A
amit3281
Hi,
Can Anyone send me Parser source code for Windows Event Log in Java
Thanks in Advance
Amit
Can Anyone send me Parser source code for Windows Event Log in Java
Thanks in Advance
Amit
J
Jeff Higgins
J
Jeff Higgins
Jeff said:
a skeletal implementation
public class Win32EventLogParser
{
public Win32EventLog readEventLog(java.i
bjectInput in)throws java.io.IOException, ClassNotFoundException
{
Win32EventLog log = new Win32EventLog();
log.readExternal(in);
return log;
}
}
@SuppressWarnings("unused")
public class Win32EventLog
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
private Win32EventLogHeader logHeader = new Win32EventLogHeader();
private java.util.List<Win32EventLogRecord> logRecords =
new java.util.ArrayList<Win32EventLogRecord>();
public void readExternal(java.i
bjectInput in)throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
bjectOutput out)throws java.io.IOException
{
// TODO
}
}
@SuppressWarnings("unused")
public class Win32EventLogHeader
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
public static final Long ELF_LOGFILE_HEADER_DIRTY = 0x0001L;
public static final Long ELF_LOGFILE_HEADER_WRAP = 0x0002L;
public static final Long ELF_LOGFILE_LOGFULL_WRITTEN = 0x0004L;
public static final Long ELF_LOGFILE_ARCHIVE_SET = 0x0008L;
private Long HeaderSize;
private Long Signature;
private Long MajorVersion;
private Long MinorVersion;
private Long StartOffset;
private Long EndOffset;
private Long CurrentRecordNumber;
private Long OldestRecordNumber;
private Long MaxSize;
private Long Flags;
private Long Retention;
private Long EndHeaderSize;
public static Win32EventLogHeader
readEventLogHeader(java.i
bjectInputStream in){
// TODO
return null;
}
public void readExternal(java.i
bjectInput in)throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
bjectOutput out)throws java.io.IOException
{
// TODO
}
}
@SuppressWarnings("unused")
public class Win32EventLogRecord
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
public static final Long EVENTLOG_ERROR_TYPE = 0x0001L;
public static final Long EVENTLOG_AUDIT_FAILURE = 0x0010L;
public static final Long EVENTLOG_AUDIT_SUCCESS = 0x0008L;
public static final Long EVENTLOG_INFORMATION_TYPE = 0x0004L;
public static final Long EVENTLOG_WARNING_TYPE = 0x0002L;
private Long Length;
private Long Reserved;
private Long RecordNumber;
private Long TimeGenerated;
private Long TimeWritten;
private Long EventID;
private Integer EventType;
private Integer NumStrings;
private Integer EventCategory;
private Integer ReservedFlags;
private Long ClosingRecordNumber;
private Long StringOffset;
private Long UserSidLength;
private Long UserSidOffset;
private Long DataLength;
private Long DataOffset;
public void readExternal(java.i
bjectInput in) throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
bjectOutput out) throws java.io.IOException
{
// TODO
}
}
@SuppressWarnings("unused")
public class Win32EventLogEOF
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
private Long RecordSizeBeginning;
private Long One;
private Long Two;
private Long Three;
private Long Four;
private Long BeginRecord;
private Long EndRecord;
private Long CurrentRecordNumber;
private Long OldestRecordNumber;
private Long RecordSizeEnd;
public void readExternal(java.i
bjectInput in)throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
bjectOutput out)throws java.io.IOException
{
// TODO
}
}
A
amit3281
a skeletal implementation
public class Win32EventLogParser
{
public Win32EventLog readEventLog(java.i
throws java.io.IOException, ClassNotFoundException
{
Win32EventLog log = new Win32EventLog();
log.readExternal(in);
return log;
}
}
@SuppressWarnings("unused")
public class Win32EventLog
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
private Win32EventLogHeader logHeader = new Win32EventLogHeader();
private java.util.List<Win32EventLogRecord> logRecords =
new java.util.ArrayList<Win32EventLogRecord>();
public void readExternal(java.i
throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
throws java.io.IOException
{
// TODO
}
}
@SuppressWarnings("unused")
public class Win32EventLogHeader
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
public static final Long ELF_LOGFILE_HEADER_DIRTY = 0x0001L;
public static final Long ELF_LOGFILE_HEADER_WRAP = 0x0002L;
public static final Long ELF_LOGFILE_LOGFULL_WRITTEN = 0x0004L;
public static final Long ELF_LOGFILE_ARCHIVE_SET = 0x0008L;
private Long HeaderSize;
private Long Signature;
private Long MajorVersion;
private Long MinorVersion;
private Long StartOffset;
private Long EndOffset;
private Long CurrentRecordNumber;
private Long OldestRecordNumber;
private Long MaxSize;
private Long Flags;
private Long Retention;
private Long EndHeaderSize;
public static Win32EventLogHeader
readEventLogHeader(java.i
{
// TODO
return null;
}
public void readExternal(java.i
throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
