// SPDX-License-Identifier: GPL-3.0-or-later
#ifndef NETDATA_WINDOWS_EVENTS_H
#define NETDATA_WINDOWS_EVENTS_H
#include "libnetdata/libnetdata.h"
#include "collectors/all.h"
// Outcome of a Windows Events channel query.
// The enumerator values are written out explicitly so the numbering is
// visible to the reader; they are identical to the implicit values of the
// original declaration (0 through 6, in the same order).
typedef enum {
    WEVT_NO_CHANNEL_MATCHED = 0,
    WEVT_FAILED_TO_OPEN     = 1,
    WEVT_FAILED_TO_SEEK     = 2,
    WEVT_TIMED_OUT          = 3,
    WEVT_OK                 = 4,
    WEVT_NOT_MODIFIED       = 5,
    WEVT_CANCELLED          = 6,
} WEVT_QUERY_STATUS;
// Channel identifiers. The values appear to follow the standard Windows
// event-manifest (winmeta) channel numbering: 0x0 classic trace, 0x8 System,
// 0x9 Application, 0xa Security — confirm against the platform definitions.
#define WEVT_CHANNEL_CLASSIC_TRACE 0x0
#define WEVT_CHANNEL_GLOBAL_SYSTEM 0x8
#define WEVT_CHANNEL_GLOBAL_APPLICATION 0x9
#define WEVT_CHANNEL_GLOBAL_SECURITY 0xa
// Event levels (a 4-bit field, 0x0-0xf). 0x1-0x5 have display names
// (WEVT_LEVEL_NAME_*); 0x6-0xf have no standard meaning and are listed
// only so every value of the field has an identifier.
#define WEVT_LEVEL_NONE 0x0
#define WEVT_LEVEL_CRITICAL 0x1
#define WEVT_LEVEL_ERROR 0x2
#define WEVT_LEVEL_WARNING 0x3
#define WEVT_LEVEL_INFORMATION 0x4
#define WEVT_LEVEL_VERBOSE 0x5
#define WEVT_LEVEL_RESERVED_6 0x6
#define WEVT_LEVEL_RESERVED_7 0x7
#define WEVT_LEVEL_RESERVED_8 0x8
#define WEVT_LEVEL_RESERVED_9 0x9
#define WEVT_LEVEL_RESERVED_10 0xa
#define WEVT_LEVEL_RESERVED_11 0xb
#define WEVT_LEVEL_RESERVED_12 0xc
#define WEVT_LEVEL_RESERVED_13 0xd
#define WEVT_LEVEL_RESERVED_14 0xe
#define WEVT_LEVEL_RESERVED_15 0xf
// Event opcodes (an 8-bit field). 0x0-0x9 are the standard named opcodes
// (display names in WEVT_OPCODE_NAME_*); 0xf0 "Receive" is the only named
// value above 0x9, and 0xf1-0xff are reserved. Values 0xa-0xef have no
// identifier in this header.
#define WEVT_OPCODE_INFO 0x0
#define WEVT_OPCODE_START 0x1
#define WEVT_OPCODE_STOP 0x2
#define WEVT_OPCODE_DC_START 0x3
#define WEVT_OPCODE_DC_STOP 0x4
#define WEVT_OPCODE_EXTENSION 0x5
#define WEVT_OPCODE_REPLY 0x6
#define WEVT_OPCODE_RESUME 0x7
#define WEVT_OPCODE_SUSPEND 0x8
#define WEVT_OPCODE_SEND 0x9
#define WEVT_OPCODE_RECEIVE 0xf0
#define WEVT_OPCODE_RESERVED_241 0xf1
#define WEVT_OPCODE_RESERVED_242 0xf2
#define WEVT_OPCODE_RESERVED_243 0xf3
#define WEVT_OPCODE_RESERVED_244 0xf4
#define WEVT_OPCODE_RESERVED_245 0xf5
#define WEVT_OPCODE_RESERVED_246 0xf6
#define WEVT_OPCODE_RESERVED_247 0xf7
#define WEVT_OPCODE_RESERVED_248 0xf8
#define WEVT_OPCODE_RESERVED_249 0xf9
#define WEVT_OPCODE_RESERVED_250 0xfa
#define WEVT_OPCODE_RESERVED_251 0xfb
#define WEVT_OPCODE_RESERVED_252 0xfc
#define WEVT_OPCODE_RESERVED_253 0xfd
#define WEVT_OPCODE_RESERVED_254 0xfe
#define WEVT_OPCODE_RESERVED_255 0xff
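#define WEVT_TASK_NONE 0x0
// Keyword bit masks (bits 48-63 of the 64-bit keywords field).
// Every mask carries the ULL suffix so each constant is unsigned 64-bit on
// every platform: without it the smaller values pick up a signed type while
// 0x8000000000000000 alone becomes unsigned long long, so mixed-sign
// comparisons and shifts against the keywords field behave differently
// per constant. WEVT_KEYWORD_NONE stays a plain 0x0.
#define WEVT_KEYWORD_NONE 0x0
#define WEVT_KEYWORD_RESPONSE_TIME 0x0001000000000000ULL
#define WEVT_KEYWORD_WDI_CONTEXT 0x0002000000000000ULL
#define WEVT_KEYWORD_WDI_DIAG 0x0004000000000000ULL
#define WEVT_KEYWORD_SQM 0x0008000000000000ULL
#define WEVT_KEYWORD_AUDIT_FAILURE 0x0010000000000000ULL
#define WEVT_KEYWORD_AUDIT_SUCCESS 0x0020000000000000ULL
#define WEVT_KEYWORD_CORRELATION_HINT 0x0040000000000000ULL
#define WEVT_KEYWORD_EVENTLOG_CLASSIC 0x0080000000000000ULL
#define WEVT_KEYWORD_RESERVED_56 0x0100000000000000ULL
#define WEVT_KEYWORD_RESERVED_57 0x0200000000000000ULL
#define WEVT_KEYWORD_RESERVED_58 0x0400000000000000ULL
#define WEVT_KEYWORD_RESERVED_59 0x0800000000000000ULL
#define WEVT_KEYWORD_RESERVED_60 0x1000000000000000ULL
// Misspelled name kept as an alias so existing users keep compiling;
// new code should use WEVT_KEYWORD_RESERVED_60.
#define WEVT_KEYWORDE_RESERVED_60 WEVT_KEYWORD_RESERVED_60
#define WEVT_KEYWORD_RESERVED_61 0x2000000000000000ULL
#define WEVT_KEYWORD_RESERVED_62 0x4000000000000000ULL
#define WEVT_KEYWORD_RESERVED_63 0x8000000000000000ULL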
// Display names for the numeric constants above, matched by suffix
// (WEVT_LEVEL_CRITICAL <-> WEVT_LEVEL_NAME_CRITICAL, and so on). Only values
// with a standard meaning have a name; the RESERVED_* values have none.
#define WEVT_LEVEL_NAME_NONE "None"
#define WEVT_LEVEL_NAME_CRITICAL "Critical"
#define WEVT_LEVEL_NAME_ERROR "Error"
#define WEVT_LEVEL_NAME_WARNING "Warning"
#define WEVT_LEVEL_NAME_INFORMATION "Information"
#define WEVT_LEVEL_NAME_VERBOSE "Verbose"
#define WEVT_OPCODE_NAME_INFO "Info"
#define WEVT_OPCODE_NAME_START "Start"
#define WEVT_OPCODE_NAME_STOP "Stop"
#define WEVT_OPCODE_NAME_DC_START "DC Start"
#define WEVT_OPCODE_NAME_DC_STOP "DC Stop"
#define WEVT_OPCODE_NAME_EXTENSION "Extension"
#define WEVT_OPCODE_NAME_REPLY "Reply"
#define WEVT_OPCODE_NAME_RESUME "Resume"
#define WEVT_OPCODE_NAME_SUSPEND "Suspend"
#define WEVT_OPCODE_NAME_SEND "Send"
#define WEVT_OPCODE_NAME_RECEIVE "Receive"
#define WEVT_TASK_NAME_NONE "None"
#define WEVT_KEYWORD_NAME_NONE "None"
#define WEVT_KEYWORD_NAME_RESPONSE_TIME "Response Time"
#define WEVT_KEYWORD_NAME_WDI_CONTEXT "WDI Context"
#define WEVT_KEYWORD_NAME_WDI_DIAG "WDI Diagnostics"
#define WEVT_KEYWORD_NAME_SQM "SQM (Software Quality Metrics)"
#define WEVT_KEYWORD_NAME_AUDIT_FAILURE "Audit Failure"
#define WEVT_KEYWORD_NAME_AUDIT_SUCCESS "Audit Success"
#define WEVT_KEYWORD_NAME_CORRELATION_HINT "Correlation Hint"
#define WEVT_KEYWORD_NAME_EVENTLOG_CLASSIC "Event Log Classic"
// Label prefixes for values that have no display name. The trailing space is
// part of the string — presumably the numeric value is appended directly
// after it (e.g. "Level 7"), so callers must not add their own separator;
// confirm against the rendering code, which is not in this header.
#define WEVT_PREFIX_LEVEL "Level " // the space at the end is needed
#define WEVT_PREFIX_KEYWORDS "Keywords " // the space at the end is needed
#define WEVT_PREFIX_OPCODE "Opcode " // the space at the end is needed
#define WEVT_PREFIX_TASK "Task " // the space at the end is needed
#include "windows-events-sources.h"
#include "windows-events-unicode.h"
#include "windows-events-xml.h"
#include "windows-events-providers.h"
#include "windows-events-fields-cache.h"
#include "windows-events-query.h"
// enable or disable preloading on full-text-search
// (1 = preload that field, 0 = do not; the XML field is the only one
// disabled here)
#define ON_FTS_PRELOAD_MESSAGE 1
#define ON_FTS_PRELOAD_XML 0
#define ON_FTS_PRELOAD_EVENT_DATA 1
// Function identity; also used as LQS_FUNCTION_NAME / LQS_FUNCTION_DESCRIPTION below.
#define WEVT_FUNCTION_DESCRIPTION "View, search and analyze the Microsoft Windows Events log."
#define WEVT_FUNCTION_NAME "windows-events"
#define WINDOWS_EVENTS_WORKER_THREADS 5
// NOTE(review): unit is not stated here — presumably seconds; confirm at the use site.
#define WINDOWS_EVENTS_DEFAULT_TIMEOUT 600
#define WINDOWS_EVENTS_SCAN_EVERY_USEC (5 * 60 * USEC_PER_SEC) // 5 minutes, in microseconds
#define WINDOWS_EVENTS_PROGRESS_EVERY_UT (250 * USEC_PER_MS) // 250 ms, in microseconds
// Row-count thresholds (not time based).
#define FUNCTION_PROGRESS_EVERY_ROWS (2000)
#define FUNCTION_DATA_ONLY_CHECK_EVERY_ROWS (1000)
#define ANCHOR_DELTA_UT (10 * USEC_PER_SEC) // 10 seconds, in microseconds
// run providers release every 5 mins
#define WINDOWS_EVENTS_RELEASE_PROVIDERS_HANDLES_EVERY_UT (5 * 60 * USEC_PER_SEC)
// release idle handles that are older than 5 mins
#define WINDOWS_EVENTS_RELEASE_IDLE_PROVIDER_HANDLES_TIME_UT (5 * 60 * USEC_PER_SEC)
// Field (column) names used in query output. Treat them as a stable
// interface: renaming one changes what consumers of the output see.
#define WEVT_FIELD_COMPUTER "Computer"
#define WEVT_FIELD_CHANNEL "Channel"
#define WEVT_FIELD_PROVIDER "Provider"
#define WEVT_FIELD_PROVIDER_GUID "ProviderGUID"
#define WEVT_FIELD_EVENTRECORDID "EventRecordID"
#define WEVT_FIELD_VERSION "Version"
#define WEVT_FIELD_QUALIFIERS "Qualifiers"
#define WEVT_FIELD_EVENTID "EventID"
#define WEVT_FIELD_LEVEL "Level"
#define WEVT_FIELD_KEYWORDS "Keywords"
#define WEVT_FIELD_OPCODE "Opcode"
#define WEVT_FIELD_ACCOUNT "UserAccount"
#define WEVT_FIELD_DOMAIN "UserDomain"
#define WEVT_FIELD_SID "UserSID"
#define WEVT_FIELD_TASK "Task"
#define WEVT_FIELD_PROCESSID "ProcessID"
#define WEVT_FIELD_THREADID "ThreadID"
#define WEVT_FIELD_ACTIVITY_ID "ActivityID"
#define WEVT_FIELD_RELATED_ACTIVITY_ID "RelatedActivityID"
#define WEVT_FIELD_XML "XML"
#define WEVT_FIELD_MESSAGE "Message"
#define WEVT_FIELD_EVENTS_API "EventsAPI"
// Hidden fields. NOTE(review): presumably internal carriers for the
// message / XML / event-data text (see ON_FTS_PRELOAD_*) rather than
// displayed columns — confirm in the query code, which is not in this header.
#define WEVT_FIELD_EVENT_DATA_HIDDEN "__HIDDEN__EVENT__DATA__"
#define WEVT_FIELD_EVENT_MESSAGE_HIDDEN "__HIDDEN__MESSAGE__DATA__"
#define WEVT_FIELD_EVENT_XML_HIDDEN "__HIDDEN__XML__DATA__"
// functions needed by LQS
// structures needed by LQS
// Plugin-specific state attached to the generic logs-query-status (LQS)
// machinery included further down (libnetdata/facets/logs_query_status.h).
struct lqs_extension {
    wchar_t *query; // wide-char query text; ownership and lifetime are not documented in this header

    // Progress bookkeeping for a running query.
    struct {
        struct {
            size_t completed; // queries finished so far
            size_t total;     // queries planned
        } queries;
        struct {
            size_t current_query_total; // entries in the query currently running
            size_t completed;           // entries processed so far (across queries)
            size_t total;               // entries expected in total
        } entries;
        usec_t last_ut; // NOTE(review): presumably the time progress was last reported — confirm at the use site
    } progress;

    // NOTE(review): the commented-out members below reference
    // SYSTEMD_JOURNAL_SAMPLING_SLOTS, so they appear to have been carried over
    // from the systemd-journal plugin. They are not part of this struct.
    // struct {
    // usec_t start_ut;
    // usec_t stop_ut;
    // usec_t first_msg_ut;
    //
    // uint64_t first_msg_seqnum;
    // } query_file;
    // struct {
    // uint32_t enable_after_samples;
    // uint32_t slots;
    // uint32_t sampled;
    // uint32_t unsampled;
    // uint32_t estimated;
    // } samples;
    // struct {
    // uint32_t enable_after_samples;
    // uint32_t every;
    // uint32_t skipped;
    // uint32_t recalibrate;
    // uint32_t sampled;
    // uint32_t unsampled;
    // uint32_t estimated;
    // } samples_per_file;
    // struct {
    // usec_t start_ut;
    // usec_t end_ut;
    // usec_t step_ut;
    // uint32_t enable_after_samples;
    // uint32_t sampled[SYSTEMD_JOURNAL_SAMPLING_SLOTS];
    // uint32_t unsampled[SYSTEMD_JOURNAL_SAMPLING_SLOTS];
    // } samples_per_time_slot;
    // per file progress info
    // size_t cached_count;

    // progress statistics
    usec_t matches_setup_ut; // time spent setting up the matches (microseconds, per the _ut suffix)
    size_t rows_useful;      // NOTE(review): presumably rows that matched and were kept — confirm
    size_t rows_read;        // rows read from the source
    size_t bytes_read;       // bytes read from the source
    size_t files_matched;    // sources (channels) that matched the selection — presumably
    size_t file_working;     // index of the source currently being processed — presumably
};
// prepare LQS: the parameters the generic logs-query-status template
// (libnetdata/facets/logs_query_status.h, included right after this block)
// expects to find defined. The WEVT_SOURCE_TYPE / WEVTS_* names and the two
// helper functions are presumably declared in windows-events-sources.h,
// which is included above but not visible here.
#define LQS_DEFAULT_SLICE_MODE 0
#define LQS_FUNCTION_NAME WEVT_FUNCTION_NAME
#define LQS_FUNCTION_DESCRIPTION WEVT_FUNCTION_DESCRIPTION
#define LQS_DEFAULT_ITEMS_PER_QUERY 200
#define LQS_DEFAULT_ITEMS_SAMPLING 1000000
#define LQS_SOURCE_TYPE WEVT_SOURCE_TYPE
#define LQS_SOURCE_TYPE_ALL WEVTS_ALL
#define LQS_SOURCE_TYPE_NONE WEVTS_NONE
#define LQS_PARAMETER_SOURCE_NAME "Event Channels" // this is how it is shown to users
#define LQS_FUNCTION_GET_INTERNAL_SOURCE_TYPE(value) WEVT_SOURCE_TYPE_2id_one(value)
#define LQS_FUNCTION_SOURCE_TO_JSON_ARRAY(wb) wevt_sources_to_json_array(wb)
#include "libnetdata/facets/logs_query_status.h"
#include "windows-events-query-builder.h" // needs the LQS definition, so it has to be last
#endif //NETDATA_WINDOWS_EVENTS_H