MINIFICPP-1025 Code review.
MINIFICPP-1025 Substituted tabs with spaces.
Signed-off-by: Arpad Boda <aboda@apache.org>
This closes #658
diff --git a/extensions/windows-event-log/ConsumeWindowsEventLog.cpp b/extensions/windows-event-log/ConsumeWindowsEventLog.cpp
index 6e7b2e0..3a37033 100644
--- a/extensions/windows-event-log/ConsumeWindowsEventLog.cpp
+++ b/extensions/windows-event-log/ConsumeWindowsEventLog.cpp
@@ -91,41 +91,41 @@
build());
core::Property ConsumeWindowsEventLog::IdentifierMatcher(
- core::PropertyBuilder::createProperty("Identifier Match Regex")->
- isRequired(false)->
- withDefaultValue(".*Sid")->
- withDescription("Regular Expression to match Subject Identifier Fields. These will be placed into the attributes of the FlowFile")->
- build());
+ core::PropertyBuilder::createProperty("Identifier Match Regex")->
+ isRequired(false)->
+ withDefaultValue(".*Sid")->
+ withDescription("Regular Expression to match Subject Identifier Fields. These will be placed into the attributes of the FlowFile")->
+ build());
core::Property ConsumeWindowsEventLog::IdentifierFunction(
- core::PropertyBuilder::createProperty("Apply Identifier Function")->
- isRequired(false)->
- withDefaultValue<bool>(true)->
- withDescription("If true it will resolve SIDs matched in the 'Identifier Match Regex' to the DOMAIN\\USERNAME associated with that ID")->
- build());
+ core::PropertyBuilder::createProperty("Apply Identifier Function")->
+ isRequired(false)->
+ withDefaultValue<bool>(true)->
+ withDescription("If true it will resolve SIDs matched in the 'Identifier Match Regex' to the DOMAIN\\USERNAME associated with that ID")->
+ build());
core::Property ConsumeWindowsEventLog::ResolveAsAttributes(
- core::PropertyBuilder::createProperty("Resolve Metadata in Attributes")->
- isRequired(false)->
- withDefaultValue<bool>(true)->
- withDescription("If true, any metadata that is resolved ( such as IDs or keyword metadata ) will be placed into attributes, otherwise it will be replaced in the XML or text output")->
- build());
+ core::PropertyBuilder::createProperty("Resolve Metadata in Attributes")->
+ isRequired(false)->
+ withDefaultValue<bool>(true)->
+ withDescription("If true, any metadata that is resolved ( such as IDs or keyword metadata ) will be placed into attributes, otherwise it will be replaced in the XML or text output")->
+ build());
core::Property ConsumeWindowsEventLog::EventHeaderDelimiter(
- core::PropertyBuilder::createProperty("Event Header Delimiter")->
- isRequired(false)->
- withDescription("If set, the chosen delimiter will be used in the Event output header. Otherwise, a colon followed by spaces will be used.")->
- build());
+ core::PropertyBuilder::createProperty("Event Header Delimiter")->
+ isRequired(false)->
+ withDescription("If set, the chosen delimiter will be used in the Event output header. Otherwise, a colon followed by spaces will be used.")->
+ build());
core::Property ConsumeWindowsEventLog::EventHeader(
- core::PropertyBuilder::createProperty("Event Header")->
- isRequired(false)->
- withDefaultValue("LOG_NAME=Log Name, SOURCE = Source, TIME_CREATED = Date,EVENT_RECORDID=Record ID,EVENTID = Event ID,TASK_CATEGORY = Task Category,LEVEL = Level,KEYWORDS = Keywords,USER = User,COMPUTER = Computer, EVENT_TYPE = EventType")->
- withDescription("Comma seperated list of key/value pairs with the following keys LOG_NAME, SOURCE, TIME_CREATED,EVENT_RECORDID,EVENTID,TASK_CATEGORY,LEVEL,KEYWORDS,USER,COMPUTER, and EVENT_TYPE. Eliminating fields will remove them from the header.")->
- build());
+ core::PropertyBuilder::createProperty("Event Header")->
+ isRequired(false)->
+ withDefaultValue("LOG_NAME=Log Name, SOURCE = Source, TIME_CREATED = Date,EVENT_RECORDID=Record ID,EVENTID = Event ID,TASK_CATEGORY = Task Category,LEVEL = Level,KEYWORDS = Keywords,USER = User,COMPUTER = Computer, EVENT_TYPE = EventType")->
+ withDescription("Comma seperated list of key/value pairs with the following keys LOG_NAME, SOURCE, TIME_CREATED,EVENT_RECORDID,EVENTID,TASK_CATEGORY,LEVEL,KEYWORDS,USER,COMPUTER, and EVENT_TYPE. Eliminating fields will remove them from the header.")->
+ build());
core::Relationship ConsumeWindowsEventLog::Success("success", "Relationship for successfully consumed events.");
@@ -153,46 +153,45 @@
}
bool ConsumeWindowsEventLog::insertHeaderName(wel::METADATA_NAMES &header, const std::string &key, const std::string & value) {
-
- wel::METADATA name = wel::WindowsEventLogMetadata::getMetadataFromString(key);
-
- if (name != wel::METADATA::UNKNOWN) {
- header.emplace_back(std::make_pair(name, value));
- return true;
- }
- else {
- return false;
- }
+
+ wel::METADATA name = wel::WindowsEventLogMetadata::getMetadataFromString(key);
+
+ if (name != wel::METADATA::UNKNOWN) {
+ header.emplace_back(std::make_pair(name, value));
+ return true;
+ }
+ else {
+ return false;
+ }
}
void ConsumeWindowsEventLog::onSchedule(const std::shared_ptr<core::ProcessContext> &context, const std::shared_ptr<core::ProcessSessionFactory> &sessionFactory) {
- context->getProperty(IdentifierMatcher.getName(), regex_);
- context->getProperty(ResolveAsAttributes.getName(), resolve_as_attributes_);
- context->getProperty(IdentifierFunction.getName(), apply_identifier_function_);
- context->getProperty(EventHeaderDelimiter.getName(), header_delimiter_);
+ context->getProperty(IdentifierMatcher.getName(), regex_);
+ context->getProperty(ResolveAsAttributes.getName(), resolve_as_attributes_);
+ context->getProperty(IdentifierFunction.getName(), apply_identifier_function_);
