tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-29 16:55:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added filter by code and event type to module_logchannel

Browse Source
This commit is contained in:
fermin831 2017-10-24 12:41:47 +02:00
parent da06d78b1c
commit e748fb025c
2 changed files with 42 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
pandora_agents/win32/modules/pandora_module_logchannel.cc
View File

@ -56,6 +56,8 @@ static EvtUpdateBookmarkT EvtUpdateBookmarkF = NULL;
Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source, string type, string id, string pattern, string application) Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source, string type, string id, string pattern, string application)
: Pandora_Module (name) { : Pandora_Module (name) {
int i; int i;
vector<wstring> query;
vector<wstring>::iterator query_it;
string upper_type = type; string upper_type = type;
// Convert the type string to uppercase // Convert the type string to uppercase
@ -64,21 +66,50 @@ Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source
} }
// Set the type filter // Set the type filter
int type_number = -1;
if (upper_type.compare("ERROR") == 0) { if (upper_type.compare("ERROR") == 0) {
this->type = EVENTLOG_ERROR_TYPE; type_number = EVENTLOG_ERROR_TYPE;
} else if (upper_type.compare("WARNING") == 0) { } else if (upper_type.compare("WARNING") == 0) {
this->type = EVENTLOG_WARNING_TYPE; type_number = EVENTLOG_WARNING_TYPE;
} else if (upper_type.compare("INFORMATION") == 0) { } else if (upper_type.compare("INFORMATION") == 0) {
this->type = EVENTLOG_INFORMATION_TYPE; type_number = EVENTLOG_INFORMATION_TYPE;
} else if (upper_type.compare("AUDIT SUCCESS") == 0) { } else if (upper_type.compare("AUDIT SUCCESS") == 0) {
this->type = EVENTLOG_AUDIT_SUCCESS; type_number = EVENTLOG_AUDIT_SUCCESS;
} else if (upper_type.compare("AUDIT FAILURE") == 0) { } else if (upper_type.compare("AUDIT FAILURE") == 0) {
this->type = EVENTLOG_AUDIT_FAILURE; type_number = EVENTLOG_AUDIT_FAILURE;
} else {
this->type = -1;
} }
// Append type to log query
if (type_number != -1) {
wstringstream ss;
ss << L"*[System[Level='" << type_number << L"']]";
query.push_back(ss.str());
}
// Set the id
int id_number = strtoul (id.c_str (), NULL, 0);
if (id_number != 0) {
wstringstream ss;
ss << L"*[System[EventID='" << id_number << L"']]";
query.push_back(ss.str());
}
// Fill the filter
if (query.size() == 0) {
this->filter = L"*";
} else {
int i = 0;
// Add filters with and
wstring item_query;
while (query.size() > 1) {
item_query = query.back();
query.pop_back();
this->filter += item_query + L" and ";
}
// Append the last value without the and
item_query = query.back();
this->filter += item_query;
}
this->id = strtoul (id.c_str (), NULL, 0);
this->source = source; this->source = source;
this->pattern = pattern; this->pattern = pattern;
if (! pattern.empty ()) { if (! pattern.empty ()) {
@ -87,7 +118,6 @@ Pandora_Module_Logchannel::Pandora_Module_Logchannel (string name, string source
pandoraLog ("Invalid regular expression %s", pattern.c_str ()); pandoraLog ("Invalid regular expression %s", pattern.c_str ());
} }
} }
this->application = application;
this->bookmark_xml = L""; this->bookmark_xml = L"";
this->setKind (module_logchannel_str); this->setKind (module_logchannel_str);
@ -211,7 +241,6 @@ Pandora_Module_Logchannel::initializeLogChannel () {
EVT_HANDLE hResults; EVT_HANDLE hResults;
EVT_HANDLE hBookmark; EVT_HANDLE hBookmark;
DWORD dwReturned = 0; DWORD dwReturned = 0;
string filter = "*";
// Check whether the first bookmark is set // Check whether the first bookmark is set
if (!this->bookmark_xml.empty()) return; if (!this->bookmark_xml.empty()) return;
@ -220,7 +249,7 @@ Pandora_Module_Logchannel::initializeLogChannel () {
hResults = EvtQueryF ( hResults = EvtQueryF (
NULL, NULL,
strAnsiToUnicode (this->source.c_str()).c_str(), strAnsiToUnicode (this->source.c_str()).c_str(),
strAnsiToUnicode (filter.c_str()).c_str(), this->filter.c_str(),
EvtOpenChannelPath | EvtQueryForwardDirection EvtOpenChannelPath | EvtQueryForwardDirection
); );
if (hResults == NULL) { if (hResults == NULL) {
@ -339,8 +368,6 @@ Pandora_Module_Logchannel::getLogEvents (list<LogChannelList> &event_list) {
DWORD status = ERROR_SUCCESS; DWORD status = ERROR_SUCCESS;
SYSTEMTIME eventTime; SYSTEMTIME eventTime;
FILETIME lft, ft; FILETIME lft, ft;
wstring filter = L"*";
//wstring filter = L"*[System[TimeCreated[@SystemTime>='2017-10-19T00:00:00']]]";
bool update_bookmark = false; bool update_bookmark = false;
// An empty bookmark XML means that log cannot be open // An empty bookmark XML means that log cannot be open
@ -350,7 +377,7 @@ Pandora_Module_Logchannel::getLogEvents (list<LogChannelList> &event_list) {
hResults = EvtQueryF ( hResults = EvtQueryF (
NULL, NULL,
strAnsiToUnicode (this->source.c_str()).c_str(), strAnsiToUnicode (this->source.c_str()).c_str(),
filter.c_str(), this->filter.c_str(),
EvtOpenChannelPath | EvtQueryForwardDirection EvtOpenChannelPath | EvtQueryForwardDirection
); );
if (hResults == NULL) { if (hResults == NULL) {
@ -459,7 +486,6 @@ Pandora_Module_Logchannel::getLogEvents (list<LogChannelList> &event_list) {
} }
// Save the event message // Save the event message
pandoraLog("Message: %S.", pwsMessage);
LogChannelList event_item; LogChannelList event_item;
event_item.message = strUnicodeToAnsi(pwsMessage); event_item.message = strUnicodeToAnsi(pwsMessage);
event_item.timestamp= eventTime; event_item.timestamp= eventTime;

5
pandora_agents/win32/modules/pandora_module_logchannel.h
View File

@ -65,12 +65,9 @@ namespace Pandora_Modules {
}; };
private: private:
regex_t regexp; regex_t regexp;
unsigned long id;
int type;
unsigned char first_run;
string source; string source;
string application;
string pattern; string pattern;
wstring filter;
wstring bookmark_xml; wstring bookmark_xml;
HANDLE messages_dll; HANDLE messages_dll;