2 Unix SMB/CIFS implementation.
5 Copyright (C) Günther Deschner 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "rpcclient.h"
23 #include "../librpc/gen_ndr/cli_eventlog.h"
25 static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli,
28 struct policy_handle *handle)
31 struct eventlog_OpenUnknown0 unknown0;
32 struct lsa_String logname, servername;
34 unknown0.unknown0 = 0x005c;
35 unknown0.unknown1 = 0x0001;
37 init_lsa_String(&logname, log);
38 init_lsa_String(&servername, NULL);
40 status = rpccli_eventlog_OpenEventLogW(cli, mem_ctx,
44 0x00000001, /* major */
45 0x00000001, /* minor */
47 if (!NT_STATUS_IS_OK(status)) {
54 static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
59 NTSTATUS status = NT_STATUS_OK;
60 struct policy_handle handle;
62 uint32_t flags = EVENTLOG_BACKWARDS_READ |
63 EVENTLOG_SEQUENTIAL_READ;
65 uint32_t number_of_bytes = 0;
67 uint32_t sent_size = 0;
68 uint32_t real_size = 0;
70 if (argc < 2 || argc > 4) {
71 printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
76 offset = atoi(argv[2]);
80 number_of_bytes = atoi(argv[3]);
81 data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
87 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
88 if (!NT_STATUS_IS_OK(status)) {
94 enum ndr_err_code ndr_err;
96 struct EVENTLOGRECORD r;
100 status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
108 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL) &&
110 number_of_bytes = real_size;
111 data = talloc_array(mem_ctx, uint8_t, real_size);
115 status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
125 if (!NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE) &&
126 !NT_STATUS_IS_OK(status)) {
132 size = IVAL(data, pos);
136 blob = data_blob_const(data + pos, size);
137 /* dump_data(0, blob.data, blob.length); */
138 ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
139 (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
140 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
141 status = ndr_map_error2ntstatus(ndr_err);
145 NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
149 if (pos + 4 > sent_size) {
153 size = IVAL(data, pos);
158 } while (NT_STATUS_IS_OK(status));
161 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
166 static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
172 struct policy_handle handle;
176 printf("Usage: %s logname\n", argv[0]);
180 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
181 if (!NT_STATUS_IS_OK(status)) {
185 status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
188 if (!NT_STATUS_IS_OK(status)) {
192 printf("number of records: %d\n", number);
195 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
200 static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
206 struct policy_handle handle;
207 uint32_t oldest_entry = 0;
210 printf("Usage: %s logname\n", argv[0]);
214 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
215 if (!NT_STATUS_IS_OK(status)) {
219 status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
222 if (!NT_STATUS_IS_OK(status)) {
226 printf("oldest entry: %d\n", oldest_entry);
229 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
234 static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli,
240 struct policy_handle handle;
242 uint16_t num_of_strings = 1;
243 uint32_t data_size = 0;
244 struct lsa_String servername;
245 struct lsa_String *strings;
246 uint8_t *data = NULL;
247 uint32_t record_number = 0;
248 time_t time_written = 0;
251 printf("Usage: %s logname\n", argv[0]);
255 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
256 if (!NT_STATUS_IS_OK(status)) {
260 strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
262 return NT_STATUS_NO_MEMORY;
265 init_lsa_String(&strings[0], "test event written by rpcclient\n");
266 init_lsa_String(&servername, NULL);
268 status = rpccli_eventlog_ReportEventW(cli, mem_ctx,
271 EVENTLOG_INFORMATION_TYPE,
272 0, /* event_category */
284 if (!NT_STATUS_IS_OK(status)) {
288 printf("entry: %d written at %s\n", record_number,
289 http_timestring(talloc_tos(), time_written));
292 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