+ context->getProperty(EventHeaderDelimiter.getName(), header_delimiter_);
- std::string header;
- context->getProperty(EventHeader.getName(), header);
-
- auto keyValueSplit = utils::StringUtils::split(header, ",");
- for (const auto &kv : keyValueSplit) {
- auto splitKeyAndValue = utils::StringUtils::split(kv, "=");
- if (splitKeyAndValue.size() == 2) {
- auto key = utils::StringUtils::trim(splitKeyAndValue.at(0));
- auto value = utils::StringUtils::trim(splitKeyAndValue.at(1));
- if (!insertHeaderName(header_names_, key, value)) {
- logger_->log_debug("%s is an invalid key for the header map", key);
- }
- }
- else if (splitKeyAndValue.size() == 1) {
- auto key = utils::StringUtils::trim(splitKeyAndValue.at(0));
- if (!insertHeaderName(header_names_, key, "")) {
- logger_->log_debug("%s is an invalid key for the header map", key);
- }
- }
+ std::string header;
+ context->getProperty(EventHeader.getName(), header);
- }
-
+ auto keyValueSplit = utils::StringUtils::split(header, ",");
+ for (const auto &kv : keyValueSplit) {
+ auto splitKeyAndValue = utils::StringUtils::split(kv, "=");
+ if (splitKeyAndValue.size() == 2) {
+ auto key = utils::StringUtils::trim(splitKeyAndValue.at(0));
+ auto value = utils::StringUtils::trim(splitKeyAndValue.at(1));
+ if (!insertHeaderName(header_names_, key, value)) {
+ logger_->log_error("%s is an invalid key for the header map", key);
+ }
+ }
+ else if (splitKeyAndValue.size() == 1) {
+ auto key = utils::StringUtils::trim(splitKeyAndValue.at(0));
+ if (!insertHeaderName(header_names_, key, "")) {
+ logger_->log_error("%s is an invalid key for the header map", key);
+ }
+ }
+ }
+
if (subscriptionHandle_) {
logger_->log_error("Processor already subscribed to Event Log, expected cleanup to unsubscribe.");
} else {
@@ -227,18 +226,18 @@
}
wel::WindowsEventLogHandler ConsumeWindowsEventLog::getEventLogHandler(const std::string & name) {
- std::lock_guard<std::mutex> lock(cache_mutex_);
- auto provider = providers_.find(name);
- if (provider != std::end(providers_)) {
- return provider->second;
- }
+ std::lock_guard<std::mutex> lock(cache_mutex_);
+ auto provider = providers_.find(name);
+ if (provider != std::end(providers_)) {
+ return provider->second;
+ }
- std::wstring temp_wstring = std::wstring(name.begin(), name.end());
- LPCWSTR widechar = temp_wstring.c_str();
+ std::wstring temp_wstring = std::wstring(name.begin(), name.end());
+ LPCWSTR widechar = temp_wstring.c_str();
- providers_[name] = wel::WindowsEventLogHandler(EvtOpenPublisherMetadata(NULL, widechar, NULL, 0, 0));
+ providers_[name] = wel::WindowsEventLogHandler(EvtOpenPublisherMetadata(NULL, widechar, NULL, 0, 0));
- return providers_[name];
+ return providers_[name];
}
@@ -272,7 +271,7 @@
this,
[](EVT_SUBSCRIBE_NOTIFY_ACTION action, PVOID pContext, EVT_HANDLE eventHandle)
{
-
+
auto pConsumeWindowsEventLog = static_cast<ConsumeWindowsEventLog*>(pContext);
auto& logger = pConsumeWindowsEventLog->logger_;
@@ -299,53 +298,51 @@
if (EvtRender(NULL, eventHandle, EvtRenderEventXml, size, &buf[0], &used, &propertyCount)) {
std::string xml = to_string(&buf[0]);
- EventRender renderedData;
+ EventRender renderedData;
- pugi::xml_document doc;
- pugi::xml_parse_result result = doc.load_string(xml.c_str());
+ pugi::xml_document doc;
+ pugi::xml_parse_result result = doc.load_string(xml.c_str());
- if (!result) {
- logger->log_error("Invalid XML produced");
- return 0UL;
- }
- // this is a well known path.
- std::string providerName = doc.child("Event").child("System").child("Provider").attribute("Name").value();
-
- auto handler = pConsumeWindowsEventLog->getEventLogHandler(providerName);
- auto message = handler.getEventMessage(eventHandle);
+ if (!result) {
+ logger->log_error("Invalid XML produced");
+ return 0UL;
+ }
+ // this is a well known path.
+ std::string providerName = doc.child("Event").child("System").child("Provider").attribute("Name").value();
-
+ auto handler = pConsumeWindowsEventLog->getEventLogHandler(providerName);
+ auto message = handler.getEventMessage(eventHandle);
- // resolve the event metadata
- wel::MetadataWalker walker(pConsumeWindowsEventLog->getEventLogHandler(providerName).getMetadata(), pConsumeWindowsEventLog->channel_, eventHandle, !pConsumeWindowsEventLog->resolve_as_attributes_, pConsumeWindowsEventLog->apply_identifier_function_, pConsumeWindowsEventLog->regex_);
- doc.traverse(walker);
+ // resolve the event metadata
+ wel::MetadataWalker walker(pConsumeWindowsEventLog->getEventLogHandler(providerName).getMetadata(), pConsumeWindowsEventLog->channel_, eventHandle, !pConsumeWindowsEventLog->resolve_as_attributes_, pConsumeWindowsEventLog->apply_identifier_function_, pConsumeWindowsEventLog->regex_);
+ doc.traverse(walker);
- if (!message.empty())
- {
- for (const auto &mapEntry : walker.getIdentifiers()) {
- // replace the identifiers with their translated strings.
- utils::StringUtils::replaceAll(message, mapEntry.first, mapEntry.second);
- }
- wel::WindowsEventLogHeader log_header(pConsumeWindowsEventLog->header_names_);
- // set the delimiter
- log_header.setDelimiter(pConsumeWindowsEventLog->header_delimiter_);
- // render the header.
- renderedData.rendered_text_ = log_header.getEventHeader(&walker);
- renderedData.rendered_text_ += "Message" + pConsumeWindowsEventLog->header_delimiter_ + " ";
- renderedData.rendered_text_ += message;
- }
+ if (!message.empty())
+ {
+ for (const auto &mapEntry : walker.getIdentifiers()) {
+ // replace the identifiers with their translated strings.
