From 60c211a3abd5eadb359db5f02941f32e2d881e52 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 3 May 1999 21:52:29 +0000 Subject: Added a new command to rpcclient: eventlog where is System, Security or Application. That's a crude equivalent to the eventviewer. Jean Francois (This used to be commit 66b4b896fbcabb964a427d0c0aa2f57997e0f6bb) --- source3/include/rpc_eventlog.h | 133 +++++++++++++++++++++ source3/rpc_client/cli_eventlog.c | 201 +++++++++++++++++++++++++++++++ source3/rpc_parse/parse_eventlog.c | 236 +++++++++++++++++++++++++++++++++++++ source3/rpcclient/cmd_eventlog.c | 94 +++++++++++++++ 4 files changed, 664 insertions(+) create mode 100644 source3/include/rpc_eventlog.h create mode 100644 source3/rpc_client/cli_eventlog.c create mode 100644 source3/rpc_parse/parse_eventlog.c create mode 100644 source3/rpcclient/cmd_eventlog.c diff --git a/source3/include/rpc_eventlog.h b/source3/include/rpc_eventlog.h new file mode 100644 index 0000000000..cc4d9fc62d --- /dev/null +++ b/source3/include/rpc_eventlog.h @@ -0,0 +1,133 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Interface header: Scheduler service + Copyright (C) Luke Kenneth Casson Leighton 1996-1999 + Copyright (C) Andrew Tridgell 1992-1999 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#ifndef _RPC_EVENTLOG_H +#define _RPC_EVENTLOG_H + +#define EVENTLOG_OPEN 0x07 +#define EVENTLOG_CLOSE 0x02 +#define EVENTLOG_NUMOFEVENTLOGRECORDS 0x04 +#define EVENTLOG_READEVENTLOG 0x0a + +#define EVENTLOG_READ_SEQUENTIAL 0x01 +#define EVENTLOG_READ_SEEK 0x02 +#define EVENTLOG_READ_FORWARD 0x04 +#define EVENTLOG_READ_BACKWARD 0x08 + +#define EVENTLOG_OK 0X00 +#define EVENTLOG_ERROR 0x01 +#define EVENTLOG_WARNING 0x02 +#define EVENTLOG_INFORMATION 0x04 +#define EVENTLOG_AUDIT_OK 0x08 +#define EVENTLOG_AUDIT_ERROR 0x10 + +typedef struct eventlogrecord +{ + uint32 size; + uint32 reserved; + uint32 recordnumber; + uint32 creationtime; + uint32 writetime; + uint32 eventnumber; + uint16 eventtype; + uint16 num_of_strings; + uint16 category; + uint16 reserved_flag; + uint32 closingrecord; + uint32 stringoffset; + uint32 sid_length; + uint32 sid_offset; + uint32 data_length; + uint32 data_offset; + UNISTR sourcename; + UNISTR computername; + UNISTR sid; + UNISTR strings; + UNISTR data; + uint32 size2; +} EVENTLOGRECORD; + +typedef struct eventlog_q_open +{ + uint32 ptr0; + + uint16 unk0; + uint16 unk1; + uint16 unk2; + uint16 unk3; + + uint32 ptr_source; + + UNISTR2 source; + + uint32 unk4; + uint32 unk5; + uint32 unk6; + uint32 unk7; +} EVENTLOG_Q_OPEN; + +typedef struct eventlog_r_open +{ + POLICY_HND pol; + uint32 status; +} EVENTLOG_R_OPEN; + +typedef struct eventlog_q_close +{ + POLICY_HND pol; +} EVENTLOG_Q_CLOSE; + +typedef struct eventlog_r_close +{ + POLICY_HND pol; + uint32 status; +} EVENTLOG_R_CLOSE; + +typedef struct eventlog_q_numofeventlogrec +{ + POLICY_HND pol; +} EVENTLOG_Q_NUMOFEVENTLOGREC; + +typedef struct eventlog_r_numofeventlogrec +{ + uint32 number; + uint32 status; +} EVENTLOG_R_NUMOFEVENTLOGREC; + +typedef struct eventlog_q_readeventlog +{ + POLICY_HND pol; + uint32 flags; + uint32 offset; + uint32 number_of_bytes; +} EVENTLOG_Q_READEVENTLOG; + +typedef struct eventlog_r_readeventlog +{ + uint32 number_of_bytes; + EVENTLOGRECORD *event; + uint32 sent_size; + uint32 real_size; + uint32 status; +} EVENTLOG_R_READEVENTLOG; + +#endif /* _RPC_EVENTLOG_H */ diff --git a/source3/rpc_client/cli_eventlog.c b/source3/rpc_client/cli_eventlog.c new file mode 100644 index 0000000000..580f4f0dee --- /dev/null +++ b/source3/rpc_client/cli_eventlog.c @@ -0,0 +1,201 @@ +/* + * Unix SMB/Netbios implementation. + * Version 2.1. + * RPC client routines: scheduler service + * Copyright (C) Jean Francois Micouleau 1998-1999, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1999, + * Copyright (C) Andrew Tridgell 1992-1999. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/**************************************************************************** +****************************************************************************/ +BOOL do_event_open(struct cli_state *cli, uint16 fnum, char *log, POLICY_HND *hnd) +{ + prs_struct rbuf; + prs_struct buf; + EVENTLOG_Q_OPEN q; + BOOL p = False; + BOOL valid_pol = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0 , 4, SAFETY_MARGIN, True ); + + /* store the parameters */ + make_eventlog_q_open(&q, log); + + /* turn parameters into data stream */ + eventlog_io_q_open("", &q, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, EVENTLOG_OPEN, &buf, &rbuf)) + { + EVENTLOG_R_OPEN r; + + eventlog_io_r_open("", &r, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r.status != 0) + { + /* report error code */ + DEBUG(0,("do_event_open: %s\n", get_nt_error_msg(r.status))); + p = False; + } + + if (p) + { + /*copy handle */ + memcpy(hnd->data, r.pol.data, sizeof(hnd->data)); + valid_pol = True; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return p; +} + +/**************************************************************************** +****************************************************************************/ +BOOL do_event_close(struct cli_state *cli, uint16 fnum, POLICY_HND *hnd) +{ + prs_struct rbuf; + prs_struct buf; + EVENTLOG_Q_CLOSE q; + BOOL p = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0 , 4, SAFETY_MARGIN, True ); + + /* store the parameters */ + make_eventlog_q_close(&q, hnd); + + /* turn parameters into data stream */ + eventlog_io_q_close("", &q, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, EVENTLOG_CLOSE, &buf, &rbuf)) + { + EVENTLOG_R_CLOSE r; + + eventlog_io_r_close("", &r, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r.status != 0) + { + /* report error code */ + DEBUG(0,("do_event_close: %s\n", get_nt_error_msg(r.status))); + p = False; + } + + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return p; +} + +/**************************************************************************** +****************************************************************************/ +BOOL do_event_numofeventlogrec(struct cli_state *cli, uint16 fnum, POLICY_HND *hnd, uint32 *number) +{ + prs_struct rbuf; + prs_struct buf; + EVENTLOG_Q_NUMOFEVENTLOGREC q; + BOOL p = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0 , 4, SAFETY_MARGIN, True ); + + /* store the parameters */ + make_eventlog_q_numofeventlogrec(&q, hnd); + + /* turn parameters into data stream */ + eventlog_io_q_numofeventlogrec("", &q, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, EVENTLOG_NUMOFEVENTLOGRECORDS, &buf, &rbuf)) + { + EVENTLOG_R_NUMOFEVENTLOGREC r; + + eventlog_io_r_numofeventlogrec("", &r, &rbuf, 0); + p = rbuf.offset != 0; + + if (p && r.status != 0) + { + /* report error code */ + DEBUG(0,("do_event_close: %s\n", get_nt_error_msg(r.status))); + p = False; + } + + if (p) + { + *number=r.number; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return p; +} + +/**************************************************************************** +****************************************************************************/ +BOOL do_event_readeventlog(struct cli_state *cli, uint16 fnum, POLICY_HND *hnd, + uint32 number, uint32 flags, uint32 offset, + uint32 *number_of_bytes, EVENTLOGRECORD *ev) +{ + prs_struct rbuf; + prs_struct buf; + EVENTLOG_Q_READEVENTLOG q; + EVENTLOG_R_READEVENTLOG r; + BOOL p = False; + + prs_init(&buf , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rbuf, 0 , 4, SAFETY_MARGIN, True ); + + /* store the parameters */ + make_eventlog_q_readeventlog(&q, hnd, flags, offset, *number_of_bytes); + + /* turn parameters into data stream */ + eventlog_io_q_readeventlog("", &q, &buf, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, fnum, EVENTLOG_READEVENTLOG, &buf, &rbuf)) + { + r.event=ev; + eventlog_io_r_readeventlog("", &r, &rbuf, 0); + p = rbuf.offset != 0; + + if (p) + { + *number_of_bytes=r.real_size; + } + } + + prs_mem_free(&rbuf); + prs_mem_free(&buf ); + + return p; +} + diff --git a/source3/rpc_parse/parse_eventlog.c b/source3/rpc_parse/parse_eventlog.c new file mode 100644 index 0000000000..5173bd2cad --- /dev/null +++ b/source3/rpc_parse/parse_eventlog.c @@ -0,0 +1,236 @@ +/* + * Unix SMB/Netbios implementation. + * Version 1.9. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-1998, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1998, + * Copyright (C) Jean François Micouleau 1998-1999. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/******************************************************************* +********************************************************************/ +void make_eventlog_q_open(EVENTLOG_Q_OPEN *q_u, char *journal) +{ + q_u->ptr0=0x1; + + q_u->unk0=0x5c; + q_u->unk1=0x01; + + q_u->unk2=2*(strlen(journal)+1); + q_u->unk3=2*(strlen(journal)+1); + + q_u->ptr_source=0x01; + make_buf_unistr2(&(q_u->source), &(q_u->ptr_source), journal); + + q_u->unk4=0x00; + q_u->unk5=0x00; + q_u->unk6=0x01; + q_u->unk7=0x01; +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_q_open(char *desc, EVENTLOG_Q_OPEN *q_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_q_open"); + depth++; + + prs_align(ps); + + prs_uint32("ptr0", ps, depth, &(q_u->ptr0)); + + prs_uint16("unk0", ps, depth, &(q_u->unk0)); + prs_uint16("unk1", ps, depth, &(q_u->unk1)); + prs_uint16("unk2", ps, depth, &(q_u->unk2)); + prs_uint16("unk3", ps, depth, &(q_u->unk3)); + + prs_uint32("ptr_source", ps, depth, &(q_u->ptr_source)); + + smb_io_unistr2("", &(q_u->source), q_u->ptr_source, ps, depth); + prs_align(ps); + + prs_uint32("unk4", ps, depth, &(q_u->unk4)); + prs_uint32("unk5", ps, depth, &(q_u->unk5)); + prs_uint32("unk6", ps, depth, &(q_u->unk6)); + prs_uint32("unk7", ps, depth, &(q_u->unk7)); +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_r_open(char *desc, EVENTLOG_R_OPEN *r_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_r_open"); + depth++; + + prs_align(ps); + smb_io_pol_hnd("", &(r_u->pol), ps, depth); + prs_uint32("status", ps, depth, &(r_u->status)); +} + +/******************************************************************* +********************************************************************/ +void make_eventlog_q_close(EVENTLOG_Q_CLOSE *q_u, POLICY_HND *pol) +{ + memcpy(&(q_u->pol.data), pol->data, sizeof(q_u->pol.data)); + +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_q_close(char *desc, EVENTLOG_Q_CLOSE *q_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_q_close"); + depth++; + + prs_align(ps); + smb_io_pol_hnd("", &(q_u->pol), ps, depth); + +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_r_close(char *desc, EVENTLOG_R_CLOSE *r_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_r_close"); + depth++; + + prs_align(ps); + smb_io_pol_hnd("", &(r_u->pol), ps, depth); + prs_uint32("status", ps, depth, &(r_u->status)); +} + +/******************************************************************* +********************************************************************/ +void make_eventlog_q_numofeventlogrec(EVENTLOG_Q_NUMOFEVENTLOGREC *q_u, POLICY_HND *pol) +{ + memcpy(&(q_u->pol.data), pol->data, sizeof(q_u->pol.data)); + +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_q_numofeventlogrec(char *desc,EVENTLOG_Q_NUMOFEVENTLOGREC *q_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_q_numofeventlogrec"); + depth++; + + prs_align(ps); + smb_io_pol_hnd("", &(q_u->pol), ps, depth); + +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_r_numofeventlogrec(char *desc, EVENTLOG_R_NUMOFEVENTLOGREC *r_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_r_numofeventlogrec"); + depth++; + + prs_align(ps); + prs_uint32("number", ps, depth, &(r_u->number)); + prs_uint32("status", ps, depth, &(r_u->status)); +} + +/******************************************************************* +********************************************************************/ +void make_eventlog_q_readeventlog(EVENTLOG_Q_READEVENTLOG *q_u, POLICY_HND *pol, + uint32 flags, uint32 offset, uint32 number_of_bytes) +{ + memcpy(&(q_u->pol.data), pol->data, sizeof(q_u->pol.data)); + q_u->flags=flags; + q_u->offset=offset; + q_u->number_of_bytes=number_of_bytes; +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_q_readeventlog(char *desc, EVENTLOG_Q_READEVENTLOG *q_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_q_readeventlog"); + depth++; + + prs_align(ps); + smb_io_pol_hnd("", &(q_u->pol), ps, depth); + prs_uint32("flags", ps, depth, &(q_u->flags)); + prs_uint32("offset", ps, depth, &(q_u->offset)); + prs_uint32("number_of_bytes", ps, depth, &(q_u->number_of_bytes)); +} + +/******************************************************************* +********************************************************************/ +static void eventlog_io_eventlog(char *desc, EVENTLOGRECORD *ev, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_eventlog"); + depth++; + + prs_align(ps); + prs_uint32("size", ps, depth, &(ev->size)); + prs_uint32("reserved", ps, depth, &(ev->reserved)); + prs_uint32("recordnumber", ps, depth, &(ev->recordnumber)); + prs_uint32("creationtime", ps, depth, &(ev->creationtime)); + prs_uint32("writetime", ps, depth, &(ev->writetime)); + prs_uint32("eventnumber", ps, depth, &(ev->eventnumber)); + + prs_uint16("eventtype", ps, depth, &(ev->eventtype)); + prs_uint16("num_of_strings", ps, depth, &(ev->num_of_strings)); + prs_uint16("category", ps, depth, &(ev->category)); + prs_uint16("reserved_flag", ps, depth, &(ev->reserved_flag)); + + prs_uint32("closingrecord", ps, depth, &(ev->closingrecord)); + prs_uint32("stringoffset", ps, depth, &(ev->stringoffset)); + prs_uint32("sid_length", ps, depth, &(ev->sid_length)); + prs_uint32("sid_offset", ps, depth, &(ev->sid_offset)); + prs_uint32("data_length", ps, depth, &(ev->data_length)); + prs_uint32("data_offset", ps, depth, &(ev->data_offset)); + + smb_io_unistr("", &(ev->sourcename), ps, depth); + smb_io_unistr("", &(ev->computername), ps, depth); + + if (ev->sid_length!=0) + smb_io_unistr("", &(ev->sid), ps, depth); + + if (ev->num_of_strings!=0) + smb_io_unistr("", &(ev->strings),ps, depth); + + if (ev->data_length) + smb_io_unistr("", &(ev->data), ps, depth); + + prs_uint32("size2", ps, depth, &(ev->size2)); +} + +/******************************************************************* +********************************************************************/ +void eventlog_io_r_readeventlog(char *desc, EVENTLOG_R_READEVENTLOG *r_u, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "eventlog_io_r_readeventlog"); + depth++; + + prs_align(ps); + prs_uint32("number_of_bytes", ps, depth, &(r_u->number_of_bytes)); + + if (r_u->number_of_bytes!= 0) + eventlog_io_eventlog("", r_u->event, ps, depth); + + prs_uint32("sent_size", ps, depth, &(r_u->sent_size)); + prs_uint32("real_size", ps, depth, &(r_u->real_size)); + prs_uint32("status", ps, depth, &(r_u->status)); +} + diff --git a/source3/rpcclient/cmd_eventlog.c b/source3/rpcclient/cmd_eventlog.c new file mode 100644 index 0000000000..e6e10c44eb --- /dev/null +++ b/source3/rpcclient/cmd_eventlog.c @@ -0,0 +1,94 @@ +/* + Unix SMB/Netbios implementation. + Version 2.1. + Copyright (C) Luke Kenneth Casson Leighton 1996-1999, + Copyright (C) Andrew Tridgell 1994-1999, + Copyright (C) Jean Francois Micouleau 1998-1999. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + + +#ifdef SYSLOG +#undef SYSLOG +#endif + +#include "includes.h" +#include "nterr.h" + +extern int DEBUGLEVEL; + +#define DEBUG_TESTING + +extern struct cli_state *smb_cli; +extern FILE* out_hnd; + + +/**************************************************************************** +****************************************************************************/ +void cmd_eventlog(struct client_info *info) +{ + uint16 nt_pipe_fnum; + BOOL res = True; + POLICY_HND hnd; + uint32 number; + uint32 flags; + uint32 offset; + uint32 num_of_bytes; + EVENTLOGRECORD ev; + + fstring journal; + fstring temp; + + flags=EVENTLOG_READ_SEQUENTIAL|EVENTLOG_READ_BACKWARD; + + while (next_token(NULL, temp, NULL, sizeof(temp))) + { + fstrcpy(journal, temp); + } + + /* open scheduler session. */ + res = res ? cli_nt_session_open(smb_cli, PIPE_EVENTLOG, &nt_pipe_fnum) : False; + + res = res ? do_event_open(smb_cli, nt_pipe_fnum, journal, &hnd) : False; + + res = res ? do_event_numofeventlogrec(smb_cli, nt_pipe_fnum, &hnd, &number) : False; + + fprintf(out_hnd, "Number of events: %d\n", number); + + display_eventlog_eventrecord(out_hnd, ACTION_HEADER, &ev); + + for (offset=0; offset