297 static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
303 struct policy_handle handle;
305 uint16_t num_of_strings = 1;
306 uint32_t data_size = 0;
307 struct lsa_String servername, sourcename;
308 struct lsa_String *strings;
309 uint8_t *data = NULL;
310 uint32_t record_number = 0;
311 time_t time_written = 0;
314 printf("Usage: %s logname\n", argv[0]);
318 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
319 if (!NT_STATUS_IS_OK(status)) {
323 strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
325 return NT_STATUS_NO_MEMORY;
328 init_lsa_String(&strings[0], "test event written by rpcclient\n");
329 init_lsa_String(&servername, NULL);
330 init_lsa_String(&sourcename, "rpcclient");
332 status = rpccli_eventlog_ReportEventAndSourceW(cli, mem_ctx,
335 EVENTLOG_INFORMATION_TYPE,
336 0, /* event_category */
348 if (!NT_STATUS_IS_OK(status)) {
352 printf("entry: %d written at %s\n", record_number,
353 http_timestring(talloc_tos(), time_written));
356 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
361 static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli,
367 struct policy_handle log_handle;
368 struct lsa_String module_name, reg_module_name;
369 struct eventlog_OpenUnknown0 unknown0;
371 unknown0.unknown0 = 0x005c;
372 unknown0.unknown1 = 0x0001;
375 printf("Usage: %s logname\n", argv[0]);
379 init_lsa_String(&module_name, "rpcclient");
380 init_lsa_String(®_module_name, NULL);
382 status = rpccli_eventlog_RegisterEventSourceW(cli, mem_ctx,
386 1, /* major_version */
387 1, /* minor_version */
389 if (!NT_STATUS_IS_OK(status)) {
394 rpccli_eventlog_DeregisterEventSource(cli, mem_ctx, &log_handle);
399 static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
405 struct policy_handle handle;
406 struct lsa_String backup_filename;
410 printf("Usage: %s logname backupname\n", argv[0]);
414 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
415 if (!NT_STATUS_IS_OK(status)) {
419 tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
421 status = NT_STATUS_NO_MEMORY;
425 init_lsa_String(&backup_filename, tmp);
427 status = rpccli_eventlog_BackupEventLogW(cli, mem_ctx,
432 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
437 static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
443 struct policy_handle handle;
444 uint8_t *buffer = NULL;
445 uint32_t buf_size = 0;
446 uint32_t bytes_needed = 0;
449 printf("Usage: %s logname\n", argv[0]);
453 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
454 if (!NT_STATUS_IS_OK(status)) {
458 status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
464 if (!NT_STATUS_IS_OK(status) &&
465 !NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
469 buf_size = bytes_needed;
470 buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
472 status = NT_STATUS_NO_MEMORY;
476 status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
482 if (!NT_STATUS_IS_OK(status)) {
487 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
493 struct cmd_set eventlog_commands[] = {
495 { "eventlog_readlog", RPC_RTYPE_NTSTATUS, cmd_eventlog_readlog, NULL, &ndr_table_eventlog.syntax_id, NULL, "Read Eventlog", "" },
496 { "eventlog_numrecord", RPC_RTYPE_NTSTATUS, cmd_eventlog_numrecords, NULL, &ndr_table_eventlog.syntax_id, NULL, "Get number of records", "" },
497 { "eventlog_oldestrecord", RPC_RTYPE_NTSTATUS, cmd_eventlog_oldestrecord, NULL, &ndr_table_eventlog.syntax_id, NULL, "Get oldest record", "" },
498 { "eventlog_reportevent", RPC_RTYPE_NTSTATUS, cmd_eventlog_reportevent, NULL, &ndr_table_eventlog.syntax_id, NULL, "Report event", "" },
499 { "eventlog_reporteventsource", RPC_RTYPE_NTSTATUS, cmd_eventlog_reporteventsource, NULL, &ndr_table_eventlog.syntax_id, NULL, "Report event and source", "" },
500 { "eventlog_registerevsource", RPC_RTYPE_NTSTATUS, cmd_eventlog_registerevsource, NULL, &ndr_table_eventlog.syntax_id, NULL, "Register event source", "" },
501 { "eventlog_backuplog", RPC_RTYPE_NTSTATUS, cmd_eventlog_backuplog, NULL, &ndr_table_eventlog.syntax_id, NULL, "Backup Eventlog File", "" },
502 { "eventlog_loginfo", RPC_RTYPE_NTSTATUS, cmd_eventlog_loginfo, NULL, &ndr_table_eventlog.syntax_id, NULL, "Get Eventlog Information", "" },