+ utils::StringUtils::replaceAll(message, mapEntry.first, mapEntry.second);
+ }
+ wel::WindowsEventLogHeader log_header(pConsumeWindowsEventLog->header_names_);
+ // set the delimiter
+ log_header.setDelimiter(pConsumeWindowsEventLog->header_delimiter_);
+ // render the header.
+ renderedData.rendered_text_ = log_header.getEventHeader(&walker);
+ renderedData.rendered_text_ += "Message" + pConsumeWindowsEventLog->header_delimiter_ + " ";
+ renderedData.rendered_text_ += message;
+ }
- if (pConsumeWindowsEventLog->resolve_as_attributes_) {
- renderedData.matched_fields_ = walker.getFieldValues();
- }
+ if (pConsumeWindowsEventLog->resolve_as_attributes_) {
+ renderedData.matched_fields_ = walker.getFieldValues();
+ }
- wel::XmlString writer;
- doc.print(writer,"", pugi::format_raw); // no indentation or formatting
- xml = writer.xml_;
-
- renderedData.text_ = std::move(xml);
+ wel::XmlString writer;
+ doc.print(writer,"", pugi::format_raw); // no indentation or formatting
+ xml = writer.xml_;
- pConsumeWindowsEventLog->listRenderedData_.enqueue(std::move(renderedData));
+ renderedData.text_ = std::move(xml);
+
+ pConsumeWindowsEventLog->listRenderedData_.enqueue(std::move(renderedData));
} else {
logger->log_error("EvtRender returned the following error code: %d.", GetLastError());
}
@@ -396,22 +393,22 @@
auto flowFile = session->create();
session->write(flowFile, &WriteCallback(evt.text_));
- for (const auto &fieldMapping : evt.matched_fields_) {
- if (!fieldMapping.second.empty()) {
- session->putAttribute(flowFile, fieldMapping.first, fieldMapping.second);
- }
- }
+ for (const auto &fieldMapping : evt.matched_fields_) {
+ if (!fieldMapping.second.empty()) {
+ session->putAttribute(flowFile, fieldMapping.first, fieldMapping.second);
+ }
+ }
session->putAttribute(flowFile, FlowAttributeKey(MIME_TYPE), "application/xml");
session->getProvenanceReporter()->receive(flowFile, provenanceUri_, getUUIDStr(), "Consume windows event logs", 0);
session->transfer(flowFile, Success);
- flowFile = session->create();
+ flowFile = session->create();
- session->write(flowFile, &WriteCallback(evt.rendered_text_));
- session->putAttribute(flowFile, FlowAttributeKey(MIME_TYPE), "text/plain");
- session->getProvenanceReporter()->receive(flowFile, provenanceUri_, getUUIDStr(), "Consume windows event logs", 0);
- session->transfer(flowFile, Success);
- session->commit();
+ session->write(flowFile, &WriteCallback(evt.rendered_text_));
+ session->putAttribute(flowFile, FlowAttributeKey(MIME_TYPE), "text/plain");
+ session->getProvenanceReporter()->receive(flowFile, provenanceUri_, getUUIDStr(), "Consume windows event logs", 0);
+ session->transfer(flowFile, Success);
+ session->commit();
flowFileCount++;
}
diff --git a/extensions/windows-event-log/wel/MetadataWalker.cpp b/extensions/windows-event-log/wel/MetadataWalker.cpp
index 3c10006..22c6636 100644
--- a/extensions/windows-event-log/wel/MetadataWalker.cpp
+++ b/extensions/windows-event-log/wel/MetadataWalker.cpp
@@ -10,136 +10,122 @@
namespace wel {
bool MetadataWalker::for_each(pugi::xml_node &node) {
- // don't shortcut resolution here so that we can log attributes.
- const std::string node_name = node.name();
- if (node_name == "Data") {
-
- for (pugi::xml_attribute attr : node.attributes())
- {
+ // don't shortcut resolution here so that we can log attributes.
+ const std::string node_name = node.name();
+ if (node_name == "Data") {
+ for (pugi::xml_attribute attr : node.attributes()) {
+ static const auto idUpdate = [&](const std::string &input) {
+ if (resolve_) {
+ const auto resolved = utils::OsUtils::userIdToUsername(input);
+ replaced_identifiers_[input] = resolved;
+ return resolved;
+ }
- if (std::regex_match(attr.name(), regex_)) {
- std::function<std::string(const std::string &)> idUpdate = [&](const std::string &input) -> std::string {
- if (resolve_) {
- auto resolved = utils::OsUtils::userIdToUsername(input);
- replaced_identifiers_[input] = resolved;
- return resolved;
- }
- else {
- replaced_identifiers_[input] = input;
- }
- };
- updateText(node, attr.name(), std::move(idUpdate));
+ replaced_identifiers_[input] = input;
+ return input;
+ };
- }
+ if (std::regex_match(attr.name(), regex_)) {
+ updateText(node, attr.name(), idUpdate);
+ }
- if (std::regex_match(attr.value(), regex_)) {
- std::function<std::string(const std::string &)> idUpdate = [&](const std::string &input) -> std::string {
- if (resolve_) {
- auto resolved = utils::OsUtils::userIdToUsername(input);
- replaced_identifiers_[input] = resolved;
- return resolved;
- }
- else {
- replaced_identifiers_[input] = input;
- }
- };
- updateText(node, attr.value(), std::move(idUpdate));
- }
- }
+ if (std::regex_match(attr.value(), regex_)) {
+ updateText(node, attr.value(), idUpdate);
+ }
+ }
- if (resolve_) {
- std::string nodeText = node.text().get();
- std::vector<std::string> ids = getIdentifiers(nodeText);
- for (const auto &id : ids) {
- auto resolved = utils::OsUtils::userIdToUsername(id);
- std::string replacement = "%{" + id + "}";
- replaced_identifiers_[id] = resolved;
- replaced_identifiers_[replacement] = resolved;
- nodeText = utils::StringUtils::replaceAll(nodeText, replacement, resolved);
- }
- node.text().set(nodeText.c_str());
- }
+ if (resolve_) {
+ std::string nodeText = node.text().get();
+ std::vector<std::string> ids = getIdentifiers(nodeText);
+ for (const auto &id : ids) {
+ auto resolved = utils::OsUtils::userIdToUsername(id);
+ std::string replacement = "%{" + id + "}";
+ replaced_identifiers_[id] = resolved;
+ replaced_identifiers_[replacement] = resolved;
+ nodeText = utils::StringUtils::replaceAll(nodeText, replacement, resolved);
+ }
+ node.text().set(nodeText.c_str());
+ }
- }
- else if (node_name == "TimeCreated") {
- metadata_["TimeCreated"] = node.attribute("SystemTime").value();
- }
- else if (node_name == "EventRecordID") {
- metadata_["EventRecordID"] = node.text().get();
- }
- else if (node_name == "Provider") {
- metadata_["Provider"] = node.attribute("Name").value();
- }
- else if (node_name == "EventID") {
- metadata_["EventID"] = node.text().get();
- }
- else {
