/*****************************************************************/ /** Microsoft Windows NT **/ /** Copyright(c) Microsoft Corp., 1991 **/ /*****************************************************************/ /* * lognt.hxx * This file contains class definitions of NT event log objects. * NT_EVENT_LOG * * History: * Yi-HsinS 10/15/91 Created * terryk 12/20/91 Added WriteTextEntry * Yi-HsinS 01/15/92 Added Backup, SeekOldestLogEntry, * SeekNewestLogEntry and modified * parameters to WriteTextEntry * Yi-HsinS 02/25/92 Added helper methods to get log * descriptions from the registry * Yi-HsinS 04/25/92 Added caching for message dlls * Yi-HsinS 10/13/92 Added support for parameter message file * RaviR 02/28/95 Added support to get description & * source name for Cairo Alerts * JonN 6/22/00 WriteTextEntry no longer supported * */ #ifndef _LOGNT_HXX_ #define _LOGNT_HXX_ #include "eventlog.hxx" #include "uatom.hxx" #include "regkey.hxx" #include "array.hxx" #include "uintlsa.hxx" // // The maximum number of libraries that are opened at any one time. // #define MAX_LIBRARY_OPENED 10 // // The following is used to get the alert description and source name // for Cairo alerts. // typedef long (*PASGETALERTDESCRIPTION)(ULONG, const BYTE*, LPWSTR *); typedef long (*PASGETALERTSOURCENAME)(ULONG, const BYTE*, LPWSTR *); /************************************************************************* NAME: DLL_NAME_HANDLE_PAIR SYNOPSIS: The class stores the name and opened handle of a dll. INTERFACE : DLL_HANDLE() - Constructor Set() - Set the name and handle QueryName() - Return the full path name of the dll QueryHandle() - Return the handle of the dll PARENT: BASE USES: CAVEATS: NOTES: HISTORY: Yi-HsinS 4/25/92 Created **************************************************************************/ DLL_CLASS DLL_NAME_HANDLE_PAIR: public BASE { private: // Name of the dll NLS_STR _nlsName; // Opened handle of the above dll HMODULE _handle; public: DLL_NAME_HANDLE_PAIR(); DLL_NAME_HANDLE_PAIR( const TCHAR *pszName, HMODULE handle = 0 ); APIERR Set( const TCHAR *pszName, HMODULE handle ) { _nlsName = pszName; _handle = handle; return _nlsName.QueryError(); } NLS_STR *QueryName( VOID ) { return &_nlsName; } HMODULE QueryHandle( VOID ) { return _handle; } }; // // An array of DLL_NAME_HANDLE_PAIR // DECL_ARRAY_OF( DLL_NAME_HANDLE_PAIR, DLL_BASED ) /************************************************************************* NAME: DLL_HANDLE_CACHE_ARRAY SYNOPSIS: Wrapper class containing an array of DLL_NAME_HANDLE_PAIR. This class contains all methods in dealing with caching the opened handles of dlls. INTERFACE : DLL_HANDLE_CACHE_ARRAY() - Constructor QueryHandle() - Query the handle of the given dll QuerySize() - Query the number of elements that is allocated for the array. QueryCount() - Query the actual number of elements contained in the array. operator[]() - Return the ith element in the array Cache() - Store the dll and handle into the array. PARENT: BASE USES: ARRAY_OF( DLL_NAME_HANDLE_PAIR ) CAVEATS: NOTES: HISTORY: Yi-HsinS 4/25/92 Created **************************************************************************/ DLL_CLASS DLL_HANDLE_CACHE_ARRAY: public BASE { private: ARRAY_OF( DLL_NAME_HANDLE_PAIR ) _aDllNameHandle; // The next slot to fill in the dll name/handle UINT _cNext; // Flag indicating whether the array is full or not BOOL _fFull; public: DLL_HANDLE_CACHE_ARRAY( UINT cElem ); HMODULE QueryHandle( const NLS_STR &nls ); INT QuerySize() const { return _aDllNameHandle.QueryCount(); } INT QueryCount() const { return ( _fFull? _aDllNameHandle.QueryCount() : _cNext ); } DLL_NAME_HANDLE_PAIR &operator[]( INT iIndex ) const { return _aDllNameHandle[ iIndex ]; } APIERR Cache( const NLS_STR &nls, HMODULE handle ); }; /************************************************************************* NAME: SOURCE_INFO_ITEM SYNOPSIS: The class for storing the information contained in the registry of each source under the module. INTERFACE : SOURCE_INFO_ITEM() - Constructor ~SOURCE_INFO_ITEM() - Destructor Set() - Set the information contain in the item IsInitialized() - See if the all the information contained in this item is initialized or not. QuerySource() - Return the source name QueryTypeMask() - Return the type mask QueryCategoryDllName() - Return the full path name of the category dll QueryCategoryCount() - Return the number of categories used in the source. QueryCategoryList() - Return the list of categories supported in this source. SetCategoryList() - Set the category list. QueryEventsDllList() - Return the list of full path names of the events dll QueryParameterMessageDllName() - Return the dll name containing strings for language independent insertion strings PARENT: BASE USES: NLS_STR, STRLIST CAVEATS: NOTES: HISTORY: Yi-HsinS 2/25/92 Created **************************************************************************/ DLL_CLASS SOURCE_INFO_ITEM : public BASE { private: // The name of the source NLS_STR _nlsSource; // Flag indicating whether the information in this item is initialized // or not BOOL _fInitialized; // The type mask supported by the source USHORT _usTypeMask; // The category dll name supported by the source NLS_STR _nlsCategoryDllName; // The number of categories in the above dll USHORT _cCategoryCount; // Pointer to a list of categories names STRLIST *_pstrlstCategory; // Pointer to a list of dlls containing descriptions STRLIST *_pstrlstEventsDll; // The name of the parameter message dll supported by the source NLS_STR _nlsParameterMessageDllName; public: SOURCE_INFO_ITEM(); SOURCE_INFO_ITEM( const TCHAR *pszSource, USHORT usTypeMask = 0, const TCHAR *pszCategoryDllName = NULL, USHORT cCategoryCount = 0, STRLIST *pstrlstEventsDll = NULL, const TCHAR *pszParameterMessageDllName = NULL ); ~SOURCE_INFO_ITEM(); APIERR Set( USHORT usTypeMask, const TCHAR *pszCategoryDllName, USHORT cCategoryCount, STRLIST *pstrlstEventsDll, const TCHAR *pszParameterMessageDllName ); BOOL IsInitialized( VOID ) const { return _fInitialized; } const NLS_STR *QuerySource( VOID ) const { return &_nlsSource; } USHORT QueryTypeMask( VOID ) const { UIASSERT( IsInitialized() ); return _usTypeMask; } const NLS_STR *QueryCategoryDllName( VOID ) const { UIASSERT( IsInitialized() ); return &_nlsCategoryDllName; } USHORT QueryCategoryCount( VOID ) const { UIASSERT( IsInitialized() ); return _cCategoryCount; } STRLIST *QueryCategoryList( VOID ) { UIASSERT( IsInitialized() ); return _pstrlstCategory; } VOID SetCategoryList( STRLIST *pstrlstCategory ) { _pstrlstCategory = pstrlstCategory; } STRLIST *QueryEventDllList( VOID ) { UIASSERT( IsInitialized() ); return _pstrlstEventsDll; } const NLS_STR *QueryParameterMessageDllName( VOID ) const { UIASSERT( IsInitialized() ); return &_nlsParameterMessageDllName; } }; /************************************************************************* NAME: SOURCE_INFO_ITEM_PTR SYNOPSIS: Item that contains a pointer to SOURCE_INFO_ITEM INTERFACE: SOURCE_INFO_ITEM_PTR() - Constructor ~SOURCE_INFO_ITEM_PTR() - Destructor operator=() - Assignment operator operator->() - Return a pointer to SOURCE_INFO_ITEM Compare() - Compare two SOURCE_INFO_ITEM_PTR to see if they contain the same source. QuerySourceItem() - Return the SOURCE_INFO_ITEM contained in the object. PARENT: USES: SOURCE_INFO_ITEM CAVEATS: NOTES: HISTORY: Yi-HsinS 2/25/92 Created **************************************************************************/ DLL_CLASS SOURCE_INFO_ITEM_PTR { private: SOURCE_INFO_ITEM *_pSrcInfoItem; // If _fDestroy is TRUE, we will destroy _pSrcInfoItem when this // item gets destructed. Otherwise, we will leave it alone. BOOL _fDestroy; public: SOURCE_INFO_ITEM_PTR() : _pSrcInfoItem( NULL ), _fDestroy( TRUE ) {} SOURCE_INFO_ITEM_PTR( SOURCE_INFO_ITEM *pSrcInfoItem, BOOL fDestroy ) : _pSrcInfoItem( pSrcInfoItem ), _fDestroy( fDestroy ) {} ~SOURCE_INFO_ITEM_PTR() { if ( _fDestroy ) delete _pSrcInfoItem; _pSrcInfoItem = NULL; } SOURCE_INFO_ITEM_PTR &operator=( const