Skip to content

Commit

Permalink
Merge branch 'master' of https://github.com/mickem/nscp
Browse files Browse the repository at this point in the history
  • Loading branch information
@mickem
mickem committed Feb 27, 2016
2 parents 9e08ce8 + 576fa8e commit 057f7bd
Show file tree
Hide file tree
Showing 18 changed files with 381 additions and 178 deletions.
1 change: 1 addition & 0 deletions include/CheckMemory.h
View file
Expand Up @@ -121,6 +121,7 @@ class CheckMemory {
}
return ret;
}
std::string to_string() const { return "mem"; }
private:
int method_;
HMODULE hKernel32;
Expand Down
6 changes: 5 additions & 1 deletion include/parsers/filter/realtime_helper.hpp
View file
Expand Up @@ -147,8 +147,12 @@ namespace parsers {
}
}
if (!has_matched)
NSC_DEBUG_MSG("No filters matched an event");
NSC_DEBUG_MSG("No filters matched: " + data->to_string());
do_process_no_items(current_time);
} catch (const nscp_exception &e) {
NSC_DEBUG_MSG("Realtime processing faillure: " + e.reason());
} catch (const std::exception &e) {
NSC_DEBUG_MSG("Realtime processing faillure: " + utf8::utf8_from_native(e.what()));
} catch (...) {
NSC_DEBUG_MSG("Realtime processing faillure");
}
Expand Down
3 changes: 2 additions & 1 deletion include/parsers/operators.cpp
View file
Expand Up @@ -329,7 +329,8 @@ namespace parsers {
value_container lhs = left->get_value(errors, type_int);
long long val = lhs.get_int();
BOOST_FOREACH(node_type itm, right->get_list_value(errors)) {
if (itm->get_int_value(errors) == val)
long long cmp = itm->get_int_value(errors);
if (cmp == val)
return value_container::create_int(true, lhs.is_unsure);
}
return value_container::create_int(false, lhs.is_unsure);
Expand Down
3 changes: 3 additions & 0 deletions include/parsers/where/value_node.cpp
View file
Expand Up @@ -41,6 +41,9 @@ namespace parsers {
if (type == type_int) {
return value_container::create_int(value_, is_unsure_);
}
if (type == type_string) {
return value_container::create_string(strEx::s::xtos(value_), is_unsure_);
}
errors->error("Failed to convert int to ?: " + value_);
return value_container::create_nil();
}
Expand Down
2 changes: 1 addition & 1 deletion modules/CheckEventLog/CheckEventLog.cpp
View file
Expand Up @@ -223,7 +223,7 @@ void check_legacy(const std::string &logfile, std::string &scan_range, const int
is_scanning = false;
break;
}
modern_filter::match_result ret = filter.match(filter_type::object_type(new eventlog_filter::old_filter_obj(record, truncate_message)));
modern_filter::match_result ret = filter.match(filter_type::object_type(new eventlog_filter::old_filter_obj(logfile, pevlr, ltime, truncate_message)));
if (ret.is_done) {
break;
}
Expand Down
8 changes: 6 additions & 2 deletions modules/CheckEventLog/eventlog_record.hpp
View file
Expand Up @@ -3,13 +3,17 @@
#include "simple_registry.hpp"
#include <boost/tuple/tuple.hpp>
#include <wstring.hpp>
#include <boost/noncopyable.hpp>

class EventLogRecord {
class EventLogRecord : boost::noncopyable {
const EVENTLOGRECORD *pevlr_;
__int64 currentTime_;
std::string file_;
public:
EventLogRecord(std::string file, const EVENTLOGRECORD *pevlr, __int64 currentTime) : file_(file), pevlr_(pevlr), currentTime_(currentTime) {}
EventLogRecord(std::string file, const EVENTLOGRECORD *pevlr, __int64 currentTime) : file_(file), pevlr_(pevlr), currentTime_(currentTime) {
if (pevlr == NULL)
throw nscp_exception("Invalid eventlog record");
}
inline __int64 timeGenerated() const {
return (currentTime_ - pevlr_->TimeGenerated) * 1000;
}
Expand Down
210 changes: 148 additions & 62 deletions modules/CheckEventLog/eventlog_wrapper.cpp
View file
Expand Up @@ -3,37 +3,134 @@
#include <nscapi/nscapi_helper_singleton.hpp>
#include <nscapi/macros.hpp>

