Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

487 lines
14 KiB

/*****************************************************************/
/** Microsoft Windows NT **/
/** Copyright(c) Microsoft Corp., 1991 **/
/*****************************************************************/
/*
* eventlog.hxx
* This file contains base class for the event log objects.
* LOG_ENTRY_NUMBER
* EVENT_LOG
*
* The hierarchy of the event log objects is as follows:
*
* EVENT_LOG
* / \
* / \
* LM_EVENT_LOG NT_EVENT_LOG
* / \
* / \
* LM_AUDIT_LOG LM_ERROR_LOG
*
*
* History:
* Yi-HsinS 10/15/91 Created
* Yi-HsinS 12/15/91 Moved LM_EVENT_LOG to lmlog.hxx,
* moved NT_EVENT_LOG to ntlog.hxx
* TerryK 12/20/91 Added SaveAsLog and
* WriteTextEntry to EVENT_LOG
* Yi-HsinS 1/15/92 Added Backup, SeekOldestLogEntry,
* SeekNewestLogEntry and modified
* parameters to WriteTextEntry
* Yi-HsinS 5/15/92 Added QuerySourceList()...
* JonN 6/22/00 WriteTextEntry no longer supported
*
*/
#ifndef _EVENTLOG_HXX_
#define _EVENTLOG_HXX_
#include "ctime.hxx"
#include "intlprof.hxx"
#include "logmisc.hxx"
#include "strlst.hxx"
#define SMALL_BUF_DEFAULT_SIZE 1024 // 1K - size of buffer for seek read
#define BIG_BUF_DEFAULT_SIZE (16*1024) // 16K - size of buffer of iter. read
#undef MAXULONG
#define MAXULONG ((ULONG) -1)
#define MAXUINT ((UINT) -1)
#define TYPE_NONE ((USHORT) -1) // Used either when no type exist
// in the log entry.
/*************************************************************************
NAME: LOG_ENTRY_NUMBER
SYNOPSIS: The class for encapsulating the record number of the
event log
INTERFACE: LOG_ENTRY_NUMBER() - Constructor
QueryRecordNum() - Query the record number
QueryDirection() - Query the direction, EVLOG_FWD or EVLOG_BACK
SetRecordNum() - Set the record number
SetDirection() - Set the direction
PARENT: BASE
USES:
CAVEATS:
NOTES: Direction is ignored in NT_EVENT_LOG where all
record numbers are absolute.
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS LOG_ENTRY_NUMBER: public BASE
{
private:
/*
* The record number of the log entry relative to the beginning of the log
* if the direction is EVLOG_FWD and relative to the end of the log
* if the direction is EVLOG_BACK.
*
* Note: with the exception of NT event logs which are absolute record
* numbers.
*/
ULONG _ulRecordNum;
EVLOG_DIRECTION _evdir;
public:
/*
* Constructor
*/
LOG_ENTRY_NUMBER( ULONG ulRecordNum = 0, EVLOG_DIRECTION evdir = EVLOG_FWD)
: _ulRecordNum( ulRecordNum ),
_evdir( evdir ) {}
/*
* Returns the record number of the log entry
*/
ULONG QueryRecordNum( VOID ) const
{ return _ulRecordNum; }
/*
* Returns the direction of browsing the log
*/
EVLOG_DIRECTION QueryDirection( VOID ) const
{ return _evdir; }
/*
* Sets the record number
*/
VOID SetRecordNum( ULONG ulRecordNum )
{ _ulRecordNum = ulRecordNum; }
/*
* Sets the direction of browsing
*/
VOID SetDirection( EVLOG_DIRECTION evdir )
{ _evdir = evdir; }
};
/*************************************************************************
NAME: EVENT_LOG
SYNOPSIS: The common base class for NT event log and LM event log classes
INTERFACE: protected:
I_Next() - The helper method that actually reads the
next entry in the log file.
I_Open() - The helper method that actually opens the
log for reading
I_Close() - The helper method that actually closes the
log file.
CreateCurrentRawEntry() -
Create a RAW_LOG_ENTRY containing the information
in the current log entry.
SetPos() - Set the position for the next read.
public:
EVENT_LOG() - Constructor, takes a server name, the direction
to read the log file, and an optional module name
ignored by LM_EVENT_LOG.
~EVENT_LOG() - Virtual destructor
QueryServer() - Query the server name
QueryModule() - Query the module name
QueryDirection() - Query the direction of reading the log
SetDirection() - Set the direction of reading the log
IsSeek() - TRUE if we need to seek read, FALSE otherwise.
SetSeekFlag() - Set a flag indicating we want to seek read.
