root/source3/rpcclient/cmd_eventlog.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. get_eventlog_handle
  2. cmd_eventlog_readlog
  3. cmd_eventlog_numrecords
  4. cmd_eventlog_oldestrecord
  5. cmd_eventlog_reportevent
  6. cmd_eventlog_reporteventsource
  7. cmd_eventlog_registerevsource
  8. cmd_eventlog_backuplog
  9. cmd_eventlog_loginfo

   1 /*
   2    Unix SMB/CIFS implementation.
   3    RPC pipe client
   4 
   5    Copyright (C) Günther Deschner 2009
   6 
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11 
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16 
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20 
  21 #include "includes.h"
  22 #include "rpcclient.h"
  23 
  24 static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
  25                                     TALLOC_CTX *mem_ctx,
  26                                     const char *log,
  27                                     struct policy_handle *handle)
  28 {
  29         NTSTATUS status;
  30         struct eventlog_OpenUnknown0 unknown0;
  31         struct lsa_String logname, servername;
  32 
  33         unknown0.unknown0 = 0x005c;
  34         unknown0.unknown1 = 0x0001;
  35 
  36         init_lsa_String(&logname, log);
  37         init_lsa_String(&servername, NULL);
  38 
  39         status = rpccli_eventlog_OpenEventLogW(cli, mem_ctx,
  40                                                &unknown0,
  41                                                &logname,
  42                                                &servername,
  43                                                0x00000001, /* major */
  44                                                0x00000001, /* minor */
  45                                                handle);
  46         if (!NT_STATUS_IS_OK(status)) {
  47                 return status;
  48         }
  49 
  50         return NT_STATUS_OK;
  51 }
  52 
  53 static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
  54                                      TALLOC_CTX *mem_ctx,
  55                                      int argc,
  56                                      const char **argv)
  57 {
  58         NTSTATUS status = NT_STATUS_OK;
  59         struct policy_handle handle;
  60 
  61         uint32_t flags = EVENTLOG_BACKWARDS_READ |
  62                          EVENTLOG_SEQUENTIAL_READ;
  63         uint32_t offset = 0;
  64         uint32_t number_of_bytes = 0;
  65         uint8_t *data = NULL;
  66         uint32_t sent_size = 0;
  67         uint32_t real_size = 0;
  68 
  69         if (argc < 2 || argc > 4) {
  70                 printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
  71                 return NT_STATUS_OK;
  72         }
  73 
  74         if (argc >= 3) {
  75                 offset = atoi(argv[2]);
  76         }
  77 
  78         if (argc >= 4) {
  79                 number_of_bytes = atoi(argv[3]);
  80                 data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
  81                 if (!data) {
  82                         goto done;
  83                 }
  84         }
  85 
  86         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
  87         if (!NT_STATUS_IS_OK(status)) {
  88                 return status;
  89         }
  90 
  91         do {
  92 
  93                 enum ndr_err_code ndr_err;
  94                 DATA_BLOB blob;
  95                 struct EVENTLOGRECORD r;
  96                 uint32_t size = 0;
  97                 uint32_t pos = 0;
  98 
  99                 status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
 100                                                        &handle,
 101                                                        flags,
 102                                                        offset,
 103                                                        number_of_bytes,
 104                                                        data,
 105                                                        &sent_size,
 106                                                        &real_size);
 107                 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL) &&
 108                     real_size > 0 ) {
 109                         number_of_bytes = real_size;
 110                         data = talloc_array(mem_ctx, uint8_t, real_size);
 111                         if (!data) {
 112                                 goto done;
 113                         }
 114                         status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
 115                                                                &handle,
 116                                                                flags,
 117                                                                offset,
 118                                                                number_of_bytes,
 119                                                                data,
 120                                                                &sent_size,
 121                                                                &real_size);
 122                 }
 123 
 124                 if (!NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE) &&
 125                     !NT_STATUS_IS_OK(status)) {
 126                         goto done;
