPCSTR s);
string inttostr (const int i); string inttostr (const int i);
string longtostr (const long i); string longtostr (const long i);
string longtohex (const long i); string longtohex (const long i);

576
pandora_agents/win32/windows/winevt.h Normal file
View File

@ -0,0 +1,576 @@
/**
* This file has no copyright assigned and is placed in the Public Domain.
* This file is part of the mingw-w64 runtime package.
* No warranty is given; refer to the file DISCLAIMER.PD within this package.
*/
#ifndef _INC_WINEVT
#define _INC_WINEVT
//#if (_WIN32_WINNT >= 0x0600)
#ifdef __cplusplus
extern "C" {
#endif
typedef enum _EVT_CHANNEL_CLOCK_TYPE {
EvtChannelClockTypeSystemTime = 0,
EvtChannelClockTypeQPC = 1
} EVT_CHANNEL_CLOCK_TYPE;
typedef enum _EVT_CHANNEL_CONFIG_PROPERTY_ID {
EvtChannelConfigEnabled = 0,
EvtChannelConfigIsolation = 1,
EvtChannelConfigType = 2,
EvtChannelConfigOwningPublisher = 3,
EvtChannelConfigClassicEventlog = 4,
EvtChannelConfigAccess = 5,
EvtChannelLoggingConfigRetention = 6,
EvtChannelLoggingConfigAutoBackup = 7,
EvtChannelLoggingConfigMaxSize = 8,
EvtChannelLoggingConfigLogFilePath = 9,
EvtChannelPublishingConfigLevel = 10,
EvtChannelPublishingConfigKeywords = 11,
EvtChannelPublishingConfigControlGuid = 12,
EvtChannelPublishingConfigBufferSize = 13,
EvtChannelPublishingConfigMinBuffers = 14,
EvtChannelPublishingConfigMaxBuffers = 15,
EvtChannelPublishingConfigLatency = 16,
EvtChannelPublishingConfigClockType = 17,
EvtChannelPublishingConfigSidType = 18,
EvtChannelPublisherList = 19,
EvtChannelPublishingConfigFileMax = 20,
EvtChannelConfigPropertyIdEND = 21
} EVT_CHANNEL_CONFIG_PROPERTY_ID;
typedef enum _EVT_CHANNEL_ISOLATION_TYPE {
EvtChannelIsolationTypeApplication = 0,
EvtChannelIsolationTypeSystem = 1,
EvtChannelIsolationTypeCustom = 2
} EVT_CHANNEL_ISOLATION_TYPE;
typedef enum _EVT_CHANNEL_REFERENCE_FLAGS {
EvtChannelReferenceImported = 0x1
} EVT_CHANNEL_REFERENCE_FLAGS;
typedef enum _EVT_CHANNEL_SID_TYPE {
EvtChannelSidTypeNone = 0,
EvtChannelSidTypePublishing = 1
} EVT_CHANNEL_SID_TYPE;
typedef enum _EVT_CHANNEL_TYPE {
EvtChannelTypeAdmin = 0,
EvtChannelTypeOperational = 1,
EvtChannelTypeAnalytic = 2,
EvtChannelTypeDebug = 3
} EVT_CHANNEL_TYPE;
typedef enum _EVT_EVENT_METADATA_PROPERTY_ID {
EventMetadataEventID = 0,
EventMetadataEventVersion = 1,
EventMetadataEventChannel = 2,
EventMetadataEventLevel = 3,
EventMetadataEventOpcode = 4,
EventMetadataEventTask = 5,
EventMetadataEventKeyword = 6,
EventMetadataEventMessageID = 7,
EventMetadataEventTemplate = 8,
EvtEventMetadataPropertyIdEND = 9
} EVT_EVENT_METADATA_PROPERTY_ID;
