1 /* @(#) $Id: extract-win-el.c,v 1.7 2009/06/24 18:53:10 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
20 #define BUFFER_SIZE 2048*64
21 #define DEFAULT_FILE "C:\\ossec-extracted-evt.log"
24 char *file = DEFAULT_FILE;
25 char *name = "ossec-extract-evtlog.exe";
27 /* Event logging local structure */
42 /** int startEL(char *app, os_el *el)
43 * Starts the event logging for each el
45 int startEL(char *app, os_el *el)
47 /* Opening the event log */
48 el->h = OpenEventLog(NULL, app);
55 GetOldestEventLogRecord(el->h, &el->record);
62 /** char *el_getCategory(int category_id)
63 * Returns a string related to the category id of the log.
65 char *el_getCategory(int category_id)
70 case EVENTLOG_ERROR_TYPE:
73 case EVENTLOG_WARNING_TYPE:
76 case EVENTLOG_INFORMATION_TYPE:
79 case EVENTLOG_AUDIT_SUCCESS:
80 cat = "AUDIT_SUCCESS";
82 case EVENTLOG_AUDIT_FAILURE:
83 cat = "AUDIT_FAILURE";
93 /** int el_getEventDLL(char *evt_name, char *source, char *event)
96 int el_getEventDLL(char *evt_name, char *source, char *event)
105 snprintf(keyname, 254,
106 "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
110 /* Opening the registry key. Only RegQueryValueEx is called on it below, so KEY_READ is sufficient; KEY_ALL_ACCESS is broader than needed and typically fails under HKLM for non-administrative callers */
111 if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0, KEY_ALL_ACCESS, &key)
119 if (RegQueryValueEx(key, "EventMessageFile", NULL,
120 NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS)
132 /** char *el_getMessage(EVENTLOGRECORD *er, char *name, char *source, LPTSTR *el_sstring)
133 * Returns a descriptive message of the event.
135 char *el_getMessage(EVENTLOGRECORD *er, char *name,
136 char * source, LPTSTR *el_sstring)
140 char event[MAX_PATH +1];
143 LPSTR message = NULL;
147 /* Initializing variables */
148 event[MAX_PATH] = '\0';
151 /* Flags for format event */
152 fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
153 fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
154 fm_flags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
156 /* Get the file name from the registry (stored on event) */
157 if(!el_getEventDLL(name, source, event))
164 /* If our event has multiple libraries, try each one of them */
165 while((next_str = strchr(curr_str, ';')))
170 ExpandEnvironmentStrings(curr_str, tmp_str, 255);
171 hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
174 if(!FormatMessage(fm_flags, hevt, er->EventID,
176 (LPTSTR) &message, 0, el_sstring))
182 /* If we have a message, we can return it */
190 ExpandEnvironmentStrings(curr_str, tmp_str, 255);
191 hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
195 if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
197 (LPTSTR) &message, 0, el_sstring)))
203 /* If we have a message, we can return it */
213 /** void readel(os_el *el, int printit)
214 * Reads the event log.
216 void readel(os_el *el, int printit)
225 char mbuffer[BUFFER_SIZE];
228 char *tmp_str = NULL;
232 char *descriptive_msg;
236 char el_string[1025];
237 char final_msg[1024];
238 LPSTR el_sstring[57];
240 /* er must point into mbuffer */
241 el->er = (EVENTLOGRECORD *) &mbuffer;
243 /* NUL-terminating the last slot of each buffer */
244 el_string[1024] = '\0';
246 el_domain[256] = '\0';
247 final_msg[1023] = '\0';
248 el_sstring[56] = NULL;
250 /* Reading the event log */
251 while(ReadEventLog(el->h,
252 EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
254 el->er, BUFFER_SIZE -1, &read, &needed))
259 /* We need to initialize every variable before the loop */
260 category = el_getCategory(el->er->EventType);
261 source = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
262 computer_name = source + strlen(source) + 1;
263 descriptive_msg = NULL;
266 /* Initializing domain/user sizes */
267 user_size = 255; domain_size = 255;
272 /* We must have some description */
273 if(el->er->NumStrings)
277 sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
280 for (nstr = 0;nstr < el->er->NumStrings;nstr++)
282 str_size = strlen(sstr);
283 strncat(el_string, sstr, size_left);
285 tmp_str= strchr(el_string, '\0');
289 tmp_str++; *tmp_str = '\0';
291 size_left-=str_size + 1;
294 el_sstring[nstr] = (LPSTR)sstr;
296 sstr = strchr( (LPSTR)sstr, '\0');
300 /* Get a more descriptive message (if available) */
301 descriptive_msg = el_getMessage(el->er, el->name, source,
303 if(descriptive_msg != NULL)
305 /* Remove any \n or \r */
306 tmp_str = descriptive_msg;
307 while((tmp_str = strchr(tmp_str, '\n')))
313 tmp_str = descriptive_msg;
314 while((tmp_str = strchr(tmp_str, '\r')))
323 strncpy(el_string, "(no message)", 1020);
327 /* Getting username */
328 if (el->er->UserSidLength)
330 SID_NAME_USE account_type;
331 if(!LookupAccountSid(NULL, (SID *)((LPSTR)el->er + el->er->UserSidOffset),
332 el_user, &user_size, el_domain, &domain_size, &account_type))
334 strncpy(el_user, "(no user)", 255);
335 strncpy(el_domain, "no domain", 255);
342 strncpy(el_user, "(no user)", 255);
343 strncpy(el_domain, "no domain", 255);
349 DWORD _evtid = 65535;
350 int id = (int)el->er->EventID & _evtid;
352 snprintf(final_msg, 1022,
353 "%d WinEvtLog: %s: %s(%d): %s: %s(%s): %s",
354 (int)el->er->TimeGenerated,
361 descriptive_msg != NULL?descriptive_msg:el_string);
363 fprintf(fp, "%s\n", final_msg);
366 if(descriptive_msg != NULL)
367 LocalFree(descriptive_msg);
369 /* Advancing er to the next record in the buffer */
370 read -= el->er->Length;
371 el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
374 /* Setting er to the beginning of the buffer */
375 el->er = (EVENTLOGRECORD *)&mbuffer;
380 /** void win_startel()
381 * Starts the event logging for windows
383 void win_startel(char *evt_log)
385 startEL(evt_log, &el[el_last]);
386 readel(&el[el_last],1);
392 printf(" OSSEC HIDS - Windows event log extract\n");
393 printf("%s -h Shows this help message\n", name);
394 printf("%s -e Extract logs to '%s'\n", name, DEFAULT_FILE);
395 printf("%s -f <file> Extract logs to the file specified\n", name);
399 int main(int argc, char **argv)
402 if((argc == 2)&&(strcmp(argv[1], "-e") == 0))
405 else if((argc == 3)&&(strcmp(argv[1], "-f") == 0))
412 fp = fopen(file, "w");
415 printf("Unable to open file '%s'\n", file);
419 win_startel("Application");
420 win_startel("System");
421 win_startel("Security");