Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

487 lines
15 KiB

  1. /*****************************************************************/
  2. /** Microsoft Windows NT **/
  3. /** Copyright(c) Microsoft Corp., 1991 **/
  4. /*****************************************************************/
  5. /*
  6. * eventlog.hxx
  7. * This file contains base class for the event log objects.
  8. * LOG_ENTRY_NUMBER
  9. * EVENT_LOG
  10. *
  11. * The hierarchy of the event log objects is as follows:
  12. *
  13. * EVENT_LOG
  14. * / \
  15. * / \
  16. * LM_EVENT_LOG NT_EVENT_LOG
  17. * / \
  18. * / \
  19. * LM_AUDIT_LOG LM_ERROR_LOG
  20. *
  21. *
  22. * History:
  23. * Yi-HsinS 10/15/91 Created
  24. * Yi-HsinS 12/15/91 Moved LM_EVENT_LOG to lmlog.hxx,
  25. * moved NT_EVENT_LOG to ntlog.hxx
  26. * TerryK 12/20/91 Added SaveAsLog and
  27. * WriteTextEntry to EVENT_LOG
  28. * Yi-HsinS 1/15/92 Added Backup, SeekOldestLogEntry,
  29. * SeekNewestLogEntry and modified
  30. * parameters to WriteTextEntry
  31. * Yi-HsinS 5/15/92 Added QuerySourceList()...
  32. * JonN 6/22/00 WriteTextEntry no longer supported
  33. *
  34. */
  35. #ifndef _EVENTLOG_HXX_
  36. #define _EVENTLOG_HXX_
  37. #include "ctime.hxx"
  38. #include "intlprof.hxx"
  39. #include "logmisc.hxx"
  40. #include "strlst.hxx"
  41. #define SMALL_BUF_DEFAULT_SIZE 1024 // 1K - size of buffer for seek read
  42. #define BIG_BUF_DEFAULT_SIZE (16*1024) // 16K - size of buffer of iter. read
  43. #undef MAXULONG
  44. #define MAXULONG ((ULONG) -1)
  45. #define MAXUINT ((UINT) -1)
  46. #define TYPE_NONE ((USHORT) -1) // Used either when no type exist
  47. // in the log entry.
  48. /*************************************************************************
  49. NAME: LOG_ENTRY_NUMBER
  50. SYNOPSIS: The class for encapsulating the record number of the
  51. event log
  52. INTERFACE: LOG_ENTRY_NUMBER() - Constructor
  53. QueryRecordNum() - Query the record number
  54. QueryDirection() - Query the direction, EVLOG_FWD or EVLOG_BACK
  55. SetRecordNum() - Set the record number
  56. SetDirection() - Set the direction
  57. PARENT: BASE
  58. USES:
  59. CAVEATS:
  60. NOTES: Direction is ignored in NT_EVENT_LOG where all
  61. record numbers are absolute.
  62. HISTORY:
  63. Yi-HsinS 10/15/91 Created
  64. **************************************************************************/
  65. DLL_CLASS LOG_ENTRY_NUMBER: public BASE
  66. {
  67. private:
  68. /*
  69. * The record number of the log entry relative to the beginning of the log
  70. * if the direction is EVLOG_FWD and relative to the end of the log
  71. * if the direction is EVLOG_BACK.
  72. *
  73. * Note: with the exception of NT event logs which are absolute record
  74. * numbers.
  75. */
  76. ULONG _ulRecordNum;
  77. EVLOG_DIRECTION _evdir;
  78. public:
  79. /*
  80. * Constructor
  81. */
  82. LOG_ENTRY_NUMBER( ULONG ulRecordNum = 0, EVLOG_DIRECTION evdir = EVLOG_FWD)
  83. : _ulRecordNum( ulRecordNum ),
  84. _evdir( evdir ) {}
  85. /*
  86. * Returns the record number of the log entry
  87. */
  88. ULONG QueryRecordNum( VOID ) const
  89. { return _ulRecordNum; }
  90. /*
  91. * Returns the direction of browsing the log
  92. */
  93. EVLOG_DIRECTION QueryDirection( VOID ) const
  94. { return _evdir; }
  95. /*
  96. * Sets the record number
  97. */
  98. VOID SetRecordNum( ULONG ulRecordNum )
  99. { _ulRecordNum = ulRecordNum; }
  100. /*
  101. * Sets the direction of browsing
  102. */
  103. VOID SetDirection( EVLOG_DIRECTION evdir )
  104. { _evdir = evdir; }
  105. };
  106. /*************************************************************************
  107. NAME: EVENT_LOG
  108. SYNOPSIS: The common base class for NT event log and LM event log classes
  109. INTERFACE: protected:
  110. I_Next() - The helper method that actually reads the
  111. next entry in the log file.