typedef enum _EVT_EVENT_PROPERTY_ID {
EvtEventQueryIDs = 0,
EvtEventPath = 1,
EvtEventPropertyIdEND = 2
} EVT_EVENT_PROPERTY_ID;
typedef enum _EVT_EXPORTLOG_FLAGS {
EvtExportLogChannelPath = 0x1,
EvtExportLogFilePath = 0x2,
EvtExportLogTolerateQueryErrors = 0x1000
} EVT_EXPORTLOG_FLAGS;
typedef enum _EVT_FORMAT_MESSAGE_FLAGS {
EvtFormatMessageEvent = 1,
EvtFormatMessageLevel = 2,
EvtFormatMessageTask = 3,
EvtFormatMessageOpcode = 4,
EvtFormatMessageKeyword = 5,
EvtFormatMessageChannel = 6,
EvtFormatMessageProvider = 7,
EvtFormatMessageId = 8,
EvtFormatMessageXml = 9
} EVT_FORMAT_MESSAGE_FLAGS;
typedef enum _EVT_LOG_PROPERTY_ID {
EvtLogCreationTime = 0,
EvtLogLastAccessTime = 1,
EvtLogLastWriteTime = 2,
EvtLogFileSize = 3,
EvtLogAttributes = 4,
EvtLogNumberOfLogRecords = 5,
EvtLogOldestRecordNumber = 6,
EvtLogFull = 7
} EVT_LOG_PROPERTY_ID;
typedef enum _EVT_LOGIN_CLASS {
EvtRpcLogin = 1
} EVT_LOGIN_CLASS;
typedef enum _EVT_OPEN_LOG_FLAGS {
EvtOpenChannelPath = 0x1,
EvtOpenFilePath = 0x2
} EVT_OPEN_LOG_FLAGS;
typedef enum _EVT_PUBLISHER_METADATA_PROPERTY_ID {
EvtPublisherMetadataPublisherGuid = 0,
EvtPublisherMetadataResourceFilePath,
EvtPublisherMetadataParameterFilePath,
EvtPublisherMetadataMessageFilePath,
EvtPublisherMetadataHelpLink,
EvtPublisherMetadataPublisherMessageID,
EvtPublisherMetadataChannelReferences,
EvtPublisherMetadataChannelReferencePath,
EvtPublisherMetadataChannelReferenceIndex,
EvtPublisherMetadataChannelReferenceID,
EvtPublisherMetadataChannelReferenceFlags,
EvtPublisherMetadataChannelReferenceMessageID,
EvtPublisherMetadataLevels,
EvtPublisherMetadataLevelName,
EvtPublisherMetadataLevelValue,
EvtPublisherMetadataLevelMessageID,
EvtPublisherMetadataTasks,
EvtPublisherMetadataTaskName,
EvtPublisherMetadataTaskEventGuid,
EvtPublisherMetadataTaskValue,
EvtPublisherMetadataTaskMessageID,
EvtPublisherMetadataOpcodes,
EvtPublisherMetadataOpcodeName,
EvtPublisherMetadataOpcodeValue,
EvtPublisherMetadataOpcodeMessageID,
EvtPublisherMetadataKeywords,
EvtPublisherMetadataKeywordName,
EvtPublisherMetadataKeywordValue,
EvtPublisherMetadataKeywordMessageID,
EvtPublisherMetadataPropertyIdEND
} EVT_PUBLISHER_METADATA_PROPERTY_ID;
typedef enum _EVT_QUERY_FLAGS {
EvtQueryChannelPath = 0x1,
EvtQueryFilePath = 0x2,
EvtQueryForwardDirection = 0x100,
EvtQueryReverseDirection = 0x200,
EvtQueryTolerateQueryErrors = 0x1000
} EVT_QUERY_FLAGS;
typedef enum _EVT_QUERY_PROPERTY_ID {
EvtQueryNames = 0,
EvtQueryStatuses = 1,
EvtQueryPropertyIdEND = 2
} EVT_QUERY_PROPERTY_ID;
typedef enum _EVT_RENDER_CONTEXT_FLAGS {
EvtRenderContextValues = 0,
EvtRenderContextSystem = 1,
