summaryrefslogtreecommitdiffstats
path: root/source3/rpcclient/cmd_eventlog.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpcclient/cmd_eventlog.c')
-rw-r--r--source3/rpcclient/cmd_eventlog.c650
1 files changed, 650 insertions, 0 deletions
diff --git a/source3/rpcclient/cmd_eventlog.c b/source3/rpcclient/cmd_eventlog.c
new file mode 100644
index 0000000..a22ab8a
--- /dev/null
+++ b/source3/rpcclient/cmd_eventlog.c
@@ -0,0 +1,650 @@
+/*
+ Unix SMB/CIFS implementation.
+ RPC pipe client
+
+ Copyright (C) Günther Deschner 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "rpcclient.h"
+#include "../librpc/gen_ndr/ndr_eventlog.h"
+#include "../librpc/gen_ndr/ndr_eventlog_c.h"
+#include "rpc_client/init_lsa.h"
+
+static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *log,
+ struct policy_handle *handle)
+{
+ NTSTATUS status, result;
+ struct eventlog_OpenUnknown0 unknown0;
+ struct lsa_String logname, servername;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ unknown0.unknown0 = 0x005c;
+ unknown0.unknown1 = 0x0001;
+
+ init_lsa_String(&logname, log);
+ init_lsa_String(&servername, NULL);
+
+ status = dcerpc_eventlog_OpenEventLogW(b, mem_ctx,
+ &unknown0,
+ &logname,
+ &servername,
+ 0x00000001, /* major */
+ 0x00000001, /* minor */
+ handle,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return result;
+}
+
+static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status = NT_STATUS_OK;
+ NTSTATUS result = NT_STATUS_OK;
+ struct policy_handle handle;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ uint32_t flags = EVENTLOG_BACKWARDS_READ |
+ EVENTLOG_SEQUENTIAL_READ;
+ uint32_t offset = 0;
+ uint32_t number_of_bytes = 0;
+ uint8_t *data;
+ uint32_t sent_size = 0;
+ uint32_t real_size = 0;
+
+ if (argc < 2 || argc > 4) {
+ printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ if (argc >= 3) {
+ offset = atoi(argv[2]);
+ }
+
+ if (argc >= 4) {
+ number_of_bytes = atoi(argv[3]);
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
+ if (data == NULL) {
+ goto done;
+ }
+
+ do {
+
+ enum ndr_err_code ndr_err;
+ DATA_BLOB blob;
+ struct EVENTLOGRECORD r;
+ uint32_t size = 0;
+ uint32_t pos = 0;
+
+ status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
+ &handle,
+ flags,
+ offset,
+ number_of_bytes,
+ data,
+ &sent_size,
+ &real_size,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) &&
+ real_size > 0 ) {
+ number_of_bytes = real_size;
+ data = talloc_realloc(mem_ctx, data, uint8_t, real_size);
+ if (data == NULL) {
+ goto done;
+ }
+ status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx,
+ &handle,
+ flags,
+ offset,
+ number_of_bytes,
+ data,
+ &sent_size,
+ &real_size,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) &&
+ !NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
+
+ number_of_bytes = 0;
+
+ size = IVAL(data, pos);
+
+ while (size > 0) {
+
+ blob = data_blob_const(data + pos, size);
+ /* dump_data(0, blob.data, blob.length); */
+ ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
+ (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ goto done;
+ }
+
+ NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
+
+ pos += size;
+
+ if (pos + 4 > sent_size) {
+ break;
+ }
+
+ size = IVAL(data, pos);
+ }
+
+ offset++;
+
+ } while (NT_STATUS_IS_OK(result));
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle handle;
+ uint32_t number = 0;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ if (argc != 2) {
+ printf("Usage: %s logname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = dcerpc_eventlog_GetNumRecords(b, mem_ctx,
+ &handle,
+ &number,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ printf("number of records: %d\n", number);
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle handle;
+ uint32_t oldest_entry = 0;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ if (argc != 2) {
+ printf("Usage: %s logname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = dcerpc_eventlog_GetOldestRecord(b, mem_ctx,
+ &handle,
+ &oldest_entry,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ printf("oldest entry: %d\n", oldest_entry);
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle handle;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ uint16_t num_of_strings = 1;
+ uint32_t data_size = 0;
+ struct lsa_String servername;
+ struct lsa_String *strings;
+ uint8_t *data = NULL;
+ uint32_t record_number = 0;
+ time_t time_written = 0;
+
+ if (argc != 2) {
+ printf("Usage: %s logname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
+ if (!strings) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ init_lsa_String(&strings[0], "test event written by rpcclient\n");
+ init_lsa_String(&servername, NULL);
+
+ status = dcerpc_eventlog_ReportEventW(b, mem_ctx,
+ &handle,
+ time(NULL),
+ EVENTLOG_INFORMATION_TYPE,
+ 0, /* event_category */
+ 0, /* event_id */
+ num_of_strings,
+ data_size,
+ &servername,
+ NULL, /* user_sid */
+ &strings,
+ data,
+ 0, /* flags */
+ &record_number,
+ &time_written,
+ &result);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ printf("entry: %d written at %s\n", record_number,
+ http_timestring(talloc_tos(), time_written));