- static std::map<std::string, EVT_FORMAT_MESSAGE_FLAGS> formatFlagMap = { {"Channel", EvtFormatMessageChannel}, {"Keywords", EvtFormatMessageKeyword}, {"Level", EvtFormatMessageLevel}, {"Opcode", EvtFormatMessageOpcode}, {"Task",EvtFormatMessageTask} };
- auto it = formatFlagMap.find(node_name);
- if (it != formatFlagMap.end()) {
- std::function<std::string(const std::string &)> updateFunc = [&](const std::string &input) -> std::string {
- if (resolve_) {
- auto resolved = getEventData(it->second);
- if (!resolved.empty()) {
- return resolved;
- }
- }
- return input;
- };
- updateText(node, node.name(), std::move(updateFunc));
- }
- else {
- // no conversion is required here, so let the node fall through
- }
- }
+ }
+ else if (node_name == "TimeCreated") {
+ metadata_["TimeCreated"] = node.attribute("SystemTime").value();
+ }
+ else if (node_name == "EventRecordID") {
+ metadata_["EventRecordID"] = node.text().get();
+ }
+ else if (node_name == "Provider") {
+ metadata_["Provider"] = node.attribute("Name").value();
+ }
+ else if (node_name == "EventID") {
+ metadata_["EventID"] = node.text().get();
+ }
+ else {
+ static std::map<std::string, EVT_FORMAT_MESSAGE_FLAGS> formatFlagMap = { {"Channel", EvtFormatMessageChannel}, {"Keywords", EvtFormatMessageKeyword}, {"Level", EvtFormatMessageLevel}, {"Opcode", EvtFormatMessageOpcode}, {"Task",EvtFormatMessageTask} };
+ auto it = formatFlagMap.find(node_name);
+ if (it != formatFlagMap.end()) {
+ std::function<std::string(const std::string &)> updateFunc = [&](const std::string &input) -> std::string {
+ if (resolve_) {
+ auto resolved = getEventData(it->second);
+ if (!resolved.empty()) {
+ return resolved;
+ }
+ }
+ return input;
+ };
+ updateText(node, node.name(), std::move(updateFunc));
+ }
+ else {
+ // no conversion is required here, so let the node fall through
+ }
+ }
return true;
}
std::vector<std::string> MetadataWalker::getIdentifiers(const std::string &text) const {
- auto pos = text.find("%{");
- std::vector<std::string> found_strings;
- while (pos != std::string::npos)
- {
- auto next_pos = text.find("}", pos);
- if (next_pos != std::string::npos) {
- auto potential_identifier = text.substr(pos + 2, next_pos - (pos + 2));
- std::smatch match;
- if (potential_identifier.find("S-") != std::string::npos){
- found_strings.push_back(potential_identifier);
- }
- }
- pos = text.find("%{", pos + 2);
- }
- return found_strings;
+ auto pos = text.find("%{");
+ std::vector<std::string> found_strings;
+ while (pos != std::string::npos) {
+ auto next_pos = text.find("}", pos);
+ if (next_pos != std::string::npos) {
+ auto potential_identifier = text.substr(pos + 2, next_pos - (pos + 2));
+ std::smatch match;
+ if (potential_identifier.find("S-") != std::string::npos){
+ found_strings.push_back(potential_identifier);
+ }
+ }
+ pos = text.find("%{", pos + 2);
+ }
+ return found_strings;
}
std::string MetadataWalker::getMetadata(METADATA metadata) const {
- switch (metadata) {
- case LOG_NAME:
- return log_name_;
- case SOURCE:
- return getString(metadata_,"Provider");
- case TIME_CREATED:
- return event_timestamp_str_;
- case EVENTID:
- return getString(metadata_,"EventID");
- case EVENT_RECORDID:
- return getString(metadata_, "EventRecordID");
- case OPCODE:
- return getString(metadata_, "Opcode");
- case TASK_CATEGORY:
- return getString(metadata_,"Task");
- case LEVEL:
- return getString(metadata_,"Level");
- case KEYWORDS:
- return getString(metadata_,"Keywords");
- case EVENT_TYPE:
- return std::to_string(event_type_index_);
- case COMPUTER:
- return getComputerName();
- };
- return "N/A";
+ switch (metadata) {
+ case LOG_NAME:
+ return log_name_;
+ case SOURCE:
+ return getString(metadata_,"Provider");
+ case TIME_CREATED:
+ return event_timestamp_str_;
+ case EVENTID:
+ return getString(metadata_,"EventID");
+ case EVENT_RECORDID:
+ return getString(metadata_, "EventRecordID");
+ case OPCODE:
+ return getString(metadata_, "Opcode");
+ case TASK_CATEGORY:
+ return getString(metadata_,"Task");
+ case LEVEL:
+ return getString(metadata_,"Level");
+ case KEYWORDS:
+ return getString(metadata_,"Keywords");
+ case EVENT_TYPE:
+ return std::to_string(event_type_index_);
+ case COMPUTER:
+ return getComputerName();
+ };
+ return "N/A";
}
std::map<std::string, std::string> MetadataWalker::getFieldValues() const {
@@ -150,23 +136,21 @@
return replaced_identifiers_;
}
-
-
std::string MetadataWalker::updateXmlMetadata(const std::string &xml, EVT_HANDLE metadata_ptr, EVT_HANDLE event_ptr, bool update_xml, bool resolve, const std::string ®ex) {
- MetadataWalker walker(metadata_ptr,"", event_ptr, update_xml, resolve, regex);
+ MetadataWalker walker(metadata_ptr,"", event_ptr, update_xml, resolve, regex);
- pugi::xml_document doc;
- pugi::xml_parse_result result = doc.load_string(xml.c_str());
+ pugi::xml_document doc;
+ pugi::xml_parse_result result = doc.load_string(xml.c_str());
- if (result) {
- doc.traverse(walker);
- wel::XmlString writer;
- doc.print(writer, "", pugi::format_raw); // no indentation or formatting
- return writer.xml_;
- }
- else {
- throw std::runtime_error("Could not parse XML document");
- }
+ if (result) {
+ doc.traverse(walker);
+ wel::XmlString writer;
+ doc.print(writer, "", pugi::format_raw); // no indentation or formatting
+ return writer.xml_;
+ }
+ else {
+ throw std::runtime_error("Could not parse XML document");
+ }
}
std::string MetadataWalker::to_string(const wchar_t* pChar) {
@@ -177,8 +161,7 @@
std::string previous_value = node.text().get();
auto new_field_value = fn(previous_value);
if (new_field_value != previous_value) {
-
- metadata_[field_name] = new_field_value;
+ metadata_[field_name] = new_field_value;
if (update_xml_) {
node.text().set(new_field_value.c_str());
} else {
diff --git a/extensions/windows-event-log/wel/MetadataWalker.h b/extensions/windows-event-log/wel/MetadataWalker.h
index cf491d7..73c822a 100644
--- a/extensions/windows-event-log/wel/MetadataWalker.h
+++ b/extensions/windows-event-log/wel/MetadataWalker.h
@@ -59,30 +59,30 @@
* Overloaded function to visit a node
* @param node Node that we are visiting.
