/*****************************************************************/ /** Microsoft Windows NT **/ /** Copyright(c) Microsoft Corp., 1991 **/ /*****************************************************************/ /* * eventlog.hxx * This file contains base class for the event log objects. * LOG_ENTRY_NUMBER * EVENT_LOG * * The hierarchy of the event log objects is as follows: * * EVENT_LOG * / \ * / \ * LM_EVENT_LOG NT_EVENT_LOG * / \ * / \ * LM_AUDIT_LOG LM_ERROR_LOG * * * History: * Yi-HsinS 10/15/91 Created * Yi-HsinS 12/15/91 Moved LM_EVENT_LOG to lmlog.hxx, * moved NT_EVENT_LOG to ntlog.hxx * TerryK 12/20/91 Added SaveAsLog and * WriteTextEntry to EVENT_LOG * Yi-HsinS 1/15/92 Added Backup, SeekOldestLogEntry, * SeekNewestLogEntry and modified * parameters to WriteTextEntry * Yi-HsinS 5/15/92 Added QuerySourceList()... * JonN 6/22/00 WriteTextEntry no longer supported * */ #ifndef _EVENTLOG_HXX_ #define _EVENTLOG_HXX_ #include "ctime.hxx" #include "intlprof.hxx" #include "logmisc.hxx" #include "strlst.hxx" #define SMALL_BUF_DEFAULT_SIZE 1024 // 1K - size of buffer for seek read #define BIG_BUF_DEFAULT_SIZE (16*1024) // 16K - size of buffer of iter. read #undef MAXULONG #define MAXULONG ((ULONG) -1) #define MAXUINT ((UINT) -1) #define TYPE_NONE ((USHORT) -1) // Used either when no type exist // in the log entry. /************************************************************************* NAME: LOG_ENTRY_NUMBER SYNOPSIS: The class for encapsulating the record number of the event log INTERFACE: LOG_ENTRY_NUMBER() - Constructor QueryRecordNum() - Query the record number QueryDirection() - Query the direction, EVLOG_FWD or EVLOG_BACK SetRecordNum() - Set the record number SetDirection() - Set the direction PARENT: BASE USES: CAVEATS: NOTES: Direction is ignored in NT_EVENT_LOG where all record numbers are absolute. HISTORY: Yi-HsinS 10/15/91 Created **************************************************************************/ DLL_CLASS LOG_ENTRY_NUMBER: public BASE { private: /* * The record number of the log entry relative to the beginning of the log * if the direction is EVLOG_FWD and relative to the end of the log * if the direction is EVLOG_BACK. * * Note: with the exception of NT event logs which are absolute record * numbers. */ ULONG _ulRecordNum; EVLOG_DIRECTION _evdir; public: /* * Constructor */ LOG_ENTRY_NUMBER( ULONG ulRecordNum = 0, EVLOG_DIRECTION evdir = EVLOG_FWD) : _ulRecordNum( ulRecordNum ), _evdir( evdir ) {} /* * Returns the record number of the log entry */ ULONG QueryRecordNum( VOID ) const { return _ulRecordNum; } /* * Returns the direction of browsing the log */ EVLOG_DIRECTION QueryDirection( VOID ) const { return _evdir; } /* * Sets the record number */ VOID SetRecordNum( ULONG ulRecordNum ) { _ulRecordNum = ulRecordNum; } /* * Sets the direction of browsing */ VOID SetDirection( EVLOG_DIRECTION evdir ) { _evdir = evdir; } }; /************************************************************************* NAME: EVENT_LOG SYNOPSIS: The common base class for NT event log and LM event log classes INTERFACE: protected: I_Next() - The helper method that actually reads the next entry in the log file. I_Open() - The helper method that actually opens the log for reading I_Close() - The helper method that actually closes the log file. CreateCurrentRawEntry() - Create a RAW_LOG_ENTRY containing the information in the current log entry. SetPos() - Set the position for the next read. public: EVENT_LOG() - Constructor, takes a server name, the direction to read the log file, and an optional module name ignored by LM_EVENT_LOG. ~EVENT_LOG() - Virtual destructor QueryServer() - Query the server name QueryModule() - Query the module name QueryDirection() - Query the direction of reading the log SetDirection() - Set the direction of reading the log IsSeek() - TRUE if we need to seek read, FALSE otherwise. SetSeekFlag() - Set a flag indicating we want to seek read. IsOpened() - TRUE if the log file has been opened, FALSE if the log file is closed