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle handle;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ uint16_t num_of_strings = 1;
+ uint32_t data_size = 0;
+ struct lsa_String servername, sourcename;
+ struct lsa_String *strings;
+ uint8_t *data = NULL;
+ uint32_t record_number = 0;
+ time_t time_written = 0;
+
+ if (argc != 2) {
+ printf("Usage: %s logname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
+ if (!strings) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ init_lsa_String(&strings[0], "test event written by rpcclient\n");
+ init_lsa_String(&servername, NULL);
+ init_lsa_String(&sourcename, "rpcclient");
+
+ status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx,
+ &handle,
+ time(NULL),
+ EVENTLOG_INFORMATION_TYPE,
+ 0, /* event_category */
+ 0, /* event_id */
+ &sourcename,
+ num_of_strings,
+ data_size,
+ &servername,
+ NULL, /* user_sid */
+ &strings,
+ data,
+ 0, /* flags */
+ &record_number,
+ &time_written,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ printf("entry: %d written at %s\n", record_number,
+ http_timestring(talloc_tos(), time_written));
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle log_handle;
+ struct lsa_String module_name, reg_module_name;
+ struct eventlog_OpenUnknown0 unknown0;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ unknown0.unknown0 = 0x005c;
+ unknown0.unknown1 = 0x0001;
+
+ if (argc != 2) {
+ printf("Usage: %s logname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ init_lsa_String(&module_name, "rpcclient");
+ init_lsa_String(&reg_module_name, NULL);
+
+ status = dcerpc_eventlog_RegisterEventSourceW(b, mem_ctx,
+ &unknown0,
+ &module_name,
+ &reg_module_name,
+ 1, /* major_version */
+ 1, /* minor_version */
+ &log_handle,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ done:
+ dcerpc_eventlog_DeregisterEventSource(b, mem_ctx, &log_handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle handle;
+ struct lsa_String backup_filename;
+ const char *tmp;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ if (argc != 3) {
+ printf("Usage: %s logname backupname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
+ if (!tmp) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ init_lsa_String(&backup_filename, tmp);
+
+ status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx,
+ &handle,
+ &backup_filename,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ NTSTATUS status, result;
+ struct policy_handle handle;
+ uint8_t *buffer = NULL;
+ uint32_t buf_size = 0;
+ uint32_t bytes_needed = 0;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ if (argc != 2) {
+ printf("Usage: %s logname\n", argv[0]);
+ return NT_STATUS_OK;
+ }
+
+ status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
+ if (buffer == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ status = dcerpc_eventlog_GetLogInformation(b, mem_ctx,
+ &handle,
+ 0, /* level */
+ buffer,
+ buf_size,
+ &bytes_needed,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) {
+ goto done;
+ }
+
+ buf_size = bytes_needed;
+ buffer = talloc_realloc(mem_ctx, buffer, uint8_t, bytes_needed);
+ if (buffer == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ status = dcerpc_eventlog_GetLogInformation(b, mem_ctx,
+ &handle,
+ 0, /* level */
+ buffer,
+ buf_size,
+ &bytes_needed,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ done:
+ dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result);
+
+ return status;
+}
+
+
+struct cmd_set eventlog_commands[] = {
+ {
+ .name = "EVENTLOG",
+ },
+ {
+ .name = "eventlog_readlog",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_readlog,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Read Eventlog",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_numrecord",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_numrecords,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Get number of records",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_oldestrecord",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_oldestrecord,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Get oldest record",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_reportevent",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_reportevent,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Report event",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_reporteventsource",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_reporteventsource,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Report event and source",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_registerevsource",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_registerevsource,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Register event source",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_backuplog",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_backuplog,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Backup Eventlog File",
+ .usage = "",
+ },
+ {
+ .name = "eventlog_loginfo",
+ .returntype = RPC_RTYPE_NTSTATUS,
+ .ntfn = cmd_eventlog_loginfo,
+ .wfn = NULL,
+ .table = &ndr_table_eventlog,
+ .rpc_pipe = NULL,
+ .description = "Get Eventlog Information",
+ .usage = "",
+ },
+ {
+ .name = NULL,
+ },
+};