  112. I_Open() - The helper method that actually opens the
  113. log for reading
  114. I_Close() - The helper method that actually closes the
  115. log file.
  116. CreateCurrentRawEntry() -
  117. Create a RAW_LOG_ENTRY containing the information
  118. in the current log entry.
  119. SetPos() - Set the position for the next read.
  120. public:
  121. EVENT_LOG() - Constructor, takes a server name, the direction
  122. to read the log file, and an optional module name
  123. ignored by LM_EVENT_LOG.
  124. ~EVENT_LOG() - Virtual destructor
  125. QueryServer() - Query the server name
  126. QueryModule() - Query the module name
  127. QueryDirection() - Query the direction of reading the log
  128. SetDirection() - Set the direction of reading the log
  129. IsSeek() - TRUE if we need to seek read, FALSE otherwise.
  130. SetSeekFlag() - Set a flag indicating we want to seek read.
  131. IsOpened() - TRUE if the log file has been opened, FALSE if
  132. the log file is closed
  133. SetOpenFlag() - Set a flag indicating the log has been opened
  134. QuerySourceList() - Query the sources supported by the module.
  135. QuerySrcSupportedTypeMask() - Query the types that are
  136. supported by the given source.
  137. QuerySrcSupportedCategoryList() - Query the categories supported
  138. by the given source.
  139. Open() - Opens the handle to the event log
  140. Close() - Close the handle to the event log
  141. Clear() - Clear the event log
  142. Backup()- Backup the event log without clearing the log file
  143. Available only in NT_EVENT_LOG, will assert out
  144. if not redefined.
  145. Reset() - Reset the position to the beginning or the end of
  146. the event log depending on the direction
  147. Next() - The iterator for getting the next entry into
  148. the buffer
  149. SeekLogEntry() - Get the log entry with the given record
  150. number into the buffer. The method is not for
  151. iterating through the log file. It's for getting
  152. non-consecutive log entries. A smaller buffer is
  153. used when reading the log entries.
  154. SeekOldestLogEntry() - Get the oldest log entry in the log
  155. SeekNewestLogEntry() - Get the newest log entry in the log
  156. QueryNumberOfEntries() - Get the number of entries in the log
  157. QueryCurrentEntryData() -
  158. Retrieve the raw data of the current log entry.
  159. QueryCurrentEntryDesc() -
  160. Retrieve the description of the current log entry.
  161. QueryCurrentEntryTime() -
  162. Retrieve the time of the current log entry.
  163. CreateCurrentFormatEntry() -
  164. Create a FORMATTED_LOG_ENTRY containing the info.
  165. in the current log entry.
  166. WriteTextEntry() - Write an entry to a text file
  167. JonN 6/22/00 WriteTextEntry no longer supported
  168. QueryPos() - Get the position of the current event log entry
  169. relative to the beginning or the end of the file
  170. depending on the direction
  171. ApplyFilter() - Apply the filter when reading the log
  172. ClearFilter() - Clear the filter pattern
  173. QueryFilter() - Returns the filter pattern
  174. IsFilterOn() - TRUE if the filter pattern is not NULL
  175. PARENT: BASE
  176. USES: NLS_STR, EVENT_FILTER_PATTERN
  177. CAVEATS:
  178. NOTES:
  179. HISTORY:
  180. Yi-HsinS 10/15/91 Created
  181. **************************************************************************/
  182. DLL_CLASS EVENT_LOG : public BASE
  183. {
  184. protected:
  185. /*
  186. * The computer the log file is on.
