Context Navigation

source: nscp/modules/CheckEventLog/CheckEventLog.cpp @ 8c7d67f

0.4.00.4.10.4.2stable

Last change on this file since 8c7d67f was 8c7d67f, checked in by Michael Medin <michael@…>, 5 years ago

+ Added debug to new section [Eventlog], when enabled it will (log) wat lines matched what, this is a pretty big performance overhead so dont run with this one.

+ Added syntax to new section [Eventlog] used as a shorthand for the syntax to use as "default" (when no syntax=... option is given)

Fixed an issue with eventlog and . matching. + Added shorthand ! for != in "all" numeric filters (eventlog)

Property mode set to 100644

File size: 21.7 KB

Line
1	/**************************************************************************
2	* Copyright (C) 2004-2007 by Michael Medin <michael@medin.name> *
3	* *
4	* This code is part of NSClient++ - http://trac.nakednuns.org/nscp *
5	* *
6	* This program is free software; you can redistribute it and/or modify *
7	* it under the terms of the GNU General Public License as published by *
8	* the Free Software Foundation; either version 2 of the License, or *
9	* (at your option) any later version. *
10	* *
11	* This program is distributed in the hope that it will be useful, *
12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14	* GNU General Public License for more details. *
15	* *
16	* You should have received a copy of the GNU General Public License *
17	* along with this program; if not, write to the *
18	* Free Software Foundation, Inc., *
19	* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
20	***************************************************************************/
21
22	#include "stdafx.h"
23	#include "CheckEventLog.h"
24	#include <filter_framework.hpp>
25
26	#include <strEx.h>
27	#include <time.h>
28	#include <utils.h>
29	#include <error.hpp>
30	#include <map>
31
32	CheckEventLog gCheckEventLog;
33
34	BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
35	{
36	NSCModuleWrapper::wrapDllMain(hModule, ul_reason_for_call);
37	return TRUE;
38	}
39
40	CheckEventLog::CheckEventLog() {
41	}
42	CheckEventLog::~CheckEventLog() {
43	}
44
45
46	bool CheckEventLog::loadModule() {
47	try {
48	NSCModuleHelper::registerCommand(_T("CheckEventLog"), _T("Check for errors in the event logger!"));
49	debug_ = NSCModuleHelper::getSettingsInt(EVENTLOG_SECTION_TITLE, EVENTLOG_DEBUG, EVENTLOG_DEBUG_DEFAULT)==1;
50	syntax_ = NSCModuleHelper::getSettingsString(EVENTLOG_SECTION_TITLE, EVENTLOG_SYNTAX, EVENTLOG_SYNTAX_DEFAULT);
51	} catch (NSCModuleHelper::NSCMHExcpetion &e) {
52	NSC_LOG_ERROR_STD(_T("Failed to register command: ") + e.msg_);
53	} catch (...) {
54	NSC_LOG_ERROR_STD(_T("Failed to register command."));
55	}
56	return true;
57	}
58	bool CheckEventLog::unloadModule() {
59	return true;
60	}
61
62	bool CheckEventLog::hasCommandHandler() {
63	return true;
64	}
65	bool CheckEventLog::hasMessageHandler() {
66	return false;
67	}
68
69
70	class EventLogRecord {
71	EVENTLOGRECORD *pevlr_;
72	__int64 currentTime_;
73	std::wstring file_;
74	public:
75	EventLogRecord(std::wstring file, EVENTLOGRECORD *pevlr, __int64 currentTime) : file_(file), pevlr_(pevlr), currentTime_(currentTime) {
76	}
77	inline __int64 timeGenerated() const {
78	return (currentTime_-pevlr_->TimeGenerated)*1000;
79	}
80	inline __int64 timeWritten() const {