EvtRenderContextUser = 2
} EVT_RENDER_CONTEXT_FLAGS;
typedef enum _EVT_RENDER_FLAGS {
EvtRenderEventValues = 0,
EvtRenderEventXml = 1,
EvtRenderBookmark = 2
} EVT_RENDER_FLAGS;
typedef struct _EVT_RPC_LOGIN {
LPWSTR Server;
LPWSTR User;
LPWSTR Domain;
LPWSTR Password;
DWORD Flags;
} EVT_RPC_LOGIN;
typedef enum _EVT_RPC_LOGIN_FLAGS {
EvtRpcLoginAuthDefault = 0,
EvtRpcLoginAuthNegotiate = 1,
EvtRpcLoginAuthKerberos = 2,
EvtRpcLoginAuthNTLM = 3
} EVT_RPC_LOGIN_FLAGS;
typedef enum _EVT_SEEK_FLAGS {
EvtSeekRelativeToFirst = 1,
EvtSeekRelativeToLast = 2,
EvtSeekRelativeToCurrent = 3,
EvtSeekRelativeToBookmark = 4,
EvtSeekOriginMask = 7,
EvtSeekStrict = 0x10000
} EVT_SEEK_FLAGS;
typedef enum _EVT_SUBSCRIBE_FLAGS {
EvtSubscribeToFutureEvents = 1,
EvtSubscribeStartAtOldestRecord = 2,
EvtSubscribeStartAfterBookmark = 3,
EvtSubscribeOriginMask = 0x3,
EvtSubscribeTolerateQueryErrors = 0x1000,
EvtSubscribeStrict = 0x10000
} EVT_SUBSCRIBE_FLAGS;
typedef enum _EVT_SUBSCRIBE_NOTIFY_ACTION {
EvtSubscribeActionError = 0,
EvtSubscribeActionDeliver = 1
} EVT_SUBSCRIBE_NOTIFY_ACTION;
typedef enum _EVT_SYSTEM_PROPERTY_ID {
EvtSystemProviderName = 0,
EvtSystemProviderGuid,
EvtSystemEventID,
EvtSystemQualifiers,
EvtSystemLevel,
EvtSystemTask,
EvtSystemOpcode,
EvtSystemKeywords,
EvtSystemTimeCreated,
EvtSystemEventRecordId,
EvtSystemActivityID,
EvtSystemRelatedActivityID,
EvtSystemProcessID,
EvtSystemThreadID,
EvtSystemChannel,
EvtSystemComputer,
EvtSystemUserID,
EvtSystemVersion,
EvtSystemPropertyIdEND
} EVT_SYSTEM_PROPERTY_ID;
typedef enum _EVT_VARIANT_TYPE {
EvtVarTypeNull = 0,
EvtVarTypeString = 1,
EvtVarTypeAnsiString = 2,
EvtVarTypeSByte = 3,
EvtVarTypeByte = 4,
EvtVarTypeInt16 = 5,
EvtVarTypeUInt16 = 6,
EvtVarTypeInt32 = 7,
EvtVarTypeUInt32 = 8,
EvtVarTypeInt64 = 9,
EvtVarTypeUInt64 = 10,
EvtVarTypeSingle = 11,
EvtVarTypeDouble = 12,
EvtVarTypeBoolean = 13,
EvtVarTypeBinary = 14,
EvtVarTypeGuid = 15,
EvtVarTypeSizeT = 16,
EvtVarTypeFileTime = 17,
EvtVarTypeSysTime = 18,
EvtVarTypeSid = 19,
EvtVarTypeHexInt32 = 20,
EvtVarTypeHexInt64 = 21,
EvtVarTypeEvtHandle = 32,
EvtVarTypeEvtXml = 35
} EVT_VARIANT_TYPE;
typedef HANDLE EVT_HANDLE;
typedef HANDLE EVT_OBJECT_ARRAY_PROPERTY_HANDLE;
typedef struct _EVT_VARIANT {
union {
WINBOOL BooleanVal;
INT8 SByteVal;
INT16 Int16Val;
INT32 Int32Val;
INT64 Int64Val;
UINT8 ByteVal;
UINT16 UInt16Val;
UINT32 UInt32Val;
UINT64 UInt64Val;
float SingleVal;
double DoubleVal;
ULONGLONG FileTimeVal;
SYSTEMTIME *SysTimeVal;
GUID *GuidVal;
LPCWSTR StringVal;
LPCSTR AnsiStringVal;
PBYTE BinaryVal;
PSID SidVal;
size_t SizeTVal;
EVT_HANDLE EvtHandleVal;