eventlog_wrapper::eventlog_wrapper(const std::string &s_name) : hLog(NULL), pBuffer(NULL), bufferSize(0), lastReadSize(0) {
name = find_eventlog_name(s_name);
std::string eventlog_wrapper::find_eventlog_name(const std::string name) {
try {
simple_registry::registry_key key(HKEY_LOCAL_MACHINE, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog"));
BOOST_FOREACH(const std::wstring k, key.get_keys()) {
try {
simple_registry::registry_key sub_key(HKEY_LOCAL_MACHINE, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\") + k);
std::wstring file = sub_key.get_string(_T("DisplayNameFile"));
int id = sub_key.get_int(_T("DisplayNameID"));
std::string real_name = error::format::message::from_module(utf8::cvt<std::string>(file), id);
strEx::replace(real_name, "\n", "");
strEx::replace(real_name, "\r", "");
if (real_name == name)
return utf8::cvt<std::string>(k);
} catch (simple_registry::registry_exception &e) { e; }
}
return name;
} catch (simple_registry::registry_exception &e) {
return name;
} catch (...) {
return name;
}
}

//////////////////////////////////////////////////////////////////////////
// NEW API impl


eventlog_wrapper_new::eventlog_wrapper_new(const std::string &s_name) {
name = eventlog_wrapper::find_eventlog_name(s_name);
open();
}
eventlog_wrapper_new::~eventlog_wrapper_new() {
if (isOpen())
close();
}

void eventlog_wrapper_new::open() {
hContext = eventlog::EvtCreateRenderContext(0, NULL, eventlog::api::EvtRenderContextSystem);
if (!hContext)
throw nscp_exception("EvtCreateRenderContext failed: " + error::lookup::last_error());
}

void eventlog_wrapper_new::reopen() {
if (hContext)
close();
open();
}

void eventlog_wrapper_new::close() {
hContext.close();
}


bool eventlog_wrapper_new::notify(HANDLE &handle) {
handle = CreateEvent(NULL, TRUE, TRUE, NULL);
if (handle == NULL) {
NSC_LOG_ERROR_STD("Failed to create event: " + utf8::cvt<std::string>(error::lookup::last_error()));
return false;
}

hLog = eventlog::EvtSubscribe(NULL, handle, utf8::cvt<std::wstring>(name).c_str(), NULL, NULL, NULL, NULL, eventlog::api::EvtSubscribeToFutureEvents);
if (!hLog) {
NSC_LOG_ERROR_STD("Failed to subscribe: " + utf8::cvt<std::string>(error::lookup::last_error()));
return false;
}
return true;
}

bool eventlog_wrapper_new::un_notify(HANDLE &handle) {
hLog.close();
if (!CloseHandle(handle)) {
return false;
}
return true;
}

void eventlog_wrapper_new::reset_event(HANDLE &handle) {
ResetEvent(handle);
}


eventlog_filter::filter::object_type eventlog_wrapper_new::read_record(HANDLE &handle) {
eventlog::api::EVT_HANDLE hEvents[1];
DWORD dwReturned = 0;
if (!eventlog::EvtNext(hLog, 1, hEvents, 100, 0, &dwReturned)) {
DWORD status = GetLastError();
if (status == ERROR_NO_MORE_ITEMS || status == ERROR_TIMEOUT)
return eventlog_filter::filter::object_type();
else if (status != ERROR_SUCCESS)
return eventlog_filter::filter::object_type();
}
return eventlog_filter::filter::object_type(new eventlog_filter::new_filter_obj(name, eventlog::evt_handle(hEvents[0]), hContext, 512));
}