81	return (currentTime_-pevlr_->TimeWritten)*1000;
82	}
83	inline std::wstring eventSource() const {
84	return reinterpret_cast<WCHAR*>(reinterpret_cast<LPBYTE>(pevlr_) + sizeof(EVENTLOGRECORD));
85	}
86	inline DWORD eventID() const {
87	return (pevlr_->EventID&0xffff);
88	}
89	inline DWORD severity() const {
90	return (pevlr_->EventID>>30);
91	}
92
93	inline DWORD eventType() const {
94	return pevlr_->EventType;
95	}
96	/*
97	std::wstring userSID() const {
98	if (pevlr_->UserSidOffset == 0)
99	return "";
100	PSID p = reinterpret_cast<PSID>(reinterpret_cast<LPBYTE>(pevlr_) + + pevlr_->UserSidOffset);
101	LPSTR user = new CHAR[1025];
102	LPSTR domain = new CHAR[1025];
103	DWORD userLen = 1024;
104	DWORD domainLen = 1024;
105	SID_NAME_USE sidName;
106	LookupAccountSid(NULL, p, user, &userLen, domain, &domainLen, &sidName);
107	user[userLen] = 0;
108	domain[domainLen] = 0;
109	return std::wstring(domain) + "\\" + std::wstring(user);
110	}
111	*/
112
113	std::wstring enumStrings() const {
114	std::wstring ret;
115	TCHAR* p = reinterpret_cast<TCHAR*>(reinterpret_cast<LPBYTE>(pevlr_) + pevlr_->StringOffset);
116	for (unsigned int i =0;i<pevlr_->NumStrings;i++) {
117	std::wstring s = p;
118	if (!s.empty())
119	s += _T(", ");
120	ret += s;
121	p+= wcslen(p)+1;
122	}
123	return ret;
124	}
125
126	static DWORD appendType(DWORD dwType, std::wstring sType) {
127	return dwType \| translateType(sType);
128	}
129	static DWORD subtractType(DWORD dwType, std::wstring sType) {
130	return dwType & (!translateType(sType));
131	}
132	static DWORD translateType(std::wstring sType) {
133	if (sType == _T("error"))
134	return EVENTLOG_ERROR_TYPE;
135	if (sType == _T("warning"))
136	return EVENTLOG_WARNING_TYPE;
137	if (sType == _T("info"))
138	return EVENTLOG_INFORMATION_TYPE;
139	if (sType == _T("auditSuccess"))
140	return EVENTLOG_AUDIT_SUCCESS;
141	if (sType == _T("auditFailure"))
142	return EVENTLOG_AUDIT_FAILURE;
143	return strEx::stoi(sType);
144	}
145	static std::wstring translateType(DWORD dwType) {
146	if (dwType == EVENTLOG_ERROR_TYPE)
147	return _T("error");
148	if (dwType == EVENTLOG_WARNING_TYPE)
149	return _T("warning");
150	if (dwType == EVENTLOG_INFORMATION_TYPE)
151	return _T("info");
152	if (dwType == EVENTLOG_AUDIT_SUCCESS)
153	return _T("auditSuccess");
154	if (dwType == EVENTLOG_AUDIT_FAILURE)
155	return _T("auditFailure");
156	return strEx::itos(dwType);
157	}
158	static DWORD translateSeverity(std::wstring sType) {
159	if (sType == _T("success"))
160	return 0;
161	if (sType == _T("informational"))
162	return 1;
163	if (sType == _T("warning"))
164	return 2;
165	if (sType == _T("error"))
166	return 3;
167	return strEx::stoi(sType);
168	}
169	static std::wstring translateSeverity(DWORD dwType) {
170	if (dwType == 0)
171	return _T("success");
172	if (dwType == 1)
173	return _T("informational");
174	if (dwType == 2)
175	return _T("warning");
176	if (dwType == 3)
177	return _T("error");
178	return strEx::itos(dwType);
179	}
180	std::wstring get_dll() {
181	HKEY hKey = HKEY_LOCAL_MACHINE;
182	std::wstring path = ((std::wstring)_T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\") + file_ + (std::wstring)_T("\\") + eventSource()).c_str();
183	std::wstring ret;
184	HKEY hTemp;
185	LONG lRet = ERROR_SUCCESS;
186	if (lRet = RegOpenKeyEx(hKey, path.c_str(), 0, KEY_QUERY_VALUE, &hTemp) != ERROR_SUCCESS) {