SetOpenFlag() - Set a flag indicating the log has been opened QuerySourceList() - Query the sources supported by the module. QuerySrcSupportedTypeMask() - Query the types that are supported by the given source. QuerySrcSupportedCategoryList() - Query the categories supported by the given source. Open() - Opens the handle to the event log Close() - Close the handle to the event log Clear() - Clear the event log Backup()- Backup the event log without clearing the log file Available only in NT_EVENT_LOG, will assert out if not redefined. Reset() - Reset the position to the beginning or the end of the event log depending on the direction Next() - The iterator for getting the next entry into the buffer SeekLogEntry() - Get the log entry with the given record number into the buffer. The method is not for iterating through the log file. It's for getting non-consecutive log entries. A smaller buffer is used when reading the log entries. SeekOldestLogEntry() - Get the oldest log entry in the log SeekNewestLogEntry() - Get the newest log entry in the log QueryNumberOfEntries() - Get the number of entries in the log QueryCurrentEntryData() - Retrieve the raw data of the current log entry. QueryCurrentEntryDesc() - Retrieve the description of the current log entry. QueryCurrentEntryTime() - Retrieve the time of the current log entry. CreateCurrentFormatEntry() - Create a FORMATTED_LOG_ENTRY containing the info. in the current log entry. WriteTextEntry() - Write an entry to a text file JonN 6/22/00 WriteTextEntry no longer supported QueryPos() - Get the position of the current event log entry relative to the beginning or the end of the file depending on the direction ApplyFilter() - Apply the filter when reading the log ClearFilter() - Clear the filter pattern QueryFilter() - Returns the filter pattern IsFilterOn() - TRUE if the filter pattern is not NULL PARENT: BASE USES: NLS_STR, EVENT_FILTER_PATTERN CAVEATS: NOTES: HISTORY: Yi-HsinS 10/15/91 Created **************************************************************************/ DLL_CLASS EVENT_LOG : public BASE { protected: /* * The computer the log file is on. */ NLS_STR _nlsServer; /* * The module ( "system", "security" or "application" ) */ NLS_STR _nlsModule; /* * Direction of reading the event log: forward or backward */ EVLOG_DIRECTION _evdir; /* * Direction of the logs contained in the buffer. */ EVLOG_DIRECTION _evdirBuf; /* * Flag indicating whether to read sequentially next time or need * to seek */ BOOL _fSeek; /* * Flag used for sanity checking - TRUE if the log file is opened. * FALSE if closed. */ BOOL _fOpen; /* * Pointer to the filter pattern. NULL means no filter is set. */ EVENT_FILTER_PATTERN *_pFilterPattern; /* * Helper method for reading the log file. */ virtual APIERR I_Next( BOOL *pfContinue, ULONG ulBufferSize = BIG_BUF_DEFAULT_SIZE ) = 0; /* * Helper method for opening the log file for reading. */ virtual APIERR I_Open( VOID ) = 0; /* * Helper method for closes the log file. */ virtual APIERR I_Close( VOID ) = 0; /* * Create a RAW_LOG_ENTRY containing information about the current log * entry. */ virtual APIERR CreateCurrentRawEntry( RAW_LOG_ENTRY *pRawLogEntry ) = 0; /* * Set the record number passed in as the next log entry to be read. * If fForceRead is TRUE, then we will set up all variables so that * we will definitely read the entry. Else, we will search for the * entry in the buffer and will only read it if it's not there. */ virtual VOID SetPos( const LOG_ENTRY_NUMBER &logEntryNum, BOOL fForceRead ) = 0; public: /* * Constructor : takes a server name, * an optional direction which defaults to EVLOG_FWD, * and an optional module name. */ EVENT_LOG( const TCHAR *pszServer, EVLOG_DIRECTION evdir = EVLOG_FWD, const TCHAR *pszModule = NULL); virtual ~EVENT_LOG(); /* * Some QueryXXX and SetXXX method. */ APIERR QueryServer( NLS_STR *pnlsServer ) const { *pnlsServer = _nlsServer; return pnlsServer->QueryError(); } APIERR QueryModule( NLS_STR *pnlsModule ) const { *pnlsModule = _nlsModule; return pnlsModule->QueryError(); } EVLOG_DIRECTION QueryDirection( VOID ) const { return _evdir; } VOID SetDirection( EVLOG_DIRECTION evdir ) { _evdir = evdir; } BOOL IsSeek( VOID ) const { return _fSeek; } VOID SetSeekFlag( BOOL fSeek ) { _fSeek = fSeek; } BOOL IsOpened( VOID ) const { return _fOpen; } VOID SetOpenFlag( BOOL fOpen ) { _fOpen = fOpen; } /* * Query the sources supported in the module. This will always * return NULL for LM error/audit log. */ virtual STRLIST *QuerySourceList( VOID ); /* * Query the types supported by the given source. The type mask * will always be 0 if this is a LM error/audit log. */ virtual APIERR QuerySrcSupportedTypeMask( const NLS_STR &nlsSource, USHORT *pusTypeMask ); /* * Query the categories supported by the given source. The pstrlst * will be NULL if this is a LM error/audit log. */ virtual APIERR QuerySrcSupportedCategoryList( const NLS_STR &nlsSource, STRLIST **ppstrlstCategory ); /* * Opens ( initializes ) a handle to the event log */ APIERR Open( VOID ); /* * Closes the handle to the event log */ APIERR Close( VOID ); /* * Clear the event log : takes an optional backup file name */ virtual APIERR Clear( const TCHAR *pszBackupFile = NULL ) = 0; /* * Backup the event log to a file without clearing the log file * Available only in NT_EVENT_LOG, will assert out if not redefined. */ virtual APIERR Backup( const TCHAR *pszBackupFile ); /* * Reset to the beginning or end depending on the direction of * browsing */ virtual VOID Reset( VOID ); /* * Get the next log entry in the given direction into the buffer. * *pfContinue is TRUE if we have not reached end of log file yet, FALSE * otherwise. */ APIERR Next( BOOL *pfContinue ); /* * If fRead is TRUE, then read the log entry at the given record * number and set it as the current log entry. Else set the position * so that the next read starts reading at the given position. */ APIERR SeekLogEntry(const LOG_ENTRY_NUMBER &logEntryNum, BOOL fRead = TRUE); /* * Get the oldest or the newest log entry into the buffer * and set it as the current log entry. */ virtual APIERR SeekOldestLogEntry( VOID ) = 0; virtual APIERR SeekNewestLogEntry( VOID ) = 0; /* * Get the number of entries in the event log ( this will return * an approximate number in LM_EVENT_LOG and a more accurate number * in NT_EVENT_LOG assuming no entries are logged after querying. */ virtual APIERR QueryNumberOfEntries( ULONG *pcEntries ) = 0; /* * Retrieve the raw data associated with the current log entry. * Because the raw data is not stored in the FORMATTED_LOG_ENTRY, * we need this method to extract the raw data. */ virtual ULONG QueryCurrentEntryData( BYTE **ppbDataOut ) = 0; /* * Retrieve the description associated with the current log entry. */ virtual APIERR QueryCurrentEntryDesc( NLS_STR *pnlsDesc ) = 0; /* * Get the time associated with the current log entry. */ virtual ULONG QueryCurrentEntryTime( VOID ) = 0; /* * Create a FORMATTED_LOG_ENTRY containing the information * in the current log entry. */ virtual APIERR CreateCurrentFormatEntry( FORMATTED_LOG_ENTRY **ppFmtLogEntry ) = 0; /* * Write the log entry out to a file in text format * JonN 6/22/00 WriteTextEntry no longer supported */ virtual APIERR WriteTextEntry( ULONG ulFileHandle, INTL_PROFILE &intlprof, TCHAR chSeparator ) = 0; /* * Get the record number ( from the beginning or end of the log file * depending on the direction ) of the current entry log. * * Note: Direction is not important in NT event logs. */ virtual APIERR QueryPos( LOG_ENTRY_NUMBER *plogEntryNum ) = 0; /* * Apply the filter pattern when reading the log */ VOID ApplyFilter( EVENT_FILTER_PATTERN *pFilterPattern ) { _pFilterPattern = pFilterPattern; } /* * Clear the filter pattern : _pFilterPattern will be deleted where it * is allocated. */ VOID ClearFilter( VOID ) { _pFilterPattern = NULL; } EVENT_FILTER_PATTERN *QueryFilter( VOID ) const { return _pFilterPattern; } BOOL IsFilterOn( VOID ) { return ( _pFilterPattern != NULL ); } }; #endif