*/
- virtual bool for_each(pugi::xml_node &node) override;
+ virtual bool for_each(pugi::xml_node &node) override;
- static std::string updateXmlMetadata(const std::string &xml, EVT_HANDLE metadata_ptr, EVT_HANDLE event_ptr, bool update_xml, bool resolve, const std::string ®ex = "");
+ static std::string updateXmlMetadata(const std::string &xml, EVT_HANDLE metadata_ptr, EVT_HANDLE event_ptr, bool update_xml, bool resolve, const std::string ®ex = "");
- virtual std::map<std::string, std::string> getFieldValues() const override;
+ virtual std::map<std::string, std::string> getFieldValues() const override;
- virtual std::map<std::string, std::string> getIdentifiers() const override;
+ virtual std::map<std::string, std::string> getIdentifiers() const override;
- virtual std::string getMetadata(METADATA metadata) const override;
+ virtual std::string getMetadata(METADATA metadata) const override;
private:
- std::vector<std::string> getIdentifiers(const std::string &text) const ;
+ std::vector<std::string> getIdentifiers(const std::string &text) const ;
- static std::string getString(const std::map<std::string, std::string> &map, const std::string &field) {
- auto srch = map.find(field);
- if (srch != std::end(map)) {
- return srch->second;
- }
- return "N/A";
- }
- static std::string to_string(const wchar_t* pChar);
+ static std::string getString(const std::map<std::string, std::string> &map, const std::string &field) {
+ auto srch = map.find(field);
+ if (srch != std::end(map)) {
+ return srch->second;
+ }
+ return "N/A";
+ }
+ static std::string to_string(const wchar_t* pChar);
/**
* Updates text within the XML representation
*/
diff --git a/extensions/windows-event-log/wel/WindowsEventLog.cpp b/extensions/windows-event-log/wel/WindowsEventLog.cpp
index 4b2b041..ba73517 100644
--- a/extensions/windows-event-log/wel/WindowsEventLog.cpp
+++ b/extensions/windows-event-log/wel/WindowsEventLog.cpp
@@ -28,164 +28,155 @@
void WindowsEventLogMetadata::renderMetadata() {
- DWORD status = ERROR_SUCCESS;
- DWORD dwBufferSize = 0;
- DWORD dwBufferUsed = 0;
- DWORD dwPropertyCount = 0;
- std::unique_ptr< EVT_VARIANT, utils::FreeDeleter> rendered_values;
+ DWORD status = ERROR_SUCCESS;
+ DWORD dwBufferSize = 0;
+ DWORD dwBufferUsed = 0;
+ DWORD dwPropertyCount = 0;
+ std::unique_ptr< EVT_VARIANT, utils::FreeDeleter> rendered_values;
- auto context = EvtCreateRenderContext(0, NULL, EvtRenderContextSystem);
- if (!EvtRender(context, event_ptr_, EvtRenderEventValues, dwBufferSize, nullptr, &dwBufferUsed, &dwPropertyCount))
- {
- if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
- {
- dwBufferSize = dwBufferUsed;
- rendered_values = std::unique_ptr<EVT_VARIANT, utils::FreeDeleter>((PEVT_VARIANT)(malloc(dwBufferSize)));
- if (rendered_values)
- {
- EvtRender(context, event_ptr_, EvtRenderEventValues, dwBufferSize, rendered_values.get(), &dwBufferUsed, &dwPropertyCount);
- }
- }
- else {
- return;
- }
+ auto context = EvtCreateRenderContext(0, NULL, EvtRenderContextSystem);
+ if (!EvtRender(context, event_ptr_, EvtRenderEventValues, dwBufferSize, nullptr, &dwBufferUsed, &dwPropertyCount))
+ {
+ if (ERROR_INSUFFICIENT_BUFFER == (status = GetLastError()))
+ {
+ dwBufferSize = dwBufferUsed;
+ rendered_values = std::unique_ptr<EVT_VARIANT, utils::FreeDeleter>((PEVT_VARIANT)(malloc(dwBufferSize)));
+ if (rendered_values)
+ {
+ EvtRender(context, event_ptr_, EvtRenderEventValues, dwBufferSize, rendered_values.get(), &dwBufferUsed, &dwPropertyCount);
+ }
+ }
+ else {
+ return;
+ }
- if (ERROR_SUCCESS != (status = GetLastError()))
- {
- return;
- }
- }
+ if (ERROR_SUCCESS != (status = GetLastError()))
+ {
+ return;
+ }
+ }
- event_timestamp_ = static_cast<PEVT_VARIANT>( rendered_values.get())[EvtSystemTimeCreated].FileTimeVal;
+ event_timestamp_ = static_cast<PEVT_VARIANT>( rendered_values.get())[EvtSystemTimeCreated].FileTimeVal;
- SYSTEMTIME st;
- FILETIME ft;
+ SYSTEMTIME st;
+ FILETIME ft;
- ft.dwHighDateTime = (DWORD)((event_timestamp_ >> 32) & 0xFFFFFFFF);
- ft.dwLowDateTime = (DWORD)(event_timestamp_ & 0xFFFFFFFF);
+ ft.dwHighDateTime = (DWORD)((event_timestamp_ >> 32) & 0xFFFFFFFF);
+ ft.dwLowDateTime = (DWORD)(event_timestamp_ & 0xFFFFFFFF);
