/*****************************************************************/
/** Microsoft Windows NT **/
/** Copyright(c) Microsoft Corp., 1991 **/
/*****************************************************************/
/*
* logmisc.hxx
*
* This file contains some misc. class definitions used in EVENT_LOG
* which include the pattern classes for filter/search and the log
* entry classes encapsulating common information about the log entries.
*
*            EVENT_PATTERN_BASE                 LOG_ENTRY_BASE
*                 /       \                         /       \
*              /             \                   /             \
* EVENT_FILTER_PATTERN EVENT_FIND_PATTERN RAW_LOG_ENTRY FORMATTED_LOG_ENTRY
*
*
* History:
* Yi-HsinS 10/15/91 Created
* Yi-HsinS 3/5/92 Added Set methods to log entry classes
* Yi-HsinS 4/3/92 Change Subtype to Category
*
*/
#ifndef _LOGMISC_HXX_
#define _LOGMISC_HXX_
#include "base.hxx"
/*
 * EVENT_LOG is defined in eventlog.hxx.  LOG_ENTRY_BASE only stores a
 * pointer to it, so a forward declaration suffices here; eventlog.hxx
 * must be included after this header.
 */
DLL_CLASS EVENT_LOG;

/*
 * Direction in which the event log is read.
 */
enum EVLOG_DIRECTION
{
    EVLOG_FWD  = 0,     /* forward  */
    EVLOG_BACK = 1      /* backward */
};

/*
 * Wildcard value for the numeric fields of a pattern: a field set to
 * NUM_MATCH_ALL matches any number (see EVENT_PATTERN_BASE).
 */
#define NUM_MATCH_ALL ((ULONG) -1)
/*************************************************************************
NAME: LOG_ENTRY_BASE
SYNOPSIS: This class encapsulates all the common information
contained in both a RAW_LOG_ENTRY and a FORMATTED_LOG_ENTRY.
INTERFACE: LOG_ENTRY_BASE() - Constructor
~LOG_ENTRY_BASE() - Destructor
Set() - Set all members in the class. Used mainly
when the object is constructed with the
dummy constructor.
The QueryXXX methods:
QueryRecordNum()- Returns the record number of the log entry
QueryTime() - Returns the time in ULONG
QueryType() - Returns the type of the event
QueryCategory() - Returns the category string of the event
QueryEventID() - Returns the event ID
QueryDisplayEventID() - Returns the event ID to be displayed
i. e. strip the top 16 bits off...
QueryEventLog() - Returns the associated event log that
created this entry.
QuerySource() - Returns the source which recorded the event.
QueryUser() - Returns the name of the user on whose behalf
the application which recorded the event is
running.
QueryComputer() - Returns the computer on which the event
is recorded.
PARENT: BASE
USES: NLS_STR, EVENT_LOG
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
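DLL_CLASS LOG_ENTRY_BASE : public BASE
{
protected:
    /*
     * Information shared by RAW_LOG_ENTRY and FORMATTED_LOG_ENTRY.
     * The category is the only owning string here; the rest are scalars.
     */
    ULONG   _ulRecordNum;       /* record number of the entry in the log */
    ULONG   _ulTime;            /* time of the event, as a ULONG          */
    USHORT  _usType;            /* event type                             */
    NLS_STR _nlsCategory;       /* category string                        */
    ULONG   _ulEventID;         /* full 32-bit event ID                   */

    /*
     * Non-owning pointer to the EVENT_LOG that produced this entry.  It is
     * kept so that the description can be fetched through it when the log
     * is filtered or searched.  Presumably the entry must not outlive the
     * log it points to -- nothing in this header enforces that.
     */
    EVENT_LOG *_pEventLog;

public:
    /*
     * Dummy constructor.  The scalar members are zeroed so that the
     * QueryXXX methods never return indeterminate values if they are
     * called before Set(); Set() is expected to fill the object afterwards.
     */
    LOG_ENTRY_BASE( VOID )
        : _ulRecordNum( 0 ),
          _ulTime( 0 ),
          _usType( 0 ),
          _ulEventID( 0 ),
          _pEventLog( 0 )
    {}

    /*
     * Constructs a fully-populated entry.
     *   ulRecordNum  - record number within the log
     *   ulTime       - time the event was recorded
     *   usType       - event type
     *   pszCategory  - category string (copied into _nlsCategory)
     *   ulEventID    - full event ID
     *   pEventLog    - log that produced the entry (stored, not copied)
     */
    LOG_ENTRY_BASE( ULONG        ulRecordNum,
                    ULONG        ulTime,
                    USHORT       usType,
                    const TCHAR *pszCategory,
                    ULONG        ulEventID,
                    EVENT_LOG   *pEventLog );

    /*
     * NOTE(review): the destructor is not virtual although this class has
     * pure virtual members.  Deleting a derived entry through a
     * LOG_ENTRY_BASE pointer would therefore be undefined behaviour; no
     * such deletion is visible in this header, so confirm the ownership
     * pattern in the callers before relying on it.
     */
    ~LOG_ENTRY_BASE();

    /*
     * Sets every member at once (same parameters as the full constructor).
     * Returns an APIERR; callers should check it before using the entry.
     */
    APIERR Set( ULONG        ulRecordNum,
                ULONG        ulTime,
                USHORT       usType,
                const TCHAR *pszCategory,
                ULONG        ulEventID,
                EVENT_LOG   *pEventLog );

    ULONG QueryRecordNum( VOID ) const
        { return _ulRecordNum; }

    ULONG QueryTime( VOID ) const
        { return _ulTime; }

    USHORT QueryType( VOID ) const
        { return _usType; }

    /* Returns a pointer to the member string, not a copy. */
    NLS_STR *QueryCategory( VOID )
        { return &_nlsCategory; }

    ULONG QueryEventID( VOID ) const
        { return _ulEventID; }

    /*
     * Event ID as shown to the user: only the low 16 bits.  The high
     * 16 bits are discarded, so two entries with different _ulEventID
     * values can display the same number.
     */
    ULONG QueryDisplayEventID( VOID ) const
        { return _ulEventID & 0x0000FFFF; }

    EVENT_LOG *QueryEventLog( VOID ) const
        { return _pEventLog; }

    /* Implemented by RAW_LOG_ENTRY and FORMATTED_LOG_ENTRY. */
    virtual NLS_STR *QuerySource( VOID ) = 0;
    virtual NLS_STR *QueryUser( VOID ) = 0;
    virtual NLS_STR *QueryComputer( VOID ) = 0;
};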
/*************************************************************************
NAME: RAW_LOG_ENTRY
SYNOPSIS: This class encapsulates all the common information
contained in a LANMAN audit log entry, LANMAN error
log entry, or a NT event log entry. Each entry contains
pointers into the actual buffer. So, there is no
guarantee that after another read ( Next() or SeekLogEntry() ),
the pointers will still be valid.
INTERFACE: RAW_LOG_ENTRY() - Constructor
Set() - Set all members in the class.
The QueryXXX methods:
QuerySource() - Returns the source which recorded the event.
QueryUser() - Returns the name of the user on whose behalf
the application which recorded the event is
running.
QueryComputer() - Returns the computer on which the event
is recorded.
PARENT: LOG_ENTRY_BASE
USES: ALIAS_STR, NLS_STR
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS RAW_LOG_ENTRY : public LOG_ENTRY_BASE
{
private:
    /*
     * Source and computer are ALIAS_STRs: they alias the log's read buffer
     * instead of owning a copy, so (as the SYNOPSIS above says) they are
     * only valid until the next read of the log.  Copy them out before
     * calling Next() or SeekLogEntry() if the values must be retained.
     */
    ALIAS_STR _nlsSource;
    ALIAS_STR _nlsComputer;

    /*
     * This cannot be a ALIAS_STR because the buffer for NT_EVENT_LOG
     * contains a SID and not a user name.
     */
    NLS_STR _nlsUser;

public:
    /* Dummy constructor; populate the entry with Set() afterwards. */
    RAW_LOG_ENTRY( VOID );

    /*
     * Constructs a fully-populated entry.  The first five parameters and
     * pEventLog have the same meaning as in LOG_ENTRY_BASE; pszSource,
     * pszUser and pszComputer identify who recorded the event and where.
     */
    RAW_LOG_ENTRY( ULONG        ulRecordNum,
                   ULONG        ulTime,
                   USHORT       usType,
                   const TCHAR *pszCategory,
                   ULONG        ulEventID,
                   const TCHAR *pszSource,
                   const TCHAR *pszUser,
                   const TCHAR *pszComputer,
                   EVENT_LOG   *pEventLog );

    /*
     * Sets every member at once (same parameters as the full constructor).
     * Returns an APIERR; callers should check it before using the entry.
     */
    APIERR Set( ULONG        ulRecordNum,
                ULONG        ulTime,
                USHORT       usType,
                const TCHAR *pszCategory,
                ULONG        ulEventID,
                const TCHAR *pszSource,
                const TCHAR *pszUser,
                const TCHAR *pszComputer,
                EVENT_LOG   *pEventLog );

    /*
     * Accessors return pointers to the members above, not copies; the
     * lifetime caveat on _nlsSource/_nlsComputer applies to the results.
     */
    virtual NLS_STR *QuerySource( VOID ) ;
    virtual NLS_STR *QueryUser( VOID ) ;
    virtual NLS_STR *QueryComputer( VOID ) ;
};
/*************************************************************************
NAME: FORMATTED_LOG_ENTRY
SYNOPSIS: This class encapsulates all the common information
contained in a LANMAN audit log entry, LANMAN error
log entry, or a NT event log entry. In contrast to
the RAW_LOG_ENTRY, all information in the original
buffer are copied so the log entry will still be
valid after the next read.
INTERFACE: FORMATTED_LOG_ENTRY() - Constructor
Set() - Set all members in the class. Used
mainly when the object is constructed
with the dummy constructor.
The QueryXXX methods:
QuerySource() - Returns the source which recorded the event.
QueryUser() - Returns the name of the user on whose behalf
the application which recorded the event is
running.
QueryComputer() - Returns the name of the computer on which the event
was recorded.
QueryTypeString() - Returns the string assoc. with the type
QueryDescription() - Returns the description of the event.
SetDescription() - Set the description of the event.
PARENT: LOG_ENTRY_BASE
USES: NLS_STR
CAVEATS:
NOTES: This class only contains the common information
of the LM audit log entry, LM error log entry and the NT
event log entry for use in the Event Viewer. It does not
contain all the information available in a log entry.
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS FORMATTED_LOG_ENTRY : public LOG_ENTRY_BASE
{
private:
    /*
     * Unlike RAW_LOG_ENTRY, every string is an owning NLS_STR copy, so
     * the entry stays valid after the next read of the log.
     */
    NLS_STR _nlsType;           /* string associated with the type      */
    NLS_STR _nlsSource;         /* source that recorded the event       */
    NLS_STR _nlsUser;           /* user on whose behalf it was recorded */
    NLS_STR _nlsComputer;       /* computer on which it was recorded    */
    NLS_STR _nlsDescription;    /* description text of the event        */

public:
    /*
     * Dummy constructor; the strings default-construct and the scalars in
     * LOG_ENTRY_BASE are whatever its dummy constructor leaves them.
     * Populate with Set() before use.
     */
    FORMATTED_LOG_ENTRY( VOID ) {};

    /*
     * Constructs a fully-populated entry.  pszType is the display string
     * for usType; the remaining parameters have the same meaning as in
     * RAW_LOG_ENTRY, plus pszDescription for the event text.  All strings
     * are copied.
     */
    FORMATTED_LOG_ENTRY( ULONG        ulRecordNum,
                         ULONG        ulTime,
                         USHORT       usType,
                         const TCHAR *pszType,
                         const TCHAR *pszCategory,
                         ULONG        ulEventID,
                         const TCHAR *pszSource,
                         const TCHAR *pszUser,
                         const TCHAR *pszComputer,
                         const TCHAR *pszDescription,
                         EVENT_LOG   *pEventLog );

    /*
     * Sets every member at once (same parameters as the full constructor).
     * Returns an APIERR; callers should check it before using the entry.
     */
    APIERR Set( ULONG        ulRecordNum,
                ULONG        ulTime,
                USHORT       usType,
                const TCHAR *pszType,
                const TCHAR *pszCategory,
                ULONG        ulEventID,
                const TCHAR *pszSource,
                const TCHAR *pszUser,
                const TCHAR *pszComputer,
                const TCHAR *pszDescription,
                EVENT_LOG   *pEventLog );

    /*
     * The following return a pointer to _nlsSource, _nlsUser, ... so that
     * the caller does not need to instantiate another NLS_STR to hold the
     * information.  The pointers are valid for the lifetime of this entry.
     */
    virtual NLS_STR *QuerySource( VOID ) ;
    virtual NLS_STR *QueryUser( VOID ) ;
    virtual NLS_STR *QueryComputer( VOID ) ;

    NLS_STR *QueryTypeString( VOID )
        { return &_nlsType; }

    NLS_STR *QueryDescription( VOID )
        { return &_nlsDescription; }

    /*
     * Replaces the description with a copy of pszDescription.  Returns the
     * APIERR from NLS_STR::CopyFrom; on failure the previous contents may
     * have been disturbed -- check the return value.
     */
    APIERR SetDescription( const TCHAR *pszDescription )
        { return _nlsDescription.CopyFrom( pszDescription ); }
};
/*************************************************************************
NAME: EVENT_PATTERN_BASE
SYNOPSIS: Contains common parts of the EVENT_FIND_PATTERN and the
EVENT_FILTER_PATTERN
INTERFACE: EVENT_PATTERN_BASE() - Constructor
QueryType() - Query the type stored in the pattern
QueryCategory() - Query the category stored in the pattern
QuerySource() - Query the source stored in the pattern
QueryUser() - Query the user stored in the pattern
QueryComputer() - Query the computer stored in the pattern
QueryEventID() - Query the event ID stored in the pattern
CheckForMatch() - Check if a LOG_ENTRY_BASE matches the pattern
or not
PARENT: BASE
USES: NLS_STR
CAVEATS:
NOTES: A string field set to the empty string "" matches all strings,
and a numerical field set to NUM_MATCH_ALL matches any number.
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS EVENT_PATTERN_BASE: public BASE
{
private:
    /*
     * Match criteria.  Per the NOTES above, an empty string matches every
     * string and NUM_MATCH_ALL matches every number, so a pattern built
     * from "" / NUM_MATCH_ALL in every field matches every entry.
     */
    USHORT  _usType;
    NLS_STR _nlsCategory;
    NLS_STR _nlsSource;
    NLS_STR _nlsUser;
    NLS_STR _nlsComputer;
    ULONG   _ulEventID;

public:
    /*
     * Builds a pattern from the individual criteria; the strings are
     * copied into the NLS_STR members.
     */
    EVENT_PATTERN_BASE( USHORT       usType,
                        const TCHAR *pszCategory,
                        const TCHAR *pszSource,
                        const TCHAR *pszUser,
                        const TCHAR *pszComputer,
                        ULONG        ulEventID );

    USHORT QueryType( VOID ) const
        { return _usType; }

    /* The string accessors return pointers to the members, not copies. */
    NLS_STR *QueryCategory( VOID )
        { return &_nlsCategory; }

    NLS_STR *QuerySource( VOID )
        { return &_nlsSource; }

    NLS_STR *QueryUser( VOID )
        { return &_nlsUser; }

    NLS_STR *QueryComputer( VOID )
        { return &_nlsComputer; }

    ULONG QueryEventID( VOID ) const
        { return _ulEventID; }

    /*
     * Tests pLogEntry against this pattern; the result is written to
     * *pfMatch and the return value is an APIERR.  Presumably *pfMatch is
     * only meaningful when the call succeeds -- check the return first.
     * This is not virtual; derived classes declare their own overloads
     * (see EVENT_FILTER_PATTERN / EVENT_FIND_PATTERN), which hide this one.
     */
    APIERR CheckForMatch( BOOL *pfMatch, LOG_ENTRY_BASE *pLogEntry ) const;
};
/*************************************************************************
NAME: EVENT_FILTER_PATTERN
SYNOPSIS: The pattern used in filtering
INTERFACE: EVENT_FILTER_PATTERN() - Constructor
QueryFromTime() - Query the from time stored in the pattern
QueryThroughTime() - Query the through time stored in
the pattern
CheckForMatch() - Check if a RAW_LOG_ENTRY matches the
pattern or not
PARENT: EVENT_PATTERN_BASE
USES:
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS EVENT_FILTER_PATTERN : public EVENT_PATTERN_BASE
{
private:
    /*
     * Time window of the filter, in the same ULONG units as
     * LOG_ENTRY_BASE::QueryTime().  How the bounds are applied (inclusive
     * or not, and whether NUM_MATCH_ALL is honoured here) is decided in
     * CheckForMatch(), which is not in this header.
     */
    ULONG _ulFromTime;
    ULONG _ulThroughTime;

public:
    /*
     * Builds a filter pattern: the first six parameters go to
     * EVENT_PATTERN_BASE, the last two set the time window.
     */
    EVENT_FILTER_PATTERN( USHORT       usType,
                          const TCHAR *pszCategory,
                          const TCHAR *pszSource,
                          const TCHAR *pszUser,
                          const TCHAR *pszComputer,
                          ULONG        ulEventID,
                          ULONG        ulFromTime,
                          ULONG        ulThroughTime );

    ULONG QueryFromTime( VOID ) const
        { return _ulFromTime; }

    ULONG QueryThroughTime( VOID ) const
        { return _ulThroughTime; }

    /*
     * Tests a RAW_LOG_ENTRY against the pattern; result in *pfMatch,
     * APIERR returned.  Declaring this name here hides
     * EVENT_PATTERN_BASE::CheckForMatch( BOOL *, LOG_ENTRY_BASE * ) on
     * objects of this type; add a using-declaration if the base overload
     * should remain callable through an EVENT_FILTER_PATTERN.
     */
    APIERR CheckForMatch( BOOL *pfMatch, RAW_LOG_ENTRY *pRawLogEntry ) const;
};
/*************************************************************************
NAME: EVENT_FIND_PATTERN
SYNOPSIS: The pattern used in finding a particular log entry
INTERFACE: EVENT_FIND_PATTERN() - Constructor
QueryDescription()- Query the description
QueryDirection() - Query the direction of search the log
CheckForMatch() - Check if a RAW_LOG_ENTRY or
FORMATTED_LOG_ENTRY matches the pattern
or not
PARENT: EVENT_PATTERN_BASE
USES: NLS_STR
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS EVENT_FIND_PATTERN: public EVENT_PATTERN_BASE
{
private:
    /*
     * Description text to look for.  Like the other string criteria,
     * "" is the wildcard (see EVENT_PATTERN_BASE NOTES).
     */
    NLS_STR _nlsDescription;

    /*
     * The direction of doing the search - EVLOG_FWD or EVLOG_BACK
     */
    EVLOG_DIRECTION _evdir;

public:
    /*
     * Builds a find pattern: the first six parameters go to
     * EVENT_PATTERN_BASE; pszDescription is copied and evdir selects the
     * search direction.
     */
    EVENT_FIND_PATTERN( USHORT          usType,
                        const TCHAR    *pszCategory,
                        const TCHAR    *pszSource,
                        const TCHAR    *pszUser,
                        const TCHAR    *pszComputer,
                        ULONG           ulEventID,
                        const TCHAR    *pszDescription,
                        EVLOG_DIRECTION evdir );

    /* Returns a pointer to the member string, not a copy. */
    NLS_STR *QueryDescription( VOID )
        { return &_nlsDescription; }

    EVLOG_DIRECTION QueryDirection( VOID ) const
        { return _evdir; }

    /*
     * Two overloads: one for entries that still alias the read buffer and
     * one for fully-copied entries.  Result in *pfMatch, APIERR returned.
     * As in EVENT_FILTER_PATTERN, declaring CheckForMatch here hides the
     * EVENT_PATTERN_BASE overload taking a LOG_ENTRY_BASE *.
     */
    APIERR CheckForMatch( BOOL          *pfMatch,
                          RAW_LOG_ENTRY *pRawLogEntry ) const;

    APIERR CheckForMatch( BOOL                *pfMatch,
                          FORMATTED_LOG_ENTRY *pFmtLogEntry ) const;
};
#endif