187	NSC_LOG_ERROR_STD(_T("Could not extract DLL for eventsource: ") + eventSource() + error::format::from_system(lRet));
188	return ret;
189	}
190	DWORD type;
191	const DWORD data_length = 2048;
192	DWORD cbData = data_length;
193	BYTE *bData = new BYTE[cbData];
194	lRet = RegQueryValueEx(hTemp, _T("EventMessageFile"), NULL, &type, bData, &cbData);
195	if (lRet == ERROR_SUCCESS) {
196	if (type == REG_SZ) {
197	if (cbData < data_length-1) {
198	bData[cbData] = 0;
199	ret = reinterpret_cast<LPCTSTR>(bData);
200	} else {
201	NSC_LOG_ERROR_STD(_T("Could not extract DLL for eventsource: ") + eventSource());
202	}
203	} else if (type == REG_EXPAND_SZ) {
204	#define EXPAND_BUFFER_SIZE 2048
205	if (cbData < data_length-1) {
206	bData[cbData] = 0;
207	std::wstring s = reinterpret_cast<LPCTSTR>(bData);
208	TCHAR *buffer = new TCHAR[EXPAND_BUFFER_SIZE+1];
209	DWORD expRet = ExpandEnvironmentStrings(s.c_str(), buffer, EXPAND_BUFFER_SIZE);
210	if (expRet >= EXPAND_BUFFER_SIZE)
211	NSC_LOG_ERROR_STD(_T("Could not extract DLL for eventsource: ") + eventSource());
212	else
213	ret = buffer;
214	} else {
215	NSC_LOG_ERROR_STD(_T("Could not extract DLL for eventsource: ") + eventSource());
216	}
217	} else {
218	NSC_LOG_ERROR_STD(_T("Could not extract DLL for eventsource: ") + eventSource());
219	}
220	} else {
221	NSC_LOG_ERROR_STD(_T("Could not extract DLL for eventsource: ") + eventSource() + error::format::from_system(lRet));
222	}
223	RegCloseKey(hTemp);
224	delete [] bData;
225	return ret;
226	}
227
228	std::wstring render_message() {
229	DWORD *dwArgs = new DWORD[pevlr_->NumStrings+1];
230	TCHAR* p = reinterpret_cast<TCHAR*>(reinterpret_cast<LPBYTE>(pevlr_) + pevlr_->StringOffset);
231	for (unsigned int i =0;i<pevlr_->NumStrings;i++) {
232	dwArgs[i] = reinterpret_cast<DWORD>(p);
233	DWORD len = wcslen(p);
234	p += len+1;
235	}
236
237	/*
238	TCHAR _sz = (TCHAR)GlobalAlloc(GPTR, (pevlr_->NumStrings)sizeof(TCHAR ));
239	register UINT z;
240	TCHAR* p = reinterpret_cast<TCHAR*>(reinterpret_cast<LPBYTE>(pevlr_) + pevlr_->StringOffset);
241	for(unsigned int z = 0; z < pevlr_->NumStrings; z++) {
242	DWORD len = wcslen(p);
243	_sz[z] = (TCHAR )GlobalAlloc(GPTR, (len+1) sizeof(TCHAR));
244	wcscpy_s(_sz[z], len, p);
245	p += len+1;
246	}
247	*/
248	std::wstring ret;
249	strEx::splitList dlls = strEx::splitEx(get_dll(), _T(";"));
250	for (strEx::splitList::const_iterator cit = dlls.begin(); cit != dlls.end(); ++cit) {
251	//std::wstring msg = error::format::message::from_module((*cit), eventID(), _sz);
252	std::wstring msg = error::format::message::from_module((*cit), eventID(), dwArgs);
253	if (msg.empty()) {
254	msg = error::format::message::from_module((*cit), pevlr_->EventID, dwArgs);
255	}
256	strEx::replace(msg, _T("\n"), _T(" "));
257	strEx::replace(msg, _T("\t"), _T(" "));
258	std::string::size_type pos = msg.find_last_not_of(_T("\n\t "));
259	if (pos != std::string::npos) {
260	msg = msg.substr(0,pos);
261	}
262	if (!msg.empty()) {
263	if (!ret.empty())
264	ret += _T(", ");
265	ret += msg;
266	}
267	}
268	delete [] dwArgs;
269	return ret;
270	}
271	SYSTEMTIME get_time(DWORD time) {
272	FILETIME FileTime, LocalFileTime;
273	SYSTEMTIME SysTime;
274	__int64 lgTemp;
275	__int64 SecsTo1970 = 116444736000000000;
276
277	lgTemp = Int32x32To64(time,10000000) + SecsTo1970;
