Winlog: Update code files from source CDP with MIT license, include public files, change root folder

This commit is contained in:
rbiles 2021-05-03 16:28:25 -07:00
Родитель ec6f237a15
Коммит 4a1c1d4338
24 изменённых файлов: 676 добавлений и 63 удалений

22
.gitattributes поставляемый Normal file

@ -0,0 +1,22 @@
# Set the default behavior, in case people don't have core.autocrlf set.
* text=auto
# Use text conventions for commonly used text extensions.
*.csv text
*.ini text
*.json text
*.txt text
*.xml text
# Denote all files that are truly binary and should not be modified.
*.dll binary
*.exe binary
*.gz binary
*.ico binary
*.jpg binary
*.lib binary
*.pdb binary
*.pdf binary
*.png binary
*.wim binary
*.zip binary

390
.gitignore поставляемый Normal file

@ -0,0 +1,390 @@
###
OneBranch Specific
###
# Everything outside the src directory
/source/.packages
# Build generated files in src
/source/**/objd/**/*
/source/**/obj/**/*
/source/**/bin/**/*
/source/**/gen/**/*
/source/**/*.nuspec
/source/**/StyleCop.Cache
/source/**/[Ll]ogs/**/stdout.txt
/source/**/[Ll]ogs/**/stderr.txt
*.binlog
# QuickBuild and Build Exe
/source/**/build*.dbb
/source/**/build*.evt
/source/**/build*.log
/source/**/build*.trc
/source/**/build*.trc.txt
/source/**/__tracer/
/source/**/QLogs/
QuickBuild.log
# MSBuild's log file
msbuild.log
# VSMSBuild generated files in CoreXT
*.sln
*.projhash*
*.slnhash*
# Build.exe
*.err
*.wrn
*.log
*.prf
*.trc
buildd.dbb
build.dbb
buildd.evt
build.evt
# CloudBuild
BuildSessionInfo.json
QBuildResultStats.txt
QLogs
###
Secret Disclosure Risks
From: AzSec@microsoft.com
###
# *.pfx
*.[Pp][Ff][Xx]
# *.key
*.[Kk][Ee][Yy]
# *.sst
*.[Ss][Ss][Tt]
# *.p12
*.[Pp]12
# *.pvk
*.[Pp][Vv][Kk]
# wdsconfig.xml
[Ww][Dd][Ss][Cc][Oo][Nn][Ff][Ii][Gg].[Xx][Mm][Ll]
# wdsdeploy.xml
[Ww][Dd][Ss][Dd][Ee][Pp][Ll][Oo][Yy].[Xx][Mm][Ll]
# accounts.xml
[Aa][Cc][Cc][Oo][Uu][Nn][Tt][Ss].[Xx][Mm][Ll]
# deploymentsecrets.xml
[Dd][Ee][Pp][Ll][Oo][Yy][Mm][Ee][Nn][Tt][Ss][Ee][Cc][Rr][Ee][Tt][Ss].[Xx][Mm][Ll]
[Ss][Yy][Ss][Pp][Rr][Ee][Pp].[Ii][Nn][Ff]
# Unix tools, Vim/Emacs included
*~
*.swp
# Office
~$*
###
# Repository Bloat Risks
*.7[Zz]
*.[Bb][Ii][Nn]
*.[Cc][Aa][Bb]
*.[Dd][Ll][Ll]
*.[Dd][Mm][Pp]
*.[Ee][Tt][Ll]
*.[Ee][Xx][Ee]
*.[Gg][Zz]
*.[Ll][Ii][Bb]
*.[Mm][Ss][Ii]
*.[Mm][Ss][Uu]
*.[Nn][Uu][Pp][Kk][Gg]
*.[Pp][Dd][Bb]
*.[Rr][Aa][Rr]
*.[Ss][Oo]
*.[Vv][Hh][Dd]
*.[Ww][Ii][Mm]
*.[Zz][Ii][Pp]
### Begin of VS ignore files from github ####
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
## Retrieved on 2017/01/04 - hash 4f1b03c640ad89096e303423b30ffa09f7e68f2f
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
*.vcxproj.filters
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
**/Properties/launchSettings.json
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
*.mdf
*.ldf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# JetBrains Rider
.idea/
*.sln.iml
# CodeRush
.cr/
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc


@ -0,0 +1,14 @@
# Contributing
This project welcomes contributions and suggestions. Most contributions require you to
agree to a Contributor License Agreement (CLA) declaring that you have the right to,
and actually do, grant us the rights to use your contribution. For details, visit
https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need
to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/
@ -9,11 +10,12 @@ namespace WinLog
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using Newtonsoft.Json;
using WinLog.Helpers;
/// <summary>
/// Class that defines the event metadata.
/// Class that defines the event metadata.
/// </summary>
public class EventIdMetrics
{
@ -29,58 +31,58 @@ namespace WinLog
}
/// <summary>
/// Class that defines the various metrics associated with event uploading.
/// Class that defines the various metrics associated with event uploading.
/// </summary>
public class EventLogUploadResult
{
/// <summary>
/// The number of event records that were uploaded.
/// The number of event records that were uploaded.
/// </summary>
public int EventCount { get; set; }
/// <summary>
/// The number of events that matched the upload filter criteria.
/// The number of events that matched the upload filter criteria.
/// </summary>
public int FilteredEventCount { get; set; }
/// <summary>
/// The number of seconds that it took the program to read all of the events from the event source.
/// The number of seconds that it took the program to read all of the events from the event source.
/// </summary>
public double TimeToRead { get; set; }
/// <summary>
/// The number of seconds that it took to complete uploading the events to the destination.
/// The number of seconds that it took to complete uploading the events to the destination.
/// </summary>
public double TimeToUpload { get; set; }
/// <summary>
/// Whether the upload completed successfully.
/// Whether the upload completed successfully.
/// </summary>
public bool UploadSuccessful { get; set; }
/// <summary>
/// The returned error message, if any.
/// The returned error message, if any.
/// </summary>
public string ErrorMessage { get; set; }
/// <summary>
/// The list of EventIdMetrics uploaded.
/// The list of EventIdMetrics uploaded.
/// </summary>
public Dictionary<string, EventIdMetrics> EventIdMetricsList { get; set; }
/// <summary>
/// The number of events without User Data.
/// The number of events without User Data.
/// </summary>
public int NullUserDataCount { get; set; }
/// <summary>
/// The number of events without extended Event Data.
/// The number of events without extended Event Data.
/// </summary>
public int NullEventDataCount { get; set; }
}
/// <summary>
/// Class that defines an event log record for the purposes of the WinLog namespace.
/// Class that defines an event log record for the purposes of the WinLog namespace.
/// </summary>
public class LogRecord
{
@ -93,7 +95,7 @@ namespace WinLog
public string Keywords;
public DateTime TimeCreated;
public long EventRecordId;
public Guid Correlation; //missing in LogRecordCdoc
public string Correlation; //missing in LogRecordCdoc
public int ProcessId;
public int ThreadId;
public string Channel;
@ -149,12 +151,7 @@ namespace WinLog
Channel = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Channel");
Keywords = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Keywords");
Guid resultCorrelation;
if (Guid.TryParse(CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Correlation"), out resultCorrelation))
{
Correlation = resultCorrelation;
}
Correlation = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "Correlation");
// Variant System properties (not on all Windows Events)
string processId = CommonXmlFunctions.GetSafeExpandoObjectValue(dictionaryRecord, "ProcessID");
@ -172,7 +169,7 @@ namespace WinLog
}
/// <summary>
/// Class that defines an event log record for the purposes of the Microsoft Cyber Defense Operations Center (CDOC).
/// Class that defines an event log record for the purposes of the Microsoft Cyber Defense Operations Center (CDOC).
/// </summary>
public class LogRecordCdoc
{
@ -251,8 +248,8 @@ namespace WinLog
}
/// <summary>
/// Class that defines an event log record for the purposes of the WinLog namespace.
/// Includes extended properties, such as Bookmarks and embedded LogRecordEx instances.
/// Class that defines an event log record for the purposes of the WinLog namespace.
/// Includes extended properties, such as Bookmarks and embedded LogRecordEx instances.
/// </summary>
public class LogRecordEx
{
@ -286,7 +283,66 @@ namespace WinLog
}
/// <summary>
/// Class for enabling JSON parsing of events.
/// Class that defines an event log record for the purposes of the WinLog namespace.
/// Includes extended properties, such as Bookmarks and embedded LogRecordEx instances.
/// </summary>
public class LogRecordRaw
{
public string Provider { get; set; }
public int EventId { get; set; }
public string Version { get; set; }
public string Level { get; set; }
public string Task { get; set; }
public string Opcode { get; set; }
public DateTime TimeCreated { get; set; }
public long EventRecordId { get; set; }
public int ProcessId { get; set; }
public int ThreadId { get; set; }
public string Channel { get; set; }
public string Computer { get; set; }
public string Security { get; set; }
public string Keywords { get; set; }
public string Correlation { get; set; }
public Dictionary<string, string> EventData { get; set; }
public LogRecordRaw(EventBookmark bookmark)
{
Bookmark = bookmark;
}
public LogRecordRaw()
{
}
public EventBookmark Bookmark { get; private set; }
public IDictionary<string, object> ToDictionary(LogRecordRaw logRecordRaw)
{
IDictionary<string, object> returnValue = logRecordRaw.GetType()
.GetProperties()
.ToDictionary(prop => prop.Name, prop => prop.GetValue(logRecordRaw, null));
return returnValue;
}
}
/// <summary>
/// Class for enabling JSON parsing of events.
/// </summary>
public class JsonParseFilter
{
@ -309,7 +365,7 @@ namespace WinLog
}
/// <summary>
/// Class defining metadata about where and when a log file was collected.
/// Class defining metadata about where and when a log file was collected.
/// </summary>
public class LogFileLineage
{
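Review bot: `LogRecordRaw.ToDictionary` projects every public property via `GetProperties()`, so the `Bookmark` property declared just below it lands in the dictionary next to the event fields, and if that dictionary is what gets serialized for upload an opaque `EventBookmark` travels with each record. Excluding it is a one-line filter before the projection: `.Where(prop => prop.Name != nameof(Bookmark))`. The method is also an instance method that takes a `LogRecordRaw` parameter, so `this` and `logRecordRaw` can disagree; either drop the parameter or document which one is authoritative. The `<summary>` on `LogRecordRaw` is copied from `LogRecordEx` and promises embedded LogRecordEx instances this class does not have; `/// Flat event record whose public properties are projected to a dictionary for JSON output.` would match the code. Separately, `LogRecord.Correlation` changed from `Guid` to `string` and the `Guid.TryParse` guard in the constructor was dropped, so consumers now receive whatever text the XML carried rather than a validated id.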


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/
@ -45,14 +46,34 @@ namespace WinLog
string keywords;
providerStringCache.Lookup(eventRecord, out level, out task, out opCode, out keywords);
return ToLogRecordCdoc(
LogRecord logRecord = ToLogRecord(
eventRecord.ToXml(),
eventRecord.Bookmark,
level,
task,
opCode,
eventRecord.ProcessId ?? 0,
eventRecord.ThreadId ?? 0);
eventRecord.ThreadId ?? 0,
keywords);
return new LogRecordCdoc
{
EventRecordId = logRecord.EventRecordId,
TimeCreated = logRecord.TimeCreated,
Computer = logRecord.Computer,
ProcessId = logRecord.ProcessId,
ThreadId = logRecord.ThreadId,
Provider = logRecord.Provider,
EventId = logRecord.EventId,
Level = logRecord.Level,
Version = logRecord.Version,
Channel = logRecord.Channel,
Task = logRecord.Task,
Opcode = logRecord.Opcode,
Security = logRecord.Security,
EventData = logRecord.EventData,
LogFileLineage = logRecord.LogFileLineage
};
}
/// <summary>
@ -65,7 +86,7 @@ namespace WinLog
public LogRecordEx ToLogRecordEx(string eventXml,
EventBookmark eventBookmark = null)
{
LogRecordCdoc logRecordCdoc = ToLogRecordCdoc(eventXml, eventBookmark);
LogRecord logRecordCdoc = ToLogRecord(eventXml, eventBookmark);
return new LogRecordEx
{
@ -81,11 +102,90 @@ namespace WinLog
Channel = logRecordCdoc.Channel,
Task = logRecordCdoc.Task,
Opcode = logRecordCdoc.Opcode,
Security = logRecordCdoc.Security,
EventData = logRecordCdoc.EventData,
LogFileLineage = logRecordCdoc.LogFileLineage
};
}
/// <summary>
/// Converts a Windows EventRecord into a JsonLogRecord, used to insert to Kusto
/// </summary>
/// <param name="eventRecord">the EventRecord object</param>
/// <returns></returns>
public IDictionary<string, object> ToLogRecordRaw(EventRecord eventRecord)
{
if (eventRecord == null)
{
throw new ArgumentNullException(nameof(eventRecord));
}
string level;
string task;
string opCode;
string keywords;
providerStringCache.Lookup(eventRecord, out level, out task, out opCode, out keywords);
LogRecord logRecordCdoc = ToLogRecord(
eventRecord.ToXml(),
eventRecord.Bookmark,
level,
task,
opCode,
eventRecord.ProcessId ?? 0,
eventRecord.ThreadId ?? 0,
keywords,
true);
return GetLogRecordRawObject(logRecordCdoc);
}
/// <summary>
/// Converts a Windows EventRecord into a JsonLogRecordEx, containing an Extended field for use, used to insert to
/// Kusto
/// </summary>
/// <param name="eventXml"></param>
/// <param name="eventBookmark"></param>
/// <returns></returns>
public IDictionary<string, object> ToLogRecordRaw(string eventXml,
EventBookmark eventBookmark = null)
{
LogRecord logRecord = ToLogRecord(eventXml, eventBookmark, string.Empty, string.Empty, string.Empty, 0, 0, string.Empty, true);
return GetLogRecordRawObject(logRecord);
}
/// <summary>
/// Common method return a LogRecordRaw object from a LogRecordCDOC object, essentially without a LogFileLineage field
/// while using the exact same methodology for parsing as all other parsing.
/// </summary>
/// <param name="logRecord"></param>
/// <returns></returns>
private IDictionary<string, object> GetLogRecordRawObject(LogRecord logRecord)
{
var instance = new LogRecordRaw
{
EventRecordId = logRecord.EventRecordId,
TimeCreated = logRecord.TimeCreated,
Computer = logRecord.Computer,
ProcessId = logRecord.ProcessId,
ThreadId = logRecord.ThreadId,
Provider = logRecord.Provider,
EventId = logRecord.EventId,
Level = logRecord.Level,
Version = logRecord.Version,
Channel = logRecord.Channel,
Task = logRecord.Task,
Opcode = logRecord.Opcode,
EventData = logRecord.EventData,
Security = logRecord.Security,
Keywords = logRecord.Keywords,
Correlation = logRecord.Correlation
};
return instance.ToDictionary(instance);
}
/// <summary>
/// Creates a JsonLogRecord object
/// </summary>
@ -96,15 +196,18 @@ namespace WinLog
/// <param name="opCode"></param>
/// <param name="processId"></param>
/// <param name="threadId"></param>
/// <param name="returnEventDataDictionary"></param>
/// <returns></returns>
public LogRecordCdoc ToLogRecordCdoc(
public LogRecord ToLogRecord(
string eventXml,
EventBookmark eventBookmark,
string level = "",
string task = "",
string opCode = "",
int processId = 0,
int threadId = 0)
int threadId = 0,
string keywords = "",
bool returnEventDataDictionary = false)
{
try
{
@ -184,7 +287,7 @@ namespace WinLog
var serializedLogFileLineage = JsonConvert.SerializeObject(logFileLineage);
return new LogRecordCdoc()
return new LogRecord()
{
EventRecordId = Convert.ToInt64(systemPropertiesDictionary["EventRecordID"]),
TimeCreated = Convert.ToDateTime(systemPropertiesDictionary["TimeCreated"]),
@ -193,13 +296,15 @@ namespace WinLog
ThreadId = processId.Equals(0) ? Convert.ToInt32(executionProcessThread[1]) : threadId,
Provider = systemPropertiesDictionary["Provider"].ToString(),
EventId = Convert.ToInt32(systemPropertiesDictionary["EventID"]),
Level = !level.Equals(string.Empty) ? systemPropertiesDictionary["Level"].ToString() : level,
Level = level.Equals(string.Empty) ? systemPropertiesDictionary["Level"].ToString() : level,
Version = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Version"),
Channel = systemPropertiesDictionary["Channel"].ToString(),
Security = CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Security"),
Task = !task.Equals(string.Empty) ? systemPropertiesDictionary["Task"].ToString() : task,
Opcode = opCode,
EventData = json,
Keywords = keywords.Equals(string.Empty) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Keywords") : keywords,
Correlation = !string.IsNullOrWhiteSpace(CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Correlation")) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Correlation") : string.Empty,
Task = task.Equals(string.Empty) ? systemPropertiesDictionary["Task"].ToString() : task,
Opcode = opCode.Equals(string.Empty) ? CommonXmlFunctions.GetSafeExpandoObjectValue(systemPropertiesDictionary, "Opcode") : opCode,
EventData = returnEventDataDictionary ? (dynamic)namedProperties : json,
LogFileLineage = serializedLogFileLineage
};
}
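Review bot: `EventData = returnEventDataDictionary ? (dynamic)namedProperties : json` in `ToLogRecord` moves the type check to runtime; `GetLogRecordRawObject` then copies `logRecord.EventData` into `LogRecordRaw.EventData`, which LogRecord.cs declares as `Dictionary<string, string>`, so if `namedProperties` is not exactly that type (its declaration is outside the hunk) the failure surfaces as a binder exception on the first parsed event rather than at compile time — a typed property or an explicit cast at the assignment would make that contract visible. The new `returnEventDataDictionary` parameter has an empty `<param>` tag; `/// <param name="returnEventDataDictionary">When true, EventData holds the parsed property dictionary instead of the serialized JSON string.</param>` states what the ternary does, and `keywords` should get a tag as well. The locals in `ToLogRecordEx` and `ToLogRecordRaw(EventRecord)` are still named `logRecordCdoc` although they now hold a `LogRecord`; the `ToLogRecordCdoc` body above already uses `logRecord`. The `Correlation` initializer calls `GetSafeExpandoObjectValue` twice for the same key; a local would avoid the repeated lookup. `ToLogRecord`'s body starts and ends outside the hunks shown.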


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,12 +1,10 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/
/// <summary>
/// Static helper methods for use in the WinLog namespace.
/// </summary>
namespace WinLog.Helpers
{
using System;


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/
@ -32,6 +33,9 @@ namespace WinLog.Helpers
case "Provider":
case "TimeCreated":
return new KeyValuePair<string, object>(attributeName, xElement.FirstAttribute.Value);
case "Correlation":
var xAttribute = xElement?.Attribute("ActivityID");
return xAttribute != null ? new KeyValuePair<string, object>(attributeName, xAttribute.Value) : new KeyValuePair<string, object>(attributeName, string.Empty);
case "Execution":
return new KeyValuePair<string, object>(attributeName,
string.Format("{0}:{1}", xElement.FirstAttribute.Value,
@ -46,7 +50,6 @@ namespace WinLog.Helpers
case "Opcode":
case "Keywords":
case "EventRecordID":
case "Correlation":
case "Channel":
case "Computer":
return new KeyValuePair<string, object>(attributeName, xElement.Value);
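Review bot: The new `"Correlation"` case surfaces only the `ActivityID` attribute; the Windows event `<Correlation>` element can also carry `RelatedActivityID`, which is now silently dropped, and nothing in the hunk records that choice — a comment such as `// Correlation carries its ids as attributes, not element text; only ActivityID is surfaced, RelatedActivityID is ignored.` would stop the next reader from treating it as an oversight. The `xElement?.Attribute(...)` null-conditional is also inconsistent with the neighbouring cases, which dereference `xElement.FirstAttribute` and `xElement.Value` directly; either `xElement` cannot be null here and the `?.` is misleading, or the other cases need the same guard. The enclosing switch and method start before the first hunk and end after the second.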


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/

21
Source/WinLog/LICENSE.txt Normal file

@ -0,0 +1,21 @@
Copyright (c) Microsoft Corporation.
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/

7
Source/WinLog/PRIVACY.md Normal file

@ -0,0 +1,7 @@
# Privacy statement
This project contain no facility to collect usage, environment, personal information.
To view Microsoft's complete privacy statement and relevant details, visit
https://privacy.microsoft.com/en-us/privacystatement.


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/


@ -1,20 +1,21 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net452</TargetFramework>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<AssemblyVersion>3.0.1.0</AssemblyVersion>
<FileVersion>3.0.1.0</FileVersion>
<Version>3.0.1</Version>
<TargetFrameworks>net472</TargetFrameworks>
<GeneratePackageOnBuild>false</GeneratePackageOnBuild>
<Version>3.4.3</Version>
<Description>Windows Event Log utility for reading OS Logs, EVTX files, specific to Windows</Description>
<Copyright>Copyright © Microsoft. All Rights Reserved</Copyright>
<RepositoryUrl>https://msazure.visualstudio.com/One/_git/SecEng-Dev-SIEMfx</RepositoryUrl>
<PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
<Authors>Microsoft</Authors>
<Authors>C+E Security Infra SecEng Dev</Authors>
<Description>Library for executing Kusto queries on live streams of data</Description>
<PackageReleaseNotes>Library for executing Kusto queries on live streams of data</PackageReleaseNotes>
<PackageTags>Windows OS EVTX Logs Playback Replay</PackageTags>
<RepositoryType>git</RepositoryType>
<GenerateAssemblyVersionAttribute>false</GenerateAssemblyVersionAttribute>
<GenerateAssemblyFileVersionAttribute>false</GenerateAssemblyFileVersionAttribute>
<GenerateAssemblyInformationalVersionAttribute>false</GenerateAssemblyInformationalVersionAttribute>
<AssemblyName>Microsoft.WinLog</AssemblyName>
</PropertyGroup>
<ItemGroup>
@ -22,28 +23,11 @@
</ItemGroup>
<!-- .NET 4.5 references, compilation flags and build options -->
<ItemGroup Condition=" '$(TargetFramework)' == 'net452' ">
<ItemGroup Condition=" '$(TargetFramework)' == 'net472' ">
<Reference Include="mscorlib" />
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="Microsoft.CSharp" />
</ItemGroup>
<PropertyGroup Condition=" '$(CdpxPostSigning)' == 'true' ">
<IsCleaning>false</IsCleaning>
<CopyRoleFilesDependsOn />
<AddRoleContentDependsOn />
</PropertyGroup>
<ItemGroup>
<Compile Include="..\..\.version\PipelineAssemblyInfo.cs" Link="Properties\PipelineAssemblyInfo.cs" />
</ItemGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
<SignAssembly>true</SignAssembly>
<DelaySign>true</DelaySign>
<KeyFile>..\35MSSharedLib1024.snk</KeyFile>
<AssemblyOriginatorKeyFile>..\35MSSharedLib1024.snk</AssemblyOriginatorKeyFile>
</PropertyGroup>
</Project>
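Review bot: The second hunk shrinks the tail of the project from 28 to 11 lines, which by the visible content removes the `SignAssembly`/`DelaySign`/`35MSSharedLib1024.snk` property group and the linked `PipelineAssemblyInfo.cs`; Release builds then ship an assembly that is no longer strong-named, so any consumer bound to the old identity (binding redirects, GAC, strong-name-checked loads) sees a different assembly, and that deserves a line in the release notes. With `AssemblyVersion`/`FileVersion` gone and `GenerateAssembly*VersionAttribute` still `false`, the build may also emit no version attributes at all once the linked assembly-info file is gone — confirm the output carries the `3.4.3` from `<Version>`. The rendered page does not recover which side `<RepositoryUrl>https://msazure.visualstudio.com/One/_git/SecEng-Dev-SIEMfx</RepositoryUrl>` and `<PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>` are on; if they survive on the new side they contradict the MIT license this commit adds and point a public package at an internal repository, and `<Description>` would be set twice.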


@ -1,6 +1,7 @@
// /********************************************************
// * *
// * Copyright (C) Microsoft. All rights reserved. *
// * Licensed under the MIT license. *
// * *
// ********************************************************/