用C寫(xiě)的“讀取系統(tǒng)日志”，花了我不少時(shí)間的，雖然不難

???? #include <stdio.h>
//#include <unistd.h>
#include <string.h>
#include <time.h>

#include <windows.h>

#define BUFFER_SIZE 1024*64

//#define DEFAULT_FILE ?"C:\\ossec-extracted-evt.log"

FILE *fp;
int event_record=0;

/* Event logging local structure */
typedef struct _os_el
{
??? int time_of_last;?
??? char *event_name;

??? EVENTLOGRECORD *er;
??? HANDLE h;

??? DWORD record;
}os_el;
os_el el[3];
int el_last = 0;

/** int startEL(char *app, os_el *el)
?* Starts the event logging for each el
?*/
int startEL(char *app, os_el *el)
{
??? /* Opening the event log */
??? el->h = OpenEventLog(NULL, app);
??? if(!el->h)
??? {
??????? return(0);????
??? }

??? el->event_name = app;
??? GetOldestEventLogRecord(el->h, &el->record);

??? return(1);
}

?

/** char *el_GetCategory(int category_id)
?* Returns a string related to the category id of the log.
?*/
//得到一個(gè)事件的類(lèi)型，，輸入是一個(gè)事件類(lèi)型id輸出是漢字串
char *el_GetCategory(int category_id)
{
??? char *cat;
??? switch(category_id)
??? {
??????? case EVENTLOG_ERROR_TYPE:
??????????? cat = "錯(cuò)誤";
??????????? break;
??????? case EVENTLOG_WARNING_TYPE:
??????????? cat = "警告";
??????????? break;
??????? case EVENTLOG_INFORMATION_TYPE:
??????????? cat = "信息";
??????????? break;
??????? case EVENTLOG_AUDIT_SUCCESS:
??????????? cat = "審核成功";
??????????? break;
??????? case EVENTLOG_AUDIT_FAILURE:
??????????? cat = "審核失敗";
??????????? break;
??????? default:
??????????? cat = "Unknown";
??????????? break;
??? }
??? return(cat);
}

/** int el_getEventDLL(char *evt_name, char *event_sourcename, char *event)
?* Returns the event.
?*/
int el_getEventDLL(char *evt_name, char *event_sourcename, char *event)
{
??? HKEY key;
??? DWORD ret;
??? char keyname[256];

??? keyname[255] = '\0';

??? _snprintf(keyname, 254,
??????????? "System\\CurrentControlSet\\Services\\EventLog\\%s\\%s",
??????????? evt_name,
??????????? event_sourcename);

??? /* Opening registry */????
??? if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, keyname, 0, KEY_ALL_ACCESS, &key)
??????????? != ERROR_SUCCESS)
??? {
??????? return(0);???
??? }

??? ret = MAX_PATH -1;?
??? if (RegQueryValueEx(key, "EventMessageFile", NULL,
??????????????? NULL, (LPBYTE)event, &ret) != ERROR_SUCCESS)
??? {
??????? event[0] = '\0';?
??????? return(0);
??? }

??? RegCloseKey(key);
??? return(1);
}

?

/** char *el_Getmessage()
?* Returns a descriptive message of the event.
?*/
//輸出是時(shí)間描述信息
char *el_GetMessage(EVENTLOGRECORD *er,? char *event_name,
????? char * event_sourcename, LPTSTR *el_sstring)
{
??? DWORD fm_flags = 0;
??? char tmp_str[257];
??? char event[MAX_PATH +1];
??? char *curr_str;
??? char *next_str;
??? LPSTR message = NULL;

??? HMODULE hevt;

??? /* Initializing variables */
??? event[MAX_PATH] = '\0';
??? tmp_str[256] = '\0';

??? /* Flags for format event */
??? fm_flags |= FORMAT_MESSAGE_FROM_HMODULE;
??? fm_flags |= FORMAT_MESSAGE_ALLOCATE_BUFFER;
??? fm_flags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;

??? /* Get the file name from the registry (stored on event) */
??? if(!el_getEventDLL(event_name, event_sourcename, event))
??? {
??????? return(NULL);????
??? }????