throws java.io.IOException
{
// TODO
}
}
@SuppressWarnings("unused")
public class Win32EventLogRecord
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
public static final Long EVENTLOG_ERROR_TYPE = 0x0001L;
public static final Long EVENTLOG_AUDIT_FAILURE = 0x0010L;
public static final Long EVENTLOG_AUDIT_SUCCESS = 0x0008L;
public static final Long EVENTLOG_INFORMATION_TYPE = 0x0004L;
public static final Long EVENTLOG_WARNING_TYPE = 0x0002L;
private Long Length;
private Long Reserved;
private Long RecordNumber;
private Long TimeGenerated;
private Long TimeWritten;
private Long EventID;
private Integer EventType;
private Integer NumStrings;
private Integer EventCategory;
private Integer ReservedFlags;
private Long ClosingRecordNumber;
private Long StringOffset;
private Long UserSidLength;
private Long UserSidOffset;
private Long DataLength;
private Long DataOffset;
public void readExternal(java.i
java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
java.io.IOException
{
// TODO
}
}
@SuppressWarnings("unused")
public class Win32EventLogEOF
implements java.io.Externalizable
{
private static final long serialVersionUID = 1L;
private Long RecordSizeBeginning;
private Long One;
private Long Two;
private Long Three;
private Long Four;
private Long BeginRecord;
private Long EndRecord;
private Long CurrentRecordNumber;
private Long OldestRecordNumber;
private Long RecordSizeEnd;
public void readExternal(java.i
throws java.io.IOException, ClassNotFoundException
{
// TODO
}
public void writeExternal(java.i
throws java.io.IOException
{
// TODO
}
}- Hide quoted text -
- Show quoted text -
Hi,
Thanks for this stuff it's very helpful, but i am naive user in java
and i am unable to play with binary data to move to particular offset
and to read data from this pattern also i need to run this code in
Linux for JAVA.
Can you explain me binary data handling, I am a c++ user
commands for playing with byte arrays move to particular offset, skip
partikular offset, as in c++ i can very well do it using pointers but
i don't know how to do it with java
Thanks in advance
J
Jeff Higgins
amit3281 said:
Just so I'm not misunderstanding you. You want to parse backed-up
Win32 event log files, not manipulate active event logs?
Is this correct? If so:
I'm not certain why you want to read Win32 event log files on
a Linux platform, but... There seems to be many gotchas involved
in the whole \wide\ topic of Win32 Event logging system.
cf: <http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm>
One practical matter seems to be data format the files are written to.
See below for retrieving the header info.
Probably not. I'm pretty new to Java myself.
Java has Basic I/O and New I/O. For an overview tutorial see:
<http://java.sun.com/docs/books/tutorial/essential/io/index.html>
Maybe a java.io.RandomAccessFile type would work well here. ?
If you weren't working from a Linux platform, and given that
you are familiar with C++, I would say that probably the mobetter
way to approach this would be through Java Native Interface to
the Win32 API.
This writes a basic header to a file and reads it back on
my Win32 platform. I can use it to read header info from backed-up
event log files on my system.
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.i
utputStream;import java.nio.ByteBuffer;
import java.nio.ByteOrder;
public class Test
{
public static void main(String[] args)
{
FileInputStream fis;
FileOutputStream fos;
try
{
Win32EventLogHeader header =
new Win32EventLogHeader();
fos = new FileOutputStream("test");
header.writeHeader(fos);
fos.close();
fis = new FileInputStream("test");
header.readHeader(fis);
fis.close();
}
catch (FileNotFoundException e)
{
e.printStackTrace();
}
catch (IOException e)
{
e.printStackTrace();
}
}
public static class Win32EventLogHeader
{
public int[] data = {0x30,0x654C664C,0x1,0x1,
-0x1,-0x1,-0x1,0x0,0x80000,0x0,0x0,0x30};
public void writeHeader(OutputStream out)
throws IOException
{
for(int i : data)
{
ByteBuffer buff = ByteBuffer.allocate(4);
buff.order(ByteOrder.LITTLE_ENDIAN).putInt(i);
out.write(buff.array());
}
}
public void readHeader(InputStream in)
throws IOException
{
int count = 0;
int tmp;
while((tmp = in.read()) > -1 && count < 12)
{
data[count] = Integer.reverseBytes(tmp);
}
}
}
}
J
Jeff Higgins
Jeff said:
Oops, old version, sorry.
public void readHeader(InputStream in)
throws IOException
{
ByteBuffer buff = ByteBuffer.allocate(48);
buff.order(ByteOrder.BIG_ENDIAN);
int tmp;
byte[] bytes = new byte[4];
int count = 0;
while((tmp = in.read(bytes)) > -1 && count < 12)
{
buff.put(bytes);
count++;
}
buff.flip();
for(int i = 0; i < 11; i++)
{
data = buff.getInt();
}
}
R
Roedy Green
if you don't find one, these tools might help
http://mindprod.com/jgloss/csv.html
http://mindprod.com/jgloss/regex.html
http://mindprod.com/jgloss/parser.html
That is an ascending list of hammers.