//////////////////////////////////////////////////////////////////////////
// OLD API impl

eventlog_wrapper_old::eventlog_wrapper_old(const std::string &s_name) : hLog(NULL), buffer(1024*10), lastReadSize(0), nextBufferPosition(0) {
name = eventlog_wrapper::find_eventlog_name(s_name);
open();
}
eventlog_wrapper::~eventlog_wrapper() {
eventlog_wrapper_old::~eventlog_wrapper_old() {
if (isOpen())
close();
delete[] pBuffer;
bufferSize = 0;
lastReadSize = 0;
nextBufferPosition = 0;
}
void eventlog_wrapper::open() {
void eventlog_wrapper_old::open() {
hLog = OpenEventLog(NULL, utf8::cvt<std::wstring>(name).c_str());
if (hLog == INVALID_HANDLE_VALUE) {
NSC_LOG_ERROR("Failed to open eventlog: " + error::lookup::last_error());
throw nscp_exception("Failed to open eventlog: " + error::lookup::last_error());
}
seek_end();
}

void eventlog_wrapper::reopen() {
void eventlog_wrapper_old::reopen() {
if (isOpen())
close();
open();
}

void eventlog_wrapper::close() {
void eventlog_wrapper_old::close() {
if (!CloseEventLog(hLog)) {
NSC_LOG_ERROR("Failed to close eventlog: " + error::lookup::last_error());
}
}

bool eventlog_wrapper::get_last_record_number(DWORD* pdwRecordNumber) {
bool eventlog_wrapper_old::get_last_record_number(DWORD* pdwRecordNumber) {
DWORD OldestRecordNumber = 0;
DWORD NumberOfRecords = 0;

Expand All @@ -47,7 +144,7 @@ bool eventlog_wrapper::get_last_record_number(DWORD* pdwRecordNumber) {
return true;
}

bool eventlog_wrapper::get_first_record_number(DWORD* pdwRecordNumber) {
bool eventlog_wrapper_old::get_first_record_number(DWORD* pdwRecordNumber) {
DWORD OldestRecordNumber = 0;

if (!GetOldestEventLogRecord(hLog, &OldestRecordNumber))
Expand All @@ -57,106 +154,92 @@ bool eventlog_wrapper::get_first_record_number(DWORD* pdwRecordNumber) {
return true;
}

bool eventlog_wrapper::notify(HANDLE &handle) {
bool eventlog_wrapper_old::notify(HANDLE &handle) {
handle = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!handle) {
return false;
}
return NotifyChangeEventLog(hLog, handle) == TRUE;
}

bool eventlog_wrapper::un_notify(HANDLE &handle) {
bool eventlog_wrapper_old::un_notify(HANDLE &handle) {
return CloseHandle(handle);
}

bool eventlog_wrapper::re_notify(HANDLE &handle) {
if (!handle) {
return false;
}
return NotifyChangeEventLog(hLog, handle) == TRUE;
void eventlog_wrapper_old::reset_event(HANDLE &handle) {
}

bool eventlog_wrapper::seek_end() {
bool eventlog_wrapper_old::seek_end() {
DWORD dwLastRecordNumber = 0;

if (!get_last_record_number(&dwLastRecordNumber))
return false;

if (read_record(dwLastRecordNumber, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ) != ERROR_SUCCESS)
if (do_record(dwLastRecordNumber, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ) != ERROR_SUCCESS)
return false;
return true;
}

bool eventlog_wrapper::seek_start() {
bool eventlog_wrapper_old::seek_start() {
DWORD dwLastRecordNumber = 0;

if (!get_first_record_number(&dwLastRecordNumber))
return false;

if (read_record(dwLastRecordNumber, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ) != ERROR_SUCCESS)
if (do_record(dwLastRecordNumber, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ) != ERROR_SUCCESS)
return false;
return true;
}

void eventlog_wrapper::resize_buffer(DWORD size) {
if (size <= bufferSize)
void eventlog_wrapper_old::resize_buffer(DWORD size) {
if (size <= buffer.size())
return;
PBYTE tmp = pBuffer;
pBuffer = new BYTE[size];
bufferSize = size;
delete tmp;
buffer.resize(size);
}

