diff options
Diffstat (limited to 'source3/rpcclient/cmd_eventlog.c')
-rw-r--r-- | source3/rpcclient/cmd_eventlog.c | 650 |
1 files changed, 650 insertions, 0 deletions
diff --git a/source3/rpcclient/cmd_eventlog.c b/source3/rpcclient/cmd_eventlog.c new file mode 100644 index 0000000..a22ab8a --- /dev/null +++ b/source3/rpcclient/cmd_eventlog.c @@ -0,0 +1,650 @@ +/* + Unix SMB/CIFS implementation. + RPC pipe client + + Copyright (C) Günther Deschner 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "rpcclient.h" +#include "../librpc/gen_ndr/ndr_eventlog.h" +#include "../librpc/gen_ndr/ndr_eventlog_c.h" +#include "rpc_client/init_lsa.h" + +static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + const char *log, + struct policy_handle *handle) +{ + NTSTATUS status, result; + struct eventlog_OpenUnknown0 unknown0; + struct lsa_String logname, servername; + struct dcerpc_binding_handle *b = cli->binding_handle; + + unknown0.unknown0 = 0x005c; + unknown0.unknown1 = 0x0001; + + init_lsa_String(&logname, log); + init_lsa_String(&servername, NULL); + + status = dcerpc_eventlog_OpenEventLogW(b, mem_ctx, + &unknown0, + &logname, + &servername, + 0x00000001, /* major */ + 0x00000001, /* minor */ + handle, + &result); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return result; +} + +static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status = NT_STATUS_OK; + NTSTATUS result = NT_STATUS_OK; + struct policy_handle handle; + struct dcerpc_binding_handle *b = cli->binding_handle; + + uint32_t flags = EVENTLOG_BACKWARDS_READ | + EVENTLOG_SEQUENTIAL_READ; + uint32_t offset = 0; + uint32_t number_of_bytes = 0; + uint8_t *data; + uint32_t sent_size = 0; + uint32_t real_size = 0; + + if (argc < 2 || argc > 4) { + printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]); + return NT_STATUS_OK; + } + + if (argc >= 3) { + offset = atoi(argv[2]); + } + + if (argc >= 4) { + number_of_bytes = atoi(argv[3]); + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + data = talloc_array(mem_ctx, uint8_t, number_of_bytes); + if (data == NULL) { + goto done; + } + + do { + + enum ndr_err_code ndr_err; + DATA_BLOB blob; + struct EVENTLOGRECORD r; + uint32_t size = 0; + uint32_t pos = 0; + + status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx, + &handle, + flags, + offset, + number_of_bytes, + data, + &sent_size, + &real_size, + &result); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + if (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) && + real_size > 0 ) { + number_of_bytes = real_size; + data = talloc_realloc(mem_ctx, data, uint8_t, real_size); + if (data == NULL) { + goto done; + } + status = dcerpc_eventlog_ReadEventLogW(b, mem_ctx, + &handle, + flags, + offset, + number_of_bytes, + data, + &sent_size, + &real_size, + &result); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } + + if (!NT_STATUS_EQUAL(result, NT_STATUS_END_OF_FILE) && + !NT_STATUS_IS_OK(result)) { + goto done; + } + + number_of_bytes = 0; + + size = IVAL(data, pos); + + while (size > 0) { + + blob = data_blob_const(data + pos, size); + /* dump_data(0, blob.data, blob.length); */ + ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r, + (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + status = ndr_map_error2ntstatus(ndr_err); + goto done; + } + + NDR_PRINT_DEBUG(EVENTLOGRECORD, &r); + + pos += size; + + if (pos + 4 > sent_size) { + break; + } + + size = IVAL(data, pos); + } + + offset++; + + } while (NT_STATUS_IS_OK(result)); + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle handle; + uint32_t number = 0; + struct dcerpc_binding_handle *b = cli->binding_handle; + + if (argc != 2) { + printf("Usage: %s logname\n", argv[0]); + return NT_STATUS_OK; + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = dcerpc_eventlog_GetNumRecords(b, mem_ctx, + &handle, + &number, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + printf("number of records: %d\n", number); + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle handle; + uint32_t oldest_entry = 0; + struct dcerpc_binding_handle *b = cli->binding_handle; + + if (argc != 2) { + printf("Usage: %s logname\n", argv[0]); + return NT_STATUS_OK; + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = dcerpc_eventlog_GetOldestRecord(b, mem_ctx, + &handle, + &oldest_entry, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + printf("oldest entry: %d\n", oldest_entry); + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle handle; + struct dcerpc_binding_handle *b = cli->binding_handle; + + uint16_t num_of_strings = 1; + uint32_t data_size = 0; + struct lsa_String servername; + struct lsa_String *strings; + uint8_t *data = NULL; + uint32_t record_number = 0; + time_t time_written = 0; + + if (argc != 2) { + printf("Usage: %s logname\n", argv[0]); + return NT_STATUS_OK; + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings); + if (!strings) { + return NT_STATUS_NO_MEMORY; + } + + init_lsa_String(&strings[0], "test event written by rpcclient\n"); + init_lsa_String(&servername, NULL); + + status = dcerpc_eventlog_ReportEventW(b, mem_ctx, + &handle, + time(NULL), + EVENTLOG_INFORMATION_TYPE, + 0, /* event_category */ + 0, /* event_id */ + num_of_strings, + data_size, + &servername, + NULL, /* user_sid */ + &strings, + data, + 0, /* flags */ + &record_number, + &time_written, + &result); + + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + printf("entry: %d written at %s\n", record_number, + http_timestring(talloc_tos(), time_written)); + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle handle; + struct dcerpc_binding_handle *b = cli->binding_handle; + + uint16_t num_of_strings = 1; + uint32_t data_size = 0; + struct lsa_String servername, sourcename; + struct lsa_String *strings; + uint8_t *data = NULL; + uint32_t record_number = 0; + time_t time_written = 0; + + if (argc != 2) { + printf("Usage: %s logname\n", argv[0]); + return NT_STATUS_OK; + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings); + if (!strings) { + return NT_STATUS_NO_MEMORY; + } + + init_lsa_String(&strings[0], "test event written by rpcclient\n"); + init_lsa_String(&servername, NULL); + init_lsa_String(&sourcename, "rpcclient"); + + status = dcerpc_eventlog_ReportEventAndSourceW(b, mem_ctx, + &handle, + time(NULL), + EVENTLOG_INFORMATION_TYPE, + 0, /* event_category */ + 0, /* event_id */ + &sourcename, + num_of_strings, + data_size, + &servername, + NULL, /* user_sid */ + &strings, + data, + 0, /* flags */ + &record_number, + &time_written, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + printf("entry: %d written at %s\n", record_number, + http_timestring(talloc_tos(), time_written)); + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle log_handle; + struct lsa_String module_name, reg_module_name; + struct eventlog_OpenUnknown0 unknown0; + struct dcerpc_binding_handle *b = cli->binding_handle; + + unknown0.unknown0 = 0x005c; + unknown0.unknown1 = 0x0001; + + if (argc != 2) { + printf("Usage: %s logname\n", argv[0]); + return NT_STATUS_OK; + } + + init_lsa_String(&module_name, "rpcclient"); + init_lsa_String(®_module_name, NULL); + + status = dcerpc_eventlog_RegisterEventSourceW(b, mem_ctx, + &unknown0, + &module_name, + ®_module_name, + 1, /* major_version */ + 1, /* minor_version */ + &log_handle, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + done: + dcerpc_eventlog_DeregisterEventSource(b, mem_ctx, &log_handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle handle; + struct lsa_String backup_filename; + const char *tmp; + struct dcerpc_binding_handle *b = cli->binding_handle; + + if (argc != 3) { + printf("Usage: %s logname backupname\n", argv[0]); + return NT_STATUS_OK; + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]); + if (!tmp) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + init_lsa_String(&backup_filename, tmp); + + status = dcerpc_eventlog_BackupEventLogW(b, mem_ctx, + &handle, + &backup_filename, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + +static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + NTSTATUS status, result; + struct policy_handle handle; + uint8_t *buffer = NULL; + uint32_t buf_size = 0; + uint32_t bytes_needed = 0; + struct dcerpc_binding_handle *b = cli->binding_handle; + + if (argc != 2) { + printf("Usage: %s logname\n", argv[0]); + return NT_STATUS_OK; + } + + status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + buffer = talloc_array(mem_ctx, uint8_t, bytes_needed); + if (buffer == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + status = dcerpc_eventlog_GetLogInformation(b, mem_ctx, + &handle, + 0, /* level */ + buffer, + buf_size, + &bytes_needed, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result) && + !NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) { + goto done; + } + + buf_size = bytes_needed; + buffer = talloc_realloc(mem_ctx, buffer, uint8_t, bytes_needed); + if (buffer == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + status = dcerpc_eventlog_GetLogInformation(b, mem_ctx, + &handle, + 0, /* level */ + buffer, + buf_size, + &bytes_needed, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } + + done: + dcerpc_eventlog_CloseEventLog(b, mem_ctx, &handle, &result); + + return status; +} + + +struct cmd_set eventlog_commands[] = { + { + .name = "EVENTLOG", + }, + { + .name = "eventlog_readlog", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_readlog, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Read Eventlog", + .usage = "", + }, + { + .name = "eventlog_numrecord", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_numrecords, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Get number of records", + .usage = "", + }, + { + .name = "eventlog_oldestrecord", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_oldestrecord, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Get oldest record", + .usage = "", + }, + { + .name = "eventlog_reportevent", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_reportevent, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Report event", + .usage = "", + }, + { + .name = "eventlog_reporteventsource", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_reporteventsource, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Report event and source", + .usage = "", + }, + { + .name = "eventlog_registerevsource", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_registerevsource, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Register event source", + .usage = "", + }, + { + .name = "eventlog_backuplog", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_backuplog, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Backup Eventlog File", + .usage = "", + }, + { + .name = "eventlog_loginfo", + .returntype = RPC_RTYPE_NTSTATUS, + .ntfn = cmd_eventlog_loginfo, + .wfn = NULL, + .table = &ndr_table_eventlog, + .rpc_pipe = NULL, + .description = "Get Eventlog Information", + .usage = "", + }, + { + .name = NULL, + }, +}; |