BOOL *BooleanArr;
INT8 *SByteArr;
INT16 *Int16Arr;
INT32 *Int32Arr;
INT64 *Int64Arr;
UINT8 *ByteArr;
UINT16 *UInt16Arr;
UINT32 *UInt32Arr;
UINT64 *UInt64Arr;
float *SingleArr;
double *DoubleArr;
FILETIME *FileTimeArr;
SYSTEMTIME *SysTimeArr;
GUID *GuidArr;
LPWSTR *StringArr;
LPSTR *AnsiStringArr;
PSID *SidArr;
size_t *SizeTArr;
LPCWSTR XmlVal;
LPCWSTR* XmlValArr;
};
DWORD Count;
DWORD Type;
} EVT_VARIANT, *PEVT_VARIANT;
typedef DWORD ( WINAPI *EVT_SUBSCRIBE_CALLBACK )(
EVT_SUBSCRIBE_NOTIFY_ACTION Action,
PVOID UserContext,
EVT_HANDLE Event
);
WINBOOL WINAPI EvtArchiveExportedLog(
EVT_HANDLE Session,
LPCWSTR LogFilePath,
LCID Locale,
DWORD Flags
);
WINBOOL WINAPI EvtCancel(
EVT_HANDLE Object
);
WINBOOL WINAPI EvtClearLog(
EVT_HANDLE Session,
LPCWSTR ChannelPath,
LPCWSTR TargetFilePath,
DWORD Flags
);
WINBOOL WINAPI EvtClose(
EVT_HANDLE Object
);
EVT_HANDLE WINAPI EvtCreateBookmark(
LPCWSTR BookmarkXml
);
EVT_HANDLE WINAPI EvtCreateRenderContext(
DWORD ValuePathsCount,
LPCWSTR *ValuePaths,
DWORD Flags
);
WINBOOL WINAPI EvtExportLog(
EVT_HANDLE Session,
LPCWSTR Path,
LPCWSTR Query,
LPCWSTR TargetFilePath,
DWORD Flags
);
WINBOOL WINAPI EvtFormatMessage(
EVT_HANDLE PublisherMetadata,
EVT_HANDLE Event,
DWORD MessageId,
DWORD ValueCount,
PEVT_VARIANT Values,
DWORD Flags,
DWORD BufferSize,
LPWSTR Buffer,
PDWORD BufferUsed
);
WINBOOL WINAPI EvtGetChannelConfigProperty(
EVT_HANDLE ChannelConfig,
EVT_CHANNEL_CONFIG_PROPERTY_ID PropertyId,
DWORD Flags,
DWORD PropertyValueBufferSize,
PEVT_VARIANT PropertyValueBuffer,
PDWORD PropertyValueBufferUsed
);
WINBOOL WINAPI EvtGetEventInfo(
EVT_HANDLE Event,
EVT_EVENT_PROPERTY_ID PropertyId,
DWORD PropertyValueBufferSize,
PEVT_VARIANT PropertyValueBuffer,
PDWORD PropertyValueBufferUsed
);
WINBOOL WINAPI EvtGetEventMetadataProperty(
EVT_HANDLE EventMetadata,
EVT_EVENT_METADATA_PROPERTY_ID PropertyId,
DWORD Flags,
DWORD EventMetadataPropertyBufferSize,
PEVT_VARIANT EventMetadataPropertyBuffer,
PDWORD EventMetadataPropertyBufferUsed
);
DWORD WINAPI EvtGetExtendedStatus(
DWORD BufferSize,
LPWSTR Buffer,
PDWORD BufferUsed
);
WINBOOL WINAPI EvtGetLogInfo(
EVT_HANDLE Log,
EVT_LOG_PROPERTY_ID PropertyId,
DWORD PropertyValueBufferSize,
PEVT_VARIANT PropertyValueBuffer,
PDWORD PropertyValueBufferUsed
);
WINBOOL WINAPI EvtGetObjectArrayProperty(
EVT_OBJECT_ARRAY_PROPERTY_HANDLE ObjectArray,
DWORD PropertyId,
DWORD ArrayIndex,
DWORD Flags,
DWORD PropertyValueBufferSize,
PEVT_VARIANT PropertyValueBuffer,
PDWORD PropertyValueBufferUsed
);
WINBOOL WINAPI EvtGetObjectArraySize(
EVT_OBJECT_ARRAY_PROPERTY_HANDLE ObjectArray,
PDWORD ObjectArraySize