278
279	FileTime.dwLowDateTime = (DWORD) lgTemp;
280	FileTime.dwHighDateTime = (DWORD)(lgTemp >> 32);
281
282	FileTimeToLocalFileTime(&FileTime, &LocalFileTime);
283	FileTimeToSystemTime(&LocalFileTime, &SysTime);
284	return SysTime;
285	}
286
287	SYSTEMTIME get_time_generated() {
288	return get_time(pevlr_->TimeGenerated);
289	}
290	SYSTEMTIME get_time_written() {
291	return get_time(pevlr_->TimeWritten);
292	}
293
294	std::wstring render(bool propper, std::wstring syntax, std::wstring date_format = DATE_FORMAT) {
295	if (propper) {
296	// To obtain the appropriate message string from the message file, load the message file with the LoadLibrary function and use the FormatMessage function
297	strEx::replace(syntax, _T("%message%"), render_message());
298	} else {
299	strEx::replace(syntax, _T("%message%"), _T("%message% needs the descriptions flag set!"));
300	}
301
302	strEx::replace(syntax, _T("%source%"), eventSource());
303	strEx::replace(syntax, _T("%generated%"), strEx::format_date(get_time_generated(), date_format));
304	strEx::replace(syntax, _T("%written%"), strEx::format_date(get_time_written(), date_format));
305	strEx::replace(syntax, _T("%type%"), translateType(eventType()));
306	strEx::replace(syntax, _T("%severity%"), translateSeverity(severity()));
307	strEx::replace(syntax, _T("%strings%"), enumStrings());
308	strEx::replace(syntax, _T("%id%"), strEx::itos(eventID()));
309	return syntax;
310	}
311	};
312	/*
313	return (pevlr_->EventID&0xffff);
314	}
315	inline DWORD severity() const {
316	return (pevlr_->EventID>>30);
317	*/
318	class uniq_eventlog_record {
319	DWORD ID;
320	WORD type;
321	WORD category;
322	public:
323	std::wstring message;
324	uniq_eventlog_record(EVENTLOGRECORD *pevlr) : ID(pevlr->EventID&0xffff), type(pevlr->EventType), category(pevlr->EventCategory) {}
325	bool operator< (const uniq_eventlog_record &other) const {
326	return (ID < other.ID) \|\| ((ID==other.ID)&&(type < other.type)) \|\| (ID==other.ID&&type==other.type)&&(category < other.category);
327	}
328	std::wstring to_string() const {
329	return _T("id=") + strEx::itos(ID) + _T("type=") + strEx::itos(type) + _T("category=") + strEx::itos(category);
330	}
331	};
332	typedef std::map<uniq_eventlog_record,unsigned int> uniq_eventlog_map;
333
334
335	struct eventlog_filter {
336	filters::filter_all_strings eventSource;
337	filters::filter_all_numeric<unsigned int, filters::handlers::eventtype_handler> eventType;
338	filters::filter_all_numeric<unsigned int, filters::handlers::eventseverity_handler> eventSeverity;
339	filters::filter_all_strings message;
340	filters::filter_all_times timeWritten;
341	filters::filter_all_times timeGenerated;
342	filters::filter_all_numeric<DWORD, filters::handlers::eventtype_handler> eventID;
343	std::wstring value_;
344
345	inline bool hasFilter() {
346	return eventSource.hasFilter() \|\| eventType.hasFilter() \|\| eventID.hasFilter() \|\| eventSeverity.hasFilter() \|\| message.hasFilter() \|\|
347	timeWritten.hasFilter() \|\| timeGenerated.hasFilter();
348	}
349	std::wstring getValue() const {
350	if (eventSource.hasFilter())
351	return eventSource.getValue();
352	if (eventType.hasFilter())
353	return eventType.getValue();
354	if (eventSeverity.hasFilter())
355	return eventSeverity.getValue();
356	if (eventID.hasFilter())
