From e28e893120951eed43b769aa7f7497a4974789e6 Mon Sep 17 00:00:00 2001
From: Eric Fontana
Date: Thu, 6 Nov 2014 10:47:51 -0500
Subject: [PATCH] Added Interval parameter for WindowsEvents and bumped up default interval to 60 seconds.
---
 TimberWinR.ServiceHost/Properties/AssemblyInfo.cs | 4 ++--
 TimberWinR/Inputs/WindowsEvtInputListener.cs | 15 +++++++--------
 TimberWinR/Parser.cs | 5 ++++-
 TimberWinR/mdocs/WindowsEvents.md | 3 ++-
 4 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/TimberWinR.ServiceHost/Properties/AssemblyInfo.cs b/TimberWinR.ServiceHost/Properties/AssemblyInfo.cs
index 6cd2621..4333ec8 100644
--- a/TimberWinR.ServiceHost/Properties/AssemblyInfo.cs
+++ b/TimberWinR.ServiceHost/Properties/AssemblyInfo.cs
@@ -32,5 +32,5 @@ using System.Runtime.InteropServices;
 // You can specify all the values or you can default the Build and Revision Numbers
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.3.8.0")]
-[assembly: AssemblyFileVersion("1.3.8.0")]
+[assembly: AssemblyVersion("1.3.9.0")]
+[assembly: AssemblyFileVersion("1.3.9.0")]
diff --git a/TimberWinR/Inputs/WindowsEvtInputListener.cs b/TimberWinR/Inputs/WindowsEvtInputListener.cs
index 90bfcfa..ce3155a 100644
--- a/TimberWinR/Inputs/WindowsEvtInputListener.cs
+++ b/TimberWinR/Inputs/WindowsEvtInputListener.cs
@@ -26,11 +26,11 @@ namespace TimberWinR.Inputs
 private TimberWinR.Parser.WindowsEvent _arguments;
 private long _receivedMessages;
- public WindowsEvtInputListener(TimberWinR.Parser.WindowsEvent arguments, CancellationToken cancelToken, int pollingIntervalInSeconds = 5)
+ public WindowsEvtInputListener(TimberWinR.Parser.WindowsEvent arguments, CancellationToken cancelToken)
 : base(cancelToken, "Win32-Eventlog")
 {
 _arguments = arguments;
- _pollingIntervalInSeconds = pollingIntervalInSeconds;
+ _pollingIntervalInSeconds = arguments.Interval;
 foreach (string eventHive in _arguments.Source.Split(','))
 {
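Review bot: `_pollingIntervalInSeconds = arguments.Interval;` takes whatever integer the JSON config carries, including 0 or a negative value; the removed `pollingIntervalInSeconds = 5` default at least guaranteed a sane number, and the new `Interval` default only applies when the key is absent from the config. How the field drives the wait is outside this hunk, but a zero interval would presumably turn the poll loop into a hot loop against the event log, and a negative one would throw if it ever reaches `Thread.Sleep`, so reject bad values where they enter: `if (arguments.Interval <= 0) throw new ArgumentOutOfRangeException("arguments", "Interval must be a positive number of seconds");` right after `_arguments = arguments;`. The constructor body continues past the end of the hunk.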
@@ -52,6 +52,7 @@ namespace TimberWinR.Inputs
 new JProperty("messages", _receivedMessages),
 new JProperty("binaryFormat", _arguments.BinaryFormat.ToString()),
 new JProperty("direction", _arguments.Direction.ToString()),
+ new JProperty("interval", _arguments.Interval),
 new JProperty("formatMsg", _arguments.FormatMsg),
 new JProperty("fullEventCode", _arguments.FullEventCode),
 new JProperty("fullText", _arguments.FullText),
@@ -67,8 +68,7 @@ namespace TimberWinR.Inputs
 {
 LogQuery oLogQuery = new LogQuery();
- LogManager.GetCurrentClassLogger().Info("WindowsEvent Input Listener Ready");
-
+ LogManager.GetCurrentClassLogger().Info("WindowsEvent Input Listener Ready");
 // Instantiate the Event Log Input Format object
 var iFmt = new EventLogInputFormat()
@@ -85,18 +85,17 @@ namespace TimberWinR.Inputs
 oLogQuery = null;
- Dictionary logFileMaxRecords = new Dictionary();
-
+ Dictionary logFileMaxRecords = new Dictionary();
 // Execute the query
 while (!CancelToken.IsCancellationRequested)
 {
 try
 {
- oLogQuery = new LogQuery();
- Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;
+ oLogQuery = new LogQuery();
+
 var qfiles = string.Format("SELECT Distinct [EventLog] FROM {0}", location);
 var rsfiles = oLogQuery.Execute(qfiles, iFmt);
 for (; !rsfiles.atEnd(); rsfiles.moveNext())
diff --git a/TimberWinR/Parser.cs b/TimberWinR/Parser.cs
index 16bda41..e0a7966 100644
--- a/TimberWinR/Parser.cs
+++ b/TimberWinR/Parser.cs
@@ -245,9 +245,12 @@ namespace TimberWinR.Parser
 public List Fields { get; set; }
 [JsonProperty(PropertyName = "formatMsg")]
 public bool FormatMsg { get; set; }
-
+ [JsonProperty(PropertyName = "interval")]
+ public int Interval { get; set; }
+
 public WindowsEvent()
 {
+ Interval = 60; // Every minute
 Source = "System";
 StringsSep = "|";
 FormatMsg = true;
diff --git a/TimberWinR/mdocs/WindowsEvents.md b/TimberWinR/mdocs/WindowsEvents.md
index be9164a..a16681c 100644
--- a/TimberWinR/mdocs/WindowsEvents.md
+++ b/TimberWinR/mdocs/WindowsEvents.md
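Review bot: The `@@ -85,18` hunk drops `Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;` and puts a blank line in its place, so the collector's poll loop now runs at normal thread priority, yet the commit message only talks about the new Interval parameter. If lowering the collector's priority is no longer wanted, state that in the message so the behaviour change is traceable; if the removal is accidental, restore it once ahead of the loop instead of on every iteration, `Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;` just before `// Execute the query`. The `while` loop and its `try` block continue outside the hunk.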
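Review bot: The new `Interval` property in Parser.cs carries no documentation and its unit is only recoverable from the listener and the markdown table, so a reader of this class alone cannot tell seconds from milliseconds. Add `/// <summary>Seconds to wait between polls of the configured event logs; defaults to 60 when the key is absent from the config.</summary>` above the `[JsonProperty(PropertyName = "interval")]` attribute, and note there that nothing in this hunk range-checks the deserialized value. The `WindowsEvent` class begins before the hunk.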
@@ -2,7 +2,7 @@ The WindowsEvents input will collect events from the Windows Event Viewer.
 The source parameter indicates which event logs to collect data from.
 You can specify more than one log by using the comma, i.e. "Application,System" will collect
-logs from the Application and System event logs.
+logs from the Application and System event logs. The default interval for scanning for new Events is 60 seconds.
 ## Parameters
 The following parameters are allowed when configuring WindowsEvents.
@@ -18,6 +18,7 @@ The following parameters are allowed when configuring WindowsEvents.
 | *fullText* | bool |Retrieve the full text message | true,false | **true** |
 | *resolveSIDS* | bool |Resolve SID values into full account names | true,false | **true** |
 | *formatMsg* | bool |Format the text message as a single line. | true,false | **true** |
+| *interval* | integer | Interval in seconds to sleep during checks | Interval | 60 |
 ### source format
 The source indicates where to collect the event(s) from, it can be of these form(s):