SOURCE_INFO_ITEM_PTR &s ) { _pSrcInfoItem = s._pSrcInfoItem; return *this; } SOURCE_INFO_ITEM *operator->() { return _pSrcInfoItem; } INT Compare( const SOURCE_INFO_ITEM_PTR *pSrcInfoItemPtr ) const ; SOURCE_INFO_ITEM *QuerySourceItem() const { return _pSrcInfoItem; } }; // // An array of pointers to SOURCE_INFO_ITEM // DECL_ARRAY_LIST_OF( SOURCE_INFO_ITEM_PTR, DLL_BASED ) /************************************************************************* NAME: SOURCE_INFO_ARRAY SYNOPSIS: Wrapper class for the array of SOURCE_INFO_ITEM. Access methods are added to get the information for the nth item in the array. INTERFACE : SOURCE_INFO_ARRAY() - Constructor QuerySource() - Return the source name of the ith item QueryTypeMask() - Return the type mask of the ith item QueryCategoryDllName() - Return the full path name of the category dll of the ith item QueryCategoryCount() - Return the number of categories of the ith item QueryCategoryList() - Return the list of categories supported by the ith source. QueryEventsDllList() - Return the list of full path names of the events dll of the ith item QueryParameterMessageDllName() - Return the dll name containing strings for language independent insertion strings of the ith item PARENT: ARRAY_LIST_OF( SOURCE_INFO_ITEM ) USES: CAVEATS: NOTES: HISTORY: Yi-HsinS 8/25/92 Created **************************************************************************/ DLL_CLASS SOURCE_INFO_ARRAY : public ARRAY_LIST_OF( SOURCE_INFO_ITEM_PTR ) { public: SOURCE_INFO_ARRAY( UINT cElem ) : ARRAY_LIST_OF(SOURCE_INFO_ITEM_PTR )( cElem ) { } const NLS_STR *QuerySource( INT i ) const { return ((*this)[i])->QuerySource(); } USHORT QueryTypeMask( INT i ) const { return ((*this)[i])->QueryTypeMask(); } const NLS_STR *QueryCategoryDllName( INT i ) const { return ((*this)[i])->QueryCategoryDllName(); } USHORT QueryCategoryCount( INT i ) const { return ((*this)[i])->QueryCategoryCount(); } STRLIST *QueryCategoryList( INT i ) const { return ((*this)[i])->QueryCategoryList(); } STRLIST *QueryEventDllList( INT i ) const { return ((*this)[i])->QueryEventDllList(); } const NLS_STR *QueryParameterMessageDllName( INT i ) const { return ((*this)[i])->QueryParameterMessageDllName(); } }; /************************************************************************* NAME: LOG_REGISTRY_INFO SYNOPSIS: The class for storing all the information contained in the registry under the given module (system, security...). INTERFACE: LOG_REGISTRY_INFO() - Constructor ~LOG_REGISTRY_INFO() - Destructor Init() - 2nd stage constructor SubstituteParameterID - Find all %%num in the given string with appropriate strings. MapEventIDToString() - Get the description associated with the string MapCategoryToString() - Get the string associated with the string GetSrcSupportedTypeMask() - Get the type mask supported by the given source GetSrcSupportedCategoryList() - Get all categories supported by the given source GetSourceList() - Get the sources supported under the given module PARENT: BASE USES: NLS_STR, STRLIST, DLL_HANDLE_CACHE_ARRAY, REG_KEY, SOURCE_INFO_ARRAY CAVEATS: NOTES: HISTORY: Yi-HsinS 2/25/92 Created **************************************************************************/ DLL_CLASS LOG_REGISTRY_INFO : public BASE { private: // // The server that we are reading the registry from // NLS_STR _nlsServer; // // The module in the registry // NLS_STR _nlsModule; // // If the server points to a remote machine, // then this will contain the path to %SystemRoot%. // Else this will contain a NULL string which will not be used. // NLS_STR _nlsRemoteSystemRoot; // // The array to cache the handles used by the eventlog to get the // description of each log entry. // DLL_HANDLE_CACHE_ARRAY _aDllHandleCache; // // Pointer to an array of SOURCE_INFO_ITEM // SOURCE_INFO_ARRAY *_paSourceInfo; // // The index of the primary module in the array pointed by _paSourceInfo // INT _iPrimarySource; // // Pointer to a strlst containing all sources under the module // STRLIST *_pstrlstSource; // // Pointer to the registry key of module // REG_KEY *_pRegKeyFocusModule; // // Get the registry key of module on the server // APIERR GetRegKeyModule( const TCHAR *pszServer, REG_KEY **ppRegKeyModule ); // // Get the handle of the given dll // APIERR GetLibHandle( const TCHAR *pszLibName, HMODULE *pHandle ); // // Expand %SystemRoot% that is contained in pszPath // APIERR ExpandSystemRoot( const TCHAR *pszPath, NLS_STR *pnls ); // // Get %SystemRoot% from the remote registry. This is used only // if we are reading the registry from the remote machine. // APIERR GetRemoteSystemRoot( NLS_STR *pnls ); // // Initialize the SOURCE_INFO_ITEM at (*_paSourceInfo)[index] // APIERR InitSource( INT index ); // // Initialize the category list at (*_paSourceInfo)[index] // APIERR InitCategoryList( INT index ); // // Get the source name at (*_paSourceInfo)[index] // INT QuerySourceIndex( const TCHAR *pszSource ); // // Returns TRUE if the primary source exists in the registry // BOOL PrimarySourceExist( VOID ) { return _iPrimarySource >= 0; } // // Returns TRUE if the index is the same as the primary source index // BOOL IsPrimarySource( INT index ) { return index == _iPrimarySource; } // // Get the string associated with the id in the dll // APIERR RetrieveMessage( HMODULE handle, ULONG nID, NLS_STR *pnls ); // // Get the string associated with nMessageID in the source // APIERR MapParameterToString( const TCHAR *pszSource, ULONG nMessageID, NLS_STR *pnls ); public: LOG_REGISTRY_INFO( const NLS_STR &nlsServer, const NLS_STR &nlsModule ); ~LOG_REGISTRY_INFO(); APIERR Init( VOID ); APIERR SubstituteParameterID( const TCHAR *pszSource, NLS_STR *pnls ); APIERR MapEventIDToString ( const TCHAR *pszSource, ULONG ulEventID, NLS_STR *pnls ); APIERR MapCategoryToString ( const TCHAR *pszSource, USHORT usCategory, NLS_STR *pnls ); APIERR GetSrcSupportedTypeMask( const TCHAR *pszSource, USHORT *pusTypeMask ); APIERR GetSrcSupportedCategoryList( const TCHAR *pszSource, STRLIST **ppstrlstCategory ); STRLIST *GetSourceList( VOID ) { return _pstrlstSource; } }; /************************************************************************* NAME: NT_EVENT_LOG SYNOPSIS: The class for NT Event Log INTERFACE: protected: I_Next() - Helper method for reading the log file I_Open() - Helper method for opening the handle to the event log I_Close()- Helper method for closing the handle to the event log CreateCurrentRawEntry() - Create a RAW_LOG_ENTRY for the current log entry. This is used when filtering log files. SetPos() - Set the position for the next read. QueryCurrentEntryCategory() - Get the category of the current log entry QueryCurrentEntryTypeString() - Retrieve the type of the current log entry QueryCurrentEntryUser() - Get the user of the current log entry NextString() - Iterator for returning the strings in the current log entry. public: NT_EVENT_LOG() - Constructor ~NT_EVENT_LOG() - Destructor Clear() - Clear the event log Backup() - Back up the event log without clearing the log file Reset() - Reset to the beginning or end of log depending on direction QueryPos() - Get the position of the current event log entry Direction is not important on NT. SeekOldestLogEntry() - Get the oldest log entry in the log SeekNewestLogEntry() - Get the newest log entry in the log QueryNumberOfEntries() - Get the number of entries in the log CreateCurrentFormatEntry() - Create a FORMATTED_LOG_ENTRY for the current log entry. WriteTextEntry() - Write the current log entry to a text file JonN 6/22/00 WriteTextEntry no longer supported QueryCurrentEntryData() - Retrieve the raw data of the current log entry QueryCurrentEntryDesc() - Get the description of the current log entry QueryCurrentEntryTime() - Get the time of the current log entry IsBackup() - True if we want to open a backup log file QuerySourceList() - Return the sources supported by the module QuerySrcSupportedTypeMask() - Query the type mask supported by the given source