357	return eventID.getValue();
358	if (message.hasFilter())
359	return message.getValue();
360	if (timeWritten.hasFilter())
361	return timeWritten.getValue();
362	if (timeGenerated.hasFilter())
363	return timeGenerated.getValue();
364	return _T("UNknown...");
365	}
366	bool matchFilter(const EventLogRecord &value) const {
367	if ((eventSource.hasFilter())&&(eventSource.matchFilter(value.eventSource())))
368	return true;
369	else if ((eventType.hasFilter())&&(eventType.matchFilter(value.eventType())))
370	return true;
371	else if ((eventSeverity.hasFilter())&&(eventSeverity.matchFilter(value.severity())))
372	return true;
373	else if ((eventID.hasFilter())&&(eventID.matchFilter(value.eventID())))
374	return true;
375	else if ((message.hasFilter())&&(message.matchFilter(value.enumStrings())))
376	return true;
377	else if ((timeWritten.hasFilter())&&(timeWritten.matchFilter(value.timeWritten())))
378	return true;
379	else if ((timeGenerated.hasFilter())&&(timeGenerated.matchFilter(value.timeGenerated())))
380	return true;
381	return false;
382	}
383	};
384
385
386	#define MAP_FILTER(value, obj, filtermode) \
387	else if (p__.first == value) { eventlog_filter filter; filter.obj = p__.second; filter_chain.push_back(filteritem_type(filtermode, filter)); }
388
389
390	#define BUFFER_SIZE 1024*64
391	NSCAPI::nagiosReturn CheckEventLog::handleCommand(const strEx::blindstr command, const unsigned int argLen, TCHAR **char_args, std::wstring &message, std::wstring &perf) {
392	if (command != _T("CheckEventLog"))
393	return NSCAPI::returnIgnored;
394	typedef checkHolders::CheckConatiner<checkHolders::MaxMinBoundsULongInteger> EventLogQueryConatiner;
395	typedef std::pair<int,eventlog_filter> filteritem_type;
396	typedef std::list<filteritem_type > filterlist_type;
397	NSCAPI::nagiosReturn returnCode = NSCAPI::returnOK;
398	std::list<std::wstring> stl_args = arrayBuffer::arrayBuffer2list(argLen, char_args);
399
400	std::list<std::wstring> files;
401	filterlist_type filter_chain;
402	EventLogQueryConatiner query;
403
404	bool bPerfData = true;
405	bool bFilterIn = true;
406	bool bFilterAll = false;
407	bool bFilterNew = false;
408	bool bShowDescriptions = false;
409	bool unique = false;
410	unsigned int truncate = 0;
411	std::wstring syntax = syntax_;
412	const int filter_plus = 1;
413	const int filter_minus = 2;
414	const int filter_normal = 3;
415	const int filter_compat = 3;
416
417	try {
418	MAP_OPTIONS_BEGIN(stl_args)
419	MAP_OPTIONS_NUMERIC_ALL(query, _T(""))
420	MAP_OPTIONS_STR2INT(_T("truncate"), truncate)
421	MAP_OPTIONS_BOOL_TRUE(_T("unique"), unique)
422	MAP_OPTIONS_BOOL_TRUE(_T("descriptions"), bShowDescriptions)
423	MAP_OPTIONS_PUSH(_T("file"), files)
424	MAP_OPTIONS_BOOL_FALSE(IGNORE_PERFDATA, bPerfData)
425	MAP_OPTIONS_BOOL_EX(_T("filter"), bFilterNew, _T("new"), _T("old"))
426	MAP_OPTIONS_BOOL_EX(_T("filter"), bFilterIn, _T("in"), _T("out"))
427	MAP_OPTIONS_BOOL_EX(_T("filter"), bFilterAll, _T("all"), _T("any"))
428	MAP_OPTIONS_STR(_T("syntax"), syntax)
429	/*
430	MAP_FILTER_OLD("filter-eventType", eventType)
431	MAP_FILTER_OLD("filter-severity", eventSeverity)
432	MAP_FILTER_OLD("filter-eventID", eventID)
433	MAP_FILTER_OLD("filter-eventSource", eventSource)
434	MAP_FILTER_OLD("filter-generated", timeGenerated)
435	MAP_FILTER_OLD("filter-written", timeWritten)