  187. */
  188. NLS_STR _nlsServer;
  189. /*
  190. * The module ( "system", "security" or "application" )
  191. */
  192. NLS_STR _nlsModule;
  193. /*
  194. * Direction of reading the event log: forward or backward
  195. */
  196. EVLOG_DIRECTION _evdir;
  197. /*
  198. * Direction of the logs contained in the buffer.
  199. */
  200. EVLOG_DIRECTION _evdirBuf;
  201. /*
  202. * Flag indicating whether to read sequentially next time or need
  203. * to seek
  204. */
  205. BOOL _fSeek;
  206. /*
  207. * Flag used for sanity checking - TRUE if the log file is opened.
  208. * FALSE if closed.
  209. */
  210. BOOL _fOpen;
  211. /*
  212. * Pointer to the filter pattern. NULL means no filter is set.
  213. */
  214. EVENT_FILTER_PATTERN *_pFilterPattern;
  215. /*
  216. * Helper method for reading the log file.
  217. */
  218. virtual APIERR I_Next( BOOL *pfContinue,
  219. ULONG ulBufferSize = BIG_BUF_DEFAULT_SIZE ) = 0;
  220. /*
  221. * Helper method for opening the log file for reading.
  222. */
  223. virtual APIERR I_Open( VOID ) = 0;
  224. /*
  225. * Helper method for closes the log file.
  226. */
  227. virtual APIERR I_Close( VOID ) = 0;
  228. /*
  229. * Create a RAW_LOG_ENTRY containing information about the current log
  230. * entry.
  231. */
  232. virtual APIERR CreateCurrentRawEntry( RAW_LOG_ENTRY *pRawLogEntry ) = 0;
  233. /*
  234. * Set the record number passed in as the next log entry to be read.
  235. * If fForceRead is TRUE, then we will set up all variables so that
  236. * we will definitely read the entry. Else, we will search for the
  237. * entry in the buffer and will only read it if it's not there.
  238. */
  239. virtual VOID SetPos( const LOG_ENTRY_NUMBER &logEntryNum, BOOL fForceRead ) = 0;
  240. public:
  241. /*
  242. * Constructor : takes a server name,
  243. * an optional direction which defaults to EVLOG_FWD,
  244. * and an optional module name.
  245. */
  246. EVENT_LOG( const TCHAR *pszServer,
  247. EVLOG_DIRECTION evdir = EVLOG_FWD,
  248. const TCHAR *pszModule = NULL);
  249. virtual ~EVENT_LOG();
  250. /*
  251. * Some QueryXXX and SetXXX method.
  252. */
  253. APIERR QueryServer( NLS_STR *pnlsServer ) const
  254. { *pnlsServer = _nlsServer; return pnlsServer->QueryError(); }
  255. APIERR QueryModule( NLS_STR *pnlsModule ) const
  256. { *pnlsModule = _nlsModule; return pnlsModule->QueryError(); }
  257. EVLOG_DIRECTION QueryDirection( VOID ) const
  258. { return _evdir; }
  259. VOID SetDirection( EVLOG_DIRECTION evdir )
  260. { _evdir = evdir; }
  261. BOOL IsSeek( VOID ) const
  262. { return _fSeek; }
  263. VOID SetSeekFlag( BOOL fSeek )
  264. { _fSeek = fSeek; }
  265. BOOL IsOpened( VOID ) const
  266. { return _fOpen; }
  267. VOID SetOpenFlag( BOOL fOpen )
  268. { _fOpen = fOpen; }
  269. /*
  270. * Query the sources supported in the module. This will always
  271. * return NULL for LM error/audit log.
  272. */
  273. virtual STRLIST *QuerySourceList( VOID );
  274. /*
  275. * Query the types supported by the given source. The type mask
  276. * will always be 0 if this is a LM error/audit log.
  277. */
  278. virtual APIERR QuerySrcSupportedTypeMask( const NLS_STR &nlsSource,
  279. USHORT *pusTypeMask );
  280. /*
  281. * Query the categories supported by the given source. The pstrlst
  282. * will be NULL if this is a LM error/audit log.
