Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-07-08 21:55:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
reactos/base/services/eventlog/eventsource.c

235 lines
6.5 KiB
C
Raw Normal View History

[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
/*
[EVENTLOG] - Update code source files headers. - Use explicit unicode functions for RegOpen/Query/SetXXX and safe-string APIs. - Use GetSystemWindowsDirectoryW where needed instead of GetWindowsDirectoryW (TS-safe). - Fix some variable names & types. - Improve some DPRINTs. svn path=/trunk/; revision=73034
2016-10-25 23:32:20 +00:00
* PROJECT: ReactOS EventLog Service
* LICENSE: GPL - See COPYING in the top level directory
* FILE: base/services/eventlog/eventsource.c
* PURPOSE: Event log sources support
* COPYRIGHT: Copyright 2011 Eric Kohl
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
*/
/* INCLUDES *****************************************************************/
#include "eventlog.h"
[EVENTLOG] * Do not include debug.h into the main header. CORE-7716 svn path=/trunk/; revision=61315
2013-12-21 13:45:16 +00:00
#define NDEBUG
#include <debug.h>
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
static LIST_ENTRY EventSourceListHead;
static CRITICAL_SECTION EventSourceListCs;
/* FUNCTIONS ****************************************************************/
VOID
InitEventSourceList(VOID)
{
InitializeCriticalSection(&EventSourceListCs);
InitializeListHead(&EventSourceListHead);
}
static VOID
DumpEventSourceList(VOID)
{
PLIST_ENTRY CurrentEntry;
PEVENTSOURCE EventSource;
DPRINT("DumpEventSourceList()\n");
EnterCriticalSection(&EventSourceListCs);
CurrentEntry = EventSourceListHead.Flink;
while (CurrentEntry != &EventSourceListHead)
{
EventSource = CONTAINING_RECORD(CurrentEntry,
EVENTSOURCE,
EventSourceListEntry);
DPRINT("EventSource->szName: %S\n", EventSource->szName);
CurrentEntry = CurrentEntry->Flink;
}
LeaveCriticalSection(&EventSourceListCs);
DPRINT("Done\n");
}
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
static BOOL
AddNewEventSource(PLOGFILE pLogFile,
PWSTR lpSourceName)
{
PEVENTSOURCE lpEventSource;
lpEventSource = HeapAlloc(GetProcessHeap(), 0,
FIELD_OFFSET(EVENTSOURCE, szName[wcslen(lpSourceName) + 1]));
if (lpEventSource != NULL)
{
wcscpy(lpEventSource->szName, lpSourceName);
lpEventSource->LogFile = pLogFile;
DPRINT("Insert event source: %S\n", lpEventSource->szName);
EnterCriticalSection(&EventSourceListCs);
InsertTailList(&EventSourceListHead,
&lpEventSource->EventSourceListEntry);
LeaveCriticalSection(&EventSourceListCs);
}
return (lpEventSource != NULL);
}
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
BOOL
LoadEventSources(HKEY hKey,
PLOGFILE pLogFile)
{
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
BOOL Success;
DWORD dwNumSubKeys, dwMaxSubKeyLength;
DWORD dwEventSourceNameLength, MaxValueLen;
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
DWORD dwIndex;
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
PWSTR Buf = NULL, SourceList = NULL, Source = NULL;
size_t cchRemaining = 0;
[MAGNIFY]: Fix CID 512972 and CID 512973. [EVENTLOG]: Fix CID 515148, CID 515149 and CID 512988. By Ricardo Hanke. CORE-9314 CORE-9316 #resolve #comment Committed, thanks! svn path=/trunk/; revision=66558
2015-03-03 21:03:21 +00:00
LONG Result;
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
DPRINT("LoadEventSources\n");
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
Result = RegQueryInfoKeyW(hKey, NULL, NULL, NULL, &dwNumSubKeys, &dwMaxSubKeyLength,
NULL, NULL, NULL, NULL, NULL, NULL);
[MAGNIFY]: Fix CID 512972 and CID 512973. [EVENTLOG]: Fix CID 515148, CID 515149 and CID 512988. By Ricardo Hanke. CORE-9314 CORE-9316 #resolve #comment Committed, thanks! svn path=/trunk/; revision=66558
2015-03-03 21:03:21 +00:00
if (Result != ERROR_SUCCESS)
{
[EVENTLOG] - Use NT functions to retrieve timestamps for events. - Log kernel events with the current computer name. - Don't hardcode variables types for sizeofs. - Add type-checks for the data to be retrieved from the registry, and use default values in case the values do not exist or are invalid. - Use ULONG_PTR to perform pointer arithmetics. - Use string-safe functions for copy/concatenation. - Cache EventLog source for eventlog service self-logging. - Unlock the LogFile in LogfClearFile. - Fix rounding in LogfAllocAndBuildNewRecord. - Verify ELF handle validity in ElfrGetLogInformation. - Implement IELF_HANDLE_rundown to correctly cleanup ELF handles when client apps shut down. Adapt also the parameter of ElfDeleteEventLogHandle for reusing it there. - Update some code formatting. CORE-11842 #resolve I don't completely touch file.c as it contains most of my upcoming eventlog fixes... svn path=/trunk/; revision=72213
2016-08-12 19:14:55 +00:00
DPRINT1("RegQueryInfoKeyW failed: %lu\n", Result);
