RE: Can't get insertion strings from Vista security events using VARIA
- From: Bjornkarl <(skip)bjorn@xxxxxxxx(skip)>
- Date: Fri, 16 Nov 2007 07:16:08 -0800
FYI,
I have the same problem on VISTA.
I have implemented an event log monitor, similar to your code based on the
MS sample code.
My code works fine on LONGHORN RC0.
/Bjornkarl
"Wizard" wrote:
I'm just starting to delve into the new Windows event log monitoring model
introduced with Vista. I have been working with the "old" event log model for
many years.
After spending some time on it, I've been able to get a basic understanding
of how things work, and using the sample code provided in the Platform SDK I
was able to create code to subscribe to various channels with a callback
function. This works well.
I am using the Platform SDK for Vista (version 6.0.6000.0) on a fully
patched x64 version of Vista.
However, the default sample renders the events in XML, whereas I would
prefer to go the route that returns an array of VARIANT (EVT_VARIANT)
structures. This also works well for all the fields that I need with the
exception of the event log <DATA> in security events.
In a nutshell, I am creating a rendering context like this:
PCWSTR eventProperties[] = {
L"Event/System/Provider/@Name",
L"Event/System/Channel",
L"Event/System/TimeCreated/@SystemTime",
L"Event/System/EventID",
L"Event/System/EventRecordID",
L"Event/System/Computer",
L"Event/System/Security/@UserID",
L"Event/System/Level",
L"Event/System/Keywords",
L"Event/EventData/Data",
L"Event/EventData/Binary",
L"Event/RenderingInfo/Task",
L"Event/RenderingInfo/Keywords",
L"Event/RenderingInfo/Message" };
EVT_HANDLE renderContext = EvtCreateRenderContext(_countof(eventProperties),
eventProperties, EvtRenderContextValues);
The key thing here is "Event/EventData/Data" of course, which should point
to the information in question.
I then call EvtRender() and pass the renderContext. Then I walk through the
variants similar to this (keep in mind this is just test code):
PEVT_VARIANT vPublisherName = PEVT_VARIANT(&pVariant[iOffset++]);
// Process ...
PEVT_VARIANT vChannel = PEVT_VARIANT(&pVariant[iOffset++]);
// Process ...
and keep doing this until I get to the event data where I have code like this:
PEVT_VARIANT vEventData = PEVT_VARIANT(&pVariant[iOffset++]);
// Count is a DWORD; a string array reports its element count here
if (vEventData->Count > 0)
{
printf("vEventData->Count = %u\n", vEventData->Count);
if (vEventData->Type & EVT_VARIANT_TYPE_ARRAY)
{
// Array of insertion strings: one entry per <Data> element
for (DWORD iElement = 0; iElement < vEventData->Count; iElement++)
{
if (vEventData->StringArr[iElement] != NULL)
printf("Event Data [%u]: -%S-\n", iElement,
vEventData->StringArr[iElement]);
else
printf("Event Data [%u]: NULL!\n", iElement);
}
}
else
printf("Event Data: %S\n", vEventData->StringVal);
}
else
{
printf("Event Data Elements: n/a (type=%u, count=%u)\n",
vEventData->Type, vEventData->Count);
// Scalar values: use the format that matches the union member's width
if (vEventData->Type == EvtVarTypeUInt32)
printf("Event Data (UINT32): %u\n", vEventData->UInt32Val);
else if (vEventData->Type == EvtVarTypeUInt64)
printf("Event Data (UINT64): %I64u\n", vEventData->UInt64Val);
else if (vEventData->Type == EvtVarTypeSizeT)
printf("Event Data (SIZET): %Iu\n", vEventData->SizeTVal);
}
The strange thing is this. If I subscribe to events from the application
channel with events that use insertion strings, then the data will be
displayed OK.
vEventData->Count will contain the number of items in the array,
vEventData->Type will indicate that it is in an array and I can iterate
through the array and display the insertion strings.
Not so for the security channel.
There, the array flag will never be set, and I will only receive the last
insertion string. Depending on the event, it will either be a string in which
case vEventData->Count will be set to 1, or it will be a number in which case
vEventData->Count will be 0 and the last ELSE statement will catch that.
I tried passing L"Event/EventData/ComplexData/Data", which won't yield
anything, and also tried passing L"Event/EventData" only. None of them work.
Basically, if the data looks like this:
<Data Name="SubjectUserName">wizard</Data>
<Data Name="SubjectDomainName">THEDOMAIN</Data>
<Data Name="SubjectLogonId">0x79385</Data>
<Data Name="Status">0xc000013a</Data>
<Data Name="ProcessId">0x1134</Data>
<Data Name="ProcessName">C:\Windows\System32\cmd.exe</Data>
then I will only receive "C:\Windows\System32\cmd.exe"
If the data is passed with the Name attribute (e.g. events from the
application event log) like this:
<Data>String1</Data>
<Data>String2</Data>
<Data>String3</Data>
then it will work.
The only way that I can get it to work is if I were to do the XML rendering
and then just parse the XML code, but I'd much rather do the variant option.
Since all the other values work I'm almost wondering if this is a bug of
some sort.
I also checked the number of VARIANTs that are returned by the EvtRender()
function, and it matches the items I request in the rendering context.
Everything works - binary data, message text, category etc. - just not the
insertion strings.
Any insight one can provide would be much appreciated. At this point I'm at
a loss here.
Thank you,
IJFK.
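The workaround the post itself names (render the event as XML and parse it) as an added example; this is not code from the original thread. It is a small C parser for the <Data> elements of a rendered EventData section that keeps every element, handling the named form the Security channel emits (<Data Name="SubjectUserName">...), the unnamed form from the Application log (<Data>String1</Data>) and the self-closing empty form. On Windows the input would be the buffer returned by EvtRender with the EvtRenderEventXml flag; here the input is a constructed sample string modelled on the post's own example (the "Empty" element is added to exercise the self-closing case), so the code compiles and runs without wevtapi. The function names parse_event_data and find_event_data and the EventDatum type are this example's own.

```c
/* Added example: parse <Data ...>...</Data> elements from an event rendered
 * as XML, so that no element is lost. Input is a constructed sample; on
 * Windows it would be the output of EvtRender(..., EvtRenderEventXml, ...). */
#include <stdio.h>
#include <string.h>

#define MAX_DATA 64
#define MAX_LEN  256

typedef struct {
    char name[MAX_LEN];   /* empty string when the element has no Name attribute */
    char value[MAX_LEN];  /* element text, empty for <Data .../> */
} EventDatum;

/* Copy at most n bytes of src into a MAX_LEN buffer, always NUL-terminated. */
static void copy_bounded(char *dst, const char *src, size_t n) {
    if (n >= MAX_LEN) n = MAX_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Parse every <Data> element in xml into out (up to max entries).
 * Returns the number of elements found, or -1 on malformed input. */
int parse_event_data(const char *xml, EventDatum *out, int max) {
    int count = 0;
    const char *p = xml;
    while (count < max && (p = strstr(p, "<Data")) != NULL) {
        const char *tag_end = strchr(p, '>');
        if (!tag_end) return -1;                 /* unterminated start tag */
        char c = p[5];                           /* reject e.g. <DataItem> */
        if (c != ' ' && c != '>' && c != '/') { p = tag_end; continue; }

        out[count].name[0] = '\0';
        const char *attr = strstr(p, "Name=\"");
        if (attr && attr < tag_end) {            /* Name belongs to this tag */
            const char *q = strchr(attr + 6, '"');
            if (!q || q > tag_end) return -1;
            copy_bounded(out[count].name, attr + 6, (size_t)(q - (attr + 6)));
        }

        if (tag_end[-1] == '/') {                /* self-closing: empty value */
            out[count].value[0] = '\0';
            p = tag_end + 1;
        } else {
            const char *close = strstr(tag_end + 1, "</Data>");
            if (!close) return -1;               /* missing end tag */
            copy_bounded(out[count].value, tag_end + 1,
                         (size_t)(close - (tag_end + 1)));
            p = close + 7;
        }
        count++;
    }
    return count;
}

/* Look up a named element; returns NULL when absent (e.g. unnamed data). */
const char *find_event_data(const EventDatum *items, int count, const char *name) {
    for (int i = 0; i < count; i++)
        if (strcmp(items[i].name, name) == 0) return items[i].value;
    return NULL;
}

/* Constructed samples: the first follows the post's Security event, plus one
 * self-closing element; the second is the unnamed Application-log form. */
static const char SAMPLE_SECURITY_XML[] =
    "<Event><EventData>"
    "<Data Name=\"SubjectUserName\">wizard</Data>"
    "<Data Name=\"SubjectDomainName\">THEDOMAIN</Data>"
    "<Data Name=\"SubjectLogonId\">0x79385</Data>"
    "<Data Name=\"Status\">0xc000013a</Data>"
    "<Data Name=\"ProcessId\">0x1134</Data>"
    "<Data Name=\"ProcessName\">C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name=\"Empty\"/>"
    "</EventData></Event>";

static const char SAMPLE_APP_XML[] =
    "<Event><EventData><Data>String1</Data><Data>String2</Data>"
    "<Data>String3</Data></EventData></Event>";

int main(void) {
    EventDatum items[MAX_DATA];
    int n = parse_event_data(SAMPLE_SECURITY_XML, items, MAX_DATA);
    for (int i = 0; i < n; i++)
        printf("[%d] %s = %s\n", i,
               items[i].name[0] ? items[i].name : "(unnamed)", items[i].value);
    const char *proc = find_event_data(items, n, "ProcessName");
    printf("ProcessName: %s\n", proc ? proc : "(missing)");
    return 0;
}
```

A monitor built on this should look fields up by name rather than by position: the post shows that a positional or array assumption silently keeps only the last <Data> element, which for a Security event drops the subject account and logon id while leaving the process name in place, so the record still looks complete. Checking that the expected named fields are present is the cheap way to catch that.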