IsOpened() - TRUE if the log file has been opened, FALSE if
the log file is closed
SetOpenFlag() - Set a flag indicating the log has been opened
QuerySourceList() - Query the sources supported by the module.
QuerySrcSupportedTypeMask() - Query the types that are
supported by the given source.
QuerySrcSupportedCategoryList() - Query the categories supported
by the given source.
Open() - Opens the handle to the event log
Close() - Close the handle to the event log
Clear() - Clear the event log
Backup()- Backup the event log without clearing the log file
Available only in NT_EVENT_LOG, will assert out
if not redefined.
Reset() - Reset the position to the beginning or the end of
the event log depending on the direction
Next() - The iterator for getting the next entry into
the buffer
SeekLogEntry() - Get the log entry with the given record
number into the buffer. The method is not for
iterating through the log file. It's for getting
non-consecutive log entries. A smaller buffer is
used when reading the log entries.
SeekOldestLogEntry() - Get the oldest log entry in the log
SeekNewestLogEntry() - Get the newest log entry in the log
QueryNumberOfEntries() - Get the number of entries in the log
QueryCurrentEntryData() -
Retrieve the raw data of the current log entry.
QueryCurrentEntryDesc() -
Retrieve the description of the current log entry.
QueryCurrentEntryTime() -
Retrieve the time of the current log entry.
CreateCurrentFormatEntry() -
Create a FORMATTED_LOG_ENTRY containing the info.
in the current log entry.
WriteTextEntry() - Write an entry to a text file
JonN 6/22/00 WriteTextEntry no longer supported
QueryPos() - Get the position of the current event log entry
relative to the beginning or the end of the file
depending on the direction
ApplyFilter() - Apply the filter when reading the log
ClearFilter() - Clear the filter pattern
QueryFilter() - Returns the filter pattern
IsFilterOn() - TRUE if the filter pattern is not NULL
PARENT: BASE
USES: NLS_STR, EVENT_FILTER_PATTERN
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS EVENT_LOG : public BASE
{
protected:
/*
* The computer the log file is on.
*/
NLS_STR _nlsServer;
/*
* The module ( "system", "security" or "application" )
*/
NLS_STR _nlsModule;
/*
* Direction of reading the event log: forward or backward
*/
EVLOG_DIRECTION _evdir;
/*
* Direction of the logs contained in the buffer.
*/
EVLOG_DIRECTION _evdirBuf;
/*
* Flag indicating whether to read sequentially next time or need
* to seek
*/
BOOL _fSeek;
/*
* Flag used for sanity checking - TRUE if the log file is opened.
* FALSE if closed.
*/
BOOL _fOpen;
/*
* Pointer to the filter pattern. NULL means no filter is set.
*/
EVENT_FILTER_PATTERN *_pFilterPattern;
/*
* Helper method for reading the log file.
*/
virtual APIERR I_Next( BOOL *pfContinue,
ULONG ulBufferSize = BIG_BUF_DEFAULT_SIZE ) = 0;
/*
* Helper method for opening the log file for reading.
*/
virtual APIERR I_Open( VOID ) = 0;
/*
* Helper method for closes the log file.
*/
virtual APIERR I_Close( VOID ) = 0;
/*
* Create a RAW_LOG_ENTRY containing information about the current log
* entry.
*/
virtual APIERR CreateCurrentRawEntry( RAW_LOG_ENTRY *pRawLogEntry ) = 0;
/*
* Set the record number passed in as the next log entry to be read.
* If fForceRead is TRUE, then we will set up all variables so that
* we will definitely read the entry. Else, we will search for the
* entry in the buffer and will only read it if it's not there.
*/
virtual VOID SetPos( const LOG_ENTRY_NUMBER &logEntryNum, BOOL fForceRead ) = 0;
public:
/*
* Constructor : takes a server name,
* an optional direction which defaults to EVLOG_FWD,
* and an optional module name.
*/
EVENT_LOG( const TCHAR *pszServer,
EVLOG_DIRECTION evdir = EVLOG_FWD,
const TCHAR *pszModule = NULL);
virtual ~EVENT_LOG();
/*
* Some QueryXXX and SetXXX method.
