2 Unix SMB/CIFS implementation.
5 Copyright (C) Günther Deschner 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "rpcclient.h"
23 #include "../librpc/gen_ndr/ndr_eventlog.h"
24 #include "../librpc/gen_ndr/cli_eventlog.h"
25 #include "rpc_client/init_lsa.h"
27 static NTSTATUS get_eventlog_handle(struct rpc_pipe_client *cli,
30 struct policy_handle *handle)
33 struct eventlog_OpenUnknown0 unknown0;
34 struct lsa_String logname, servername;
36 unknown0.unknown0 = 0x005c;
37 unknown0.unknown1 = 0x0001;
39 init_lsa_String(&logname, log);
40 init_lsa_String(&servername, NULL);
42 status = rpccli_eventlog_OpenEventLogW(cli, mem_ctx,
46 0x00000001, /* major */
47 0x00000001, /* minor */
49 if (!NT_STATUS_IS_OK(status)) {
56 static NTSTATUS cmd_eventlog_readlog(struct rpc_pipe_client *cli,
61 NTSTATUS status = NT_STATUS_OK;
62 struct policy_handle handle;
64 uint32_t flags = EVENTLOG_BACKWARDS_READ |
65 EVENTLOG_SEQUENTIAL_READ;
67 uint32_t number_of_bytes = 0;
69 uint32_t sent_size = 0;
70 uint32_t real_size = 0;
72 if (argc < 2 || argc > 4) {
73 printf("Usage: %s logname [offset] [number_of_bytes]\n", argv[0]);
78 offset = atoi(argv[2]);
82 number_of_bytes = atoi(argv[3]);
83 data = talloc_array(mem_ctx, uint8_t, number_of_bytes);
89 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
90 if (!NT_STATUS_IS_OK(status)) {
96 enum ndr_err_code ndr_err;
98 struct EVENTLOGRECORD r;
102 status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
110 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL) &&
112 number_of_bytes = real_size;
113 data = talloc_array(mem_ctx, uint8_t, real_size);
117 status = rpccli_eventlog_ReadEventLogW(cli, mem_ctx,
127 if (!NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE) &&
128 !NT_STATUS_IS_OK(status)) {
134 size = IVAL(data, pos);
138 blob = data_blob_const(data + pos, size);
139 /* dump_data(0, blob.data, blob.length); */
140 ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &r,
141 (ndr_pull_flags_fn_t)ndr_pull_EVENTLOGRECORD);
142 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
143 status = ndr_map_error2ntstatus(ndr_err);
147 NDR_PRINT_DEBUG(EVENTLOGRECORD, &r);
151 if (pos + 4 > sent_size) {
155 size = IVAL(data, pos);
160 } while (NT_STATUS_IS_OK(status));
163 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
168 static NTSTATUS cmd_eventlog_numrecords(struct rpc_pipe_client *cli,
174 struct policy_handle handle;
178 printf("Usage: %s logname\n", argv[0]);
182 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
183 if (!NT_STATUS_IS_OK(status)) {
187 status = rpccli_eventlog_GetNumRecords(cli, mem_ctx,
190 if (!NT_STATUS_IS_OK(status)) {
194 printf("number of records: %d\n", number);
197 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
202 static NTSTATUS cmd_eventlog_oldestrecord(struct rpc_pipe_client *cli,
208 struct policy_handle handle;
209 uint32_t oldest_entry = 0;
212 printf("Usage: %s logname\n", argv[0]);
216 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
217 if (!NT_STATUS_IS_OK(status)) {
221 status = rpccli_eventlog_GetOldestRecord(cli, mem_ctx,
224 if (!NT_STATUS_IS_OK(status)) {
228 printf("oldest entry: %d\n", oldest_entry);
231 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
236 static NTSTATUS cmd_eventlog_reportevent(struct rpc_pipe_client *cli,
242 struct policy_handle handle;
244 uint16_t num_of_strings = 1;
245 uint32_t data_size = 0;
246 struct lsa_String servername;
247 struct lsa_String *strings;
248 uint8_t *data = NULL;
249 uint32_t record_number = 0;
250 time_t time_written = 0;
253 printf("Usage: %s logname\n", argv[0]);
257 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
258 if (!NT_STATUS_IS_OK(status)) {
262 strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
264 return NT_STATUS_NO_MEMORY;
267 init_lsa_String(&strings[0], "test event written by rpcclient\n");
268 init_lsa_String(&servername, NULL);
270 status = rpccli_eventlog_ReportEventW(cli, mem_ctx,
273 EVENTLOG_INFORMATION_TYPE,
274 0, /* event_category */
286 if (!NT_STATUS_IS_OK(status)) {
290 printf("entry: %d written at %s\n", record_number,
291 http_timestring(talloc_tos(), time_written));
294 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