QuerySrcSupportedCategoryList() - Query the category list supported by the given source PARENT: EVENT_LOG USES: CAVEATS: NOTES: HISTORY: Yi-HsinS 10/15/91 Created **************************************************************************/ DLL_CLASS NT_EVENT_LOG : public EVENT_LOG { private: // // Handle to the NT event log // HANDLE _handle; // // Buffer containing a whole amount of event log entries returned // by a net API call. // BUFFER _buf; // // Points to the current log entry inside the buffer _buf // EVENTLOGRECORD *_pEL; // // the offset(bytes) in the buffer in which the next log entry starts // ULONG _cbOffset; // // the number of bytes returned from the last read // ULONG _cbReturned; // // the minimum number of bytes needed for the next read // ULONG _cbMinBytesNeeded; // // The index of the next string to be retrieved by NextString() // UINT _iStrings; // // The log number to read in the case of seek read // ULONG _ulRecSeek; // // TRUE if we want to open a backup file // BOOL _fBackup; // // Registry Information needed to get the description of log entries // LOG_REGISTRY_INFO _logRegistryInfo; // // The following for translating SIDS to readable names // LSA_POLICY _lsaPolicy; LSA_TRANSLATED_NAME_MEM _lsatnm; LSA_REF_DOMAIN_MEM _lsardm; NLS_STR _nlsAccountDomain; UINT _cCountUsers; // // The following is used to get the alert description and source name // for Cairo alerts. // HINSTANCE _hinstanceSysmgmt; PASGETALERTDESCRIPTION _pAsGetAlertDescription; PASGETALERTSOURCENAME _pAsGetAlertSourceName; protected: virtual APIERR I_Next( BOOL *pfContinue, ULONG ulBufferSize = BIG_BUF_DEFAULT_SIZE ); virtual APIERR I_Open( VOID ); virtual APIERR I_Close( VOID ); virtual APIERR CreateCurrentRawEntry( RAW_LOG_ENTRY *pRawLogEntry ); virtual VOID SetPos( const LOG_ENTRY_NUMBER &logEntryNum, BOOL fForceRead ); APIERR QueryCurrentEntryCategory( NLS_STR *pnlsCategory ); APIERR QueryCurrentEntryTypeString( NLS_STR *pnlsType ); APIERR QueryCurrentEntryUser( NLS_STR *pnlsUser ); // // Iterator to return the next string in the current log. // Returns FALSE if some error occurs or if there are no more strings left. // Need to QueryLastError() to distinguish between the two cases. // APIERR NextString( BOOL *pfContinue, NLS_STR **ppnlsString ); // // The following method is used to get the proc address of alert functions // AsGetAlertdescription and AsGetAlertSourceName // APIERR GetProcAddressOfAlertFuctions( VOID ); public: // // Constructor : takes a server name, // an optional direction which defaults to EVLOG_FWD, // a module name needed for NT Event Log, // and a module name needed for reading the registry. // If pszModule and pszRegistryModule don't point to the // same place, then we are reading a backup event log. // NT_EVENT_LOG( const TCHAR *pszServer, EVLOG_DIRECTION evdir = EVLOG_FWD, const TCHAR *pszModule = NULL, const TCHAR *pszRegistryModule = NULL ); virtual ~NT_EVENT_LOG(); // // See comments in EVENT_LOG // virtual APIERR Clear( const TCHAR *pszBackupFile = NULL ); virtual APIERR Backup( const TCHAR *pszBackupFile ); virtual VOID Reset( VOID ); virtual APIERR QueryPos( LOG_ENTRY_NUMBER *plogEntryNum ); virtual APIERR SeekOldestLogEntry( VOID ); virtual APIERR SeekNewestLogEntry( VOID ); virtual APIERR QueryNumberOfEntries( ULONG *pcEntries ); virtual APIERR CreateCurrentFormatEntry( FORMATTED_LOG_ENTRY **ppFmtLogEntry ); // JonN 6/22/00 WriteTextEntry no longer supported virtual APIERR WriteTextEntry( ULONG ulFileHandle, INTL_PROFILE &intlprof, TCHAR chSeparator ); virtual ULONG QueryCurrentEntryData( BYTE **ppbDataOut ); virtual APIERR QueryCurrentEntryDesc( NLS_STR *pnlsDesc ); virtual ULONG QueryCurrentEntryTime( VOID ); BOOL IsBackup( VOID ) { return _fBackup; } virtual STRLIST *QuerySourceList( VOID ); virtual APIERR QuerySrcSupportedTypeMask( const NLS_STR &nlsSource, USHORT *pusTypeMask ); virtual APIERR QuerySrcSupportedCategoryList( const NLS_STR &nlsSource, STRLIST **ppstrlstCategory ); }; #endif