A
amit3281
Thanks for all this stuff, it's a great help for me, also can anyone
help me how to skip some bytes reading bytebuffer,
Also I need to know is there any way in java so that i can typecast
whole class to bytebuffer and members get it's value in it, Like C++
when we typecast structure in byte buffer we get all the structure
elements populated
Also I need to know is there any way i can have pointer of
bytebuffer(read pointer) which i can increment say by 8 or so.
Thanks in Advance
T
Twisted
The obvious method is just to read those bytes and ignore them.
Nope. You should either use serialization, or if it's an existing file
format you want to read, create a data structure in Java classes that
corresponds to the format and write a constructor that reads the data
from a byte buffer and uses it to figure out what values to assign its
members. For example it might have a few integer members and an array
member, read a header, assign the loose integers, create an array of
the appropriate size based on this info, and read more data to
populate the array.
The C/C++ method of just casting data to a struct is brittle anyway,
since byte order and packing/layout can vary from one system or
application to the next.
Well if you have a byte array you can jump by eight by adding eight to
an array index. If you're looking to read in 64-bit integers or
something from some file format, you'll need to know the format's byte
ordering for these values, and read sets of eight bytes, multiply by
the appropriate powers of 2 (or shift-left them), and add them (or
logical-or them) together to construct Java longs.
Working with binary file formats in Java can be a bit of a mess, but
the result should be robust, unlike C code full of casts when you
change compiler or try to use it on a different type of hardware (e.g.
a SPARC instead of x86)...
A
amit3281
Thanks a lot for such a quick and helpful responses.
R
Roedy Green
Java's use of references to independent objects even for Strings and
arrays pretty well precludes that COBOL/C style structure processing.
J
Jeff Higgins
amit3281 wrote
Both RandomAccessFile and FileInputStream have the .getFileChannel() method,
but I've not used the java.nio package yet so I couldn't be of any help
there.
There's a series of FileChannel and ByteBuffer tutorials here:
<http://www.developer.com/java/article.php/1473151>
RandomAccessFile has the .getFilePointer() and .seek(long) methods.
Both RandomAccessFile and FileInputStream have the .getFileChannel() method,
but I've not used the java.nio package yet so I couldn't be of any help
there.
There's a series of FileChannel and ByteBuffer tutorials here:
<http://www.developer.com/java/article.php/1473151>
A
amit3281
Hi,
I had read this article few days before,
http://computer.forensikblog.de/en/2007/02/a_common_misconception.html
this tells that event logs rotates on same file so it may not
compulsary to get first event at same place can anyone clear me this.
Also I want to for what the first 4 bytes in Event Log represents,
before (LfLe).
30 00 00 00 4c 66 4c 65 (LfLe)
Thanks in Advance
Amit Papriwal
A
amit3281
I think i had left some fields
this is whole header, but which type of header, is this file
header........
Thanks and Regards
Amit
J
Jeff Higgins
Please, please see the links to the Microsoft Developer Network Library
that I have posted here and in another thread. The MSDN Library is even
multi-lingual, at the top of the page there is a drop down menu to select
from the languages your choice.
Here is the link to Windows Events, it is an overview topic with links
to increasingly finer detailed topics.
<http://msdn2.microsoft.com/en-us/library/aa964766.aspx>
Here is the link to Event Logging Structures, it is an overview topic with
links to increasingly finer detailed topics.
Here is the link to ELF_LOGFILE_HEADER, it is a detailed specification
for the ELF_LOGFILE_HEADER.
<http://msdn2.microsoft.com/en-us/library/bb309024.aspx>
Here is the link to EVENTLOGRECORD, it is a detailed specification
for the EVENTLOGRECORD.
<http://msdn2.microsoft.com/en-us/library/aa363646.aspx>
ELF_EOF_RECORD
Here is the link to ELF_EOF_RECORD, it is a detailed specification
for the ELF_EOF_RECORD.
<http://msdn2.microsoft.com/en-us/library/bb309022.aspx>
Reiterating some other links I've posted:
<http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm>
<http://java.sun.com/docs/books/tutorial/essential/io/index.html>
<http://java.sun.com/javase/6/docs/api/java/io/RandomAccessFile.html>
<http://java.sun.com/javase/6/docs/api/java/nio/channels/FileChannel.html>
<http://java.sun.com/javase/6/docs/api/java/nio/ByteBuffer.html>
<http://www.developer.com/java/article.php/1473151>
I have no more, I'm sorry. After you read the links above you will
know as much of the subject as I do, probably much more!