??? curr_str = event;

??? /* If our event has multiple libraries, try each one of them */
??? while((next_str = strchr(curr_str, ';')))
??? {
??????? *next_str = '\0';
??????? next_str++;

??????? ExpandEnvironmentStrings(curr_str, tmp_str, 255);
??????? hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
??????? if(hevt)
??????? {
??????????? if(!FormatMessage(fm_flags, hevt, er->EventID,
??????????????????????? 0,
??????????????????????? (LPTSTR) &message, 0, el_sstring))
??????????? {
??????????????? message = NULL;???
??????????? }
??????????? FreeLibrary(hevt);

??????????? /* If we have a message, we can return it */
??????????? if(message)
??????????????? return(message);
??????? }

??????? curr_str = next_str;??
??? }

??? ExpandEnvironmentStrings(curr_str, tmp_str, 255);
??? hevt = LoadLibraryEx(tmp_str, NULL, DONT_RESOLVE_DLL_REFERENCES);
??? if(hevt)
??? {
??????? int hr;???
??????? if(!(hr = FormatMessage(fm_flags, hevt, er->EventID,
??????????????????????? 0,
??????????????????????? (LPTSTR) &message, 0, el_sstring)))
??????? {
??????????? message = NULL;???
??????? }
??????? FreeLibrary(hevt);

??????? /* If we have a message, we can return it */
??????? if(message)
??????????? return(message);
??? }

??? return(NULL);
}

?

/** void Read_event(os_el *el)
?* Reads the event log.
?*/
void Read_event(os_el *el, int printit)
{
??? DWORD nstr;
??? DWORD user_size;
??? DWORD domain_size;
??? DWORD read, needed;
??? int size_left;
??? int str_size;

??? char *mbuffer[BUFFER_SIZE];
??? LPSTR sstr = NULL;

??? char *tmp_str = NULL;
??? char *event_category;???//事件類(lèi)型
??? char *event_sourcename;???//事件來(lái)源
??? char *event_computername;??//事件計(jì)算機(jī)名
??? char *event_descriptive_msg;?//事件描述

??? char event_el_user[257];??//事件用戶(hù)
??? char event_el_domain[257];??//事件域
??? char el_string[1025];
??? char final_out_msg[1024];??//最后輸出的信息
??? LPSTR el_sstring[57];

??? /* Er must point to the mbuffer */
??? el->er = (EVENTLOGRECORD *) &mbuffer;

??? /* Zeroing the last values */
??? el_string[1024] = '\0';
??? event_el_user[256] = '\0';
??? event_el_domain[256] = '\0';
??? final_out_msg[1023] = '\0';
??? el_sstring[56] = NULL;

??? /* Reading the event log */????
??? while(ReadEventLog(el->h,
??????????????? EVENTLOG_FORWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
??????????????? 0,
??????????????? el->er, BUFFER_SIZE -1, &read, &needed))
??? {
??????? while(read > 0)
??????? {

??????????? /* We need to initialize every variable before the loop */
???//得到事件的類(lèi)型
??????????? event_category = el_GetCategory(el->er->EventType);
???//得到事件來(lái)源
??????????? event_sourcename = (LPSTR) ((LPBYTE) el->er + sizeof(EVENTLOGRECORD));
???//得到計(jì)算機(jī)名
??????????? event_computername = event_sourcename + strlen(event_sourcename) + 1;
???//給描述信息初始化
??????????? event_descriptive_msg = NULL;

??????????? /* 初始化domain/user尺寸 */
??????????? user_size = 255; domain_size = 255;
??????????? event_el_domain[0] = '\0';
??????????? event_el_user[0] = '\0';

??????????? /* 設(shè)置時(shí)間的一些描述 some description */
??????????? if(el->er->NumStrings)
??????????? {?
??????????????? size_left = 1020;?

??????????????? sstr = (LPSTR)((LPBYTE)el->er + el->er->StringOffset);
??????????????? el_string[0] = '\0';

??????????????? for (nstr = 0;nstr < el->er->NumStrings;nstr++)
??????????????? {
??????????????????? str_size = strlen(sstr);?
??????????????????? strncat(el_string, sstr, size_left);

??????????????????? tmp_str= strchr(el_string, '\0');
??????????????????? if(tmp_str)
??????????????????? {
??????????????????????? *tmp_str = ' ';??
??????????????????????? tmp_str++; *tmp_str = '\0';
??????????????????? }
??????????????????? size_left-=str_size + 1;

??????????????????? if(nstr <= 54)
??????????????????????? el_sstring[nstr] = (LPSTR)sstr;

??????????????????? sstr = strchr( (LPSTR)sstr, '\0');
??????????????????? sstr++;
?????
??????????????? }

??????????????? /* Get a more descriptive message (if available) */
??????????????? event_descriptive_msg = el_GetMessage(el->er, el->event_name, event_sourcename, el_sstring);
??????????????? if(event_descriptive_msg != NULL)
??????????????? {
??????????????????? /* Remove any \n or \r */
??????????????????? tmp_str = event_descriptive_msg;???
??????????????????? while((tmp_str = strchr(tmp_str, '\n')))
??????????????????? {
??????????????????????? *tmp_str = ' ';
??????????????????????? tmp_str++;
??????