);
WINBOOL WINAPI EvtGetPublisherMetadataProperty(
EVT_HANDLE PublisherMetadata,
EVT_PUBLISHER_METADATA_PROPERTY_ID PropertyId,
DWORD Flags,
DWORD PublisherMetadataPropertyBufferSize,
PEVT_VARIANT PublisherMetadataPropertyBuffer,
PDWORD PublisherMetadataPropertyBufferUsed
);
WINBOOL WINAPI EvtGetQueryInfo(
EVT_HANDLE QueryOrSubscription,
EVT_QUERY_PROPERTY_ID PropertyId,
DWORD PropertyValueBufferSize,
PEVT_VARIANT PropertyValueBuffer,
PDWORD PropertyValueBufferUsed
);
WINBOOL WINAPI EvtNext(
EVT_HANDLE ResultSet,
DWORD EventArraySize,
EVT_HANDLE* EventArray,
DWORD Timeout,
DWORD Flags,
PDWORD Returned
);
WINBOOL WINAPI EvtNextChannelPath(
EVT_HANDLE ChannelEnum,
DWORD ChannelPathBufferSize,
LPWSTR ChannelPathBuffer,
PDWORD ChannelPathBufferUsed
);
EVT_HANDLE WINAPI EvtNextEventMetadata(
EVT_HANDLE EventMetadataEnum,
DWORD Flags
);
WINBOOL WINAPI EvtNextPublisherId(
EVT_HANDLE PublisherEnum,
DWORD PublisherIdBufferSize,
LPWSTR PublisherIdBuffer,
PDWORD PublisherIdBufferUsed
);
EVT_HANDLE WINAPI EvtOpenChannelConfig(
EVT_HANDLE Session,
LPCWSTR ChannelPath,
DWORD Flags
);
EVT_HANDLE WINAPI EvtOpenChannelEnum(
EVT_HANDLE Session,
DWORD Flags
);
EVT_HANDLE WINAPI EvtOpenEventMetadataEnum(
EVT_HANDLE PublisherMetadata,
DWORD Flags
);
EVT_HANDLE WINAPI EvtOpenLog(
EVT_HANDLE Session,
LPCWSTR Path,
DWORD Flags
);
EVT_HANDLE WINAPI EvtOpenPublisherEnum(
EVT_HANDLE Session,
DWORD Flags
);
EVT_HANDLE WINAPI EvtOpenPublisherMetadata(
EVT_HANDLE Session,
LPCWSTR PublisherIdentity,
LPCWSTR LogFilePath,
LCID Locale,
DWORD Flags
);
EVT_HANDLE WINAPI EvtOpenSession(
EVT_LOGIN_CLASS LoginClass,
PVOID Login,
DWORD Timeout,
DWORD Flags
);
EVT_HANDLE WINAPI EvtQuery(
EVT_HANDLE Session,
LPCWSTR Path,
LPCWSTR Query,
DWORD Flags
);
WINBOOL WINAPI EvtRender(
EVT_HANDLE Context,
EVT_HANDLE Fragment,
DWORD Flags,
DWORD BufferSize,
PVOID Buffer,
PDWORD BufferUsed,
PDWORD PropertyCount
);
WINBOOL WINAPI EvtSaveChannelConfig(
EVT_HANDLE ChannelConfig,
DWORD Flags
);
WINBOOL WINAPI EvtSeek(
EVT_HANDLE ResultSet,
LONGLONG Position,
EVT_HANDLE Bookmark,
DWORD Timeout,
DWORD Flags
);
WINBOOL WINAPI EvtSetChannelConfigProperty(
EVT_HANDLE ChannelConfig,
EVT_CHANNEL_CONFIG_PROPERTY_ID PropertyId,
DWORD Flags,
PEVT_VARIANT PropertyValue
);
EVT_HANDLE WINAPI EvtSubscribe(
EVT_HANDLE Session,
HANDLE SignalEvent,
LPCWSTR ChannelPath,
LPCWSTR Query,
EVT_HANDLE Bookmark,
PVOID context,
EVT_SUBSCRIBE_CALLBACK Callback,
DWORD Flags
);
WINBOOL WINAPI EvtUpdateBookmark(
EVT_HANDLE Bookmark,
EVT_HANDLE Event
);
#ifdef __cplusplus
}
#endif
//#endif /*(_WIN32_WINNT >= 0x0600)*/
#endif /*_INC_TDH*/