- FileTimeToSystemTime(&ft, &st);
- std::stringstream datestr;
+ FileTimeToSystemTime(&ft, &st);
+ std::stringstream datestr;
- std::string period = "AM";
- auto hour = st.wHour;
- if (hour >= 12 && hour < 24)
- period = "PM";
- if (hour >= 12)
- hour -= 12;
- datestr << st.wMonth << "/" << st.wDay << "/" << st.wYear << " " << std::setfill('0') << std::setw(2) << hour << ":" << std::setfill('0') << std::setw(2) << st.wMinute << ":" << std::setfill('0') << std::setw(2) << st.wSecond << " " << period;
- event_timestamp_str_ = datestr.str();
- auto level = static_cast<PEVT_VARIANT>(rendered_values.get())[EvtSystemLevel];
- auto keyword = static_cast<PEVT_VARIANT>(rendered_values.get())[EvtSystemKeywords];
- if (level.Type == EvtVarTypeByte) {
- switch (level.ByteVal)
- {
- case WINEVENT_LEVEL_CRITICAL:
- case WINEVENT_LEVEL_ERROR:
- event_type_ = "Error";
- event_type_index_ = 1;
- break;
- case WINEVENT_LEVEL_WARNING:
- event_type_ = "Warning";
- event_type_index_ = 2;
- break;
- case WINEVENT_LEVEL_INFO:
- case WINEVENT_LEVEL_VERBOSE:
- event_type_ = "Information";
- event_type_index_ = 4;
- break;
- default:
- event_type_index_ = 0;
- };
+ std::string period = "AM";
+ auto hour = st.wHour;
+ if (hour >= 12 && hour < 24)
+ period = "PM";
+ if (hour >= 12)
+ hour -= 12;
+ datestr << st.wMonth << "/" << st.wDay << "/" << st.wYear << " " << std::setfill('0') << std::setw(2) << hour << ":" << std::setfill('0') << std::setw(2) << st.wMinute << ":" << std::setfill('0') << std::setw(2) << st.wSecond << " " << period;
+ event_timestamp_str_ = datestr.str();
+ auto level = static_cast<PEVT_VARIANT>(rendered_values.get())[EvtSystemLevel];
+ auto keyword = static_cast<PEVT_VARIANT>(rendered_values.get())[EvtSystemKeywords];
+ if (level.Type == EvtVarTypeByte) {
+ switch (level.ByteVal)
+ {
+ case WINEVENT_LEVEL_CRITICAL:
+ case WINEVENT_LEVEL_ERROR:
+ event_type_ = "Error";
+ event_type_index_ = 1;
+ break;
+ case WINEVENT_LEVEL_WARNING:
+ event_type_ = "Warning";
+ event_type_index_ = 2;
+ break;
+ case WINEVENT_LEVEL_INFO:
+ case WINEVENT_LEVEL_VERBOSE:
+ event_type_ = "Information";
+ event_type_index_ = 4;
+ break;
+ default:
+ event_type_index_ = 0;
+ };
- }
- else {
- event_type_ = "N/A";
- }
+ }
+ else {
+ event_type_ = "N/A";
+ }
- if (keyword.UInt64Val & WINEVENT_KEYWORD_AUDIT_SUCCESS) {
- event_type_ = "Success Audit";
- event_type_index_ = 8;
- } else if (keyword.UInt64Val & EVENTLOG_AUDIT_FAILURE) {
- event_type_ = "Failure Audit";
- event_type_index_ = 16;
- }
-
-
-
+ if (keyword.UInt64Val & WINEVENT_KEYWORD_AUDIT_SUCCESS) {
+ event_type_ = "Success Audit";
+ event_type_index_ = 8;
+ } else if (keyword.UInt64Val & EVENTLOG_AUDIT_FAILURE) {
+ event_type_ = "Failure Audit";
+ event_type_index_ = 16;
+ }
}
std::string WindowsEventLogHandler::getEventMessage(EVT_HANDLE eventHandle) const
{
- std::string returnValue;
- std::unique_ptr<WCHAR, utils::FreeDeleter> pBuffer;
- DWORD dwBufferSize = 0;
- DWORD dwBufferUsed = 0;
- DWORD status = 0;
+ std::string returnValue;
+ std::unique_ptr<WCHAR, utils::FreeDeleter> pBuffer;
+ DWORD dwBufferSize = 0;
+ DWORD dwBufferUsed = 0;
+ DWORD status = 0;
- EvtFormatMessage(metadata_provider_, eventHandle, 0, 0, NULL, EvtFormatMessageEvent, dwBufferSize, pBuffer.get(), &dwBufferUsed);
+ EvtFormatMessage(metadata_provider_, eventHandle, 0, 0, NULL, EvtFormatMessageEvent, dwBufferSize, pBuffer.get(), &dwBufferUsed);
- // we need to get the size of the buffer
- status = GetLastError();
- if (ERROR_INSUFFICIENT_BUFFER == status) {
- dwBufferSize = dwBufferUsed;
+ // we need to get the size of the buffer
+ status = GetLastError();
+ if (ERROR_INSUFFICIENT_BUFFER == status) {
+ dwBufferSize = dwBufferUsed;
- /* All C++ examples use malloc and even HeapAlloc in some cases. To avoid any problems ( with EvtFormatMessage calling
- free for example ) we will continue to use malloc and use a custom deleter with unique_ptr.
- '*/
- pBuffer = std::unique_ptr<WCHAR, utils::FreeDeleter>((LPWSTR)malloc(dwBufferSize * sizeof(WCHAR)));
+ /* All C++ examples use malloc and even HeapAlloc in some cases. To avoid any problems ( with EvtFormatMessage calling
+ free for example ) we will continue to use malloc and use a custom deleter with unique_ptr.