?????
??????????????????? }???

??????????????????? tmp_str = event_descriptive_msg;???
??????????????????? while((tmp_str = strchr(tmp_str, '\r')))
??????????????????? {
??????????????????????? *tmp_str = ' ';
??????????????????????? tmp_str++;
??????//strchr(tmp_str, '\n');

??????????????????? }???
??????????????? }
??????????? }
??????????? else
??????????? {
??????????????? strncpy(el_string, "(no message)", 1020);?
??????????? }

??????????? /* 得到username */
??????????? if (el->er->UserSidLength)
??????????? {
??????????????? SID_NAME_USE account_type;
??????????????? if(!LookupAccountSid(NULL, (SID *)((LPSTR)el->er + el->er->UserSidOffset),
??????????????????????????? event_el_user, &user_size, event_el_domain, &domain_size, &account_type))??
??????????????? {
??????????????????? strncpy(event_el_user, "(no user)", 255);
??????????????????? strncpy(event_el_domain, "no domain", 255);
??????????????? }

??????????? }

??????????? else
??????????? {
??????????????? strncpy(event_el_user, "A", 255);?
??????????????? strncpy(event_el_domain, "N", 255);?
??????????? }

??????????? if(printit)
??????????? {
??????????????? tm?? *event_time?? =?? localtime((const?? long?? *)&el->er->TimeWritten);

??????????????? _snprintf(final_out_msg, 1022,
??????????????????????? "事件記錄序號(hào):%d\n事件:%s\n日期:%.4hd-%.2hd-%.2hd\n時(shí)間: %.2hd:%.2hd:%.2hd\n事件類(lèi)型:%s\n事件來(lái)源:%s\n事件ID:(%u)\n用戶(hù):%s/%s\n計(jì)算機(jī):%s\n描述:\n%s\n\n\n",
??????event_record,
??????el->event_name,
??????event_time->tm_year?? +?? 1900,
??????event_time->tm_mon?? +?? 1,
??????event_time->tm_mday,
??????event_time->tm_hour,
??????event_time->tm_min,
??????event_time->tm_sec,?
??????????????????????? event_category,
??????event_sourcename,
???????????????????????
??????????????????????? (WORD)el->er->EventID,
??????????????????????? event_el_domain,
??????????????????????? event_el_user,
???????????????????????
??????event_computername,
??????????????????????? event_descriptive_msg != NULL?event_descriptive_msg:el_string);?
??????????????
??????? ?fprintf(fp, "%s\n", final_out_msg);?
??????????? }

??????????? if(event_descriptive_msg != NULL)
??????????????? LocalFree(event_descriptive_msg);

??????????? /* Changing the point to the er */
??????????? read -= el->er->Length;
??????????? el->er = (EVENTLOGRECORD *)((LPBYTE) el->er + el->er->Length);
???event_record++;
??????? }??

??????? /* Setting er to the beginning of the buffer */?
??????? el->er = (EVENTLOGRECORD *)&mbuffer;
??
??? }
}

/** void win_startel()
?* Starts the event logging for windows
?*/
void win_startel(char *eventlog)
{
??? event_record=1;
?startEL(eventlog, &el[el_last]);
??? Read_event(&el[el_last],1);
??? el_last++;
}
////////////////////////////////////////////////////////
////main////////////////////////////////////////////////
////////////////////////////////////////////////////////
int main()
{
?? fp = fopen("C:\\Documents and Settings\\Administrator\\桌面\\Read_log.txt","w");
?? if(!fp)
?{
??printf("Unable to open file\n");
??exit(1);
?}
?? else
?? {
??printf("open file\n");?
?? }

?fprintf(fp, "\n\n***********安全日志***********\n\n\n");?
?win_startel("Security");
?printf("安全日志打開(kāi)\n");

?fprintf(fp, "\n\n***********應(yīng)用日志***********\n\n\n");?
?win_startel("Application");
?printf("應(yīng)用日志打開(kāi)\n");

?fprintf(fp, "\n\n***********系統(tǒng)日志***********\n\n\n");?
?win_startel("System");
?printf("系統(tǒng)日志打開(kāi)\n");

?

?

?fclose(fp);
?if(fclose(fp))
?{
??printf("關(guān)閉了\n");
?}
?else
?{
??printf("還開(kāi)著呢了，，抓緊關(guān)它吧\n");
?}
?return(0);
}

posted on 2006-08-28 14:18 啤酒 閱讀(2593) 評(píng)論(7)  編輯 收藏 引用