[MAGNIFY]: Fix CID 512972 and CID 512973. [EVENTLOG]: Fix CID 515148, CID 515149 and CID 512988. By Ricardo Hanke. CORE-9314 CORE-9316 #resolve #comment Committed, thanks! svn path=/trunk/; revision=66558
2015-03-03 21:03:21 +00:00
return FALSE;
}
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
dwMaxSubKeyLength++;
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
Buf = HeapAlloc(GetProcessHeap(), 0, dwMaxSubKeyLength * sizeof(WCHAR));
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
if (!Buf)
{
[EVENTLOG] - Use NT functions to retrieve timestamps for events. - Log kernel events with the current computer name. - Don't hardcode variables types for sizeofs. - Add type-checks for the data to be retrieved from the registry, and use default values in case the values do not exist or are invalid. - Use ULONG_PTR to perform pointer arithmetics. - Use string-safe functions for copy/concatenation. - Cache EventLog source for eventlog service self-logging. - Unlock the LogFile in LogfClearFile. - Fix rounding in LogfAllocAndBuildNewRecord. - Verify ELF handle validity in ElfrGetLogInformation. - Implement IELF_HANDLE_rundown to correctly cleanup ELF handles when client apps shut down. Adapt also the parameter of ElfDeleteEventLogHandle for reusing it there. - Update some code formatting. CORE-11842 #resolve I don't completely touch file.c as it contains most of my upcoming eventlog fixes... svn path=/trunk/; revision=72213
2016-08-12 19:14:55 +00:00
DPRINT1("Error: cannot allocate heap!\n");
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
return FALSE;
}
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
/*
* Allocate a buffer for storing the names of the sources as a REG_MULTI_SZ
* in the registry. Also add the event log as its own source.
* Add a final NULL-terminator.
*/
MaxValueLen = dwNumSubKeys * dwMaxSubKeyLength + wcslen(pLogFile->LogName) + 2;
SourceList = HeapAlloc(GetProcessHeap(), 0, MaxValueLen * sizeof(WCHAR));
if (!SourceList)
{
DPRINT1("Error: cannot allocate heap!\n");
/* It is not dramatic if we cannot create it */
}
else
{
cchRemaining = MaxValueLen;
Source = SourceList;
}
/*
* Enumerate all the subkeys of the event log key, that constitute
* all the possible event sources for this event log. At this point,
* skip the possible existing source having the same name as the
* event log, it will be added later on.
*/
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
dwEventSourceNameLength = dwMaxSubKeyLength;
dwIndex = 0;
while (RegEnumKeyExW(hKey,
dwIndex,
Buf,
&dwEventSourceNameLength,
NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
if (_wcsicmp(pLogFile->LogName, Buf) != 0)
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
{
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
DPRINT("Event Source: %S\n", Buf);
Success = AddNewEventSource(pLogFile, Buf);
if (Success && (Source != NULL))
{
/* Append the event source name and an extra NULL-terminator */
StringCchCopyExW(Source, cchRemaining, Buf, &Source, &cchRemaining, 0);
if (cchRemaining > 0)
{
*++Source = L'\0';
cchRemaining--;
}
}
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
}
dwEventSourceNameLength = dwMaxSubKeyLength;
dwIndex++;
}
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
/* Finally, allow the event log itself to be its own source */
DPRINT("Event Source: %S\n", pLogFile->LogName);
Success = AddNewEventSource(pLogFile, pLogFile->LogName);
if (Success && (Source != NULL))
{
/* Append the event source name and an extra NULL-terminator */
StringCchCopyExW(Source, cchRemaining, pLogFile->LogName, &Source, &cchRemaining, 0);
if (cchRemaining > 0)
{
*++Source = L'\0';
cchRemaining--;
}
}
/* Save the list of sources in the registry */
[EVENTLOG] - Update code source files headers. - Use explicit unicode functions for RegOpen/Query/SetXXX and safe-string APIs. - Use GetSystemWindowsDirectoryW where needed instead of GetWindowsDirectoryW (TS-safe). - Fix some variable names & types. - Improve some DPRINTs. svn path=/trunk/; revision=73034
2016-10-25 23:32:20 +00:00
Result = RegSetValueExW(hKey,
L"Sources",
0,
REG_MULTI_SZ,
(LPBYTE)SourceList,
(MaxValueLen - cchRemaining + 1) * sizeof(WCHAR));
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
if (Result != ERROR_SUCCESS)
{
[EVENTLOG] - Update code source files headers. - Use explicit unicode functions for RegOpen/Query/SetXXX and safe-string APIs. - Use GetSystemWindowsDirectoryW where needed instead of GetWindowsDirectoryW (TS-safe). - Fix some variable names & types. - Improve some DPRINTs. svn path=/trunk/; revision=73034
2016-10-25 23:32:20 +00:00
DPRINT1("RegSetValueExW failed: %lu\n", Result);