+ '*/
+ pBuffer = std::unique_ptr<WCHAR, utils::FreeDeleter>((LPWSTR)malloc(dwBufferSize * sizeof(WCHAR)));
+ if (!pBuffer) {
+ return returnValue;
+ }
+ EvtFormatMessage(metadata_provider_, eventHandle, 0, 0, NULL, EvtFormatMessageEvent, dwBufferSize, pBuffer.get(), &dwBufferUsed);
+ }
- if (pBuffer) {
- EvtFormatMessage(metadata_provider_, eventHandle, 0, 0, NULL, EvtFormatMessageEvent, dwBufferSize, pBuffer.get(), &dwBufferUsed);
- }
- else {
- return returnValue;
- }
- }
- else if (ERROR_EVT_MESSAGE_NOT_FOUND == status || ERROR_EVT_MESSAGE_ID_NOT_FOUND == status) {
- return returnValue;
- }
- else {
- return returnValue;
- }
+ if (ERROR_EVT_MESSAGE_NOT_FOUND == status || ERROR_EVT_MESSAGE_ID_NOT_FOUND == status) {
+ return returnValue;
+ }
- // convert wstring to std::string
- std::wstring message(pBuffer.get());
- returnValue = std::string(message.begin(), message.end());
- return returnValue;
+ // convert wstring to std::string
+ std::wstring message(pBuffer.get());
+ return std::string(message.begin(), message.end());
}
void WindowsEventLogHeader::setDelimiter(const std::string &delim) {
- delimiter_ = delim;
+ delimiter_ = delim;
}
std::string WindowsEventLogHeader::createDefaultDelimiter(size_t max, size_t length) const {
- if (max > length) {
- return ":" + std::string(max - length, ' ');
- }
- else {
- return ": ";
- }
+ if (max > length) {
+ return ":" + std::string(max - length, ' ');
+ }
+ else {
+ return ": ";
+ }
}
std::string WindowsEventLogHeader::getEventHeader(const WindowsEventLogMetadata * const metadata) const{
- std::stringstream eventHeader;
- size_t max = 1;
- for (const auto &option : header_names_) {
- max = (std::max(max, option.second.size()));
- }
- ++max; // increment by one to get space.
- for (const auto &option : header_names_) {
- auto name = option.second;
- if (!name.empty()) {
- eventHeader << name << (delimiter_.empty() ? createDefaultDelimiter(max, name.size()) : delimiter_);
- }
- eventHeader << utils::StringUtils::trim(metadata->getMetadata(option.first)) << std::endl;
- }
+ std::stringstream eventHeader;
+ size_t max = 1;
+ for (const auto &option : header_names_) {
+ max = (std::max(max, option.second.size()));
+ }
+ ++max; // increment by one to get space.
+ for (const auto &option : header_names_) {
+ auto name = option.second;
+ if (!name.empty()) {
+ eventHeader << name << (delimiter_.empty() ? createDefaultDelimiter(max, name.size()) : delimiter_);
+ }
+ eventHeader << utils::StringUtils::trim(metadata->getMetadata(option.first)) << std::endl;
+ }
- return eventHeader.str();
+ return eventHeader.str();
}
EVT_HANDLE WindowsEventLogHandler::getMetadata() const {
diff --git a/extensions/windows-event-log/wel/WindowsEventLog.h b/extensions/windows-event-log/wel/WindowsEventLog.h
index 7f8004b..dc0be24 100644
--- a/extensions/windows-event-log/wel/WindowsEventLog.h
+++ b/extensions/windows-event-log/wel/WindowsEventLog.h
@@ -39,21 +39,21 @@
namespace wel {
- enum METADATA {
- LOG_NAME,
- SOURCE,
- TIME_CREATED,
- EVENTID,
- OPCODE,
- EVENT_RECORDID,
- EVENT_TYPE,
- TASK_CATEGORY,
- LEVEL,
- KEYWORDS,
- USER,
- COMPUTER,
- UNKNOWN
- };
+ enum METADATA {
+ LOG_NAME,
+ SOURCE,
+ TIME_CREATED,
+ EVENTID,
+ OPCODE,
+ EVENT_RECORDID,
+ EVENT_TYPE,
+ TASK_CATEGORY,
+ LEVEL,
+ KEYWORDS,
+ USER,
+ COMPUTER,
+ UNKNOWN
+ };
// this is a continuous enum so we can rely on the array
@@ -63,126 +63,123 @@
class WindowsEventLogHandler
{
public:
- WindowsEventLogHandler() : metadata_provider_(nullptr){
- }
-
- explicit WindowsEventLogHandler(EVT_HANDLE metadataProvider) : metadata_provider_(metadataProvider) {
- }
-
- std::string getEventMessage(EVT_HANDLE eventHandle) const;
+ WindowsEventLogHandler() : metadata_provider_(nullptr){
+ }
+
+ explicit WindowsEventLogHandler(EVT_HANDLE metadataProvider) : metadata_provider_(metadataProvider) {
+ }
+
+ std::string getEventMessage(EVT_HANDLE eventHandle) const;
- EVT_HANDLE getMetadata() const;
+ EVT_HANDLE getMetadata() const;
private:
- EVT_HANDLE metadata_provider_;
+ EVT_HANDLE metadata_provider_;
};
class WindowsEventLogMetadata {
public:
- WindowsEventLogMetadata(EVT_HANDLE metadataProvider, EVT_HANDLE event_ptr, const std::string &log_name) : metadata_ptr_(metadataProvider), event_timestamp_(0), event_ptr_(event_ptr), log_name_(log_name) {
- renderMetadata();
- }
+ WindowsEventLogMetadata(EVT_HANDLE metadataProvider, EVT_HANDLE event_ptr, const std::string &log_name) : metadata_ptr_(metadataProvider), event_timestamp_(0), event_ptr_(event_ptr), log_name_(log_name) {
+ renderMetadata();
+ }
- virtual std::map<std::string, std::string> getFieldValues() const = 0;
+ virtual std::map<std::string, std::string> getFieldValues() const = 0;
- virtual std::map<std::string, std::string> getIdentifiers() const = 0;
+ virtual std::map<std::string, std::string> getIdentifiers() const = 0;