 127                 }
 128 
 129                 number_of_bytes = 0;
 130 
 131                 size = IVAL(data, pos);
 132 
 133                 while (size > 0) {
 134 
 135                         blob = data_blob_const(data + pos, size);
 136                         /* dump_data(0, blob.data, blob.length); */
 137                         ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, NULL, &r,
 138                                            (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
 139                         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 140                                 status = ndr_map_error2ntstatus(ndr_err);
 141                                 goto done;
 142                         }
 143 
 144                         NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
 145 
 146                         pos += size;
 147 
 148                         if (pos + 4 > sent_size) {
 149                                 break;
 150                         }
 151 
 152                         size = IVAL(data, pos);
 153                 }
 154 
 155                 offset++;
 156 
 157         } while (NT_STATUS_IS_OK(status));
 158 
 159  done:
 160         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 161 
 162         return status;
 163 }
 164 
 165 static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 166                                         TALLOC_CTX *mem_ctx,
 167                                         int argc,
 168                                         const char **argv)
 169 {
 170         NTSTATUS status;
 171         struct policy_handle handle;
 172         uint32_t number = 0;
 173 
 174         if (argc != 2) {
 175                 printf("Usage: %s logname\n", argv[0]);
 176                 return NT_STATUS_OK;
 177         }
 178 
 179         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 180         if (!NT_STATUS_IS_OK(status)) {
 181                 return status;
 182         }
 183 
 184         status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
 185                                                &handle,
 186                                                &number);
 187         if (!NT_STATUS_IS_OK(status)) {
 188                 goto done;
 189         }
 190 
 191         printf("number of records: %d\n", number);
 192 
 193  done:
 194         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 195 
 196         return status;
 197 }
 198 
 199 static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 200                                           TALLOC_CTX *mem_ctx,
 201                                           int argc,
 202                                           const char **argv)
 203 {
 204         NTSTATUS status;
 205         struct policy_handle handle;
 206         uint32_t oldest_entry = 0;
 207 
 208         if (argc != 2) {
 209                 printf("Usage: %s logname\n", argv[0]);
 210                 return NT_STATUS_OK;
 211         }
 212 
 213         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 214         if (!NT_STATUS_IS_OK(status)) {
 215                 return status;
 216         }
 217 
 218         status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
 219                                                  &handle,
 220                                                  &oldest_entry);
 221         if (!NT_STATUS_IS_OK(status)) {
 222                 goto done;
 223         }
 224 
 225         printf("oldest entry: %d\n", oldest_entry);
 226 
 227  done:
 228         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 229 
 230         return status;
 231 }
 232 
 233 static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 234                                          TALLOC_CTX *mem_ctx,
 235                                          int argc,
 236                                          const char **argv)
 237 {
 238         NTSTATUS status;
 239         struct policy_handle handle;
 240 
 241         uint16_t num_of_strings = 1;
 242         uint32_t data_size = 0;
 243         struct lsa_String servername;
 244         struct lsa_String *strings;
 245         uint8_t *data = NULL;
 246         uint32_t record_number = 0;
 247         time_t time_written = 0;
 248 
 249         if (argc != 2) {
 250                 printf("Usage: %s logname\n", argv[0]);
 251                 return NT_STATUS_OK;
 252         }
 253 
 254         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 255         if (!NT_STATUS_IS_OK(status)) {
 256                 return status;
 257         }
 258 
 259         strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
 260         if (!strings) {
 261                 return NT_STATUS_NO_MEMORY;
 262         }
 263 
 264         init_lsa_String(&strings[0], "test event written by rpcclient\n");
 265         init_lsa_String(&servername, NULL);
 266 
 267         status = rpccli_eventlog_ReportEventW(cli, mem_ctx,
 268                                               &handle,
 269                                               time(NULL),
 270                                               EVENTLOG_INFORMATION_TYPE,
 271                                               0, /* event_category */
 272                                               0, /* event_id */
