From e748fb025cc6ff97c95adc28b81d0cb0512858dd Mon Sep 17 00:00:00 2001 From: fermin831 Date: Tue, 24 Oct 2017 12:41:47 +0200 Subject: [PATCH] Added filter by code and event type to module_logchannel --- .../modules/pandora_module_logchannel.cc | 56 ++++++++++++++----- .../win32/modules/pandora_module_logchannel.h | 5 +- 2 files changed, 42 insertions(+), 19 deletions(-) diff --git a/pandora_agents/win32/modules/pandora_module_logchannel.cc b/pandora_agents/win32/modules/pandora_module_logchannel.cc index 8652e33b83..b29b6f5531 100755 --- a/pandora_agents/win32/modules/pandora_module_logchannel.cc +++ b/pandora_agents/win32/modules/pandora_module_logchannel.cc @@ -56,6 +56,8 @@ static EvtUpdateBookmarkT EvtUpdateBookmarkF = NULL; Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source, string type, string id, string pattern, string application) : Pandora_Module (name) { int i; + vector query; + vector::iterator query_it; string upper_type = type; // Convert the type string to uppercase @@ -64,21 +66,50 @@ Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source } // Set the type filter + int type_number = -1; if (upper_type.compare("ERROR") == 0) { - this->type = EVENTLOG_ERROR_TYPE; + type_number = EVENTLOG_ERROR_TYPE; } else if (upper_type.compare("WARNING") == 0) { - this->type = EVENTLOG_WARNING_TYPE; + type_number = EVENTLOG_WARNING_TYPE; } else if (upper_type.compare("INFORMATION") == 0) { - this->type = EVENTLOG_INFORMATION_TYPE; + type_number = EVENTLOG_INFORMATION_TYPE; } else if (upper_type.compare("AUDIT SUCCESS") == 0) { - this->type = EVENTLOG_AUDIT_SUCCESS; + type_number = EVENTLOG_AUDIT_SUCCESS; } else if (upper_type.compare("AUDIT FAILURE") == 0) { - this->type = EVENTLOG_AUDIT_FAILURE; - } else { - this->type = -1; + type_number = EVENTLOG_AUDIT_FAILURE; } + // Append type to log query + if (type_number != -1) { + wstringstream ss; + ss << L"*[System[Level='" << type_number << L"']]"; + query.push_back(ss.str()); + } + + // Set the id + int id_number = strtoul (id.c_str (), NULL, 0); + if (id_number != 0) { + wstringstream ss; + ss << L"*[System[EventID='" << id_number << L"']]"; + query.push_back(ss.str()); + } + + // Fill the filter + if (query.size() == 0) { + this->filter = L"*"; + } else { + int i = 0; + // Add filters with and + wstring item_query; + while (query.size() > 1) { + item_query = query.back(); + query.pop_back(); + this->filter += item_query + L" and "; + } + // Append the last value without the and + item_query = query.back(); + this->filter += item_query; + } - this->id = strtoul (id.c_str (), NULL, 0); this->source = source; this->pattern = pattern; if (! pattern.empty ()) { @@ -87,7 +118,6 @@ Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source pandoraLog ("Invalid regular expression %s", pattern.c_str ()); } } - this->application = application; this->bookmark_xml = L""; this->setKind (module_logchannel_str); @@ -211,7 +241,6 @@ Pandora_Module_Logchannel::initializeLogChannel () { EVT_HANDLE hResults; EVT_HANDLE hBookmark; DWORD dwReturned = 0; - string filter = "*"; // Check whether the first bookmark is set if (!this->bookmark_xml.empty()) return; @@ -220,7 +249,7 @@ Pandora_Module_Logchannel::initializeLogChannel () { hResults = EvtQueryF ( NULL, strAnsiToUnicode (this->source.c_str()).c_str(), - strAnsiToUnicode (filter.c_str()).c_str(), + this->filter.c_str(), EvtOpenChannelPath | EvtQueryForwardDirection ); if (hResults == NULL) { @@ -339,8 +368,6 @@ Pandora_Module_Logchannel::getLogEvents (list &event_list) { DWORD status = ERROR_SUCCESS; SYSTEMTIME eventTime; FILETIME lft, ft; - wstring filter = L"*"; - //wstring filter = L"*[System[TimeCreated[@SystemTime>='2017-10-19T00:00:00']]]"; bool update_bookmark = false; // An empty bookmark XML means that log cannot be open @@ -350,7 +377,7 @@ Pandora_Module_Logchannel::getLogEvents (list &event_list) { hResults = EvtQueryF ( NULL, strAnsiToUnicode (this->source.c_str()).c_str(), - filter.c_str(), + this->filter.c_str(), EvtOpenChannelPath | EvtQueryForwardDirection ); if (hResults == NULL) { @@ -459,7 +486,6 @@ Pandora_Module_Logchannel::getLogEvents (list &event_list) { } // Save the event message - pandoraLog("Message: %S.", pwsMessage); LogChannelList event_item; event_item.message = strUnicodeToAnsi(pwsMessage); event_item.timestamp= eventTime; diff --git a/pandora_agents/win32/modules/pandora_module_logchannel.h b/pandora_agents/win32/modules/pandora_module_logchannel.h index 9ee79d3433..3d0efd2959 100755 --- a/pandora_agents/win32/modules/pandora_module_logchannel.h +++ b/pandora_agents/win32/modules/pandora_module_logchannel.h @@ -65,12 +65,9 @@ namespace Pandora_Modules { }; private: regex_t regexp; - unsigned long id; - int type; - unsigned char first_run; string source; - string application; string pattern; + wstring filter; wstring bookmark_xml; HANDLE messages_dll;