1 /* @(#) $Id: ./src/win32/extract-win-el.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
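/* Size of the stack buffer that ReadEventLog fills with a batch of records
 * (see mbuffer in readel). Parenthesized so that expressions such as
 * `BUFFER_SIZE -1` expand safely instead of binding to the trailing `*64`. */
#define BUFFER_SIZE (2048 * 64)
/* Output path used by the -e option; -f <file> lets the user pick another */
#define DEFAULT_FILE "C:\\ossec-extracted-evt.log"

/* Destination file for the extracted events (opened with fopen in main) */
char *file = DEFAULT_FILE;
/* Program name printed in the help text */
char *name = "ossec-extract-evtlog.exe";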
28 /* Event logging local structure */
43 /** int startEL(char *app, os_el *el)
44 * Starts the event logging for each el
46 int startEL(char *app, os_el *el)
48 /* Opening the event log */
49 el->h = OpenEventLog(NULL, app);
56 GetOldestEventLogRecord(el->h, &el->record);
63 /** char *el_getCategory(int category_id)
64 * Returns a string related to the category id of the log.
66 char *el_getCategory(int category_id)
71 case EVENTLOG_ERROR_TYPE:
74 case EVENTLOG_WARNING_TYPE:
77 case EVENTLOG_INFORMATION_TYPE:
80 case EVENTLOG_AUDIT_SUCCESS:
81 cat = "AUDIT_SUCCESS";
83 case EVENTLOG_AUDIT_FAILURE:
84 cat = "AUDIT_FAILURE";
94 /** int el_getEventDLL(char *evt_name, char *source, char *event)
97 int el_getEventDLL(char *evt_name, char *source, char *event)
106 snprintf(keyname, 254,
107 "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
111 /* Opening the registry key. Only RegQueryValueEx is done on it, so KEY_READ would be the least-privilege choice instead of KEY_ALL_ACCESS */
112 if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0, KEY_ALL_ACCESS, &key)
120 if (RegQueryValueEx(key, "EventMessageFile", NULL,
121 NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS)
133 /** char *el_getMessage(EVENTLOGRECORD *er, char *name, char *source, LPTSTR *el_sstring)
134 * Returns a descriptive message of the event, or NULL if none is available. The buffer is allocated by FormatMessage (FORMAT_MESSAGE_ALLOCATE_BUFFER) and must be released by the caller with LocalFree().
136 char *el_getMessage(EVENTLOGRECORD *er, char *name,
137 char * source, LPTSTR *el_sstring)
141 char event[MAX_PATH +1];
144 LPSTR message = NULL;
148 /* Initializing variables */
149 event[MAX_PATH] = '\0';
152 /* Flags for format event */
153 fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
154 fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
155 fm_flags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
157 /* Get the file name from the registry (stored on event) */
158 if(!el_getEventDLL(name, source, event))
165 /* If our event has multiple libraries, try each one of them */
166 while((next_str = strchr(curr_str, ';')))
171 ExpandEnvironmentStrings(curr_str, tmp_str, 255);
172 hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
175 if(!FormatMessage(fm_flags, hevt, er->EventID,
177 (LPTSTR) &message, 0, el_sstring))
183 /* If we have a message, we can return it */
191 ExpandEnvironmentStrings(curr_str, tmp_str, 255);
192 hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
196 if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
198 (LPTSTR) &message, 0, el_sstring)))
204 /* If we have a message, we can return it */
214 /** void readel(os_el *el, int printit)
215 * Reads the event log.
217 void readel(os_el *el, int printit)
226 char mbuffer[BUFFER_SIZE];
229 char *tmp_str = NULL;
233 char *descriptive_msg;
237 char el_string[1025];
238 char final_msg[1024];
239 LPSTR el_sstring[57];
241 /* er must point into mbuffer, which ReadEventLog fills below */
242 el->er = (EVENTLOGRECORD *) &mbuffer;
244 /* NUL-terminate the last byte of each buffer up front, so the bounded copies below (strncat/strncpy) can never leave them unterminated */
245 el_string[1024] = '\0';
247 el_domain[256] = '\0';
248 final_msg[1023] = '\0';
249 el_sstring[56] = NULL;
251 /* Reading the event log */
252 while(ReadEventLog(el->h,
253 EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
255 el->er, BUFFER_SIZE -1, &read, &needed))
260 /* We need to (re)initialize every per-record variable at the top of each iteration */
261 category = el_getCategory(el->er->EventType);
262 source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
263 computer_name = source + strlen(source) + 1;
264 descriptive_msg = NULL;
267 /* Initializing the domain/user buffer sizes (in/out parameters of LookupAccountSid) */
268 user_size = 255; domain_size = 255;
273 /* We must have some description */
274 if(el->er->NumStrings)
278 sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
281 for (nstr = 0;nstr < el->er->NumStrings;nstr++)
283 str_size = strlen(sstr);
284 strncat(el_string, sstr, size_left);
286 tmp_str= strchr(el_string, '\0');
290 tmp_str++; *tmp_str = '\0';
292 size_left-=str_size + 1;
295 el_sstring[nstr] = (LPSTR)sstr;
297 sstr = strchr( (LPSTR)sstr, '\0');
301 /* Get a more descriptive message (if available) */
302 descriptive_msg = el_getMessage(el->er, el->name, source,
304 if(descriptive_msg != NULL)
306 /* Remove any \n or \r */
307 tmp_str = descriptive_msg;
308 while((tmp_str = strchr(tmp_str, '\n')))
314 tmp_str = descriptive_msg;
315 while((tmp_str = strchr(tmp_str, '\r')))
324 strncpy(el_string, "(no message)", 1020);
328 /* Getting username */
329 if (el->er->UserSidLength)
331 SID_NAME_USE account_type;
332 if(!LookupAccountSid(NULL, (SID *)((LPSTR)el->er + el->er->UserSidOffset),
333 el_user, &user_size, el_domain, &domain_size, &account_type))
335 strncpy(el_user, "(no user)", 255);
336 strncpy(el_domain, "no domain", 255);
343 strncpy(el_user, "(no user)", 255);
344 strncpy(el_domain, "no domain", 255);
350 DWORD _evtid = 65535;
351 int id = (int)el->er->EventID & _evtid;
353 snprintf(final_msg, 1022,
354 "%d WinEvtLog: %s: %s(%d): %s: %s(%s): %s",
355 (int)el->er->TimeGenerated,
362 descriptive_msg != NULL?descriptive_msg:el_string);
364 fprintf(fp, "%s\n", final_msg);
367 if(descriptive_msg != NULL)
368 LocalFree(descriptive_msg);
370 /* Advance er past the current record (by its Length) and account for it in read */
371 read -= el->er->Length;
372 el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
375 /* Setting er to the beginning of the buffer */
376 el->er = (EVENTLOGRECORD *)&mbuffer;
381 /** void win_startel(char *evt_log)
382 * Starts the event logging for the given Windows event log (evt_log) and then reads it
384 void win_startel(char *evt_log)
386 startEL(evt_log, &el[el_last]);
387 readel(&el[el_last],1);
393 printf(" OSSEC HIDS - Windows event log extract\n");
394 printf("%s -h Shows this help message\n", name);
395 printf("%s -e Extract logs to '%s'\n", name, DEFAULT_FILE);
396 printf("%s -f <file> Extract logs to the file specified\n", name);
400 int main(int argc, char **argv)
403 if((argc == 2)&&(strcmp(argv[1], "-e") == 0))
406 else if((argc == 3)&&(strcmp(argv[1], "-f") == 0))
413 fp = fopen(file, "w");
416 printf("Unable to open file '%s'\n", file);
420 win_startel("Application");
421 win_startel("System");
422 win_startel("Security");