 273                                               num_of_strings,
 274                                               data_size,
 275                                               &servername,
 276                                               NULL, /* user_sid */
 277                                               &strings,
 278                                               data,
 279                                               0, /* flags */
 280                                               &record_number,
 281                                               &time_written);
 282 
 283         if (!NT_STATUS_IS_OK(status)) {
 284                 goto done;
 285         }
 286 
 287         printf("entry: %d written at %s\n", record_number,
 288                 http_timestring(talloc_tos(), time_written));
 289 
 290  done:
 291         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 292 
 293         return status;
 294 }
 295 
 296 static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 297                                                TALLOC_CTX *mem_ctx,
 298                                                int argc,
 299                                                const char **argv)
 300 {
 301         NTSTATUS status;
 302         struct policy_handle handle;
 303 
 304         uint16_t num_of_strings = 1;
 305         uint32_t data_size = 0;
 306         struct lsa_String servername, sourcename;
 307         struct lsa_String *strings;
 308         uint8_t *data = NULL;
 309         uint32_t record_number = 0;
 310         time_t time_written = 0;
 311 
 312         if (argc != 2) {
 313                 printf("Usage: %s logname\n", argv[0]);
 314                 return NT_STATUS_OK;
 315         }
 316 
 317         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 318         if (!NT_STATUS_IS_OK(status)) {
 319                 return status;
 320         }
 321 
 322         strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
 323         if (!strings) {
 324                 return NT_STATUS_NO_MEMORY;
 325         }
 326 
 327         init_lsa_String(&strings[0], "test event written by rpcclient\n");
 328         init_lsa_String(&servername, NULL);
 329         init_lsa_String(&sourcename, "rpcclient");
 330 
 331         status = rpccli_eventlog_ReportEventAndSourceW(cli, mem_ctx,
 332                                                        &handle,
 333                                                        time(NULL),
 334                                                        EVENTLOG_INFORMATION_TYPE,
 335                                                        0, /* event_category */
 336                                                        0, /* event_id */
 337                                                        &sourcename,
 338                                                        num_of_strings,
 339                                                        data_size,
 340                                                        &servername,
 341                                                        NULL, /* user_sid */
 342                                                        &strings,
 343                                                        data,
 344                                                        0, /* flags */
 345                                                        &record_number,
 346                                                        &time_written);
 347         if (!NT_STATUS_IS_OK(status)) {
 348                 goto done;
 349         }
 350 
 351         printf("entry: %d written at %s\n", record_number,
 352                 http_timestring(talloc_tos(), time_written));
 353 
 354  done:
 355         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 356 
 357         return status;
 358 }
 359 
 360 static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 361                                               TALLOC_CTX *mem_ctx,
 362                                               int argc,
 363                                               const char **argv)
 364 {
 365         NTSTATUS status;
 366         struct policy_handle log_handle;
 367         struct lsa_String module_name, reg_module_name;
 368         struct eventlog_OpenUnknown0 unknown0;
 369 
 370         unknown0.unknown0 = 0x005c;
 371         unknown0.unknown1 = 0x0001;
 372 
 373         if (argc != 2) {
 374                 printf("Usage: %s logname\n", argv[0]);
 375                 return NT_STATUS_OK;
 376         }
 377 
 378         init_lsa_String(&module_name, "rpcclient");
 379         init_lsa_String(&reg_module_name, NULL);
 380 
 381         status = rpccli_eventlog_RegisterEventSourceW(cli, mem_ctx,
 382                                                       &unknown0,
 383                                                       &module_name,
 384                                                       &reg_module_name,
 385                                                       1, /* major_version */
 386                                                       1, /* minor_version */
 387                                                       &log_handle);
 388         if (!NT_STATUS_IS_OK(status)) {
 389                 goto done;
 390         }
 391 
 392  done:
