Winlog: Update code files from source CDP with MIT license, include public files, change root folder
Родитель
ec6f237a15
Коммит
4a1c1d4338
|
@ -0,0 +1,22 @@
|
|||
# Set the default behavior, in case people don't have core.autocrlf set.
|
||||
* text=auto
|
||||
|
||||
# Use text conventions for commonly used text extensions.
|
||||
*.csv text
|
||||
*.ini text
|
||||
*.json text
|
||||
*.txt text
|
||||
*.xml text
|
||||
|
||||
# Denote all files that are truly binary and should not be modified.
|
||||
*.dll binary
|
||||
*.exe binary
|
||||
*.gz binary
|
||||
*.ico binary
|
||||
*.jpg binary
|
||||
*.lib binary
|
||||
*.pdb binary
|
||||
*.pdf binary
|
||||
*.png binary
|
||||
*.wim binary
|
||||
*.zip binary
|
|
@ -0,0 +1,390 @@
|
|||
###
|
||||
OneBranch Specific
|
||||
###
|
||||
|
||||
# Everything outside the src directory
|
||||
/source/.packages
|
||||
|
||||
# Build generated files in src
|
||||
/source/**/objd/**/*
|
||||
/source/**/obj/**/*
|
||||
/source/**/bin/**/*
|
||||
/source/**/gen/**/*
|
||||
/source/**/*.nuspec
|
||||
/source/**/StyleCop.Cache
|
||||
/source/**/[Ll]ogs/**/stdout.txt
|
||||
/source/**/[Ll]ogs/**/stderr.txt
|
||||
*.binlog
|
||||
|
||||
# QuickBuild and Build Exe
|
||||
/source/**/build*.dbb
|
||||
/source/**/build*.evt
|
||||
/source/**/build*.log
|
||||
/source/**/build*.trc
|
||||
/source/**/build*.trc.txt
|
||||
/source/**/__tracer/
|
||||
/source/**/QLogs/
|
||||
QuickBuild.log
|
||||
|
||||
# MSBuild's log file
|
||||
msbuild.log
|
||||
|
||||
# VSMSBuild generated files in CoreXT
|
||||
*.sln
|
||||
*.projhash*
|
||||
*.slnhash*
|
||||
|
||||
# Build.exe
|
||||
*.err
|
||||
*.wrn
|
||||
*.log
|
||||
*.prf
|
||||
*.trc
|
||||
buildd.dbb
|
||||
build.dbb
|
||||
buildd.evt
|
||||
build.evt
|
||||
|
||||
# CloudBuild
|
||||
BuildSessionInfo.json
|
||||
QBuildResultStats.txt
|
||||
QLogs
|
||||
|
||||
|
||||
###
|
||||
Secret Disclosure Risks
|
||||
From: AzSec@microsoft.com
|
||||
###
|
||||
|
||||
# *.pfx
|
||||
*.[Pp][Ff][Xx]
|
||||
|
||||
# *.key
|
||||
*.[Kk][Ee][Yy]
|
||||
|
||||
# *.sst
|
||||
*.[Ss][Ss][Tt]
|
||||
|
||||
# *.p12
|
||||
*.[Pp]12
|
||||
|
||||
# *.pvk
|
||||
*.[Pp][Vv][Kk]
|
||||
|
||||
# wdsconfig.xml
|
||||
[Ww][Dd][Ss][Cc][Oo][Nn][Ff][Ii][Gg].[Xx][Mm][Ll]
|
||||
|
||||
# wdsdeploy.xml
|
||||
[Ww][Dd][Ss][Dd][Ee][Pp][Ll][Oo][Yy].[Xx][Mm][Ll]
|
||||
|
||||
# accounts.xml
|
||||
[Aa][Cc][Cc][Oo][Uu][Nn][Tt][Ss].[Xx][Mm][Ll]
|
||||
|
||||
# deploymentsecrets.xml
|
||||
[Dd][Ee][Pp][Ll][Oo][Yy][Mm][Ee][Nn][Tt][Ss][Ee][Cc][Rr][Ee][Tt][Ss].[Xx][Mm][Ll]
|
||||
[Ss][Yy][Ss][Pp][Rr][Ee][Pp].[Ii][Nn][Ff]
|
||||
|
||||
# Unix tools, Vim/Emacs included
|
||||
*~
|
||||
*.swp
|
||||
|
||||
# Office
|
||||
~$*
|
||||
|
||||
###
|
||||
|
||||
# Repository Bloat Risks
|
||||
*.7[Zz]
|
||||
*.[Bb][Ii][Nn]
|
||||
*.[Cc][Aa][Bb]
|
||||
*.[Dd][Ll][Ll]
|
||||
*.[Dd][Mm][Pp]
|
||||
*.[Ee][Tt][Ll]
|
||||
*.[Ee][Xx][Ee]
|
||||
*.[Gg][Zz]
|
||||
*.[Ll][Ii][Bb]
|
||||
*.[Mm][Ss][Ii]
|
||||
*.[Mm][Ss][Uu]
|
||||
*.[Nn][Uu][Pp][Kk][Gg]
|
||||
*.[Pp][Dd][Bb]
|
||||
*.[Rr][Aa][Rr]
|
||||
*.[Ss][Oo]
|
||||
*.[Vv][Hh][Dd]
|
||||
*.[Ww][Ii][Mm]
|
||||
*.[Zz][Ii][Pp]
|
||||
|
||||
### Begin of VS ignore files from github ####
|
||||
|
||||
## Ignore Visual Studio temporary files, build results, and
|
||||
## files generated by popular Visual Studio add-ons.
|
||||
##
|
||||
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
|
||||
## Retrieved on 2017/01/04 - hash 4f1b03c640ad89096e303423b30ffa09f7e68f2f
|
||||
|
||||
# User-specific files
|
||||
*.suo
|
||||
*.user
|
||||
*.userosscache
|
||||
*.sln.docstates
|
||||
*.vcxproj.filters
|
||||
|
||||
# User-specific files (MonoDevelop/Xamarin Studio)
|
||||
*.userprefs
|
||||
|
||||
# Build results
|
||||
[Dd]ebug/
|
||||
[Dd]ebugPublic/
|
||||
[Rr]elease/
|
||||
[Rr]eleases/
|
||||
x64/
|
||||
x86/
|
||||
bld/
|
||||
[Bb]in/
|
||||
[Oo]bj/
|
||||
[Ll]og/
|
||||
|
||||
# Visual Studio 2015 cache/options directory
|
||||
.vs/
|
||||
# Uncomment if you have tasks that create the project's static files in wwwroot
|
||||
#wwwroot/
|
||||
|
||||
# MSTest test Results
|
||||
[Tt]est[Rr]esult*/
|
||||
[Bb]uild[Ll]og.*
|
||||
|
||||
# NUNIT
|
||||
*.VisualState.xml
|
||||
TestResult.xml
|
||||
|
||||
# Build Results of an ATL Project
|
||||
[Dd]ebugPS/
|
||||
[Rr]eleasePS/
|
||||
dlldata.c
|
||||
|
||||
# .NET Core
|
||||
project.lock.json
|
||||
project.fragment.lock.json
|
||||
artifacts/
|
||||
**/Properties/launchSettings.json
|
||||
|
||||
*_i.c
|
||||
*_p.c
|
||||
*_i.h
|
||||
*.ilk
|
||||
*.meta
|
||||
*.obj
|
||||
*.pch
|
||||
*.pdb
|
||||
*.pgc
|
||||
*.pgd
|
||||
*.rsp
|
||||
*.sbr
|
||||
*.tlb
|
||||
*.tli
|
||||
*.tlh
|
||||
*.tmp
|
||||
*.tmp_proj
|
||||
*.log
|
||||
*.vspscc
|
||||
*.vssscc
|
||||
.builds
|
||||
*.pidb
|
||||
*.svclog
|
||||
*.scc
|
||||
|
||||
# Chutzpah Test files
|
||||
_Chutzpah*
|
||||
|
||||
# Visual C++ cache files
|
||||
ipch/
|
||||
*.aps
|
||||
*.ncb
|
||||
*.opendb
|
||||
*.opensdf
|
||||
*.sdf
|
||||
*.cachefile
|
||||
*.VC.db
|
||||
*.VC.VC.opendb
|
||||
|
||||
# Visual Studio profiler
|
||||
*.psess
|
||||
*.vsp
|
||||
*.vspx
|
||||
*.sap
|
||||
|
||||
# TFS 2012 Local Workspace
|
||||
$tf/
|
||||
|
||||
# Guidance Automation Toolkit
|
||||
*.gpState
|
||||
|
||||
# ReSharper is a .NET coding add-in
|
||||
_ReSharper*/
|
||||
*.[Rr]e[Ss]harper
|
||||
*.DotSettings.user
|
||||
|
||||
# JustCode is a .NET coding add-in
|
||||
.JustCode
|
||||
|
||||
# TeamCity is a build add-in
|
||||
_TeamCity*
|
||||
|
||||
# DotCover is a Code Coverage Tool
|
||||
*.dotCover
|
||||
|
||||
# Visual Studio code coverage results
|
||||
*.coverage
|
||||
*.coveragexml
|
||||
|
||||
# NCrunch
|
||||
_NCrunch_*
|
||||
.*crunch*.local.xml
|
||||
nCrunchTemp_*
|
||||
|
||||
# MightyMoose
|
||||
*.mm.*
|
||||
AutoTest.Net/
|
||||
|
||||
# Web workbench (sass)
|
||||
.sass-cache/
|
||||
|
||||
# Installshield output folder
|
||||
[Ee]xpress/
|
||||
|
||||
# DocProject is a documentation generator add-in
|
||||
DocProject/buildhelp/
|
||||
DocProject/Help/*.HxT
|
||||
DocProject/Help/*.HxC
|
||||
DocProject/Help/*.hhc
|
||||
DocProject/Help/*.hhk
|
||||
DocProject/Help/*.hhp
|
||||
DocProject/Help/Html2
|
||||
DocProject/Help/html
|
||||
|
||||
# Click-Once directory
|
||||
publish/
|
||||
|
||||
# Publish Web Output
|
||||
*.[Pp]ublish.xml
|
||||
*.azurePubxml
|
||||
# TODO: Comment the next line if you want to checkin your web deploy settings
|
||||
# but database connection strings (with potential passwords) will be unencrypted
|
||||
*.pubxml
|
||||
*.publishproj
|
||||
|
||||
# Microsoft Azure Web App publish settings. Comment the next line if you want to
|
||||
# checkin your Azure Web App publish settings, but sensitive information contained
|
||||
# in these scripts will be unencrypted
|
||||
PublishScripts/
|
||||
|
||||
# NuGet Packages
|
||||
*.nupkg
|
||||
# The packages folder can be ignored because of Package Restore
|
||||
**/packages/*
|
||||
# except build/, which is used as an MSBuild target.
|
||||
!**/packages/build/
|
||||
# Uncomment if necessary however generally it will be regenerated when needed
|
||||
#!**/packages/repositories.config
|
||||
# NuGet v3's project.json files produces more ignoreable files
|
||||
*.nuget.props
|
||||
*.nuget.targets
|
||||
|
||||
# Microsoft Azure Build Output
|
||||
csx/
|
||||
*.build.csdef
|
||||
|
||||
# Microsoft Azure Emulator
|
||||
ecf/
|
||||
rcf/
|
||||
|
||||
# Windows Store app package directories and files
|
||||
AppPackages/
|
||||
BundleArtifacts/
|
||||
Package.StoreAssociation.xml
|
||||
_pkginfo.txt
|
||||
|
||||
# Visual Studio cache files
|
||||
# files ending in .cache can be ignored
|
||||
*.[Cc]ache
|
||||
# but keep track of directories ending in .cache
|
||||
!*.[Cc]ache/
|
||||
|
||||
# Others
|
||||
ClientBin/
|
||||
~$*
|
||||
*~
|
||||
*.dbmdl
|
||||
*.dbproj.schemaview
|
||||
*.jfm
|
||||
*.pfx
|
||||
*.publishsettings
|
||||
node_modules/
|
||||
orleans.codegen.cs
|
||||
|
||||
# Since there are multiple workflows, uncomment next line to ignore bower_components
|
||||
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
|
||||
#bower_components/
|
||||
|
||||
# RIA/Silverlight projects
|
||||
Generated_Code/
|
||||
|
||||
# Backup & report files from converting an old project file
|
||||
# to a newer Visual Studio version. Backup files are not needed,
|
||||
# because we have git ;-)
|
||||
_UpgradeReport_Files/
|
||||
Backup*/
|
||||
UpgradeLog*.XML
|
||||
UpgradeLog*.htm
|
||||
|
||||
# SQL Server files
|
||||
*.mdf
|
||||
*.ldf
|
||||
|
||||
# Business Intelligence projects
|
||||
*.rdl.data
|
||||
*.bim.layout
|
||||
*.bim_*.settings
|
||||
|
||||
# Microsoft Fakes
|
||||
FakesAssemblies/
|
||||
|
||||
# GhostDoc plugin setting file
|
||||
*.GhostDoc.xml
|
||||
|
||||
# Node.js Tools for Visual Studio
|
||||
.ntvs_analysis.dat
|
||||
|
||||
# Visual Studio 6 build log
|
||||
*.plg
|
||||
|
||||
# Visual Studio 6 workspace options file
|
||||
*.opt
|
||||
|
||||
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
|
||||
*.vbw
|
||||
|
||||
# Visual Studio LightSwitch build output
|
||||
**/*.HTMLClient/GeneratedArtifacts
|
||||
**/*.DesktopClient/GeneratedArtifacts
|
||||
**/*.DesktopClient/ModelManifest.xml
|
||||
**/*.Server/GeneratedArtifacts
|
||||
**/*.Server/ModelManifest.xml
|
||||
_Pvt_Extensions
|
||||
|
||||
# Paket dependency manager
|
||||
.paket/paket.exe
|
||||
paket-files/
|
||||
|
||||
# FAKE - F# Make
|
||||
.fake/
|
||||
|
||||
# JetBrains Rider
|
||||
.idea/
|
||||
*.sln.iml
|
||||
|
||||
# CodeRush
|
||||
.cr/
|
||||
|
||||
# Python Tools for Visual Studio (PTVS)
|
||||
__pycache__/
|
||||
*.pyc
|
|
@ -0,0 +1,14 @@
|
|||
# Contributing
|
||||
|
||||
This project welcomes contributions and suggestions. Most contributions require you to
|
||||
agree to a Contributor License Agreement (CLA) declaring that you have the right to,
|
||||
and actually do, grant us the rights to use your contribution. For details, visit
|
||||
https://cla.microsoft.com.
|
||||
|
||||
When you submit a pull request, a CLA-bot will automatically determine whether you need
|
||||
to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
|
||||
instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
|
||||
|
||||
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
|
||||
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
|
||||
or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
||||
|
@ -9,11 +10,12 @@ namespace WinLog
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Diagnostics.Eventing.Reader;
|
||||
using System.Linq;
|
||||
using Newtonsoft.Json;
|
||||
using WinLog.Helpers;
|
||||
|
||||
/// <summary>
|
||||
/// Class that defines the event metadata.
|
||||
/// Class that defines the event metadata.
|
||||
/// </summary>
|
||||
public class EventIdMetrics
|
||||
{
|
||||
|
@ -29,58 +31,58 @@ namespace WinLog
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class that defines the various metrics associated with event uploading.
|
||||
/// Class that defines the various metrics associated with event uploading.
|
||||
/// </summary>
|
||||
public class EventLogUploadResult
|
||||
{
|
||||
/// <summary>
|
||||
/// The number of event records that were uploaded.
|
||||
/// The number of event records that were uploaded.
|
||||
/// </summary>
|
||||
public int EventCount { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The number of events that matched the upload filter criteria.
|
||||
/// The number of events that matched the upload filter criteria.
|
||||
/// </summary>
|
||||
public int FilteredEventCount { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The number of seconds that it took the program to read all of the events from the event source.
|
||||
/// The number of seconds that it took the program to read all of the events from the event source.
|
||||
/// </summary>
|
||||
public double TimeToRead { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The number of seconds that it took to complete uploading the events to the destination.
|
||||
/// The number of seconds that it took to complete uploading the events to the destination.
|
||||
/// </summary>
|
||||
public double TimeToUpload { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Whether the upload completed successfully.
|
||||
/// Whether the upload completed successfully.
|
||||
/// </summary>
|
||||
public bool UploadSuccessful { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The returned error message, if any.
|
||||
/// The returned error message, if any.
|
||||
/// </summary>
|
||||
public string ErrorMessage { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The list of EventIdMetrics uploaded.
|
||||
/// The list of EventIdMetrics uploaded.
|
||||
/// </summary>
|
||||
public Dictionary<string, EventIdMetrics> EventIdMetricsList { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The number of events without User Data.
|
||||
/// The number of events without User Data.
|
||||
/// </summary>
|
||||
public int NullUserDataCount { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// The number of events without extended Event Data.
|
||||
/// The number of events without extended Event Data.
|
||||
/// </summary>
|
||||
public int NullEventDataCount { get; set; }
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class that defines an event log record for the purposes of the WinLog namespace.
|
||||
/// Class that defines an event log record for the purposes of the WinLog namespace.
|
||||
/// </summary>
|
||||
public class LogRecord
|
||||
{
|
||||
|
@ -93,7 +95,7 @@ namespace WinLog
|
|||
public string Keywords;
|
||||
public DateTime TimeCreated;
|
||||
public long EventRecordId;
|
||||
public Guid Correlation; //missing in LogRecordCdoc
|
||||
public string Correlation; //missing in LogRecordCdoc
|
||||
public int ProcessId;
|
||||
public int ThreadId;
|
||||
public string Channel;
|
||||
|
@ -149,12 +151,7 @@ namespace WinLog
|
|||
Channel = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Channel");
|
||||
|
||||
Keywords = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Keywords");
|
||||
|
||||
Guid resultCorrelation;
|
||||
if (Guid.TryParse(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Correlation"), out resultCorrelation))
|
||||
{
|
||||
Correlation = resultCorrelation;
|
||||
}
|
||||
Correlation = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Correlation");
|
||||
|
||||
// Variant System properties (not on all Windows Events)
|
||||
string processId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ProcessID");
|
||||
|
@ -172,7 +169,7 @@ namespace WinLog
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class that defines an event log record for the purposes of the Microsoft Cyber Defense Operations Center (CDOC).
|
||||
/// Class that defines an event log record for the purposes of the Microsoft Cyber Defense Operations Center (CDOC).
|
||||
/// </summary>
|
||||
public class LogRecordCdoc
|
||||
{
|
||||
|
@ -251,8 +248,8 @@ namespace WinLog
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class that defines an event log record for the purposes of the WinLog namespace.
|
||||
/// Includes extended properties, such as Bookmarks and embedded LogRecordEx instances.
|
||||
/// Class that defines an event log record for the purposes of the WinLog namespace.
|
||||
/// Includes extended properties, such as Bookmarks and embedded LogRecordEx instances.
|
||||
/// </summary>
|
||||
public class LogRecordEx
|
||||
{
|
||||
|
@ -286,7 +283,66 @@ namespace WinLog
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class for enabling JSON parsing of events.
|
||||
/// Class that defines an event log record for the purposes of the WinLog namespace.
|
||||
/// Includes extended properties, such as Bookmarks and embedded LogRecordEx instances.
|
||||
/// </summary>
|
||||
public class LogRecordRaw
|
||||
{
|
||||
public string Provider { get; set; }
|
||||
|
||||
public int EventId { get; set; }
|
||||
|
||||
public string Version { get; set; }
|
||||
|
||||
public string Level { get; set; }
|
||||
|
||||
public string Task { get; set; }
|
||||
|
||||
public string Opcode { get; set; }
|
||||
|
||||
public DateTime TimeCreated { get; set; }
|
||||
|
||||
public long EventRecordId { get; set; }
|
||||
|
||||
public int ProcessId { get; set; }
|
||||
|
||||
public int ThreadId { get; set; }
|
||||
|
||||
public string Channel { get; set; }
|
||||
|
||||
public string Computer { get; set; }
|
||||
|
||||
public string Security { get; set; }
|
||||
|
||||
public string Keywords { get; set; }
|
||||
|
||||
public string Correlation { get; set; }
|
||||
|
||||
public Dictionary<string, string> EventData { get; set; }
|
||||
|
||||
public LogRecordRaw(EventBookmark bookmark)
|
||||
{
|
||||
Bookmark = bookmark;
|
||||
}
|
||||
|
||||
public LogRecordRaw()
|
||||
{
|
||||
}
|
||||
|
||||
public EventBookmark Bookmark { get; private set; }
|
||||
|
||||
public IDictionary<string, object> ToDictionary(LogRecordRaw logRecordRaw)
|
||||
{
|
||||
IDictionary<string, object> returnValue = logRecordRaw.GetType()
|
||||
.GetProperties()
|
||||
.ToDictionary(prop => prop.Name, prop => prop.GetValue(logRecordRaw, null));
|
||||
|
||||
return returnValue;
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class for enabling JSON parsing of events.
|
||||
/// </summary>
|
||||
public class JsonParseFilter
|
||||
{
|
||||
|
@ -309,7 +365,7 @@ namespace WinLog
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// Class defining metadata about where and when a log file was collected.
|
||||
/// Class defining metadata about where and when a log file was collected.
|
||||
/// </summary>
|
||||
public class LogFileLineage
|
||||
{
|
|
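Review bot: `LogRecordRaw.ToDictionary` reflects over every public property, so the `Bookmark` property (an `EventBookmark`) is copied into the dictionary that `ToLogRecordRaw` returns alongside the event fields; unless a consumer relies on it, exclude it with `.Where(prop => prop.Name != nameof(Bookmark))` before the `ToDictionary` call, and consider making the method static or dropping the `logRecordRaw` parameter, since an instance method that takes its own type invites the `instance.ToDictionary(instance)` call seen in the caller. The `<summary>` above `LogRecordRaw` is the text of `LogRecordEx`'s summary ("Includes extended properties, such as Bookmarks and embedded LogRecordEx instances"); replace it with something like `/// Flat, property-per-field record used for the raw dictionary form of an event.` The hunk at `@ -149,12 +151,7 @@` also drops the `Guid.TryParse` step, so `Correlation` now carries whatever string the event XML supplied; if anything downstream types that column as a GUID, normalize it (`Guid.TryParse(value, out var g) ? g.ToString() : string.Empty`) or document the field as unvalidated.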
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
||||
|
@ -45,14 +46,34 @@ namespace WinLog
|
|||
string keywords;
|
||||
providerStringCache.Lookup(eventRecord, out level, out task, out opCode, out keywords);
|
||||
|
||||
return ToLogRecordCdoc(
|
||||
LogRecord logRecord = ToLogRecord(
|
||||
eventRecord.ToXml(),
|
||||
eventRecord.Bookmark,
|
||||
level,
|
||||
task,
|
||||
opCode,
|
||||
eventRecord.ProcessId ?? 0,
|
||||
eventRecord.ThreadId ?? 0);
|
||||
eventRecord.ThreadId ?? 0,
|
||||
keywords);
|
||||
|
||||
return new LogRecordCdoc
|
||||
{
|
||||
EventRecordId = logRecord.EventRecordId,
|
||||
TimeCreated = logRecord.TimeCreated,
|
||||
Computer = logRecord.Computer,
|
||||
ProcessId = logRecord.ProcessId,
|
||||
ThreadId = logRecord.ThreadId,
|
||||
Provider = logRecord.Provider,
|
||||
EventId = logRecord.EventId,
|
||||
Level = logRecord.Level,
|
||||
Version = logRecord.Version,
|
||||
Channel = logRecord.Channel,
|
||||
Task = logRecord.Task,
|
||||
Opcode = logRecord.Opcode,
|
||||
Security = logRecord.Security,
|
||||
EventData = logRecord.EventData,
|
||||
LogFileLineage = logRecord.LogFileLineage
|
||||
};
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
|
@ -65,7 +86,7 @@ namespace WinLog
|
|||
public LogRecordEx ToLogRecordEx(string eventXml,
|
||||
EventBookmark eventBookmark = null)
|
||||
{
|
||||
LogRecordCdoc logRecordCdoc = ToLogRecordCdoc(eventXml, eventBookmark);
|
||||
LogRecord logRecordCdoc = ToLogRecord(eventXml, eventBookmark);
|
||||
|
||||
return new LogRecordEx
|
||||
{
|
||||
|
@ -81,11 +102,90 @@ namespace WinLog
|
|||
Channel = logRecordCdoc.Channel,
|
||||
Task = logRecordCdoc.Task,
|
||||
Opcode = logRecordCdoc.Opcode,
|
||||
Security = logRecordCdoc.Security,
|
||||
EventData = logRecordCdoc.EventData,
|
||||
LogFileLineage = logRecordCdoc.LogFileLineage
|
||||
};
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Converts a Windows EventRecord into a JsonLogRecord, used to insert to Kusto
|
||||
/// </summary>
|
||||
/// <param name="eventRecord">the EventRecord object</param>
|
||||
/// <returns></returns>
|
||||
public IDictionary<string, object> ToLogRecordRaw(EventRecord eventRecord)
|
||||
{
|
||||
if (eventRecord == null)
|
||||
{
|
||||
throw new ArgumentNullException(nameof(eventRecord));
|
||||
}
|
||||
|
||||
string level;
|
||||
string task;
|
||||
string opCode;
|
||||
string keywords;
|
||||
providerStringCache.Lookup(eventRecord, out level, out task, out opCode, out keywords);
|
||||
|
||||
LogRecord logRecordCdoc = ToLogRecord(
|
||||
eventRecord.ToXml(),
|
||||
eventRecord.Bookmark,
|
||||
level,
|
||||
task,
|
||||
opCode,
|
||||
eventRecord.ProcessId ?? 0,
|
||||
eventRecord.ThreadId ?? 0,
|
||||
keywords,
|
||||
true);
|
||||
|
||||
return GetLogRecordRawObject(logRecordCdoc);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Converts a Windows EventRecord into a JsonLogRecordEx, containing an Extended field for use, used to insert to
|
||||
/// Kusto
|
||||
/// </summary>
|
||||
/// <param name="eventXml"></param>
|
||||
/// <param name="eventBookmark"></param>
|
||||
/// <returns></returns>
|
||||
public IDictionary<string, object> ToLogRecordRaw(string eventXml,
|
||||
EventBookmark eventBookmark = null)
|
||||
{
|
||||
LogRecord logRecord = ToLogRecord(eventXml, eventBookmark, string.Empty, string.Empty, string.Empty, 0, 0, string.Empty, true);
|
||||
|
||||
return GetLogRecordRawObject(logRecord);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Common method return a LogRecordRaw object from a LogRecordCDOC object, essentially without a LogFileLineage field
|
||||
/// while using the exact same methodology for parsing as all other parsing.
|
||||
/// </summary>
|
||||
/// <param name="logRecord"></param>
|
||||
/// <returns></returns>
|
||||
private IDictionary<string, object> GetLogRecordRawObject(LogRecord logRecord)
|
||||
{
|
||||
var instance = new LogRecordRaw
|
||||
{
|
||||
EventRecordId = logRecord.EventRecordId,
|
||||
TimeCreated = logRecord.TimeCreated,
|
||||
Computer = logRecord.Computer,
|
||||
ProcessId = logRecord.ProcessId,
|
||||
ThreadId = logRecord.ThreadId,
|
||||
Provider = logRecord.Provider,
|
||||
EventId = logRecord.EventId,
|
||||
Level = logRecord.Level,
|
||||
Version = logRecord.Version,
|
||||
Channel = logRecord.Channel,
|
||||
Task = logRecord.Task,
|
||||
Opcode = logRecord.Opcode,
|
||||
EventData = logRecord.EventData,
|
||||
Security = logRecord.Security,
|
||||
Keywords = logRecord.Keywords,
|
||||
Correlation = logRecord.Correlation
|
||||
};
|
||||
|
||||
return instance.ToDictionary(instance);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Creates a JsonLogRecord object
|
||||
/// </summary>
|
||||
|
@ -96,15 +196,18 @@ namespace WinLog
|
|||
/// <param name="opCode"></param>
|
||||
/// <param name="processId"></param>
|
||||
/// <param name="threadId"></param>
|
||||
/// <param name="returnEventDataDictionary"></param>
|
||||
/// <returns></returns>
|
||||
public LogRecordCdoc ToLogRecordCdoc(
|
||||
public LogRecord ToLogRecord(
|
||||
string eventXml,
|
||||
EventBookmark eventBookmark,
|
||||
string level = "",
|
||||
string task = "",
|
||||
string opCode = "",
|
||||
int processId = 0,
|
||||
int threadId = 0)
|
||||
int threadId = 0,
|
||||
string keywords = "",
|
||||
bool returnEventDataDictionary = false)
|
||||
{
|
||||
try
|
||||
{
|
||||
|
@ -184,7 +287,7 @@ namespace WinLog
|
|||
|
||||
var serializedLogFileLineage = JsonConvert.SerializeObject(logFileLineage);
|
||||
|
||||
return new LogRecordCdoc()
|
||||
return new LogRecord()
|
||||
{
|
||||
EventRecordId = Convert.ToInt64(systemPropertiesDictionary["EventRecordID"]),
|
||||
TimeCreated = Convert.ToDateTime(systemPropertiesDictionary["TimeCreated"]),
|
||||
|
@ -193,13 +296,15 @@ namespace WinLog
|
|||
ThreadId = processId.Equals(0) ? Convert.ToInt32(executionProcessThread[1]) : threadId,
|
||||
Provider = systemPropertiesDictionary["Provider"].ToString(),
|
||||
EventId = Convert.ToInt32(systemPropertiesDictionary["EventID"]),
|
||||
Level = !level.Equals(string.Empty) ? systemPropertiesDictionary["Level"].ToString() : level,
|
||||
Level = level.Equals(string.Empty) ? systemPropertiesDictionary["Level"].ToString() : level,
|
||||
Version = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Version"),
|
||||
Channel = systemPropertiesDictionary["Channel"].ToString(),
|
||||
Security = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Security"),
|
||||
Task = !task.Equals(string.Empty) ? systemPropertiesDictionary["Task"].ToString() : task,
|
||||
Opcode = opCode,
|
||||
EventData = json,
|
||||
Keywords = keywords.Equals(string.Empty) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Keywords") : keywords,
|
||||
Correlation = !string.IsNullOrWhiteSpace(CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Correlation")) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Correlation") : string.Empty,
|
||||
Task = task.Equals(string.Empty) ? systemPropertiesDictionary["Task"].ToString() : task,
|
||||
Opcode = opCode.Equals(string.Empty) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Opcode") : opCode,
|
||||
EventData = returnEventDataDictionary ? (dynamic)namedProperties : json,
|
||||
LogFileLineage = serializedLogFileLineage
|
||||
};
|
||||
}
|
|
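Review bot: `keywords.Equals(string.Empty)` and `opCode.Equals(string.Empty)` in the `@ -193,13 +296,15 @@` hunk throw a NullReferenceException if `providerStringCache.Lookup` leaves an out value null (its body is not on the page), and the enclosing `try`, whose catch is outside the page, then decides what the caller sees; `string.IsNullOrEmpty(keywords)` and `string.IsNullOrEmpty(opCode)` keep the same meaning for the empty-string defaults and are null-safe, e.g. `Keywords = string.IsNullOrEmpty(keywords) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Keywords") : keywords,`. The `Correlation` initializer calls `GetSafeExpandoObjectValue(systemPropertiesDictionary, "Correlation")` twice; a local declared before the object initializer would do. In `ToLogRecordEx` and the `EventRecord` overload of `ToLogRecordRaw` the local is still named `logRecordCdoc` although it now holds a `LogRecord`; rename it to `logRecord` as `ToLogRecordCdoc` does. `EventData = returnEventDataDictionary ? (dynamic)namedProperties : json` makes the field's runtime type depend on the flag, and the `<param name="returnEventDataDictionary">` tag at `@ -96,15 +196,18 @@` is empty; state there that `EventData` is the parsed property dictionary when true and the JSON string otherwise.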
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,12 +1,10 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
||||
/// <summary>
|
||||
/// Static helper methods for use in the WinLog namespace.
|
||||
/// </summary>
|
||||
namespace WinLog.Helpers
|
||||
{
|
||||
using System;
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
||||
|
@ -32,6 +33,9 @@ namespace WinLog.Helpers
|
|||
case "Provider":
|
||||
case "TimeCreated":
|
||||
return new KeyValuePair<string, object>(attributeName, xElement.FirstAttribute.Value);
|
||||
case "Correlation":
|
||||
var xAttribute = xElement?.Attribute("ActivityID");
|
||||
return xAttribute != null ? new KeyValuePair<string, object>(attributeName, xAttribute.Value) : new KeyValuePair<string, object>(attributeName, string.Empty);
|
||||
case "Execution":
|
||||
return new KeyValuePair<string, object>(attributeName,
|
||||
string.Format("{0}:{1}", xElement.FirstAttribute.Value,
|
||||
|
@ -46,7 +50,6 @@ namespace WinLog.Helpers
|
|||
case "Opcode":
|
||||
case "Keywords":
|
||||
case "EventRecordID":
|
||||
case "Correlation":
|
||||
case "Channel":
|
||||
case "Computer":
|
||||
return new KeyValuePair<string, object>(attributeName, xElement.Value);
|
|
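Review bot: The new `Correlation` case uses `xElement?.Attribute("ActivityID")` while every other case in this switch dereferences `xElement` directly (`xElement.FirstAttribute.Value`, `xElement.Value`), so the null-conditional only hides a null that the neighbouring cases would throw on; the branch reads more simply as `return new KeyValuePair<string, object>(attributeName, xElement.Attribute("ActivityID")?.Value ?? string.Empty);`. Moving `Correlation` out of the element-value group at `@ -46,7 +50,6 @@` means an event whose Correlation element carries no ActivityID attribute now yields an empty string instead of the element text, and a RelatedActivityID attribute, if present, is not carried; a one-line comment on the case such as `// Only ActivityID is extracted; RelatedActivityID is intentionally ignored` would make that explicit. The enclosing method begins before this hunk.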
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
Copyright (c) Microsoft Corporation.
|
||||
|
||||
MIT License
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
# Privacy statement
|
||||
|
||||
This project contain no facility to collect usage, environment, personal information.
|
||||
|
||||
To view Microsoft's complete privacy statement and relevant details, visit
|
||||
https://privacy.microsoft.com/en-us/privacystatement.
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|
|
@ -1,20 +1,21 @@
|
|||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net452</TargetFramework>
|
||||
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
|
||||
<AssemblyVersion>3.0.1.0</AssemblyVersion>
|
||||
<FileVersion>3.0.1.0</FileVersion>
|
||||
<Version>3.0.1</Version>
|
||||
<TargetFrameworks>net472</TargetFrameworks>
|
||||
<GeneratePackageOnBuild>false</GeneratePackageOnBuild>
|
||||
<Version>3.4.3</Version>
|
||||
<Description>Windows Event Log utility for reading OS Logs, EVTX files, specific to Windows</Description>
|
||||
<Copyright>Copyright © Microsoft. All Rights Reserved</Copyright>
|
||||
<RepositoryUrl>https://msazure.visualstudio.com/One/_git/SecEng-Dev-SIEMfx</RepositoryUrl>
|
||||
<PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
|
||||
<Authors>Microsoft</Authors>
|
||||
<Authors>C+E Security Infra SecEng Dev</Authors>
|
||||
<Description>Library for executing Kusto queries on live streams of data</Description>
|
||||
<PackageReleaseNotes>Library for executing Kusto queries on live streams of data</PackageReleaseNotes>
|
||||
<PackageTags>Windows OS EVTX Logs Playback Replay</PackageTags>
|
||||
<RepositoryType>git</RepositoryType>
|
||||
<GenerateAssemblyVersionAttribute>false</GenerateAssemblyVersionAttribute>
|
||||
<GenerateAssemblyFileVersionAttribute>false</GenerateAssemblyFileVersionAttribute>
|
||||
<GenerateAssemblyInformationalVersionAttribute>false</GenerateAssemblyInformationalVersionAttribute>
|
||||
<AssemblyName>Microsoft.WinLog</AssemblyName>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
|
@ -22,28 +23,11 @@
|
|||
</ItemGroup>
|
||||
|
||||
<!-- .NET 4.5 references, compilation flags and build options -->
|
||||
<ItemGroup Condition=" '$(TargetFramework)' == 'net452' ">
|
||||
<ItemGroup Condition=" '$(TargetFramework)' == 'net472' ">
|
||||
<Reference Include="mscorlib" />
|
||||
<Reference Include="System" />
|
||||
<Reference Include="System.Core" />
|
||||
<Reference Include="Microsoft.CSharp" />
|
||||
</ItemGroup>
|
||||
|
||||
<PropertyGroup Condition=" '$(CdpxPostSigning)' == 'true' ">
|
||||
<IsCleaning>false</IsCleaning>
|
||||
<CopyRoleFilesDependsOn />
|
||||
<AddRoleContentDependsOn />
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<Compile Include="..\..\.version\PipelineAssemblyInfo.cs" Link="Properties\PipelineAssemblyInfo.cs" />
|
||||
</ItemGroup>
|
||||
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
|
||||
<SignAssembly>true</SignAssembly>
|
||||
<DelaySign>true</DelaySign>
|
||||
<KeyFile>..\35MSSharedLib1024.snk</KeyFile>
|
||||
<AssemblyOriginatorKeyFile>..\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>
|
||||
</PropertyGroup>
|
||||
|
||||
</Project>
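Review bot: `<PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>` contradicts the MIT license this commit declares in the LICENSE file and in every `Licensed under the MIT license` header; if that line survives on the new side, the NuGet package will advertise a different license than the source carries, so it should read `<PackageLicenseExpression>MIT</PackageLicenseExpression>`. The old/new markers are lost on this page, so the same hedge applies to `<RepositoryUrl>https://msazure.visualstudio.com/One/_git/SecEng-Dev-SIEMfx</RepositoryUrl>`, which points at an internal Azure DevOps project rather than the public repository a package consumer can reach, and to the two `<Description>` elements, of which MSBuild keeps only the last (the Kusto one, which does not describe this library). The second hunk's header (`-22,28 +23,11`) suggests the delay-signing `PropertyGroup` referencing `35MSSharedLib1024.snk` and the `PipelineAssemblyInfo.cs` link are removed; if so, Release builds are no longer strong-name signed, which is worth stating in the commit description so downstream consumers expecting a signed `Microsoft.WinLog` assembly are not surprised.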
|
|
@ -1,6 +1,7 @@
|
|||
// /********************************************************
|
||||
// * *
|
||||
// * Copyright (C) Microsoft. All rights reserved. *
|
||||
// * Licensed under the MIT license. *
|
||||
// * *
|
||||
// ********************************************************/
|
||||
|