[EVENTLOG] - Get rid of MyHeap. - Continue using safe string functions. - Allow event logs themselves to be their own source. And store the full list of log sources in the "Sources" registry multi-string value. - Correctly compute the number of records. - Correctly return the event number and the write timestamp of reported events. - Use a helper function for ElfrReportEventW/A and for ElfrReportEventAndSourceW that is now implemented. - Rewrite the file.c functions using NT-APIs almost exclusively for file operations. - Modify the logic of LogfReadEvents so that a RecordNumber == 0 in sequential read mode means we need to determine where to start the read operation, depending on whether a forwards-read or a backwards-read is performed. The log handle's CurrentRecord member is therefore initialized to 0 before usage. - Adjust LogfAllocAndBuildNewRecord to take in input the event generation timestamp. - Do not "compute" the RecordNumber of the new event in LogfAllocAndBuildNewRecord; it will be consistently assigned by LogfWriteRecord. - Correctly initialize the OldestRecordNumber to zero for new (empty) logs. - Perform extensive log validity checks when opening existing logs: log header and EOF record as well as boundary checks. - Rewrite almost of the functions to support event log wrapping (see https://msdn.microsoft.com/en-us/library/windows/desktop/bb309026(v=vs.85).aspx ) and splitted records. Now our event logs are not corrupted anymore, and are readable under Windows 2k/xp/2k3/Vista+. - As a consequence of supporting wrapping event logs we need to iterate through them at loading time in order to locate the valid EOF record (indeed it may happen that the log header is not correctly synced, and its Start/EndOffsets are invalid. The EOF record offsets contain on the other way the correct values). The file.c fixes are a bit still work-in-progress, but the bulk of the code works. It is extensively tested in situ in my local VM since 2 months now. CORE-11843 #resolve svn path=/trunk/; revision=72236
2016-08-16 21:08:15 +00:00
}
if (SourceList)
HeapFree(GetProcessHeap(), 0, SourceList);
HeapFree(GetProcessHeap(), 0, Buf);
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
DumpEventSourceList();
return TRUE;
}
PEVENTSOURCE
GetEventSourceByName(LPCWSTR Name)
{
PLIST_ENTRY CurrentEntry;
[EVENTLOG] - Use NT functions to retrieve timestamps for events. - Log kernel events with the current computer name. - Don't hardcode variables types for sizeofs. - Add type-checks for the data to be retrieved from the registry, and use default values in case the values do not exist or are invalid. - Use ULONG_PTR to perform pointer arithmetics. - Use string-safe functions for copy/concatenation. - Cache EventLog source for eventlog service self-logging. - Unlock the LogFile in LogfClearFile. - Fix rounding in LogfAllocAndBuildNewRecord. - Verify ELF handle validity in ElfrGetLogInformation. - Implement IELF_HANDLE_rundown to correctly cleanup ELF handles when client apps shut down. Adapt also the parameter of ElfDeleteEventLogHandle for reusing it there. - Update some code formatting. CORE-11842 #resolve I don't completely touch file.c as it contains most of my upcoming eventlog fixes... svn path=/trunk/; revision=72213
2016-08-12 19:14:55 +00:00
PEVENTSOURCE Item, Result = NULL;
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
DPRINT("GetEventSourceByName(%S)\n", Name);
EnterCriticalSection(&EventSourceListCs);
CurrentEntry = EventSourceListHead.Flink;
while (CurrentEntry != &EventSourceListHead)
{
[EVENTLOG] - Use NT functions to retrieve timestamps for events. - Log kernel events with the current computer name. - Don't hardcode variables types for sizeofs. - Add type-checks for the data to be retrieved from the registry, and use default values in case the values do not exist or are invalid. - Use ULONG_PTR to perform pointer arithmetics. - Use string-safe functions for copy/concatenation. - Cache EventLog source for eventlog service self-logging. - Unlock the LogFile in LogfClearFile. - Fix rounding in LogfAllocAndBuildNewRecord. - Verify ELF handle validity in ElfrGetLogInformation. - Implement IELF_HANDLE_rundown to correctly cleanup ELF handles when client apps shut down. Adapt also the parameter of ElfDeleteEventLogHandle for reusing it there. - Update some code formatting. CORE-11842 #resolve I don't completely touch file.c as it contains most of my upcoming eventlog fixes... svn path=/trunk/; revision=72213
2016-08-12 19:14:55 +00:00
Item = CONTAINING_RECORD(CurrentEntry,
EVENTSOURCE,
EventSourceListEntry);
[EVENTLOG] Implement an event source list and use it to find the event log file for a given event source when an event was reported. svn path=/trunk/; revision=51513
2011-04-30 22:33:53 +00:00
DPRINT("Item->szName: %S\n", Item->szName);
// if ((*(Item->szName) != 0) && !_wcsicmp(Item->szName, Name))
if (_wcsicmp(Item->szName, Name) == 0)
{
DPRINT("Found it\n");
Result = Item;
break;
}
CurrentEntry = CurrentEntry->Flink;
}
LeaveCriticalSection(&EventSourceListCs);
DPRINT("Done (Result: %p)\n", Result);
return Result;
}
Reference in a new issue Copy permalink