 393         rpccli_eventlog_DeregisterEventSource(cli, mem_ctx, &log_handle);
 394 
 395         return status;
 396 }
 397 
 398 static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 399                                        TALLOC_CTX *mem_ctx,
 400                                        int argc,
 401                                        const char **argv)
 402 {
 403         NTSTATUS status;
 404         struct policy_handle handle;
 405         struct lsa_String backup_filename;
 406         const char *tmp;
 407 
 408         if (argc != 3) {
 409                 printf("Usage: %s logname backupname\n", argv[0]);
 410                 return NT_STATUS_OK;
 411         }
 412 
 413         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 414         if (!NT_STATUS_IS_OK(status)) {
 415                 return status;
 416         }
 417 
 418         tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
 419         if (!tmp) {
 420                 status = NT_STATUS_NO_MEMORY;
 421                 goto done;
 422         }
 423 
 424         init_lsa_String(&backup_filename, tmp);
 425 
 426         status = rpccli_eventlog_BackupEventLogW(cli, mem_ctx,
 427                                                  &handle,
 428                                                  &backup_filename);
 429 
 430  done:
 431         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 432 
 433         return status;
 434 }
 435 
 436 static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
     /* [<][>][^][v][top][bottom][index][help] */
 437                                      TALLOC_CTX *mem_ctx,
 438                                      int argc,
 439                                      const char **argv)
 440 {
 441         NTSTATUS status;
 442         struct policy_handle handle;
 443         uint8_t *buffer = NULL;
 444         uint32_t buf_size = 0;
 445         uint32_t bytes_needed = 0;
 446 
 447         if (argc != 2) {
 448                 printf("Usage: %s logname\n", argv[0]);
 449                 return NT_STATUS_OK;
 450         }
 451 
 452         status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
 453         if (!NT_STATUS_IS_OK(status)) {
 454                 return status;
 455         }
 456 
 457         status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
 458                                                    &handle,
 459                                                    0, /* level */
 460                                                    buffer,
 461                                                    buf_size,
 462                                                    &bytes_needed);
 463         if (!NT_STATUS_IS_OK(status) &&
 464             !NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
 465                 goto done;
 466         }
 467 
 468         buf_size = bytes_needed;
 469         buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
 470         if (!buffer) {
 471                 status = NT_STATUS_NO_MEMORY;
 472                 goto done;
 473         }
 474 
 475         status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
 476                                                    &handle,
 477                                                    0, /* level */
 478                                                    buffer,
 479                                                    buf_size,
 480                                                    &bytes_needed);
 481         if (!NT_STATUS_IS_OK(status)) {
 482                 goto done;
 483         }
 484 
 485  done:
 486         rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
 487 
 488         return status;
 489 }
 490 
 491 
 492 struct cmd_set eventlog_commands[] = {
 493         { "EVENTLOG" },
 494         { "eventlog_readlog",           RPC_RTYPE_NTSTATUS,     cmd_eventlog_readlog,           NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Read Eventlog", "" },
 495         { "eventlog_numrecord",         RPC_RTYPE_NTSTATUS,     cmd_eventlog_numrecords,        NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Get number of records", "" },
 496         { "eventlog_oldestrecord",      RPC_RTYPE_NTSTATUS,     cmd_eventlog_oldestrecord,      NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Get oldest record", "" },
 497         { "eventlog_reportevent",       RPC_RTYPE_NTSTATUS,     cmd_eventlog_reportevent,       NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Report event", "" },
 498         { "eventlog_reporteventsource", RPC_RTYPE_NTSTATUS,     cmd_eventlog_reporteventsource, NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Report event and source", "" },
 499         { "eventlog_registerevsource",  RPC_RTYPE_NTSTATUS,     cmd_eventlog_registerevsource,  NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Register event source", "" },
 500         { "eventlog_backuplog",         RPC_RTYPE_NTSTATUS,     cmd_eventlog_backuplog,         NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Backup Eventlog File", "" },
 501         { "eventlog_loginfo",           RPC_RTYPE_NTSTATUS,     cmd_eventlog_loginfo,           NULL,   &ndr_table_eventlog.syntax_id,  NULL,   "Get Eventlog Information", "" },
 502         { NULL }
 503 };

/* [<][>][^][v][top][bottom][index][help] */