  283. */
  284. virtual APIERR QuerySrcSupportedCategoryList( const NLS_STR &nlsSource,
  285. STRLIST **ppstrlstCategory );
  286. /*
  287. * Opens ( initializes ) a handle to the event log
  288. */
  289. APIERR Open( VOID );
  290. /*
  291. * Closes the handle to the event log
  292. */
  293. APIERR Close( VOID );
  294. /*
  295. * Clear the event log : takes an optional backup file name
  296. */
  297. virtual APIERR Clear( const TCHAR *pszBackupFile = NULL ) = 0;
  298. /*
  299. * Backup the event log to a file without clearing the log file
  300. * Available only in NT_EVENT_LOG, will assert out if not redefined.
  301. */
  302. virtual APIERR Backup( const TCHAR *pszBackupFile );
  303. /*
  304. * Reset to the beginning or end depending on the direction of
  305. * browsing
  306. */
  307. virtual VOID Reset( VOID );
  308. /*
  309. * Get the next log entry in the given direction into the buffer.
  310. * *pfContinue is TRUE if we have not reached end of log file yet, FALSE
  311. * otherwise.
  312. */
  313. APIERR Next( BOOL *pfContinue );
  314. /*
  315. * If fRead is TRUE, then read the log entry at the given record
  316. * number and set it as the current log entry. Else set the position
  317. * so that the next read starts reading at the given position.
  318. */
  319. APIERR SeekLogEntry(const LOG_ENTRY_NUMBER &logEntryNum, BOOL fRead = TRUE);
  320. /*
  321. * Get the oldest or the newest log entry into the buffer
  322. * and set it as the current log entry.
  323. */
  324. virtual APIERR SeekOldestLogEntry( VOID ) = 0;
  325. virtual APIERR SeekNewestLogEntry( VOID ) = 0;
  326. /*
  327. * Get the number of entries in the event log ( this will return
  328. * an approximate number in LM_EVENT_LOG and a more accurate number
  329. * in NT_EVENT_LOG assuming no entries are logged after querying.
  330. */
  331. virtual APIERR QueryNumberOfEntries( ULONG *pcEntries ) = 0;
  332. /*
  333. * Retrieve the raw data associated with the current log entry.
  334. * Because the raw data is not stored in the FORMATTED_LOG_ENTRY,
  335. * we need this method to extract the raw data.
  336. */
  337. virtual ULONG QueryCurrentEntryData( BYTE **ppbDataOut ) = 0;
  338. /*
  339. * Retrieve the description associated with the current log entry.
  340. */
  341. virtual APIERR QueryCurrentEntryDesc( NLS_STR *pnlsDesc ) = 0;
  342. /*
  343. * Get the time associated with the current log entry.
  344. */
  345. virtual ULONG QueryCurrentEntryTime( VOID ) = 0;
  346. /*
  347. * Create a FORMATTED_LOG_ENTRY containing the information
  348. * in the current log entry.
  349. */
  350. virtual APIERR CreateCurrentFormatEntry( FORMATTED_LOG_ENTRY
  351. **ppFmtLogEntry ) = 0;
  352. /*
  353. * Write the log entry out to a file in text format
  354. * JonN 6/22/00 WriteTextEntry no longer supported
  355. */
  356. virtual APIERR WriteTextEntry( ULONG ulFileHandle, INTL_PROFILE &intlprof,
  357. TCHAR chSeparator ) = 0;
  358. /*
  359. * Get the record number ( from the beginning or end of the log file
  360. * depending on the direction ) of the current entry log.
  361. *
  362. * Note: Direction is not important in NT event logs.
  363. */
  364. virtual APIERR QueryPos( LOG_ENTRY_NUMBER *plogEntryNum ) = 0;
  365. /*
  366. * Apply the filter pattern when reading the log
  367. */
  368. VOID ApplyFilter( EVENT_FILTER_PATTERN *pFilterPattern )
  369. { _pFilterPattern = pFilterPattern; }
  370. /*
  371. * Clear the filter pattern : _pFilterPattern will be deleted where it
  372. * is allocated.
  373. */
  374. VOID ClearFilter( VOID )
  375. { _pFilterPattern = NULL; }
  376. EVENT_FILTER_PATTERN *QueryFilter( VOID ) const
  377. { return _pFilterPattern; }
  378. BOOL IsFilterOn( VOID )
  379. { return ( _pFilterPattern != NULL ); }
  380. };
  381. #endif