299 static NTSTATUS cmd_eventlog_reporteventsource(struct rpc_pipe_client *cli,
305 struct policy_handle handle;
307 uint16_t num_of_strings = 1;
308 uint32_t data_size = 0;
309 struct lsa_String servername, sourcename;
310 struct lsa_String *strings;
311 uint8_t *data = NULL;
312 uint32_t record_number = 0;
313 time_t time_written = 0;
316 printf("Usage: %s logname\n", argv[0]);
320 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
321 if (!NT_STATUS_IS_OK(status)) {
325 strings = talloc_array(mem_ctx, struct lsa_String, num_of_strings);
327 return NT_STATUS_NO_MEMORY;
330 init_lsa_String(&strings[0], "test event written by rpcclient\n");
331 init_lsa_String(&servername, NULL);
332 init_lsa_String(&sourcename, "rpcclient");
334 status = rpccli_eventlog_ReportEventAndSourceW(cli, mem_ctx,
337 EVENTLOG_INFORMATION_TYPE,
338 0, /* event_category */
350 if (!NT_STATUS_IS_OK(status)) {
354 printf("entry: %d written at %s\n", record_number,
355 http_timestring(talloc_tos(), time_written));
358 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
363 static NTSTATUS cmd_eventlog_registerevsource(struct rpc_pipe_client *cli,
369 struct policy_handle log_handle;
370 struct lsa_String module_name, reg_module_name;
371 struct eventlog_OpenUnknown0 unknown0;
373 unknown0.unknown0 = 0x005c;
374 unknown0.unknown1 = 0x0001;
377 printf("Usage: %s logname\n", argv[0]);
381 init_lsa_String(&module_name, "rpcclient");
382 init_lsa_String(®_module_name, NULL);
384 status = rpccli_eventlog_RegisterEventSourceW(cli, mem_ctx,
388 1, /* major_version */
389 1, /* minor_version */
391 if (!NT_STATUS_IS_OK(status)) {
396 rpccli_eventlog_DeregisterEventSource(cli, mem_ctx, &log_handle);
401 static NTSTATUS cmd_eventlog_backuplog(struct rpc_pipe_client *cli,
407 struct policy_handle handle;
408 struct lsa_String backup_filename;
412 printf("Usage: %s logname backupname\n", argv[0]);
416 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
417 if (!NT_STATUS_IS_OK(status)) {
421 tmp = talloc_asprintf(mem_ctx, "\\??\\%s", argv[2]);
423 status = NT_STATUS_NO_MEMORY;
427 init_lsa_String(&backup_filename, tmp);
429 status = rpccli_eventlog_BackupEventLogW(cli, mem_ctx,
434 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
439 static NTSTATUS cmd_eventlog_loginfo(struct rpc_pipe_client *cli,
445 struct policy_handle handle;
446 uint8_t *buffer = NULL;
447 uint32_t buf_size = 0;
448 uint32_t bytes_needed = 0;
451 printf("Usage: %s logname\n", argv[0]);
455 status = get_eventlog_handle(cli, mem_ctx, argv[1], &handle);
456 if (!NT_STATUS_IS_OK(status)) {
460 status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
466 if (!NT_STATUS_IS_OK(status) &&
467 !NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
471 buf_size = bytes_needed;
472 buffer = talloc_array(mem_ctx, uint8_t, bytes_needed);
474 status = NT_STATUS_NO_MEMORY;
478 status = rpccli_eventlog_GetLogInformation(cli, mem_ctx,
484 if (!NT_STATUS_IS_OK(status)) {
489 rpccli_eventlog_CloseEventLog(cli, mem_ctx, &handle);
495 struct cmd_set eventlog_commands[] = {
497 { "eventlog_readlog", RPC_RTYPE_NTSTATUS, cmd_eventlog_readlog, NULL, &ndr_table_eventlog.syntax_id, NULL, "Read Eventlog", "" },
498 { "eventlog_numrecord", RPC_RTYPE_NTSTATUS, cmd_eventlog_numrecords, NULL, &ndr_table_eventlog.syntax_id, NULL, "Get number of records", "" },
499 { "eventlog_oldestrecord", RPC_RTYPE_NTSTATUS, cmd_eventlog_oldestrecord, NULL, &ndr_table_eventlog.syntax_id, NULL, "Get oldest record", "" },
500 { "eventlog_reportevent", RPC_RTYPE_NTSTATUS, cmd_eventlog_reportevent, NULL, &ndr_table_eventlog.syntax_id, NULL, "Report event", "" },
501 { "eventlog_reporteventsource", RPC_RTYPE_NTSTATUS, cmd_eventlog_reporteventsource, NULL, &ndr_table_eventlog.syntax_id, NULL, "Report event and source", "" },
502 { "eventlog_registerevsource", RPC_RTYPE_NTSTATUS, cmd_eventlog_registerevsource, NULL, &ndr_table_eventlog.syntax_id, NULL, "Register event source", "" },
503 { "eventlog_backuplog", RPC_RTYPE_NTSTATUS, cmd_eventlog_backuplog, NULL, &ndr_table_eventlog.syntax_id, NULL, "Backup Eventlog File", "" },
504 { "eventlog_loginfo", RPC_RTYPE_NTSTATUS, cmd_eventlog_loginfo, NULL, &ndr_table_eventlog.syntax_id, NULL, "Get Eventlog Information", "" },