Good luck.
JH
that I have posted here and in another thread. The MSDN Library is even
multi-lingual, at the top of the page there is a drop down menu to select
from the languages your choice.
Here is the link to Windows Events, it is an overview topic with links
to increasingly finer detailed topics.
<http://msdn2.microsoft.com/en-us/library/aa964766.aspx>
Here is the link to Event Logging Structures, it is an overview topic with
links to increasingly finer detailed topics.
Here is the link to ELF_LOGFILE_HEADER, it is a detailed specification
for the ELF_LOGFILE_HEADER.
<http://msdn2.microsoft.com/en-us/library/bb309024.aspx>
Here is the link to EVENTLOGRECORD, it is a detailed specification
for the EVENTLOGRECORD.
<http://msdn2.microsoft.com/en-us/library/aa363646.aspx>
ELF_EOF_RECORD
Here is the link to ELF_EOF_RECORD, it is a detailed specification
for the ELF_EOF_RECORD.
<http://msdn2.microsoft.com/en-us/library/bb309022.aspx>
Reiterating some other links I've posted:
<http://www.grimes.demon.co.uk/workshops/InstrWSEight.htm>
<http://java.sun.com/docs/books/tutorial/essential/io/index.html>
<http://java.sun.com/javase/6/docs/api/java/io/RandomAccessFile.html>
<http://java.sun.com/javase/6/docs/api/java/nio/channels/FileChannel.html>
<http://java.sun.com/javase/6/docs/api/java/nio/ByteBuffer.html>
<http://www.developer.com/java/article.php/1473151>
I have no more, I'm sorry. After you read the links above you will
know as much of the subject as I do, probably much more!
Good luck.
JH
A
amit3281
Hi,
Can you tell me one thing, I had read all these sites but my parser is
unable to read properly all records in file.
I need to read this file from beginning or from end. i.e oldest record
need to be fetched first or newest...
Thanks in Advance.
Amit
J
Jeff Higgins
First please note that I am no expert, all I know of the subject
is what I've read in the links provided.
You may have a reader that functions perfectly according to the
specifications given in the links to Windows Event Log Format,
but according to the Grimes link there are several "gotchas"
involved, probably more now then when that article was written.
According to the specification,(excerpted below)
there are many ways you could do it.
But it looks like a sequential search starting
with the oldest record would be the easiest.
ELF_LOGFILE_HEADER
StartOffset
The offset to the oldest record in the event log.
EndOffset
The offset to the ELF_EOF_RECORD in the event log.
CurrentRecordNumber
The number of the next record that
will be added to the event log.
OldestRecordNumber
The number of the oldest record in the event log.
For an empty file, the oldest record number is set to 0.
Length
The size of this event record, in bytes.
Note that this value is stored at both ends
of the entry to ease moving forward or backward
through the log. The length includes any pad
bytes inserted at the end of the record for
DWORD alignment.
RecordNumber
The number of the record.
This value can be used with the EVENTLOG_SEEK_READ
flag in the ReadEventLog function to begin reading
at a specified record. For more information,
see Event Log Records.
************************************************
EVENTLOGRECORD
Length
The size of this event record, in bytes.
Note that this value is stored at both ends
of the entry to ease moving forward or backward
through the log. The length includes any pad
bytes inserted at the end of the record for
DWORD alignment.
RecordNumber
The number of the record.
This value can be used with the EVENTLOG_SEEK_READ
flag in the ReadEventLog function to begin reading
at a specified record. For more information,
see Event Log Records.
*************************************************
ELF_EOF_RECORD
BeginRecord
The offset to the oldest record. If the event log is
empty, this is set to the start of this structure.
EndRecord
The offset to the start of this structure.
CurrentRecordNumber
The record number of the next event that will
be written to the event log.
OldestRecordNumber
The record number of the oldest record in the event log.
The record number will be 0 if the event log is empty.
A
amit3281
Hi,
Now I am able to get all values, but when file is live then i am not
able to get values.
As it contains half record in last and half after file header.
Thanks and Regards,
Amit
J
Jeff Higgins
amit said:
Hi Amit
Glad to hear that you're making progress. It sounds like you're
comfortable now following pointers through the file byte stream.
Unfortunatly I'm not able to help with this latest stumbling block.
My knowledge of the subject is exhausted before this. Although I
will say that I seem to recall reading that there is no guarantee
as to where in the stream a new record will be placed, only that
it will contain pointers to the previous and next records. Of
course with my limited knowledge of the subject, anything I say
should be suspected of being incorrect.
All I can do from this point is to reiterate a pointer to the source.
<http://msdn2.microsoft.com/en-us/library/aa964766.aspx>
Best regards.
JH