436	MAP_FILTER_OLD("filter-message", message)
437	*/
438	MAP_FILTER(_T("filter+eventType"), eventType, filter_plus)
439	MAP_FILTER(_T("filter+severity"), eventSeverity, filter_plus)
440	MAP_FILTER(_T("filter+eventID"), eventID, filter_plus)
441	MAP_FILTER(_T("filter+eventSource"), eventSource, filter_plus)
442	MAP_FILTER(_T("filter+generated"), timeGenerated, filter_plus)
443	MAP_FILTER(_T("filter+written"), timeWritten, filter_plus)
444	MAP_FILTER(_T("filter+message"), message, filter_plus)
445
446	MAP_FILTER(_T("filter.eventType"), eventType, filter_normal)
447	MAP_FILTER(_T("filter.severity"), eventSeverity, filter_normal)
448	MAP_FILTER(_T("filter.eventID"), eventID, filter_normal)
449	MAP_FILTER(_T("filter.eventSource"), eventSource, filter_normal)
450	MAP_FILTER(_T("filter.generated"), timeGenerated, filter_normal)
451	MAP_FILTER(_T("filter.written"), timeWritten, filter_normal)
452	MAP_FILTER(_T("filter.message"), message, filter_normal)
453
454	MAP_FILTER(_T("filter-eventType"), eventType, filter_minus)
455	MAP_FILTER(_T("filter-severity"), eventSeverity, filter_minus)
456	MAP_FILTER(_T("filter-eventID"), eventID, filter_minus)
457	MAP_FILTER(_T("filter-eventSource"), eventSource, filter_minus)
458	MAP_FILTER(_T("filter-generated"), timeGenerated, filter_minus)
459	MAP_FILTER(_T("filter-written"), timeWritten, filter_minus)
460	MAP_FILTER(_T("filter-message"), message, filter_minus)
461
462	MAP_OPTIONS_MISSING(message, _T("Unknown argument: "))
463	MAP_OPTIONS_END()
464	} catch (filters::parse_exception e) {
465	message = e.getMessage();
466	return NSCAPI::returnUNKNOWN;
467	} catch (filters::filter_exception e) {
468	message = e.getMessage();
469	return NSCAPI::returnUNKNOWN;
470	}
471
472	unsigned long int hit_count = 0;
473
474	for (std::list<std::wstring>::const_iterator cit2 = files.begin(); cit2 != files.end(); ++cit2) {
475	HANDLE hLog = OpenEventLog(NULL, (*cit2).c_str());
476	if (hLog == NULL) {
477	message = _T("Could not open the '") + (*cit2) + _T("' event log: ") + error::lookup::last_error();
478	return NSCAPI::returnUNKNOWN;
479	}
480	uniq_eventlog_map uniq_records;
481
482	//DWORD dwThisRecord;
483	DWORD dwRead, dwNeeded;
484	EVENTLOGRECORD *pevlr;
485	BYTE bBuffer[BUFFER_SIZE];
486
487	pevlr = reinterpret_cast<EVENTLOGRECORD*>(&bBuffer);
488
489	__time64_t ltime;
490	_time64(&ltime);
491
492	//GetOldestEventLogRecord(hLog, &dwThisRecord);
493
494	while (ReadEventLog(hLog, EVENTLOG_FORWARDS_READ\|EVENTLOG_SEQUENTIAL_READ,
495	0, pevlr, BUFFER_SIZE, &dwRead, &dwNeeded))
496	{
497	while (dwRead > 0)
498	{
499	//bool bMatch = bFilterAll;
500	bool bMatch = !bFilterIn;
501	EventLogRecord record((*cit2), pevlr, ltime);
502
503	if (filter_chain.empty()) {
504	message = _T("No filters specified.");
505	return NSCAPI::returnUNKNOWN;
506	}
507
508
509	for (filterlist_type::const_iterator cit3 = filter_chain.begin(); cit3 != filter_chain.end(); ++cit3 ) {
510	std::wstring reason;
511	int mode = (*cit3).first;
512	bool bTmpMatched = (*cit3).second.matchFilter(record);
513	if (!bFilterNew) {
514	if (bFilterAll) {
515	if (!bTmpMatched) {
516	bMatch = false;
517	break;
518	}
519	} else {
520	if (bTmpMatched) {
521	bMatch = true;
522	break;
523	}
524	}
525	} else {
526	if ((mode == filter_minus)&&(bTmpMatched)) {
527	// a -<filter> hit so thrash item and bail out!