*/
APIERR QueryServer( NLS_STR *pnlsServer ) const
{ *pnlsServer = _nlsServer; return pnlsServer->QueryError(); }
APIERR QueryModule( NLS_STR *pnlsModule ) const
{ *pnlsModule = _nlsModule; return pnlsModule->QueryError(); }
EVLOG_DIRECTION QueryDirection( VOID ) const
{ return _evdir; }
VOID SetDirection( EVLOG_DIRECTION evdir )
{ _evdir = evdir; }
BOOL IsSeek( VOID ) const
{ return _fSeek; }
VOID SetSeekFlag( BOOL fSeek )
{ _fSeek = fSeek; }
BOOL IsOpened( VOID ) const
{ return _fOpen; }
VOID SetOpenFlag( BOOL fOpen )
{ _fOpen = fOpen; }
/*
* Query the sources supported in the module. This will always
* return NULL for LM error/audit log.
*/
virtual STRLIST *QuerySourceList( VOID );
/*
* Query the types supported by the given source. The type mask
* will always be 0 if this is a LM error/audit log.
*/
virtual APIERR QuerySrcSupportedTypeMask( const NLS_STR &nlsSource,
USHORT *pusTypeMask );
/*
* Query the categories supported by the given source. The pstrlst
* will be NULL if this is a LM error/audit log.
*/
virtual APIERR QuerySrcSupportedCategoryList( const NLS_STR &nlsSource,
STRLIST **ppstrlstCategory );
/*
* Opens ( initializes ) a handle to the event log
*/
APIERR Open( VOID );
/*
* Closes the handle to the event log
*/
APIERR Close( VOID );
/*
* Clear the event log : takes an optional backup file name
*/
virtual APIERR Clear( const TCHAR *pszBackupFile = NULL ) = 0;
/*
* Backup the event log to a file without clearing the log file
* Available only in NT_EVENT_LOG, will assert out if not redefined.
*/
virtual APIERR Backup( const TCHAR *pszBackupFile );
/*
* Reset to the beginning or end depending on the direction of
* browsing
*/
virtual VOID Reset( VOID );
/*
* Get the next log entry in the given direction into the buffer.
* *pfContinue is TRUE if we have not reached end of log file yet, FALSE
* otherwise.
*/
APIERR Next( BOOL *pfContinue );
/*
* If fRead is TRUE, then read the log entry at the given record
* number and set it as the current log entry. Else set the position
* so that the next read starts reading at the given position.
*/
APIERR SeekLogEntry(const LOG_ENTRY_NUMBER &logEntryNum, BOOL fRead = TRUE);
/*
* Get the oldest or the newest log entry into the buffer
* and set it as the current log entry.
*/
virtual APIERR SeekOldestLogEntry( VOID ) = 0;
virtual APIERR SeekNewestLogEntry( VOID ) = 0;
/*
* Get the number of entries in the event log ( this will return
* an approximate number in LM_EVENT_LOG and a more accurate number
* in NT_EVENT_LOG assuming no entries are logged after querying.
*/
virtual APIERR QueryNumberOfEntries( ULONG *pcEntries ) = 0;
/*
* Retrieve the raw data associated with the current log entry.
* Because the raw data is not stored in the FORMATTED_LOG_ENTRY,
* we need this method to extract the raw data.
*/
virtual ULONG QueryCurrentEntryData( BYTE **ppbDataOut ) = 0;
/*
* Retrieve the description associated with the current log entry.
*/
virtual APIERR QueryCurrentEntryDesc( NLS_STR *pnlsDesc ) = 0;
/*
* Get the time associated with the current log entry.
*/
virtual ULONG QueryCurrentEntryTime( VOID ) = 0;
/*
* Create a FORMATTED_LOG_ENTRY containing the information
* in the current log entry.
*/
virtual APIERR CreateCurrentFormatEntry( FORMATTED_LOG_ENTRY
**ppFmtLogEntry ) = 0;
/*
* Write the log entry out to a file in text format
* JonN 6/22/00 WriteTextEntry no longer supported
*/
virtual APIERR WriteTextEntry( ULONG ulFileHandle, INTL_PROFILE &intlprof,
TCHAR chSeparator ) = 0;
/*
* Get the record number ( from the beginning or end of the log file
* depending on the direction ) of the current entry log.
*
* Note: Direction is not important in NT event logs.
*/
virtual APIERR QueryPos( LOG_ENTRY_NUMBER *plogEntryNum ) = 0;
/*
* Apply the filter pattern when reading the log
*/
VOID ApplyFilter( EVENT_FILTER_PATTERN *pFilterPattern )
{ _pFilterPattern = pFilterPattern; }
/*
* Clear the filter pattern : _pFilterPattern will be deleted where it
* is allocated.
*/
VOID ClearFilter( VOID )
{ _pFilterPattern = NULL; }
EVENT_FILTER_PATTERN *QueryFilter( VOID ) const
{ return _pFilterPattern; }
BOOL IsFilterOn( VOID )
{ return ( _pFilterPattern != NULL ); }
};
#endif