- virtual std::string getMetadata(METADATA metadata) const = 0;
+ virtual std::string getMetadata(METADATA metadata) const = 0;
-
- void renderMetadata();
+ void renderMetadata();
- static std::string getMetadataString(METADATA val) {
- static std::map< METADATA, std::string> map = {
- {LOG_NAME, "LOG_NAME" },
- {SOURCE,"SOURCE"},
- {TIME_CREATED,"TIME_CREATED" },
- {EVENTID,"EVENTID"},
- {OPCODE,"OPCODE"},
- {EVENT_RECORDID,"EVENT_RECORDID"},
- {EVENT_TYPE,"EVENT_TYPE"},
- {TASK_CATEGORY, "TASK_CATEGORY"},
- {LEVEL,"LEVEL"},
- {KEYWORDS,"KEYWORDS"},
- {USER,"USER"},
- {COMPUTER,"COMPUTER"}
- };
+ static std::string getMetadataString(METADATA val) {
+ static std::map< METADATA, std::string> map = {
+ {LOG_NAME, "LOG_NAME" },
+ {SOURCE,"SOURCE"},
+ {TIME_CREATED,"TIME_CREATED" },
+ {EVENTID,"EVENTID"},
+ {OPCODE,"OPCODE"},
+ {EVENT_RECORDID,"EVENT_RECORDID"},
+ {EVENT_TYPE,"EVENT_TYPE"},
+ {TASK_CATEGORY, "TASK_CATEGORY"},
+ {LEVEL,"LEVEL"},
+ {KEYWORDS,"KEYWORDS"},
+ {USER,"USER"},
+ {COMPUTER,"COMPUTER"}
+ };
- return map[val];
- }
+ return map[val];
+ }
- static METADATA getMetadataFromString(const std::string &val) {
- static std::map< std::string, METADATA> map = {
- {"LOG_NAME",LOG_NAME},
- {"SOURCE",SOURCE},
- {"TIME_CREATED",TIME_CREATED },
- {"EVENTID",EVENTID},
- {"OPCODE",OPCODE},
- {"EVENT_RECORDID",EVENT_RECORDID},
- {"TASK_CATEGORY", TASK_CATEGORY},
- {"EVENT_TYPE",EVENT_TYPE},
- {"LEVEL",LEVEL},
- {"KEYWORDS",KEYWORDS},
- {"USER",USER},
- {"COMPUTER",COMPUTER}
- };
+ static METADATA getMetadataFromString(const std::string &val) {
+ static std::map< std::string, METADATA> map = {
+ {"LOG_NAME",LOG_NAME},
+ {"SOURCE",SOURCE},
+ {"TIME_CREATED",TIME_CREATED },
+ {"EVENTID",EVENTID},
+ {"OPCODE",OPCODE},
+ {"EVENT_RECORDID",EVENT_RECORDID},
+ {"TASK_CATEGORY", TASK_CATEGORY},
+ {"EVENT_TYPE",EVENT_TYPE},
+ {"LEVEL",LEVEL},
+ {"KEYWORDS",KEYWORDS},
+ {"USER",USER},
+ {"COMPUTER",COMPUTER}
+ };
- auto enumVal = map.find(val);
- if (enumVal != std::end(map)) {
- return enumVal->second;
- }
- else {
- return METADATA::UNKNOWN;
- }
- }
+ auto enumVal = map.find(val);
+ if (enumVal != std::end(map)) {
+ return enumVal->second;
+ }
+ else {
+ return METADATA::UNKNOWN;
+ }
+ }
- static std::string getComputerName() {
- static std::string computer_name;
- if (computer_name.empty()) {
- char buff[10248];
- DWORD size = sizeof(buff);
- if (GetComputerNameExA(ComputerNameDnsFullyQualified, buff, &size)) {
- computer_name = buff;
- }
- else {
- computer_name = "N/A";
- }
- }
- return computer_name;
- }
+ static std::string getComputerName() {
+ static std::string computer_name;
+ if (computer_name.empty()) {
+ char buff[10248];
+ DWORD size = sizeof(buff);
+ if (GetComputerNameExA(ComputerNameDnsFullyQualified, buff, &size)) {
+ computer_name = buff;
+ }
+ else {
+ computer_name = "N/A";
+ }
+ }
+ return computer_name;
+ }
protected:
- std::string log_name_;
- uint64_t event_timestamp_;
- std::string event_type_;
- short event_type_index_;
- std::string event_timestamp_str_;
- EVT_HANDLE event_ptr_;
- EVT_HANDLE metadata_ptr_;
+ std::string log_name_;
+ uint64_t event_timestamp_;
+ std::string event_type_;
+ short event_type_index_;
+ std::string event_timestamp_str_;
+ EVT_HANDLE event_ptr_;
+ EVT_HANDLE metadata_ptr_;
};
class WindowsEventLogHeader {
public:
- explicit WindowsEventLogHeader(METADATA_NAMES header_names) : header_names_(header_names){
+ explicit WindowsEventLogHeader(METADATA_NAMES header_names) : header_names_(header_names){
- }
+ }
- void setDelimiter(const std::string &delim);
+ void setDelimiter(const std::string &delim);
- std::string getEventHeader(const WindowsEventLogMetadata * const metadata) const;
-
-
+ std::string getEventHeader(const WindowsEventLogMetadata * const metadata) const;
private:
- inline std::string createDefaultDelimiter(size_t max, size_t length) const;
+ inline std::string createDefaultDelimiter(size_t max, size_t length) const;
- std::string delimiter_;
- METADATA_NAMES header_names_;
+ std::string delimiter_;
+ METADATA_NAMES header_names_;
};
} /* namespace wel */
diff --git a/extensions/windows-event-log/wel/XMLString.h b/extensions/windows-event-log/wel/XMLString.h
index 0b0793a..4d32673 100644
--- a/extensions/windows-event-log/wel/XMLString.h
+++ b/extensions/windows-event-log/wel/XMLString.h
@@ -41,16 +41,16 @@
namespace minifi {
namespace wel {
- class XmlString : public pugi::xml_writer
- {
- public:
- std::string xml_;
+ class XmlString : public pugi::xml_writer
+ {
+ public:
+ std::string xml_;
- virtual void write(const void* data, size_t size)
- {
- xml_.append(static_cast<const char*>(data), size);
- }
- };
+ virtual void write(const void* data, size_t size)
+ {
+ xml_.append(static_cast<const char*>(data), size);
+ }
+ };
} /* namespace wel */
} /* namespace minifi */
