From 22baef983826f23cafd56159740d4b85bb971d2c Mon Sep 17 00:00:00 2001 From: Markus Thurner Date: Mon, 13 Apr 2015 12:08:20 +0200 Subject: [PATCH 1/3] Minor cleanup --- TimberWinR/Inputs/WindowsEvtInputListener.cs | 34 ++++++-------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/TimberWinR/Inputs/WindowsEvtInputListener.cs b/TimberWinR/Inputs/WindowsEvtInputListener.cs index fed7c32..478eec7 100644 --- a/TimberWinR/Inputs/WindowsEvtInputListener.cs +++ b/TimberWinR/Inputs/WindowsEvtInputListener.cs @@ -1,17 +1,10 @@ using System; using System.Collections.Generic; using System.Linq; -using System.Runtime.InteropServices; -using System.Security.AccessControl; -using System.Text; using System.Threading; -using System.Threading.Tasks; -using System.IO; -using Interop.MSUtil; - using Newtonsoft.Json.Linq; -using Newtonsoft.Json.Serialization; using NLog; +using TimberWinR.Parser; using LogQuery = Interop.MSUtil.LogQueryClassClass; using EventLogInputFormat = Interop.MSUtil.COMEventLogInputContextClassClass; using LogRecordSet = Interop.MSUtil.ILogRecordset; @@ -23,13 +16,13 @@ namespace TimberWinR.Inputs /// public class WindowsEvtInputListener : InputListener { - private int _pollingIntervalInSeconds = 1; - private TimberWinR.Parser.WindowsEvent _arguments; + private readonly int _pollingIntervalInSeconds = 1; + private readonly WindowsEvent _arguments; private long _receivedMessages; - private List _tasks { get; set; } + private List _tasks; public bool Stop { get; set; } - public WindowsEvtInputListener(TimberWinR.Parser.WindowsEvent arguments, CancellationToken cancelToken) + public WindowsEvtInputListener(WindowsEvent arguments, CancellationToken cancelToken) : base(cancelToken, "Win32-Eventlog") { _arguments = arguments; 
@@ -38,8 +31,7 @@ namespace TimberWinR.Inputs foreach (string eventHive in _arguments.Source.Split(',')) { - string hive = eventHive.Trim(); - var thread = new Thread(new ParameterizedThreadStart(EventWatcher)); + var thread = new Thread(EventWatcher); _tasks.Add(thread); thread.Start(eventHive); } @@ -48,7 +40,7 @@ namespace TimberWinR.Inputs public override void Shutdown() { Stop = true; - LogManager.GetCurrentClassLogger().Info("Shutting Down {0}", InputType); + LogManager.GetCurrentClassLogger().Info("Shutting Down {0}", InputType); base.Shutdown(); } @@ -76,8 +68,6 @@ namespace TimberWinR.Inputs { string location = ploc.ToString(); - LogQuery oLogQuery = new LogQuery(); - LogManager.GetCurrentClassLogger().Info("WindowsEvent Input Listener Ready"); // Instantiate the Event Log Input Format object @@ -93,9 +83,7 @@ namespace TimberWinR.Inputs resolveSIDs = _arguments.ResolveSIDS }; - oLogQuery = null; - - Dictionary logFileMaxRecords = new Dictionary(); + var logFileMaxRecords = new Dictionary(); using (var syncHandle = new ManualResetEventSlim()) { @@ -107,7 +95,7 @@ namespace TimberWinR.Inputs { try { - oLogQuery = new LogQuery(); + var oLogQuery = new LogQuery(); var qfiles = string.Format("SELECT Distinct [EventLog] FROM {0}", location); var rsfiles = oLogQuery.Execute(qfiles, iFmt); @@ -151,15 +139,11 @@ namespace TimberWinR.Inputs var lrn = (Int64)record.getValueEx("RecordNumber"); logFileMaxRecords[fileName] = lrn; - record = null; ProcessJson(json); _receivedMessages++; - json = null; - } // Close the recordset rs.close(); - rs = null; GC.Collect(); } if (!Stop) From 98ef675f9c3a04c3287158e73977f34ecba6b964 Mon Sep 17 00:00:00 2001 From: Markus Thurner Date: Mon, 13 Apr 2015 12:27:19 +0200 Subject: [PATCH 2/3] Wait for threads to be completed before shutting down, and naming threads for easier debugging. --- TimberWinR/Inputs/WindowsEvtInputListener.cs | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
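Review bot: Removing the unused `hive` local leaves the untrimmed `eventHive` going into `thread.Start(eventHive)`, so a `Source` of `"Security, System"` hands the second watcher `" System"` with a leading space, which then lands in the `FROM {0}` Log Parser query built further down in this file. The trim was presumably the original intent; pass `thread.Start(eventHive.Trim())`, or split once with `StringSplitOptions.RemoveEmptyEntries` and trim there so an empty entry does not start a watcher either. A short comment on the loop, `// one watcher thread per comma-separated event log named in Source`, would also help. The constructor body continues outside the hunk.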
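Review bot: `var oLogQuery = new LogQuery()` is created on every iteration of the polling loop and never released; narrowing its scope drops the old `oLogQuery = null` but, if `LogQueryClassClass` is a COM RCW as the `Interop.MSUtil` namespace suggests, reclamation is still left to the `GC.Collect()` call later in the loop. Release it deterministically with `Marshal.ReleaseComObject(oLogQuery)` in a `finally` (which means restoring the `System.Runtime.InteropServices` using that this same patch removes) or hoist one instance out of the loop. The query text is built with `string.Format("SELECT Distinct [EventLog] FROM {0}", location)` from the configured `Source`; as far as this diff shows that is operator-controlled configuration rather than untrusted input, but a comment stating that assumption on the format call would make it explicit. The enclosing try block starts and ends outside the hunk.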
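Review bot: The high-water mark `logFileMaxRecords[fileName] = lrn;` is still written before `ProcessJson(json)` runs, so if ProcessJson throws, that record number is already advanced and the next poll starts after the event that was never shipped; for an event-log forwarder that is a silent gap in the audit trail. Move the assignment after the call: `ProcessJson(json); logFileMaxRecords[fileName] = lrn; _receivedMessages++;`. Likewise `rs.close()` is not in a `finally`, so an exception inside the loop leaks the recordset, which the retained `GC.Collect()` only papers over. The loop and its enclosing try begin outside the hunk, so whether exceptions here are caught or propagate cannot be confirmed from the diff.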
diff --git a/TimberWinR/Inputs/WindowsEvtInputListener.cs b/TimberWinR/Inputs/WindowsEvtInputListener.cs index 478eec7..fcb19d1 100644 --- a/TimberWinR/Inputs/WindowsEvtInputListener.cs +++ b/TimberWinR/Inputs/WindowsEvtInputListener.cs @@ -19,7 +19,7 @@ namespace TimberWinR.Inputs private readonly int _pollingIntervalInSeconds = 1; private readonly WindowsEvent _arguments; private long _receivedMessages; - private List _tasks; + private readonly List _tasks; public bool Stop { get; set; } public WindowsEvtInputListener(WindowsEvent arguments, CancellationToken cancelToken) @@ -31,7 +31,7 @@ namespace TimberWinR.Inputs foreach (string eventHive in _arguments.Source.Split(',')) { - var thread = new Thread(EventWatcher); + var thread = new Thread(EventWatcher) {Name = "Win32-Eventlog-" + eventHive}; _tasks.Add(thread); thread.Start(eventHive); } @@ -40,7 +40,11 @@ namespace TimberWinR.Inputs public override void Shutdown() { Stop = true; - LogManager.GetCurrentClassLogger().Info("Shutting Down {0}", InputType); + LogManager.GetCurrentClassLogger().Info("Shutting Down {0}", InputType); + foreach (var thread in _tasks) + { + thread.Join(); + } base.Shutdown(); } From ec2ec6691506704ca17e3b28145dd25d50317e34 Mon Sep 17 00:00:00 2001 From: Markus Thurner Date: Mon, 13 Apr 2015 12:27:36 +0200 Subject: [PATCH 3/3] Convert TimeGenerated and TimeWritten to UTC. --- TimberWinR/Inputs/WindowsEvtInputListener.cs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/TimberWinR/Inputs/WindowsEvtInputListener.cs b/TimberWinR/Inputs/WindowsEvtInputListener.cs index fcb19d1..18d73ba 100644 --- a/TimberWinR/Inputs/WindowsEvtInputListener.cs +++ b/TimberWinR/Inputs/WindowsEvtInputListener.cs 
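Review bot: `thread.Join()` in `Shutdown` has no timeout, so if a watcher is blocked inside a Log Parser `Execute` call or sleeping out its polling interval, shutdown stalls for that long, and hangs indefinitely if a worker never observes `Stop`. `Stop` is a plain auto-property written here and read from the watcher threads with no `volatile`, lock or memory barrier, and the class already receives a `CancellationToken` in its constructor that could carry the signal instead. Prefer a bounded wait that logs when it expires, e.g. `if (!thread.Join(TimeSpan.FromSeconds(30))) LogManager.GetCurrentClassLogger().Warn("Thread {0} did not stop in time", thread.Name);`. The new name `"Win32-Eventlog-" + eventHive` also embeds whatever whitespace the comma split left in `eventHive`. Shutdown's body is complete in the hunk; EventWatcher is not.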
@@ -137,6 +137,8 @@ namespace TimberWinR.Inputs object v = record.getValue(field.Name); if (field.Name == "Data") v = ToPrintable(v.ToString()); + if ((field.Name == "TimeGenerated" || field.Name == "TimeWritten") && field.DataType == typeof (DateTime)) + v = ((DateTime) v).ToUniversalTime(); json.Add(new JProperty(field.Name, v)); }
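Review bot: The new cast `((DateTime) v)` is guarded by `field.DataType` rather than by the value, so a null or `DBNull` in a DateTime-typed column (whether `getValue` can return one is not visible here) throws `InvalidCastException` and aborts the whole record rather than just this field. Test the value instead: `if (v is DateTime && (field.Name == "TimeGenerated" || field.Name == "TimeWritten"))`. `ToUniversalTime()` treats a `DateTimeKind.Unspecified` value as local time, so the conversion is only correct if Log Parser hands back local wall-clock times; record that assumption in a comment, e.g. `// Log Parser returns event times as local wall-clock (Kind unspecified); convert so the JSON carries a UTC timestamp`, because a silently mis-shifted timestamp corrupts downstream correlation and timelines. The enclosing loop starts and ends outside the hunk.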