std::string eventlog_wrapper::find_eventlog_name(const std::string name) {
try {
simple_registry::registry_key key(HKEY_LOCAL_MACHINE, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog"));
BOOST_FOREACH(const std::wstring k, key.get_keys()) {
try {
simple_registry::registry_key sub_key(HKEY_LOCAL_MACHINE, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\") + k);
std::wstring file = sub_key.get_string(_T("DisplayNameFile"));
int id = sub_key.get_int(_T("DisplayNameID"));
std::string real_name = error::format::message::from_module(utf8::cvt<std::string>(file), id);
strEx::replace(real_name, "\n", "");
strEx::replace(real_name, "\r", "");
if (real_name == name)
return utf8::cvt<std::string>(k);
} catch (simple_registry::registry_exception &e) { e; }
}
return name;
} catch (simple_registry::registry_exception &e) {
return name;
} catch (...) {
return name;
eventlog_filter::filter::object_type eventlog_wrapper_old::read_record(HANDLE &handle) {
DWORD status = do_record(0, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ);
if (status != ERROR_SUCCESS && status != ERROR_HANDLE_EOF) {
NSC_LOG_MESSAGE("Assuming eventlog reset (re-reading from start)");
un_notify(handle);
reopen();
notify(handle);
seek_start();
}
}
EVENTLOGRECORD* eventlog_wrapper::read_record_with_buffer() {

__time64_t ltime;
_time64(&ltime);


if (nextBufferPosition >= lastReadSize) {
if (read_record(0, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ) != ERROR_SUCCESS)
return NULL;
if (do_record(0, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ) != ERROR_SUCCESS)
return eventlog_filter::filter::object_type();
}
if (nextBufferPosition >= lastReadSize)
return NULL;
EVENTLOGRECORD *pevlr = reinterpret_cast<EVENTLOGRECORD*>(&pBuffer[nextBufferPosition]);
return eventlog_filter::filter::object_type();
EVENTLOGRECORD *pevlr = buffer.get(nextBufferPosition);
if (pevlr == NULL)
return eventlog_filter::filter::object_type();
nextBufferPosition += pevlr->Length;
return pevlr;
return eventlog_filter::filter::object_type(new eventlog_filter::old_filter_obj(get_name(), pevlr, ltime, 512));
}

DWORD eventlog_wrapper::read_record(DWORD dwRecordNumber, DWORD dwFlags) {
resize_buffer(sizeof(EVENTLOGRECORD));

DWORD eventlog_wrapper_old::do_record(DWORD dwRecordNumber, DWORD dwFlags) {
DWORD status = ERROR_SUCCESS;
DWORD dwBytesToRead = bufferSize;
DWORD dwBytesToRead = buffer.size() - 10;
lastReadSize = 0;
nextBufferPosition = 0;
DWORD dwMinimumBytesToRead = 0;

if (!ReadEventLog(hLog, dwFlags, dwRecordNumber, pBuffer, dwBytesToRead, &lastReadSize, &dwMinimumBytesToRead)) {
if (!ReadEventLog(hLog, dwFlags, dwRecordNumber, (LPBYTE)buffer, dwBytesToRead, &lastReadSize, &dwMinimumBytesToRead)) {
status = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER == status) {
status = ERROR_SUCCESS;
resize_buffer(dwMinimumBytesToRead);
dwBytesToRead = bufferSize;
buffer.resize(dwMinimumBytesToRead+20);
dwBytesToRead = buffer.size() - 10;

if (!ReadEventLog(hLog, dwFlags, dwRecordNumber, pBuffer, dwBytesToRead, &lastReadSize, &dwMinimumBytesToRead)) {
if (!ReadEventLog(hLog, dwFlags, dwRecordNumber, (LPBYTE)buffer, dwBytesToRead, &lastReadSize, &dwMinimumBytesToRead)) {
status = GetLastError();
NSC_LOG_ERROR_STD("Failed to read eventlog message: " + utf8::cvt<std::string>(error::lookup::last_error(status)));
return status;
Expand All @@ -171,6 +254,9 @@ DWORD eventlog_wrapper::read_record(DWORD dwRecordNumber, DWORD dwFlags) {
return status;
}


//////////////////////////////////////////////////////////////////////////
//
event_source::event_source(const std::wstring &name) : hLog(NULL) {
open(_T(""), name);
}
Expand Down

0 comments on commit 057f7bd

Please sign in to comment.