528	if (debug_)
529	NSC_DEBUG_MSG_STD(_T("Matched: - ") + (*cit3).second.getValue() + _T(" for: ") + record.render(bShowDescriptions, syntax));
530	bMatch = false;
531	break;
532	} else if ((mode == filter_plus)&&(!bTmpMatched)) {
533	// a +<filter> missed hit so thrash item and bail out!
534	if (debug_)
535	NSC_DEBUG_MSG_STD(_T("Matched: + ") + (*cit3).second.getValue() + _T(" for: ") + record.render(bShowDescriptions, syntax));
536	bMatch = false;
537	break;
538	} else if (bTmpMatched) {
539	if (debug_)
540	NSC_DEBUG_MSG_STD(_T("Matched: . (contiunue): ") + (*cit3).second.getValue() + _T(" for: ") + record.render(bShowDescriptions, syntax));
541	bMatch = true;
542	}
543	}
544	}
545	bool match = false;
546	if ((!bFilterNew)&&((bFilterIn&&bMatch)\|\|(!bFilterIn&&!bMatch))) {
547	match = true;
548	} else if (bFilterNew&&bMatch) {
549	match = true;
550	}
551	if (match&&unique) {
552	match = false;
553	uniq_eventlog_record uniq_record = pevlr;
554	uniq_eventlog_map::iterator it = uniq_records.find(uniq_record);
555	if (it != uniq_records.end()) {
556	(*it).second ++;
557	//match = false;
558	}
559	else {
560	if (!syntax.empty()) {
561	uniq_record.message = record.render(bShowDescriptions, syntax);
562	} else if (!bShowDescriptions) {
563	uniq_record.message = record.eventSource();
564	} else {
565	uniq_record.message = record.eventSource();
566	uniq_record.message += _T("(") + EventLogRecord::translateType(record.eventType()) + _T(", ") +
567	strEx::itos(record.eventID()) + _T(", ") + EventLogRecord::translateSeverity(record.severity()) + _T(")");
568	uniq_record.message += _T("[") + record.enumStrings() + _T("]");
569	uniq_record.message += _T("{%count%}");
570	}
571	uniq_records[uniq_record] = 1;
572	}
573	hit_count++;
574	} else if (match) {
575	if (!syntax.empty()) {
576	strEx::append_list(message, record.render(bShowDescriptions, syntax));
577	} else if (!bShowDescriptions) {
578	strEx::append_list(message, record.eventSource());
579	} else {
580	strEx::append_list(message, record.eventSource());
581	message += _T("(") + EventLogRecord::translateType(record.eventType()) + _T(", ") +
582	strEx::itos(record.eventID()) + _T(", ") + EventLogRecord::translateSeverity(record.severity()) + _T(")");
583	message += _T("[") + record.enumStrings() + _T("]");
584	}
585	hit_count++;
586	}
587	dwRead -= pevlr->Length;
588	pevlr = (EVENTLOGRECORD *) ((LPBYTE) pevlr + pevlr->Length);
589	}
590	pevlr = (EVENTLOGRECORD *) &bBuffer;
591	}
592	CloseEventLog(hLog);
593	for (uniq_eventlog_map::const_iterator cit = uniq_records.begin(); cit != uniq_records.end(); ++cit) {
594	std::wstring msg = (*cit).first.message;
595	strEx::replace(msg, _T("%count%"), strEx::itos((*cit).second));
596	strEx::append_list(message, msg);
597	}
598	}
599
600	if (!bPerfData)
601	query.perfData = false;
602	query.runCheck(hit_count, returnCode, message, perf);
603	if ((truncate > 0) && (message.length() > (truncate-4)))
604	message = message.substr(0, truncate-4) + _T("...");
605	if (message.empty())
606	message = _T("Eventlog check ok");
607	NSC_DEBUG_MSG_STD(_T("Result: ") + message) ;
608	return returnCode;
609	}
610
611
612	NSC_WRAPPERS_MAIN_DEF(gCheckEventLog);
613	NSC_WRAPPERS_IGNORE_MSG_DEF();
614	NSC_WRAPPERS_HANDLE_CMD_DEF(gCheckEventLog);

Note: See TracBrowser for help on using the repository browser.

Download in other formats: