#include "zabbixw32.h"

#define DllExport   __declspec( dllexport )
#define MAX_INSERT_STRS 8       /* insert strings handed to FormatMessage; a record with more has the rest dropped */
#define MAX_MSG_LENGTH 1024     /* nSize passed to FormatMessage; NOTE(review): with FORMAT_MESSAGE_ALLOCATE_BUFFER
                                   the Win32 docs describe this as a minimum allocation, not a cap - see MyGetAEventLog */

/* Exported event-log helpers. Each returns 0 on success and non-zero on
   failure (a Win32 error code, or 1 for generic failures); see the definitions. */
DllExport   long    MyOpenEventLog(char *pAppName,HANDLE
*pEventHandle,long *pNumRecords,long *pLatestRecord);
DllExport   long    MyCloseEventLog(HANDLE hAppLog);
DllExport   long    MyClearEventLog(HANDLE hAppLog);
/* pSource and pMessage are output buffers written without a size argument;
   callers must size them for the worst case described at the definition. */
DllExport   long    MyGetAEventLog(char *pAppName,HANDLE hAppLog,long
which,double *pTime,char *pSource,char *pMessage,DWORD *pType,WORD
*pCategory, DWORD *timestamp);

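// Deliver the next unread record from the event log named by `source`.
//
// source:      log name, handed to MyOpenEventLog / MyGetAEventLog unchanged.
// lastlogsize: in/out. On entry the 0-based index (counted from the oldest
//              record) of the next record to deliver; on success it receives
//              the absolute record number that was delivered, which the next
//              call then treats as an index. NOTE(review): index and record
//              number only agree while the oldest record number is 1 (the log
//              has never wrapped or been cleared) - confirm the intended
//              semantics before changing either side.
// timestamp:   receives the record's TimeGenerated as decimal text.
// src:         receives the record's source name.
// severity:    receives the numeric severity the agent reports for the event type.
// message:     receives the formatted message text.
// The output buffers are written with sprintf/strcpy and no size argument;
// see MyGetAEventLog for the buffer contract.
// Returns 0 when a record was delivered, 1 when the log could not be opened
// or no further record could be read.
int process_eventlog_new(char *source,int *lastlogsize, char *timestamp, char *src, char *severity, char *message)
{
    HANDLE  hAppLog;
    long    nRecords;
    long    Latest = 1;              // absolute record number; MyOpenEventLog overwrites it with the oldest one
    long    start;
    long    i;
    double  timeGenerated;
    DWORD   t, type;
    WORD    category;

    if (MyOpenEventLog(source, &hAppLog, &nRecords, &Latest))
        return 1;

    // Records below *lastlogsize were delivered earlier. The old loop stepped
    // through them one at a time doing nothing; jump straight past them.
    // Record number = oldest + index, so Latest advances by the same amount.
    start = (*lastlogsize > 0) ? *lastlogsize : 0;
    if (start > nRecords)
        start = nRecords;
    Latest += start;

    for (i = start; i < nRecords; i++, Latest++)
    {
        if (0 != MyGetAEventLog(source, hAppLog, Latest, &timeGenerated, src, message, &type, &category, &t))
            continue;                // unreadable record: try the next one, as before

        sprintf(timestamp, "%lu", (unsigned long)t);    // DWORD is unsigned; "%ld" was a mismatched specifier

        // Map the Win32 event type onto the agent's severity code.
        // Unknown types pass through unchanged, as before.
        switch (type)
        {
            case EVENTLOG_ERROR_TYPE:       type = 4; break;
            case EVENTLOG_AUDIT_FAILURE:    type = 7; break;
            case EVENTLOG_AUDIT_SUCCESS:    type = 8; break;
            case EVENTLOG_INFORMATION_TYPE: type = 1; break;
            case EVENTLOG_WARNING_TYPE:     type = 2; break;
            default:                        break;
        }
        sprintf(severity, "%lu", (unsigned long)type);

        *lastlogsize = (int)Latest;
        MyCloseEventLog(hAppLog);
        return 0;
    }

    MyCloseEventLog(hAppLog);
    return 1;
}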

// open event logger and return number of records
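// Open the named event log and report its record count and oldest record number.
//
// pAppName:      log name, passed straight to OpenEventLog.
// pEventHandle:  receives the open log handle, or 0 on failure.
// pNumRecords:   receives the number of records in the log (0 on failure).
// pLatestRecord: receives the absolute number of the OLDEST record - despite
//                the name it is the starting point for a forward read. Left
//                untouched on failure.
// Returns 0 on success, otherwise the Win32 error code from GetLastError().
// On failure nothing stays open: the log handle is closed before returning.
DllExport   long    MyOpenEventLog(char *pAppName,HANDLE *pEventHandle,long *pNumRecords,long *pLatestRecord)
{
    HANDLE  hAppLog;
    DWORD   nRecords = 0;
    DWORD   oldest = 0;
    long    err;

    *pEventHandle = 0;
    *pNumRecords = 0;

    hAppLog = OpenEventLog(NULL, pAppName);
    if (!hAppLog)
        return (long)GetLastError();

    // Both queries can fail; the old code ignored their results and handed
    // back whatever happened to be in the out-params.
    if (!GetNumberOfEventLogRecords(hAppLog, &nRecords) ||
        !GetOldestEventLogRecord(hAppLog, &oldest))
    {
        err = (long)GetLastError();                     // save before CloseEventLog can overwrite it
        CloseEventLog(hAppLog);
        return err;
    }

    *pNumRecords = (long)nRecords;
    *pLatestRecord = (long)oldest;
    *pEventHandle = hAppLog;
    return 0;
}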

// close event logger
// Close a log handle obtained from MyOpenEventLog. A null handle is a no-op.
// Always returns 0; the result of CloseEventLog is not reported.
DllExport   long    MyCloseEventLog(HANDLE hAppLog)
{
    if (hAppLog == NULL)
        return 0;                    // nothing to close
    CloseEventLog(hAppLog);          // result intentionally ignored, as before
    return 0;
}

// clear event log
// Clear (truncate) the event log behind hAppLog without writing a backup file.
// Returns 0 on success, otherwise the Win32 error code from GetLastError().
// This discards audit evidence; it is exported but has no caller in this file.
DllExport   long    MyClearEventLog(HANDLE hAppLog)
{
    BOOL cleared = ClearEventLog(hAppLog, 0);   // 0: no backup file name
    return cleared ? 0 : (long)GetLastError();
}

// get Nth error from event log. 1 is the first.
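// Read the record with absolute number `which` (1 is the first ever written)
// from hAppLog and render it: source name, formatted message, time and type.
//
// pAppName:   log name, used verbatim to build the registry path
//             SYSTEM\CurrentControlSet\Services\EventLog\<pAppName>\<source>
//             from which the source's EventMessageFile DLL list is read.
// pSource:    receives the record's source name. The copy is bounded only by
//             the record (under sizeof bBuffer bytes). NOTE(review): the
//             caller's buffer size is not visible here - confirm it is large enough.
// pMessage:   receives the formatted message, cut to MAX_MSG_LENGTH-1 characters.
//             NOTE(review): assumes the caller passes at least MAX_MSG_LENGTH bytes - confirm.
// pTime, timestamp: both receive the record's TimeGenerated (as double and as DWORD).
// pType, pCategory: receive the record's EventType and EventCategory.
// Returns 0 on success. On failure: the GetLastError() code after
// ReadEventLog / ExpandEnvironmentStrings / FormatMessage, the status returned
// by RegOpenKey / RegQueryValueEx (they report through their return value; the
// old code read a stale GetLastError there), or 1 for a null handle, a
// malformed record, an over-long path, or a DLL that would not load.
// The registry key, the DLL and the FormatMessage buffer are released on every path.
DllExport   long    MyGetAEventLog(char *pAppName,HANDLE hAppLog,long which,double *pTime,char *pSource,char *pMessage,DWORD *pType,WORD *pCategory, DWORD *timestamp)
{
    static const char   regPrefix[] = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\";
    static char         noInsert[]  = "";               /* filler for unused insert-string slots */
    DWORD           bBuffer[1024 / sizeof(DWORD)];      /* raw record; DWORD-typed so the EVENTLOGRECORD cast is aligned */
    EVENTLOGRECORD  *pELR;
    DWORD           dwRead = 0, dwNeeded = 0;
    DWORD           recLen;
    char            temp[MAX_PATH];                     /* registry path, then the EventMessageFile value */
    char            MsgDll[MAX_PATH];                   /* one expanded message-DLL path */
    HKEY            hk = NULL;
    HINSTANCE       hLib = NULL;
    LPTSTR          msgBuf = NULL;                      /* allocated by FormatMessage, released with LocalFree */
    char            *aInsertStrs[MAX_INSERT_STRS];      /* pointers into the record for FormatMessage */
    char            *pSrcName, *pCh, *pEnd, *pNul;
    char            *pFile, *pNextFile;
    DWORD           Data, Type, expanded;
    long            status, rc = 0;
    size_t          len;
    long            i;

    if (!hAppLog)
        return 1;                                       /* was 0, i.e. "success" with the outputs never set */

    if (!ReadEventLog(hAppLog,
                      EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ,
                      which,                            /* absolute record number */
                      bBuffer, sizeof(bBuffer),
                      &dwRead, &dwNeeded))
        return (long)GetLastError();                    /* includes a record larger than bBuffer */

    /* The lengths and offsets below come from the record itself, i.e. from
       whoever logged the event, so pin every access inside the bytes received. */
    if (dwRead < sizeof(EVENTLOGRECORD))
        return 1;
    pELR = (EVENTLOGRECORD *)bBuffer;
    recLen = pELR->Length;
    if (recLen < sizeof(EVENTLOGRECORD) || recLen > dwRead)
        return 1;
    pEnd = (char *)pELR + recLen;

    /* Source name: NUL-terminated string right after the fixed header. */
    pSrcName = (char *)pELR + sizeof(EVENTLOGRECORD);
    pNul = (char *)memchr(pSrcName, '\0', (size_t)(pEnd - pSrcName));
    if (!pNul)
        return 1;                                       /* unterminated: refuse rather than run off the buffer */

    /* Insert strings for FormatMessage also live in the record. Unused slots
       point at "" so a template that references more inserts than were
       logged (up to MAX_INSERT_STRS) reads an empty string, not garbage. */
    for (i = 0; i < MAX_INSERT_STRS; i++)
        aInsertStrs[i] = noInsert;
    if (pELR->StringOffset > recLen)
        return 1;
    pCh = (char *)pELR + pELR->StringOffset;
    for (i = 0; i < pELR->NumStrings && i < MAX_INSERT_STRS; i++)
    {
        pNul = (char *)memchr(pCh, '\0', (size_t)(pEnd - pCh));
        if (!pNul)
            break;                                      /* truncated string: keep the "" filler for the rest */
        aInsertStrs[i] = pCh;
        pCh = pNul + 1;
    }

    strcpy(pSource, pSrcName);                          /* NOTE(review): pSource size unknown; bounded only by the record */

    /* Registry key that lists the message DLLs for this source. The old
       strcat chain had no bound on the MAX_PATH buffer. */
    len = sizeof(regPrefix) - 1 + strlen(pAppName) + 1 + strlen(pSrcName);
    if (len >= sizeof(temp))
        return 1;
    strcpy(temp, regPrefix);
    strcat(temp, pAppName);
    strcat(temp, "\\");
    strcat(temp, pSrcName);

    status = RegOpenKey(HKEY_LOCAL_MACHINE, temp, &hk);
    if (status != 0)
        return status;                                  /* registry calls return the error code directly */

    Data = sizeof(temp);
    status = RegQueryValueEx(hk, "EventMessageFile", NULL, &Type, (UCHAR *)temp, &Data);
    if (status != 0)
    {
        rc = status;
        goto out;                                       /* hk was leaked here before */
    }
    /* A string value is not guaranteed to carry its terminator; add one inside the buffer. */
    temp[Data < sizeof(temp) ? Data : sizeof(temp) - 1] = '\0';

    pFile = temp;
    for (;;)
    {
        pNextFile = strchr(pFile, ';');                 /* ';'-separated list of DLLs */
        if (pNextFile)
            *pNextFile = '\0';

        expanded = ExpandEnvironmentStrings(pFile, MsgDll, sizeof(MsgDll));
        if (expanded == 0)
        {
            rc = (long)GetLastError();
            goto out;
        }
        if (expanded > sizeof(MsgDll))
        {
            rc = 1;                                     /* path would have been silently truncated */
            goto out;
        }

        hLib = LoadLibraryEx(MsgDll, NULL, LOAD_LIBRARY_AS_DATAFILE);
        if (!hLib)
        {
            rc = 1;
            goto out;
        }

        /* 60 is the line width. Per the FormatMessage docs, with
           FORMAT_MESSAGE_ALLOCATE_BUFFER nSize is the minimum allocation,
           so the result may be longer than MAX_MSG_LENGTH. */
        if (FormatMessage(FORMAT_MESSAGE_FROM_HMODULE |
                          FORMAT_MESSAGE_ALLOCATE_BUFFER |
                          FORMAT_MESSAGE_ARGUMENT_ARRAY |
                          60,
                          hLib,
                          pELR->EventID,
                          MAKELANGID(LANG_NEUTRAL, SUBLANG_ENGLISH_US),
                          (LPTSTR)&msgBuf,
                          MAX_MSG_LENGTH,
                          aInsertStrs))
            break;                                      /* hLib stays loaded until cleanup */

        rc = (long)GetLastError();                      /* save before FreeLibrary can overwrite it */
        FreeLibrary(hLib);
        hLib = NULL;
        if (!pNextFile)
            goto out;                                   /* no DLL in the list had the message */
        pFile = pNextFile + 1;
    }
    rc = 0;

    /* Copy out, capping the message at the size this file advertises. */
    len = strlen(msgBuf);
    if (len > MAX_MSG_LENGTH - 1)
        len = MAX_MSG_LENGTH - 1;
    memcpy(pMessage, msgBuf, len);
    pMessage[len] = '\0';

    *pTime = (double)pELR->TimeGenerated;
    *pType = pELR->EventType;
    *pCategory = pELR->EventCategory;
    *timestamp = pELR->TimeGenerated;

out:
    if (msgBuf)
        LocalFree((HLOCAL)msgBuf);
    if (hLib)
        FreeLibrary(hLib);
    if (hk)
        RegCloseKey(hk);
    return rc;
}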